Inconsistent response envelopes — some routes returning { data: ... }, others returning raw objects, others using { success: true, result: ... } — force every API consumer to write bespoke error-handling logic per endpoint. This violates ISO-25010:2011 compatibility.interoperability and means a new integration can silently swallow errors that use the wrong shape. In practice, it produces bugs where a frontend assumes data is present but the route returned the payload at root level.
Medium because envelope inconsistency causes integration bugs and broken error handling but does not directly enable data exfiltration or service disruption.
Define a shared response helper at src/lib/api-response.ts and replace all direct Response.json() calls with it:
// src/lib/api-response.ts
export const apiSuccess = <T>(data: T, status = 200) =>
Response.json({ data }, { status })
export const apiError = (code: string, message: string, status: number) =>
Response.json({ error: { code, message } }, { status })
Success responses always carry { data: <payload> }; error responses always carry { error: { code, message } }. Import and use these in every route handler. This gives clients a single shape to handle and gives you a single place to add observability later.
saas-api-design.api-consistency.consistent-response-formatmedium{ data: ..., error: null } vs { success: true, result: ... } vs raw data with no wrapper. Also check error responses — do they consistently return { error: "message" } or { message: "..." } or raw strings or HTTP status codes only? Inconsistency means API consumers have to handle multiple shapes.{ data: ... }, others return raw objects, others return { success: ..., result: ... }. Error handling returns different shapes across routes.src/lib/api-response.ts and apply it everywhere. A simple, widely-used pattern is: success responses return { data: <payload> } and error responses return { error: { code: "ERROR_CODE", message: "Human-readable message" } }. Create a helper function (e.g., apiSuccess(data) and apiError(code, message, status)) and replace all direct Response.json() calls with it. This makes client-side handling consistent and simplifies error logging.