Backend Developer Skill

Purpose

Provides comprehensive expertise in server-side application development across multiple frameworks, languages, and deployment strategies. Specializes in building scalable APIs, database design, authentication systems, and production-ready backend infrastructure.

When to Use

• Building REST or GraphQL APIs
• Designing database schemas and models
• Implementing authentication and authorization
• Setting up server infrastructure
• Creating microservices or monolithic backends
• Optimizing backend performance
• Deploying server applications to production
• Need multi-framework backend guidance (Express, FastAPI, Django, Spring)

Quick Start

Invoke this skill when:

• Building server-side APIs (REST, GraphQL) in Node.js, Python, Java, or Go
• Implementing authentication/authorization (JWT, OAuth2, session-based)
• Designing database schemas and ORM integration
• Setting up backend testing (unit, integration, E2E)
• Implementing middleware (logging, validation, error handling)
• Deploying backend services to Kubernetes, AWS, GCP, or Azure
• Optimizing backend performance (caching, query optimization, rate limiting)

Do NOT invoke when:

• Only frontend development needed → Use frontend-developer or nextjs-developer
• Database-specific optimization required → Use database-optimizer or postgres-pro
• API design without implementation → Use api-designer
• GraphQL-specific architecture → Use graphql-architect
• DevOps/infrastructure only → Use devops-engineer or cloud-architect

Framework Support

Node.js/TypeScript

• Express.js, NestJS, Koa.js, Fastify

Python

• FastAPI, Django, Flask, Tornado

Java

• Spring Boot, Quarkus, Micronaut

Go

• Gin, Echo, Fiber

Decision Framework

Backend Framework Selection

Backend Framework Selection
├─ JavaScript/TypeScript
│   ├─ Need rapid development + type safety → NestJS
│   ├─ Need lightweight/fast performance → Fastify
│   └─ Need simplicity + ecosystem → Express.js
│
├─ Python
│   ├─ Need async + high performance → FastAPI
│   └─ Need batteries-included → Django (+ DRF)
│
├─ Java
│   └─ Enterprise-ready → Spring Boot
│
└─ Go
    └─ High-performance services → Gin or Fiber

Authentication Strategy Matrix

Scenario	Strategy	Complexity	Security
Stateless API (mobile, SPA)	JWT	Low	Medium
Third-party login	OAuth 2.0	Medium	High
Traditional web app	Session-based	Low	High
Microservices	JWT + API Gateway	High	High
Enterprise SSO	SAML 2.0	High	Very High

Database & ORM Selection

Database & ORM Decision
├─ Relational (SQL)
│   ├─ Node.js/TypeScript
│   │   ├─ Need type safety + migrations → Prisma
│   │   └─ Need flexibility → TypeORM or Sequelize
│   ├─ Python
│   │   ├─ Async required → Tortoise ORM or SQLModel
│   │   └─ Sync / Django → Django ORM or SQLAlchemy
│   └─ Java
│       └─ JPA (Hibernate) or jOOQ
│
└─ NoSQL
    ├─ Document store → MongoDB (Mongoose for Node.js)
    └─ Key-value → Redis (caching, sessions)

Best Practices

1. Always validate input - Use provided validation middleware
2. Handle errors gracefully - Use generated error handlers
3. Write tests - Use test templates for consistency
4. Use environment variables - Never hardcode secrets
5. Implement logging - Use provided logging configuration
6. Monitor performance - Set up metrics and alerts
7. Security first - Use provided authentication setup
8. Version your API - Follow versioning patterns
9. Document your code - Generate API docs automatically
10. Deploy safely - Use provided deployment scripts

Common Patterns

Repository Pattern

• Separation of concerns
• Easy testing
• Swappable implementations

Service Layer

• Centralized business rules
• Transaction management
• Error handling

Middleware Stack

• Authentication
• Authorization
• Validation
• Logging
• Error handling

Troubleshooting

Common Issues

Database connection errors

• Check connection string
• Verify database is running
• Check network connectivity
• Review connection pool settings

Authentication failures

• Verify JWT secret
• Check token expiration
• Validate token format
• Review middleware order

Build failures

• Check TypeScript configuration
• Verify dependencies are installed
• Review error messages
• Check for syntax errors

Deployment issues

• Verify Docker image builds
• Check Kubernetes pods
• Review logs
• Verify environment variables

Quality Checklist

Security

• Input validation on all endpoints (Zod/Joi)
• Password hashing (bcrypt cost 10+ or Argon2)
• SQL injection prevention (parameterized queries)
• Rate limiting on auth endpoints
• Security headers (Helmet.js)
• Environment variables for secrets

Authentication & Authorization

• Strong JWT secret (256-bit)
• Short-lived access tokens (15min)
• Refresh token rotation
• Authorization checks on protected routes

Error Handling

• Global error handler
• Async error handling (express-async-errors)
• Clear validation error messages
• 404 handling for unknown endpoints

Performance

• Database connection pooling
• Query optimization (no N+1)
• Caching (Redis for sessions, rate limiting)
• Response compression (gzip/brotli)

Testing

• Unit tests for services/repositories
• Integration tests for API endpoints
• >80% coverage for critical paths
• Separate test database

Additional Resources

• Detailed Technical Reference: See REFERENCE.md
• Code Examples & Patterns: See EXAMPLES.md