Xano — New API Endpoint Checklist | Development Standards

#	Section
1	Before You Build
2	Endpoint Naming
3	Step 1 — Auth Token Validation
4	Step 2 — Permission Check
5	Step 3 — Input Validation
6	Step 4 — Business Logic
7	Step 5 — Response Format
8	Reusable Functions
9	Documentation Requirements
10	Testing Requirements
11	Xano Endpoint Checklist — Before Marking Done

Before You Build

What does this endpoint do? (one clear sentence)
What HTTP method is correct? (GET / POST / PATCH / DELETE)
Who can call this? (authenticated users / specific role / public)
What inputs does it take?
What does it return on success?
What are the failure cases?
Does similar logic already exist in another endpoint? (extract to function if yes)
Does a Xano Function already exist for auth check, permission check, or shared logic?

Auth, Permission, and Validation

Auth token validated using Xano's built-in Auth Token middleware or precondition
If token is missing or invalid, return 401 AUTH_REQUIRED immediately
User record retrieved from the validated token — not from the request body
User's role read from the database (for example, workspace_members)
Role is not read from request body, query params, or token claims
Workspace membership verified before continuing
Every required field validated as not null and not empty
Format, enum, numeric, and date rules validated before business logic
Field-level validation errors returned with exact field names

Business Logic and Response Format

All database queries scoped to the authenticated user's workspace
Uniqueness checks performed before insert
Shared or repeated logic extracted to a Xano Function
No sensitive data returned in the response
All success responses include data and message
All error responses include status, code, and message
HTTP status codes are correct (not 200 for every response)

Code	Meaning	HTTP Status
`AUTH_REQUIRED`	Not authenticated	401
`FORBIDDEN`	No permission	403
`NOT_FOUND`	Resource does not exist	404
`DUPLICATE`	Already exists	409
`VALIDATION_ERROR`	Invalid or missing input	400
`BUSINESS_RULE_VIOLATION`	Logic rule failed	422
`SERVER_ERROR`	Unexpected error	500

Documentation and Testing Requirements

Endpoint name, method, URL, auth requirement, and inputs documented
Success response and all error cases documented with examples
Frontend call example provided
Tested for success, validation error, unauthenticated, forbidden, duplicate, and not-found cases
Tested using Xano's built-in test runner
All response fields verified before marking done

Xano — New API Endpoint Checklist

Contents

Before You Build

Auth, Permission, and Validation

Business Logic and Response Format

Documentation and Testing Requirements