Backend Developer Checklist

Database & Schema

Migration created, not dashboard-only change
Table has UUID primary key
Table has created_at and updated_at timestamps
Table has created_by where ownership matters
Table has workspace_id / organization_id for multi-tenant apps
Table has deleted_at for soft delete if needed
Foreign keys defined with correct on delete behavior
Constraints added: not null, unique, check
Indexes added for workspace_id, created_by, status, created_at, and FK columns
Schema reviewed and naming follows snake_case plural convention

RLS

RLS enabled on table
SELECT policy added
INSERT policy added
UPDATE policy added
DELETE policy added or intentionally blocked
No policy uses using (true) without intent
No policy uses with check (true) without intent
auth.uid() used for ownership checks
Workspace membership table used for team/workspace checks
Policies tested as owner, admin, manager, member, viewer, non-member, anonymous

API / Function / Edge Function

API type chosen correctly: direct query, RPC, or Edge Function
Auth validation implemented
Role/permission check implemented
Input payload validation implemented for all fields
Validation exists at frontend hint, API check, and database constraint layers
Error responses are structured and consistent
No service_role key used in frontend-facing code
Logs added for important actions
Audit logs added for sensitive actions if required

For Edge Functions

CORS handling added
Method validation added and OPTIONS handled
JWT / auth header validated
Payload parsed and validated
Permission checked
Structured error response returned
Structured logs added
Webhook signature verified if webhook
Idempotency handled if webhook

Documentation

API name and purpose documented
Auth requirement documented
Required role documented
Request payload documented with all fields, types, and rules
Success response documented with example
Error responses documented: 401, 403, 422, 409, 500, etc.
RLS policies involved documented
Frontend implementation notes provided
Frontend sample code provided
Test cases listed

Testing

Authenticated success tested
Anonymous request tested
Expired token tested
Wrong role tested
Wrong workspace tested
Missing required field tested
Invalid field type tested
Duplicate record tested if unique constraint exists
RLS denial tested
External service failure tested if applicable
Staging verified before marking done

Database & Schema

RLS

API / Function / Edge Function

For Edge Functions

Documentation

Testing

Storage — If Files Are Involved