Overall - I really like the guidelines you've created here - it would be great to create this as a website and continually refine these guidelines and provide more motivations/reasons supporting the different guidelines.

1. I think the kebab vs Pascal vs camelCase vs snake_case rules are good to setup before starting a project. The specifics of which format to use where depend more on who the client vs developers are. E.g. if you are targeting the API to be used by front-end developers for a SPA - be javascript friendly which you are here. There used to be an SEO reason to use kebab vs snake_case but that's no longer the case. Also - snake case is slightly more readable http://www.cs.kent.edu/~jmaletic/papers/ICPC2010-CamelCaseUnderScoreClouds.pdf - so really it comes down to what the project decides is best to use and being CONSISTENT.

2. For #9 kebab case doesn't obfuscate table names - should remove this guideline

3. For #19 Can't use https/SSL/cookies/authorization headers and Access-Control-Allow-Origin: *



4. For #15 - the reason you don't want to pass tokens in the URL vs the header is that the URL is typically logged and the token would be visible in the logs whereas the header isn't typically logged and is easier to filter if you are logging request headers.

Biomedical Data Science/Text Mining