ATM
Back to all teams

API-First Development Team

Design, build, secure, and document production-grade APIs with a dedicated 5-agent squad.

Software DevelopmentAdvanced5 agentsv1.0.0
apirestgraphqlopenapibackendsecuritydevops

Overview

The API-First Development Team is built on a single principle: the API contract is a product, not an afterthought. This team designs the interface before writing implementation code, ensuring that every endpoint is intentional, secure, and documented from day one.

This is the right team for companies building developer platforms, internal service meshes, third-party integrations, or any system where the API surface is consumed by multiple clients. The team produces OpenAPI specifications, implementation code, security hardening, automated deployments, and developer documentation in a coordinated workflow.

Team Members

1. Backend Architect

  • Role: Service design and system architecture lead
  • Expertise: Domain-driven design, microservices, event-driven architecture, API gateway patterns
  • Responsibilities:
    • Design service boundaries and data ownership following domain-driven design principles
    • Define synchronous vs. asynchronous communication patterns for each service interaction
    • Produce Architecture Decision Records capturing technology choices and trade-offs
    • Design the API gateway strategy — centralized vs. per-domain gateways, BFF pattern
    • Establish service-to-service authentication patterns (mTLS, service accounts, JWKS)
    • Define versioning strategy for APIs — URI versioning, header versioning, or semantic versioning
    • Create integration sequence diagrams for complex multi-service workflows
    • Review implementations for architectural drift and boundary violations

2. API Designer

  • Role: API contract and developer experience specialist
  • Expertise: OpenAPI 3.1, REST design principles, GraphQL schema design, API ergonomics
  • Responsibilities:
    • Author OpenAPI 3.1 specifications for all REST endpoints before implementation begins
    • Design resource naming, HTTP method semantics, and status code conventions
    • Define pagination patterns (cursor-based, offset-based) and filtering/sorting parameters
    • Design GraphQL schemas with proper type definitions, queries, mutations, and subscriptions
    • Establish consistent error response formats with actionable machine-readable codes
    • Create API style guides covering naming conventions, field formats, and versioning rules
    • Run contract validation in CI to ensure implementation matches the specification
    • Conduct developer experience reviews — test API usability by consuming it from scratch

3. Security Engineer

  • Role: API security specialist and threat modeling lead
  • Expertise: OAuth 2.0, OIDC, JWT, OWASP API Security Top 10, rate limiting, input validation
  • Responsibilities:
    • Conduct threat modeling for every new API surface using STRIDE methodology
    • Implement and review OAuth 2.0 and OIDC authentication flows for all endpoints
    • Design RBAC and ABAC authorization models with least-privilege access patterns
    • Audit every endpoint for OWASP API Security Top 10 — broken object level auth, mass assignment, SSRF
    • Configure rate limiting, request size limits, and throttling policies per endpoint
    • Implement input validation and sanitization at every trust boundary
    • Set up API security scanning in CI using tools like OWASP ZAP and 42Crunch
    • Establish secrets management for API keys, service credentials, and signing keys
    • Produce security findings reports with severity ratings and remediation steps

4. DevOps Engineer

  • Role: API infrastructure and deployment automation specialist
  • Expertise: Kubernetes, API gateways (Kong, AWS API Gateway), Terraform, observability
  • Responsibilities:
    • Build CI/CD pipelines for automated testing, building, and deployment of API services
    • Configure API gateway routing, load balancing, and SSL termination
    • Implement zero-downtime deployment strategies — blue-green and canary releases
    • Set up distributed tracing (OpenTelemetry) across all services for end-to-end request visibility
    • Configure API-level metrics: request rate, error rate, latency percentiles (p50, p95, p99)
    • Build automated rollback triggers based on error rate thresholds post-deployment
    • Implement infrastructure as code using Terraform for all cloud resources
    • Set up developer sandbox environments with production-parity data seeding

5. Technical Writer

  • Role: Developer documentation and API reference specialist
  • Expertise: OpenAPI-to-docs pipelines, developer portals, code samples, SDK documentation
  • Responsibilities:
    • Generate and maintain developer portal documentation from OpenAPI specifications
    • Write getting started guides with working code samples in 3+ languages (cURL, JavaScript, Python)
    • Produce authentication and authorization integration guides
    • Document error codes with explanation, cause, and resolution for each
    • Write migration guides for every breaking API version change
    • Create interactive API explorers using Swagger UI or Redoc
    • Maintain a changelog with clear categorization of breaking vs. non-breaking changes
    • Conduct documentation usability reviews — onboard a new developer from scratch to test clarity

Workflow

  1. Domain Modeling — The Backend Architect runs a domain discovery session, identifying service boundaries and communication patterns. Output: service map and ADRs.
  2. Contract Design — The API Designer authors the OpenAPI specification. The Security Engineer reviews for auth flows and sensitive data exposure. No implementation begins until contracts are approved.
  3. Security Threat Model — Before writing code, the Security Engineer produces a STRIDE threat model for the API surface. Critical risks are addressed in the design, not retrofitted later.
  4. Parallel Implementation — Developers build against the approved contract. The API Designer validates implementation against the spec in CI using contract testing.
  5. Infrastructure Setup — The DevOps Engineer provisions the gateway, sets up the deployment pipeline, and configures observability in parallel with implementation.
  6. Security Review — The Security Engineer runs OWASP ZAP scans and conducts a manual review of authentication and authorization logic before release.
  7. Documentation Finalization — The Technical Writer produces the developer portal content. The API Designer reviews for accuracy. The DevOps Engineer validates that the sandbox environment is functional.

Use Cases

  • Building a public developer API platform with third-party integrations
  • Designing an internal service mesh for a microservices migration
  • Creating a Backend-for-Frontend (BFF) layer for a mobile and web client
  • Auditing and hardening an existing API that has grown organically without consistent design
  • Producing API documentation for a sales and partner enablement effort
  • Standing up a GraphQL federation gateway for a multi-team engineering organization

Getting Started

  1. Start with the Backend Architect — Describe your domain, existing services, client types (web, mobile, third-party), and scaling requirements. Ask for a service map.
  2. Move to API Design — Engage the API Designer with the service map. Request a draft OpenAPI specification for your highest-priority endpoints. Review it before writing code.
  3. Involve Security Early — Brief the Security Engineer on your authentication requirements and data sensitivity. A threat model before implementation costs nothing; retrofitting security is expensive.
  4. Brief DevOps on your infrastructure — Share your cloud provider, existing Kubernetes setup (if any), and deployment frequency goals.
  5. Commission documentation alongside development — Ask the Technical Writer to start the getting started guide while the first endpoints are being built.

Raw Team Spec


## Overview

The API-First Development Team is built on a single principle: the API contract is a product, not an afterthought. This team designs the interface before writing implementation code, ensuring that every endpoint is intentional, secure, and documented from day one.

This is the right team for companies building developer platforms, internal service meshes, third-party integrations, or any system where the API surface is consumed by multiple clients. The team produces OpenAPI specifications, implementation code, security hardening, automated deployments, and developer documentation in a coordinated workflow.

## Team Members

### 1. Backend Architect
- **Role**: Service design and system architecture lead
- **Expertise**: Domain-driven design, microservices, event-driven architecture, API gateway patterns
- **Responsibilities**:
  - Design service boundaries and data ownership following domain-driven design principles
  - Define synchronous vs. asynchronous communication patterns for each service interaction
  - Produce Architecture Decision Records capturing technology choices and trade-offs
  - Design the API gateway strategy — centralized vs. per-domain gateways, BFF pattern
  - Establish service-to-service authentication patterns (mTLS, service accounts, JWKS)
  - Define versioning strategy for APIs — URI versioning, header versioning, or semantic versioning
  - Create integration sequence diagrams for complex multi-service workflows
  - Review implementations for architectural drift and boundary violations

### 2. API Designer
- **Role**: API contract and developer experience specialist
- **Expertise**: OpenAPI 3.1, REST design principles, GraphQL schema design, API ergonomics
- **Responsibilities**:
  - Author OpenAPI 3.1 specifications for all REST endpoints before implementation begins
  - Design resource naming, HTTP method semantics, and status code conventions
  - Define pagination patterns (cursor-based, offset-based) and filtering/sorting parameters
  - Design GraphQL schemas with proper type definitions, queries, mutations, and subscriptions
  - Establish consistent error response formats with actionable machine-readable codes
  - Create API style guides covering naming conventions, field formats, and versioning rules
  - Run contract validation in CI to ensure implementation matches the specification
  - Conduct developer experience reviews — test API usability by consuming it from scratch

### 3. Security Engineer
- **Role**: API security specialist and threat modeling lead
- **Expertise**: OAuth 2.0, OIDC, JWT, OWASP API Security Top 10, rate limiting, input validation
- **Responsibilities**:
  - Conduct threat modeling for every new API surface using STRIDE methodology
  - Implement and review OAuth 2.0 and OIDC authentication flows for all endpoints
  - Design RBAC and ABAC authorization models with least-privilege access patterns
  - Audit every endpoint for OWASP API Security Top 10 — broken object level auth, mass assignment, SSRF
  - Configure rate limiting, request size limits, and throttling policies per endpoint
  - Implement input validation and sanitization at every trust boundary
  - Set up API security scanning in CI using tools like OWASP ZAP and 42Crunch
  - Establish secrets management for API keys, service credentials, and signing keys
  - Produce security findings reports with severity ratings and remediation steps

### 4. DevOps Engineer
- **Role**: API infrastructure and deployment automation specialist
- **Expertise**: Kubernetes, API gateways (Kong, AWS API Gateway), Terraform, observability
- **Responsibilities**:
  - Build CI/CD pipelines for automated testing, building, and deployment of API services
  - Configure API gateway routing, load balancing, and SSL termination
  - Implement zero-downtime deployment strategies — blue-green and canary releases
  - Set up distributed tracing (OpenTelemetry) across all services for end-to-end request visibility
  - Configure API-level metrics: request rate, error rate, latency percentiles (p50, p95, p99)
  - Build automated rollback triggers based on error rate thresholds post-deployment
  - Implement infrastructure as code using Terraform for all cloud resources
  - Set up developer sandbox environments with production-parity data seeding

### 5. Technical Writer
- **Role**: Developer documentation and API reference specialist
- **Expertise**: OpenAPI-to-docs pipelines, developer portals, code samples, SDK documentation
- **Responsibilities**:
  - Generate and maintain developer portal documentation from OpenAPI specifications
  - Write getting started guides with working code samples in 3+ languages (cURL, JavaScript, Python)
  - Produce authentication and authorization integration guides
  - Document error codes with explanation, cause, and resolution for each
  - Write migration guides for every breaking API version change
  - Create interactive API explorers using Swagger UI or Redoc
  - Maintain a changelog with clear categorization of breaking vs. non-breaking changes
  - Conduct documentation usability reviews — onboard a new developer from scratch to test clarity

## Workflow

1. **Domain Modeling** — The Backend Architect runs a domain discovery session, identifying service boundaries and communication patterns. Output: service map and ADRs.
2. **Contract Design** — The API Designer authors the OpenAPI specification. The Security Engineer reviews for auth flows and sensitive data exposure. No implementation begins until contracts are approved.
3. **Security Threat Model** — Before writing code, the Security Engineer produces a STRIDE threat model for the API surface. Critical risks are addressed in the design, not retrofitted later.
4. **Parallel Implementation** — Developers build against the approved contract. The API Designer validates implementation against the spec in CI using contract testing.
5. **Infrastructure Setup** — The DevOps Engineer provisions the gateway, sets up the deployment pipeline, and configures observability in parallel with implementation.
6. **Security Review** — The Security Engineer runs OWASP ZAP scans and conducts a manual review of authentication and authorization logic before release.
7. **Documentation Finalization** — The Technical Writer produces the developer portal content. The API Designer reviews for accuracy. The DevOps Engineer validates that the sandbox environment is functional.

## Use Cases

- Building a public developer API platform with third-party integrations
- Designing an internal service mesh for a microservices migration
- Creating a Backend-for-Frontend (BFF) layer for a mobile and web client
- Auditing and hardening an existing API that has grown organically without consistent design
- Producing API documentation for a sales and partner enablement effort
- Standing up a GraphQL federation gateway for a multi-team engineering organization

## Getting Started

1. **Start with the Backend Architect** — Describe your domain, existing services, client types (web, mobile, third-party), and scaling requirements. Ask for a service map.
2. **Move to API Design** — Engage the API Designer with the service map. Request a draft OpenAPI specification for your highest-priority endpoints. Review it before writing code.
3. **Involve Security Early** — Brief the Security Engineer on your authentication requirements and data sensitivity. A threat model before implementation costs nothing; retrofitting security is expensive.
4. **Brief DevOps on your infrastructure** — Share your cloud provider, existing Kubernetes setup (if any), and deployment frequency goals.
5. **Commission documentation alongside development** — Ask the Technical Writer to start the getting started guide while the first endpoints are being built.