Cursor For Backend APIs – Guide With Code Examples!

Developing backend APIs often means spending hours on repetitive tasks, writing boilerplate code, integrating databases, handling logging, and making sure endpoints behave consistently. These tasks slow down development and leave room for errors.

Cursor for Backend APIs solves this by automating the repetitive parts of backend development. With Cursor, you can generate fully functional Python or Node.js API scripts, connect databases, and implement logging, all in a fraction of the usual time.

In this guide, you’ll get step-by-step instructions to set up Cursor, generate your first APIs, apply advanced workflows, and use templates or runbooks. Our guide will help you streamline your backend workflow, reduce errors, and ship production-ready APIs faster.

Cursor For Backend APIs – TL;DR Quick Start

In the examples below, cursor generate / cursor run are shorthand for prompts executed inside the Cursor IDE or the Cursor Agent. These are illustrative prompts, not official pip/npm commands.

What Is Cursor and Why Does It Matter For Backend Engineers?

Cursor is a code-first AI tool designed to streamline backend API development. It reduces repetitive coding, automates boilerplate generation, and ensures consistent project structure. 

Engineers can focus on logic rather than setup, making API development faster and less error-prone.

Cursor’s Role in Backend Development

For backend engineers, repetitive tasks like creating endpoints, integrating databases, and writing logging routines consume valuable time. Cursor for Backend APIs addresses this by automating these processes with AI-generated code. 

You provide prompts describing the API functionality, and Cursor writes structured, production-ready scripts.

For example, instead of manually writing a login endpoint with JWT authentication, you can use a prompt:

Cursor creates the necessary code with proper routing, input validation, and logging, saving you hours. Example output:

# Example: login route (production-ready)
@router.post("/auth/login")
async def login(payload: LoginRequest):
    user = await UserService.authenticate(payload.email, payload.password)
    if not user:
        raise HTTPException(status_code=401, detail="Invalid credentials")
    token = jwt.create_access_token({"sub": str(user.id)})
    logger.info(f"Login attempt by {payload.email}")
    return {"access_token": token, "token_type": "bearer"}

# Example: login route (production-ready)
@router.post("/auth/login")
async def login(payload: LoginRequest):
    user = await UserService.authenticate(payload.email, payload.password)
    if not user:
        raise HTTPException(status_code=401, detail="Invalid credentials")
    token = jwt.create_access_token({"sub": str(user.id)})
    logger.info(f"Login attempt by {payload.email}")
    return {"access_token": token, "token_type": "bearer"}

Typical Backend API Challenges

Building APIs manually often comes with these challenges:

• Slow development: Writing boilerplate code for routes, controllers, and database models takes time.
• Debugging issues: Errors in code, missing validations, or inconsistent responses are common.
• Inconsistent endpoints: Naming conventions and project structures often vary between developers.
• Limited automation: Repetitive tasks like testing, logging, and documentation are time-consuming.

With Cursor, you can address these problems using prompts to generate endpoints, automated tests, and a consistent project structure. 

Cursor’s code-first templates provide a reliable starting point, while its workflow capabilities streamline repetitive API tasks. Engineers save time, reduce errors, and maintain backend engineering productivity.

Also Read: Cursor For Web Development

My Experience: Manual Coding vs. Cursor Speed & Accuracy

Benefits Of A Code-First Approach

A code-first approach prioritizes automated code generation and templates over manual UI-driven tools. The benefits for backend engineers include:

• Speed: Generate endpoints in minutes rather than hours.
• Consistency: Use the same naming conventions, logging, and database integrations across projects.
• Error reduction: Built-in validations, structured prompts, and testing scripts catch issues early.
• Scalability: Quickly expand small APIs into multi-endpoint projects using Cursor workflows.

For instance, a Python API project that would take 4–5 hours to scaffold manually can be generated in under 30 minutes with Cursor, including logging and database hooks. This allows engineers to focus on business logic rather than boilerplate code.

1. Set Up Cursor For Backend API Project

Before you can build APIs efficiently, you need a properly configured Cursor environment. This section guides you through installing Cursor, linking your repository, adding language and framework support, and verifying the setup with a sample project. 

Following these steps ensures a smooth workflow.

First Step, Install Cursor 

Cursor is available as a desktop IDE for macOS, Windows, and Linux. You can optionally install the Cursor CLI (cursor-agent) for command-line workflows.

Steps:

1. Download Cursor from cursor.com for your operating system.
2. Open your project folder in Cursor.
3. (Optional) Set up the Cursor CLI to run prompts from the terminal.

With Cursor installed, you are ready to start generating custom backend API scripts efficiently.

Link Your GitHub Or GitLab Repo

Cursor integrates with repositories to manage generated code. Linking your repo allows you to push code, maintain version control, and keep workflows organized.

Steps:

1. Open the Cursor and connect to your GitHub or GitLab account.
2. Authenticate and select the repository you want to link.

Add Language and Framework Support

Cursor supports multiple languages and backend frameworks. Configure your environment so that the generated endpoints match your stack.

Supported stacks:

• Python: Flask, FastAPI, Django
• Node.js: Express.js, NestJS
• Databases: PostgreSQL, MySQL, MongoDB

Steps in Cursor:

• Configure your project language (Python or Node.js)
• Add framework support (FastAPI, Express, etc.)
• Connect your database if needed

Verify Setup With A Sample Project

Testing your setup ensures Cursor works correctly. Create a sample project:

Use a Cursor prompt to generate a simple health check API endpoint:

Run the generated project:

Test the endpoint at http://localhost:8000/status. 

Backend Setup Performance

This small test confirms that Cursor is fully functional and ready for backend API development.

2. Create Your First Cursor Backend API 

Now that your Cursor environment is ready, it’s time to build your first backend API. This section walks you through defining the endpoint, generating code with a unique Cursor prompt, reviewing the output, and testing locally.

Define The API Purpose and Endpoint

Start by deciding the purpose of your API. For example, you might want a user authentication endpoint that verifies credentials and returns a JWT token. Defining the purpose clearly is essential for effective Cursor prompts.

Example endpoint definition:

• Route: /auth/login
• Method: POST
• Inputs: email, password
• Outputs: JWT token, user ID, status

Write down the functionality you need before generating code. This ensures Cursor produces a script tailored to your backend stack. Clear endpoint definitions also reduce debugging time and simplify integration with other services.

Cursor Prompts To Generate Code

Here’s how to generate a unique backend API script with Cursor. Using the endpoint above, we create a custom prompt inspired by Cursor directory ideas:

Cursor Prompt:

Cursor outputs a production-ready script with:

• Route definition
• Input validation
• Logging
• JWT token generation

Review Generated Code For Errors

Once Cursor generates the script, review it carefully:

• Check input validation to prevent invalid requests
• Ensure logging captures both success and error events
• Confirm JWT token generation uses secure keys
• Verify error handling returns proper HTTP responses

Mini-Checklist: Input validation correct Logging implemented JWT tokens generated securely Proper error handling

This review step prevents runtime errors and security issues. The cursor creates code quickly, but engineers must ensure best practices are followed.

Test Endpoint Locally

After verification, test your API locally:

1. Start FastAPI server:

2. Send a test request with curl or Postman:

3. Verify the response returns a valid JWT token and appropriate status.
4. Check logs for authentication attempts and error messages.

Metric Table Example

Testing ensures the endpoint is fully functional and ready for integration with your backend system.

Essential Security Practices

• Never include secrets inside prompts
• Add .env to .cursorignore
• Example environment variable loading:

Additional best practices for authentication endpoints:

• Use short-lived access tokens + refresh tokens
• Rate-limit login attempts and implement lockouts
• Avoid logging PII or secrets directly; sanitize logs

3. Advanced Backend API Workflows

Once your first endpoint is working, you can expand your backend with multi-endpoint APIs, database integration, and automated tests. Cursor helps you scale projects efficiently by generating scripts, workflows, and repeatable templates for complex backend API development.

Generate Multiple Endpoints At Once

Scaling APIs often requires several endpoints, such as CRUD operations for a user table. Instead of writing each manually, you can generate multiple endpoints using a single Cursor prompt.

Cursor Prompt Example:

Run In The Terminal:

Cursor outputs all four endpoints with proper routing, input validation, and logging. This approach saves hours and ensures consistent code structure across endpoints.

Integrate SQL or NoSQL databases

Backend APIs often need persistent storage. Cursor can help generate endpoints that integrate with databases like PostgreSQL, MySQL, or MongoDB. Below is a copy-pasteable example for a SQLAlchemy-based PostgreSQL/SQLite setup.

SQLAlchemy Model: Task

# models/task.py
from sqlalchemy import Column, Integer, String, Boolean
from database import Base

class Task(Base):
    __tablename__ = "tasks"
    id = Column(Integer, primary_key=True, index=True)
    title = Column(String, index=True)
    completed = Column(Boolean, default=False)

# models/task.py
from sqlalchemy import Column, Integer, String, Boolean
from database import Base

class Task(Base):
    __tablename__ = "tasks"
    id = Column(Integer, primary_key=True, index=True)
    title = Column(String, index=True)
    completed = Column(Boolean, default=False)

Database Session Dependency:

# database.py
from sqlalchemy import create_engine
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.orm import sessionmaker

# Replace with your PostgreSQL or MySQL URL as needed
SQLALCHEMY_DATABASE_URL = "sqlite:///./test.db"

engine = create_engine(
    SQLALCHEMY_DATABASE_URL, connect_args={"check_same_thread": False}
)
SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
Base = declarative_base()

def get_db():
    db = SessionLocal()
    try:
        yield db
    finally:
        db.close()

# database.py
from sqlalchemy import create_engine
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.orm import sessionmaker

# Replace with your PostgreSQL or MySQL URL as needed
SQLALCHEMY_DATABASE_URL = "sqlite:///./test.db"

engine = create_engine(
    SQLALCHEMY_DATABASE_URL, connect_args={"check_same_thread": False}
)
SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
Base = declarative_base()

def get_db():
    db = SessionLocal()
    try:
        yield db
    finally:
        db.close()

CRUD Endpoint Using Dependency:

# routers/tasks.py
from fastapi import APIRouter, Depends
from sqlalchemy.orm import Session
from models.task import Task
from database import get_db

router = APIRouter()

@router.post("/tasks")
def create_task(title: str, db: Session = Depends(get_db)):
    task = Task(title=title)
    db.add(task)
    db.commit()
    db.refresh(task)
    return task

@router.get("/tasks")
def list_tasks(db: Session = Depends(get_db)):
    return db.query(Task).all()

# routers/tasks.py
from fastapi import APIRouter, Depends
from sqlalchemy.orm import Session
from models.task import Task
from database import get_db

router = APIRouter()

@router.post("/tasks")
def create_task(title: str, db: Session = Depends(get_db)):
    task = Task(title=title)
    db.add(task)
    db.commit()
    db.refresh(task)
    return task

@router.get("/tasks")
def list_tasks(db: Session = Depends(get_db)):
    return db.query(Task).all()

Migration Hint with Alembic:

# Initialize Alembic migrations
alembic init alembic

# Create migration for Task table
alembic revision --autogenerate -m "create tasks table"

# Apply migration
alembic upgrade head

# Initialize Alembic migrations
alembic init alembic

# Create migration for Task table
alembic revision --autogenerate -m "create tasks table"

# Apply migration
alembic upgrade head

Schema Governance & Strict Validation

Use Pydantic models to enforce strict input validation.

Example Pydantic Model:

from pydantic import BaseModel, EmailStr, constr

class UserCreate(BaseModel):
    email: EmailStr
    password: constr(min_length=8)

    class Config:
        extra = "forbid"  # reject extra fields

from pydantic import BaseModel, EmailStr, constr

class UserCreate(BaseModel):
    email: EmailStr
    password: constr(min_length=8)

    class Config:
        extra = "forbid"  # reject extra fields

Invalid requests are rejected immediately, reducing errors and improving security.

Add Automated Unit Tests

Automated testing ensures your API behaves as expected. Cursor can generate test scripts alongside endpoints.

Cursor Prompt Example:

Example pytest file (tests/test_auth_login.py)

def test_login_success(client, test_user):
    resp = client.post("/auth/login", json={"email": test_user.email, "password": "correct"})
    assert resp.status_code == 200
    assert "access_token" in resp.json()

def test_login_invalid_credentials(client):
    resp = client.post("/auth/login", json={"email": "nope@example.com", "password": "wrong"})
    assert resp.status_code == 401

def test_login_success(client, test_user):
    resp = client.post("/auth/login", json={"email": test_user.email, "password": "correct"})
    assert resp.status_code == 200
    assert "access_token" in resp.json()

def test_login_invalid_credentials(client):
    resp = client.post("/auth/login", json={"email": "nope@example.com", "password": "wrong"})
    assert resp.status_code == 401

Benefits:

• Reduces manual QA time
• Catches bugs early
• Ensures consistent API behavior

Cursor Impact on Development Time:

Debugging and Log Management

Cursor can generate logging routines for each endpoint, capturing errors, warnings, and key events. Proper logging makes debugging easier and accelerates maintenance.

Cursor Prompt Example:

Generated Logs Allow You To:

• Track API usage and errors
• Identify failed requests quickly
• Maintain security and compliance logs

Checklist: Logs capture success/failure events Errors trigger alerts or console messages Logs are consistent across endpoints

Well-structured logging combined with Cursor automation reduces downtime, accelerates debugging, and improves backend engineering efficiency.

4. Use Templates and Runbooks For Backend APIs

Cursor becomes even more powerful when you layer your own templates, repeatable runbooks, and structured project layouts on top of its AI coding features. Let’s understand how it’s possible: 

Runbook Example – Add a New CRUD Module

A runbook is a structured set of instructions you store in Cursor to repeat common tasks like creating new endpoints or integrating auth.

Preconditions:

• Cursor installed and linked to repo
• Language/framework support added (Python/FastAPI)
• Database configured

Exact File Paths Cursor Should Generate:

/api/routers/users.py
/api/services/user_service.py
/api/schemas/user_schema.py
/tests/unit/test_users.py

/api/routers/users.py
/api/services/user_service.py
/api/schemas/user_schema.py
/tests/unit/test_users.py

Output Artifacts:

• CRUD routes for /users
• Pydantic schemas for input/output validation
• Service layer functions
• Unit tests for all CRUD operations

Cursor Prompt Example (Runbook):

Runbook: Add JWT authentication to this backend.

Steps:
1. Create /auth/login and /auth/verify routes.
2. Add Pydantic models: LoginRequest, LoginResponse.
3. Generate utility for creating + verifying JWT tokens.
4. Add tests for successful and failed verification.

Runbook: Add JWT authentication to this backend.

Steps:
1. Create /auth/login and /auth/verify routes.
2. Add Pydantic models: LoginRequest, LoginResponse.
3. Generate utility for creating + verifying JWT tokens.
4. Add tests for successful and failed verification.

Applying the Runbook in Cursor:

• Open Cursor IDE
• Navigate to your workspace or project folder
• Execute the runbook inside the agent using the stored prompt
• Cursor will generate endpoints, models, and tests according to the instructions

Create Reusable Templates

Templates are reusable project scaffolds that include routes, models, services, tests, and configuration files. They let you start a new project instantly from a clean, consistent base.

Cursor Prompt Example:

Cursor Generates:

• /routes/health.py
• /models/base.py
• /services/utils.py
• /tests/test_health.py
• config.py (logging + environment variables)

Storing Templates:

• Save the template inside your templates/ folder
• Future projects can use:

Apply Pre-Built Templates To New Projects

A runbook captures a repeatable workflow, such as setting up auth routes or integrating Stripe, and converts it into a structured, reusable prompt. Cursor’s Run feature allows you to execute these instructions in one step.

Cursor Runbook Example:

Run in Cursor:

This saves hours normally spent rewriting auth logic and ensures every API follows the same structure and security practices.

Customize Templates For Your Architecture

AI works best when files are cleanly separated. Cursor’s context window reads your directory and generates accurate code when the structure is predictable.

Recommended Folder Structure:

SELECT
  'Create backend project structure:',
  'backend/api/routers/',
  'backend/api/controllers/',
  'backend/api/schemas/',
  'backend/api/services/',
  'backend/core/config/',
  'backend/core/security/',
  'backend/core/logging/',
  'backend/tests/integration/',
  'backend/tests/unit/',
  'backend/runbooks/',
  'backend/infra/docker/',
  'backend/infra/migrations/';

SELECT
  'Create backend project structure:',
  'backend/api/routers/',
  'backend/api/controllers/',
  'backend/api/schemas/',
  'backend/api/services/',
  'backend/core/config/',
  'backend/core/security/',
  'backend/core/logging/',
  'backend/tests/integration/',
  'backend/tests/unit/',
  'backend/runbooks/',
  'backend/infra/docker/',
  'backend/infra/migrations/';

Cursor Prompt Example for Reorganization:

Cursor Will Automatically:

• Move files
• Fix import paths
• Update test references
• Clean unused modules

This turns messy codebases into cleanly structured projects ideal for ongoing AI-assisted development.

End-to-End Example: Authenticated CRUD Flow

Below is a complete, copy-pasteable example of a backend API implementing authenticated CRUD operations for a /tasks resource. It includes JWT authentication, logging, Alembic migration hints, Pydantic models, service layer abstraction, and unit tests. 

This single file can run immediately after installing dependencies like fastapi, uvicorn, sqlalchemy, pydantic, pytest, and python-jose.

# app.py
import os
from datetime import datetime, timedelta
from typing import List

from fastapi import FastAPI, HTTPException, Depends
from fastapi.security import OAuth2PasswordBearer
from jose import JWTError, jwt
from pydantic import BaseModel, EmailStr, constr
from sqlalchemy import create_engine, Column, Integer, String, Boolean
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.orm import sessionmaker, Session
import logging

# -------------------------
# CONFIGURATION
# -------------------------
JWT_SECRET = os.getenv("JWT_SECRET", "supersecretkey")
ACCESS_TOKEN_EXPIRE_MINUTES = 30
DATABASE_URL = "sqlite:///./test.db"  # Replace with PostgreSQL/MySQL URL if needed

logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)

# -------------------------
# DATABASE SETUP
# -------------------------
engine = create_engine(DATABASE_URL, connect_args={"check_same_thread": False})
SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
Base = declarative_base()


def get_db():
    db = SessionLocal()
    try:
        yield db
    finally:
        db.close()


# -------------------------
# DATABASE MODELS
# -------------------------
class Task(Base):
    __tablename__ = "tasks"
    id = Column(Integer, primary_key=True, index=True)
    title = Column(String, index=True)
    completed = Column(Boolean, default=False)


# -------------------------
# ALEMBIC MIGRATION HINT
# -------------------------
# 1. Initialize Alembic: alembic init alembic
# 2. Generate migration for Task table: alembic revision --autogenerate -m "create tasks table"
# 3. Apply migration: alembic upgrade head


# -------------------------
# Pydantic Schemas
# -------------------------
class TaskCreate(BaseModel):
    title: str
    completed: bool = False

    class Config:
        extra = "forbid"


class TaskOut(TaskCreate):
    id: int

    class Config:
        orm_mode = True


class User(BaseModel):
    email: EmailStr
    password: constr(min_length=8)


class Token(BaseModel):
    access_token: str
    token_type: str


# -------------------------
# JWT UTILS
# -------------------------
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")


def create_access_token(data: dict, expires_delta: int = ACCESS_TOKEN_EXPIRE_MINUTES):
    to_encode = data.copy()
    expire = datetime.utcnow() + timedelta(minutes=expires_delta)
    to_encode.update({"exp": expire})
    return jwt.encode(to_encode, JWT_SECRET, algorithm="HS256")


def verify_token(token: str = Depends(oauth2_scheme)):
    try:
        payload = jwt.decode(token, JWT_SECRET, algorithms=["HS256"])
        user_id: str = payload.get("sub")
        if user_id is None:
            raise HTTPException(status_code=401, detail="Invalid token")
        return user_id
    except JWTError:
        raise HTTPException(status_code=401, detail="Invalid token")


# -------------------------
# SERVICE LAYER
# -------------------------
class TaskService:
    @staticmethod
    def create_task(db: Session, task_data: TaskCreate) -> Task:
        task = Task(**task_data.dict())
        db.add(task)
        db.commit()
        db.refresh(task)
        logger.info(f"Task created: {task.title}")
        return task

    @staticmethod
    def list_tasks(db: Session) -> List[Task]:
        tasks = db.query(Task).all()
        logger.info(f"Fetched {len(tasks)} tasks")
        return tasks


# -------------------------
# FASTAPI APP
# -------------------------
app = FastAPI(title="End-to-End Authenticated CRUD Example")

# Create tables
Base.metadata.create_all(bind=engine)


@app.post("/auth/login", response_model=Token)
def login(user: User):
    # Dummy authentication for example purposes
    if user.email != "test@example.com" or user.password != "pass123":
        logger.warning(f"Failed login attempt for {user.email}")
        raise HTTPException(status_code=401, detail="Invalid credentials")
    access_token = create_access_token({"sub": user.email})
    logger.info(f"Successful login for {user.email}")
    return {"access_token": access_token, "token_type": "bearer"}


@app.post("/tasks", response_model=TaskOut)
def create_task(task: TaskCreate, db: Session = Depends(get_db), user: str = Depends(verify_token)):
    return TaskService.create_task(db, task)


@app.get("/tasks", response_model=List[TaskOut])
def get_tasks(db: Session = Depends(get_db), user: str = Depends(verify_token)):
    return TaskService.list_tasks(db)


# -------------------------
# PYTEST UNIT TESTS
# -------------------------
if __name__ == "__main__":
    import pytest
    from fastapi.testclient import TestClient

    client = TestClient(app)

    # Fixture: test login
    def test_login_success():
        resp = client.post("/auth/login", json={"email": "test@example.com", "password": "pass123"})
        assert resp.status_code == 200
        assert "access_token" in resp.json()

    def test_login_failure():
        resp = client.post("/auth/login", json={"email": "wrong@example.com", "password": "wrong"})
        assert resp.status_code == 401

    def test_create_task():
        token_resp = client.post("/auth/login", json={"email": "test@example.com", "password": "pass123"})
        token = token_resp.json()["access_token"]
        resp = client.post("/tasks", json={"title": "Test Task"}, headers={"Authorization": f"Bearer {token}"})
        assert resp.status_code == 200
        assert resp.json()["title"] == "Test Task"

    def test_get_tasks():
        token_resp = client.post("/auth/login", json={"email": "test@example.com", "password": "pass123"})
        token = token_resp.json()["access_token"]
        resp = client.get("/tasks", headers={"Authorization": f"Bearer {token}"})
        assert resp.status_code == 200
        assert isinstance(resp.json(), list)

    pytest.main([__file__])

# app.py
import os
from datetime import datetime, timedelta
from typing import List

from fastapi import FastAPI, HTTPException, Depends
from fastapi.security import OAuth2PasswordBearer
from jose import JWTError, jwt
from pydantic import BaseModel, EmailStr, constr
from sqlalchemy import create_engine, Column, Integer, String, Boolean
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.orm import sessionmaker, Session
import logging

# -------------------------
# CONFIGURATION
# -------------------------
JWT_SECRET = os.getenv("JWT_SECRET", "supersecretkey")
ACCESS_TOKEN_EXPIRE_MINUTES = 30
DATABASE_URL = "sqlite:///./test.db"  # Replace with PostgreSQL/MySQL URL if needed

logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)

# -------------------------
# DATABASE SETUP
# -------------------------
engine = create_engine(DATABASE_URL, connect_args={"check_same_thread": False})
SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
Base = declarative_base()


def get_db():
    db = SessionLocal()
    try:
        yield db
    finally:
        db.close()


# -------------------------
# DATABASE MODELS
# -------------------------
class Task(Base):
    __tablename__ = "tasks"
    id = Column(Integer, primary_key=True, index=True)
    title = Column(String, index=True)
    completed = Column(Boolean, default=False)


# -------------------------
# ALEMBIC MIGRATION HINT
# -------------------------
# 1. Initialize Alembic: alembic init alembic
# 2. Generate migration for Task table: alembic revision --autogenerate -m "create tasks table"
# 3. Apply migration: alembic upgrade head


# -------------------------
# Pydantic Schemas
# -------------------------
class TaskCreate(BaseModel):
    title: str
    completed: bool = False

    class Config:
        extra = "forbid"


class TaskOut(TaskCreate):
    id: int

    class Config:
        orm_mode = True


class User(BaseModel):
    email: EmailStr
    password: constr(min_length=8)


class Token(BaseModel):
    access_token: str
    token_type: str


# -------------------------
# JWT UTILS
# -------------------------
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")


def create_access_token(data: dict, expires_delta: int = ACCESS_TOKEN_EXPIRE_MINUTES):
    to_encode = data.copy()
    expire = datetime.utcnow() + timedelta(minutes=expires_delta)
    to_encode.update({"exp": expire})
    return jwt.encode(to_encode, JWT_SECRET, algorithm="HS256")


def verify_token(token: str = Depends(oauth2_scheme)):
    try:
        payload = jwt.decode(token, JWT_SECRET, algorithms=["HS256"])
        user_id: str = payload.get("sub")
        if user_id is None:
            raise HTTPException(status_code=401, detail="Invalid token")
        return user_id
    except JWTError:
        raise HTTPException(status_code=401, detail="Invalid token")


# -------------------------
# SERVICE LAYER
# -------------------------
class TaskService:
    @staticmethod
    def create_task(db: Session, task_data: TaskCreate) -> Task:
        task = Task(**task_data.dict())
        db.add(task)
        db.commit()
        db.refresh(task)
        logger.info(f"Task created: {task.title}")
        return task

    @staticmethod
    def list_tasks(db: Session) -> List[Task]:
        tasks = db.query(Task).all()
        logger.info(f"Fetched {len(tasks)} tasks")
        return tasks


# -------------------------
# FASTAPI APP
# -------------------------
app = FastAPI(title="End-to-End Authenticated CRUD Example")

# Create tables
Base.metadata.create_all(bind=engine)


@app.post("/auth/login", response_model=Token)
def login(user: User):
    # Dummy authentication for example purposes
    if user.email != "test@example.com" or user.password != "pass123":
        logger.warning(f"Failed login attempt for {user.email}")
        raise HTTPException(status_code=401, detail="Invalid credentials")
    access_token = create_access_token({"sub": user.email})
    logger.info(f"Successful login for {user.email}")
    return {"access_token": access_token, "token_type": "bearer"}


@app.post("/tasks", response_model=TaskOut)
def create_task(task: TaskCreate, db: Session = Depends(get_db), user: str = Depends(verify_token)):
    return TaskService.create_task(db, task)


@app.get("/tasks", response_model=List[TaskOut])
def get_tasks(db: Session = Depends(get_db), user: str = Depends(verify_token)):
    return TaskService.list_tasks(db)


# -------------------------
# PYTEST UNIT TESTS
# -------------------------
if __name__ == "__main__":
    import pytest
    from fastapi.testclient import TestClient

    client = TestClient(app)

    # Fixture: test login
    def test_login_success():
        resp = client.post("/auth/login", json={"email": "test@example.com", "password": "pass123"})
        assert resp.status_code == 200
        assert "access_token" in resp.json()

    def test_login_failure():
        resp = client.post("/auth/login", json={"email": "wrong@example.com", "password": "wrong"})
        assert resp.status_code == 401

    def test_create_task():
        token_resp = client.post("/auth/login", json={"email": "test@example.com", "password": "pass123"})
        token = token_resp.json()["access_token"]
        resp = client.post("/tasks", json={"title": "Test Task"}, headers={"Authorization": f"Bearer {token}"})
        assert resp.status_code == 200
        assert resp.json()["title"] == "Test Task"

    def test_get_tasks():
        token_resp = client.post("/auth/login", json={"email": "test@example.com", "password": "pass123"})
        token = token_resp.json()["access_token"]
        resp = client.get("/tasks", headers={"Authorization": f"Bearer {token}"})
        assert resp.status_code == 200
        assert isinstance(resp.json(), list)

    pytest.main([__file__])

Organize The Project Structure 

When you find a prompt that works well, like generating CRUD, logs, auth, or database models, save it as a template. Cursor allows you to store it in a templates/ folder or in your Workspace Notes.

Cursor Prompt Example:

Now, whenever you need CRUD for a new entity (e.g., orders, payments, tasks), simply reuse your template with:

This keeps your backend consistent and drastically reduces repetitive coding.

Common Pitfalls and Best Practices

Even with powerful AI tools like Cursor, backend API development can go wrong if prompts are vague, files are disorganized, or generated code goes straight to production without review. 

These best practices help you avoid common mistakes and keep your APIs reliable, predictable, and maintainable.

1. Keeping Prompts Specific

One of the biggest pitfalls is using short, incomplete prompts. Cursor performs best when your instructions include the framework, file paths, data models, and expected behaviors. Vague prompts often produce code that needs heavy revisions.

What NOT To Do:

Add login.

Cursor Prompt:

This prompt gives Cursor the full context it needs to generate secure, predictable code.
Always include:

• File paths
• Models
• Behavior
• Tests
• Logging expectations

2. Testing Code Before Production

AI-generated code is fast, but it still needs validation. A common mistake is deploying code directly after the Cursor generates it. Instead, run tests locally, review logs, and check for edge-case failures.

Cursor Prompt For Auto-testing:

Local Test Run Example:

pytest -q

Look for failures related to:

• Missing imports
• Incorrect return types
• Validation errors
• Unexpected 500s

By reviewing tests before merging, you avoid runtime failures and keep your API stable during releases.

3. Version Controlling Generated Scripts

Another pitfall is letting Cursor-generated code overwrite existing files without tracking differences. Always treat AI-generated code the same way you treat manual code: track it, diff it, and review it.

Cursor Prompt For Safe Updates:

Use Git To Inspect Changes:

This prevents accidental regressions and ensures every AI-driven update remains auditable. It also helps teams understand changes during PR reviews instead of merging code blindly.

4. Maintaining Consistent Naming and Folder Structure

Inconsistent naming confuses both developers and AI tools. If your routes, models, or services follow different conventions, Cursor may misinterpret relationships or create duplicate logic.

Recommended Patterns:

• Routes: user_routes.py, order_routes.py
• Models: user.py, order.py
• Services: user_service.py, order_service.py

Cursor Prompt To Enforce Structure:

Keeping naming predictable improves prompt accuracy and ensures Cursor reads your codebase the way a developer would.

5. Documenting API Endpoints

Backend APIs break when documentation lags behind code changes. Developers push updates, but the docs stay outdated. Cursor can automate documentation so teams know how endpoints behave.

Cursor Documentation Prompt:

Use this for README.md or internal wikis.

With consistent documentation, onboarding becomes easier and cross-team communication improves, especially when multiple engineers contribute to the same backend.

Conclusion

Backend API development is faster and more predictable with Cursor. It automates repetitive coding tasks, generates structured templates, and keeps your project architecture consistent.

A code-first workflow means you ship reliable endpoints while keeping tests, logs, and documentation in sync. Cursor accelerates setup, endpoint generation, multi-route workflows, database integration, and automated tests. Unique prompts reduce errors and cut revision time.

With proper version control, organized folders, thorough testing, and clear prompts, you can maintain stable APIs as your app grows. Apply these practices, and you’ll have a repeatable, scalable backend process that saves time and keeps your team efficient.

BONUS: Final Checklist For Cursor Backend API Projects

Backend API Runbooks Pack (Download)!

Frequently Asked Questions (FAQs)