How to Scaffold Django REST Framework APIs Using AI Prompt Architect

Django REST Framework (DRF) is powerful but has a steep learning curve. Serializers, ViewSets, Routers, Permissions, and Filters all need to work together consistently. Without a Master Prompt, AI assistants often mix function-based views with class-based views, use inconsistent serializer patterns, and forget permission classes.

The DRF Consistency Problem

# ❌ Without Master Prompt — inconsistent patterns
# View 1: Function-based
@api_view(['GET'])
def user_list(request):
    users = User.objects.all()
    return Response(UserSerializer(users, many=True).data)

# View 2: Class-based, different response format
class ProjectViewSet(viewsets.ModelViewSet):
    queryset = Project.objects.all()
    serializer_class = ProjectSerializer
    # No permissions, no filtering, no pagination

Step 1: Define Your DRF Architecture

framework: Django 5.x + DRF 3.15
language: Python 3.12+

conventions:
  - ModelViewSet for all CRUD resources
  - Separate serializers: List, Detail, Create, Update
  - IsAuthenticated default, custom permissions per-action
  - django-filter for all list endpoints
  - PageNumberPagination (page_size=20)
  - Factory Boy + pytest for testing

project_structure:
  apps/
    users/
      models.py
      serializers.py
      views.py
      permissions.py
      filters.py
      tests/
    projects/
      ...

Step 2: Generated ViewSet Pattern

# apps/projects/views.py — Generated pattern
from rest_framework import viewsets, permissions, status
from rest_framework.decorators import action
from rest_framework.response import Response
from django_filters.rest_framework import DjangoFilterBackend

from .models import Project
from .serializers import ProjectListSerializer, ProjectDetailSerializer, ProjectCreateSerializer
from .permissions import IsProjectOwnerOrReadOnly
from .filters import ProjectFilter

class ProjectViewSet(viewsets.ModelViewSet):
    permission_classes = [permissions.IsAuthenticated, IsProjectOwnerOrReadOnly]
    filter_backends = [DjangoFilterBackend]
    filterset_class = ProjectFilter

    def get_queryset(self):
        return Project.objects.filter(
            organisation__members=self.request.user
        ).select_related('owner').prefetch_related('tags')

    def get_serializer_class(self):
        if self.action == 'list':
            return ProjectListSerializer
        if self.action in ('create', 'update', 'partial_update'):
            return ProjectCreateSerializer
        return ProjectDetailSerializer

    def perform_create(self, serializer):
        serializer.save(owner=self.request.user)

Key Takeaways

1. ViewSets everywhere — consistency trumps flexibility for CRUD resources
2. Action-specific serializers — list views return minimal data, detail views return full data
3. Permissions per-action — use get_permissions() for fine-grained access control
4. Always filter and paginate — never return unbounded querysets
5. Factory Boy for tests — deterministic test data with minimal boilerplate

When exposing your DRF API to AI-powered clients, it is critical to implement defences against prompt injection. Read our in-depth guide: Prompt Injection Defence: Security Best Practices for Production LLM Apps.