backend-developer

---
name: backend-developer
description: Comprehensive backend development for building production-ready server-side applications with multiple frameworks, databases, and deployment strategies. Use when building APIs, services, databases, or server infrastructure.
---

# Backend Developer Skill

## Purpose

Provides comprehensive expertise in server-side application development across multiple frameworks, languages, and deployment strategies. Specializes in building scalable APIs, database design, authentication systems, and production-ready backend infrastructure.

## When to Use

- Building REST or GraphQL APIs
- Designing database schemas and models
- Implementing authentication and authorization
- Setting up server infrastructure
- Creating microservices or monolithic backends
- Optimizing backend performance
- Deploying server applications to production
- Need multi-framework backend guidance (Express, FastAPI, Django, Spring)

## Quick Start

**Invoke this skill when:**
- Building server-side APIs (REST, GraphQL) in Node.js, Python, Java, or Go
- Implementing authentication/authorization (JWT, OAuth2, session-based)
- Designing database schemas and ORM integration
- Setting up backend testing (unit, integration, E2E)
- Implementing middleware (logging, validation, error handling)
- Deploying backend services to Kubernetes, AWS, GCP, or Azure
- Optimizing backend performance (caching, query optimization, rate limiting)

**Do NOT invoke when:**
- Only frontend development needed → Use frontend-developer or nextjs-developer
- Database-specific optimization required → Use database-optimizer or postgres-pro
- API design without implementation → Use api-designer
- GraphQL-specific architecture → Use graphql-architect
- DevOps/infrastructure only → Use devops-engineer or cloud-architect

## Framework Support

### Node.js/TypeScript
- Express.js, NestJS, Koa.js, Fastify

### Python
- FastAPI, Django, Flask, Tornado

### Java
- Spring Boot, Quarkus, Micronaut

### Go
- Gin, Echo, Fiber

## Decision Framework

### Backend Framework Selection

```
Backend Framework Selection
├─ JavaScript/TypeScript
│   ├─ Need rapid development + type safety → NestJS
│   ├─ Need lightweight/fast performance → Fastify
│   └─ Need simplicity + ecosystem → Express.js
│
├─ Python
│   ├─ Need async + high performance → FastAPI
│   └─ Need batteries-included → Django (+ DRF)
│
├─ Java
│   └─ Enterprise-ready → Spring Boot
│
└─ Go
    └─ High-performance services → Gin or Fiber
```

### Authentication Strategy Matrix

| Scenario | Strategy | Complexity | Security |
|----------|----------|------------|----------|
| Stateless API (mobile, SPA) | JWT | Low | Medium |
| Third-party login | OAuth 2.0 | Medium | High |
| Traditional web app | Session-based | Low | High |
| Microservices | JWT + API Gateway | High | High |
| Enterprise SSO | SAML 2.0 | High | Very High |

### Database & ORM Selection

```
Database & ORM Decision
├─ Relational (SQL)
│   ├─ Node.js/TypeScript
│   │   ├─ Need type safety + migrations → Prisma
│   │   └─ Need flexibility → TypeORM or Sequelize
│   ├─ Python
│   │   ├─ Async required → Tortoise ORM or SQLModel
│   │   └─ Sync / Django → Django ORM or SQLAlchemy
│   └─ Java
│       └─ JPA (Hibernate) or jOOQ
│
└─ NoSQL
    ├─ Document store → MongoDB (Mongoose for Node.js)
    └─ Key-value → Redis (caching, sessions)
```

## Best Practices

1. **Always validate input** - Use provided validation middleware
2. **Handle errors gracefully** - Use generated error handlers
3. **Write tests** - Use test templates for consistency
4. **Use environment variables** - Never hardcode secrets
5. **Implement logging** - Use provided logging configuration
6. **Monitor performance** - Set up metrics and alerts
7. **Security first** - Use provided authentication setup
8. **Version your API** - Follow versioning patterns
9. **Document your code** - Generate API docs automatically
10. **Deploy safely** - Use provided deployment scripts

## Common Patterns

### Repository Pattern
- Separation of concerns
- Easy testing
- Swappable implementations

### Service Layer
- Centralized business rules
- Transaction management
- Error handling

### Middleware Stack
- Authentication
- Authorization
- Validation
- Logging
- Error handling

## Troubleshooting

### Common Issues

**Database connection errors**
- Check connection string
- Verify database is running
- Check network connectivity
- Review connection pool settings

**Authentication failures**
- Verify JWT secret
- Check token expiration
- Validate token format
- Review middleware order

**Build failures**
- Check TypeScript configuration
- Verify dependencies are installed
- Review error messages
- Check for syntax errors

**Deployment issues**
- Verify Docker image builds
- Check Kubernetes pods
- Review logs
- Verify environment variables

## Quality Checklist

### Security
- [ ] Input validation on all endpoints (Zod/Joi)
- [ ] Password hashing (bcrypt cost 10+ or Argon2)
- [ ] SQL injection prevention (parameterized queries)
- [ ] Rate limiting on auth endpoints
- [ ] Security headers (Helmet.js)
- [ ] Environment variables for secrets

### Authentication & Authorization
- [ ] Strong JWT secret (256-bit)
- [ ] Short-lived access tokens (15min)
- [ ] Refresh token rotation
- [ ] Authorization checks on protected routes

### Error Handling
- [ ] Global error handler
- [ ] Async error handling (express-async-errors)
- [ ] Clear validation error messages
- [ ] 404 handling for unknown endpoints

### Performance
- [ ] Database connection pooling
- [ ] Query optimization (no N+1)
- [ ] Caching (Redis for sessions, rate limiting)
- [ ] Response compression (gzip/brotli)

### Testing
- [ ] Unit tests for services/repositories
- [ ] Integration tests for API endpoints
- [ ] >80% coverage for critical paths
- [ ] Separate test database

## Additional Resources

- **Detailed Technical Reference**: See [REFERENCE.md](REFERENCE.md)
- **Code Examples & Patterns**: See [EXAMPLES.md](EXAMPLES.md)