{"id":111233,"date":"2026-07-13T12:00:00","date_gmt":"2026-07-13T12:00:00","guid":{"rendered":"https:\/\/www.red-gate.com\/simple-talk\/?p=111233"},"modified":"2026-06-15T09:22:33","modified_gmt":"2026-06-15T09:22:33","slug":"i-let-ai-build-my-api-heres-what-happened-building-an-app-with-an-ai-llm-part-four","status":"publish","type":"post","link":"https:\/\/www.red-gate.com\/simple-talk\/ai\/i-let-ai-build-my-api-heres-what-happened-building-an-app-with-an-ai-llm-part-four\/","title":{"rendered":"I let AI build my API. Here&#8217;s what happened (building an app with an AI LLM, part four)"},"content":{"rendered":"\n<p><strong>Building an API with AI is fast, but it&#8217;s not hands-off. In this article, Grant Fritchey uses Microsoft CoPilot and GitHub Copilot to generate a secure REST API for his built-by-AI application, dbRosetta, by connecting a PostgreSQL database to a future WordPress front end via Azure. Learn the full process, and discover exactly what worked &#8211; and what didn&#8217;t.<\/strong><\/p>\n\n\n\n<p>I don&#8217;t want to burden our support team (they&#8217;re awesome, but busy), so decided to initially host dbRosetta at <a href=\"https:\/\/www.scarydba.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">ScaryDBA.com<\/a> \u2014 a site I control fully, where an accidental mistake won&#8217;t take down <a href=\"https:\/\/www.red-gate.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Redgate<\/a>. Before developing the next prompt, I discussed the project with <a href=\"https:\/\/copilot.microsoft.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft CoPilot <\/a>&#8211; one of my <a href=\"https:\/\/www.ibm.com\/think\/topics\/large-language-models\" target=\"_blank\" rel=\"noreferrer noopener\">LLM<\/a>s of choice for this project &#8211; and we agreed to split the next phase into two parts. First up:<strong> building an API (application programming interface.<\/strong>)<\/p>\n\n\n\n<p><em>This is the fourth part of Grant Fritchey&#8217;s <a href=\"https:\/\/www.red-gate.com\/simple-talk\/collections\/how-i-built-an-app-just-by-talking-to-an-ai-llm\/\" target=\"_blank\" rel=\"noreferrer noopener\">series on building an app and database almost entirely through an LLM.<\/a> The repo, including every prompt, lives <a href=\"https:\/\/github.com\/ScaryDBA\/dbRosetta\" target=\"_blank\" rel=\"noreferrer noopener\">on GitHub<\/a>.<\/em><\/p>\n\n\n\n<p><strong>Why an API?<\/strong> CoPilot explains it well:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>An API provides a secure, consistent way to expose dbRosetta&#8217;s database so applications and websites can interact with it without direct access to the underlying system. By adding this layer, we separate the database from the front-end, making it easier to build interactive features while keeping the data protected and portable.<\/em><\/p>\n\n\n\n<p><\/p>\n<\/blockquote>\n\n\n\n<p>If you&#8217;re just joining us, this is Part 4 of a <a href=\"https:\/\/www.red-gate.com\/simple-talk\/collections\/how-i-built-an-app-just-by-talking-to-an-ai-llm\/\" target=\"_blank\" rel=\"noreferrer noopener\">series where I&#8217;m building a database and application using LLMs<\/a> \u2014 writing everything myself, except where I explicitly call out the AI.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-generating-an-api-prompt-with-microsoft-copilot\">Generating an API prompt with Microsoft CoPilot<\/h2>\n\n\n\n<p>As a general rule, in this series I write prompts to the CoPilot LLM, which then generates a prompt for <a href=\"https:\/\/github.com\/features\/copilot\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub Copilot<\/a>. Here&#8217;s the exchange for this step:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-the-full-prompt-i-gave-microsoft-copilot\">The full prompt I gave Microsoft CoPilot<\/h4>\n\n\n\n<p><em>Let&#8217;s get started on the API for dbRosetta. I&#8217;d like you to generate a prompt for GitHub Copilot within VS Code using the agreed-upon structure. This prompt will define the steps needed to create an API within Azure that accesses our PostgreSQL database for dbRosetta.<\/em><\/p>\n\n\n\n<p><em>It will be a secure API to protect database access, providing mechanisms to query the stored information. The API will be designed to support a WordPress web page we&#8217;ll build later.<\/em><\/p>\n\n\n\n<p><em>We&#8217;ll need to incorporate the API and its code into our existing GitHub repository, with deployment handled via our existing GitHub Actions pipeline. We&#8217;ll also need a full test suite to validate the API is working correctly.<\/em><\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-how-microsoft-copilot-responded-to-my-prompt\">How Microsoft CoPilot responded to my prompt<\/h4>\n\n\n\n<p><em><strong>Project: dbRosetta Secure API \u2014 Implementation Plan and Tasks<\/strong> <br><br><strong>Context:<\/strong> You are an expert backend engineer and DevOps automation assistant. Implement a secure, production-ready REST API for dbRosetta that runs in Azure, accesses our PostgreSQL database, and is consumable by a WordPress front end. All code must be TypeScript, follow best practices, include a full test suite, and integrate into the existing GitHub repository and GitHub Actions pipeline. <br><br>High-level Goals: <br><br><br>(1) Create a secure, well-documented REST API exposing read and query endpoints for dbRosetta PostgreSQL data. <br><br><br>(2) Use Azure-managed services and security best practices (Managed Identity, Key Vault, private endpoints, firewall rules). <br><br><br>(3) Integrate into the existing GitHub repo with a clear branch\/PR workflow and CI\/CD via existing GitHub Actions. <br><br><br>(4) Provide unit, integration, and end-to-end tests, plus a Postman collection and contract tests. <br><br><br>(5) Produce OpenAPI (Swagger) documentation and example client usage for WordPress. (Full prompt details in the <a href=\"https:\/\/github.com\/ScaryDBA\/dbRosetta\">GitHub repo<\/a>).<\/em><\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-my-verdict-i-ll-be-honest-i-m-now-outside-my-comfort-zone\">My verdict? I&#8217;ll be honest: I&#8217;m now outside my comfort zone<\/h4>\n\n\n\n<p>I have no idea if the approach we&#8217;re following is entirely correct, and I&#8217;m fairly dependent on both AIs to get this right. I&#8217;m thinking more carefully about my own prompts and trying to be more prescriptive. The output looks right to me \u2014 so, over to <a href=\"https:\/\/code.visualstudio.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Visual Studio (VS) Code<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-building-the-api-with-microsoft-copilot\">Building the API with Microsoft CoPilot<\/h2>\n\n\n\n<p>After creating the markdown file for the prompt and pasting it into the VS Code chat window, GitHub Copilot didn&#8217;t waste time on discussion \u2014 it immediately started generating files, folders, and a <em>lot<\/em> of code. Within about two minutes, it claimed to be 70% complete and asked:<\/p>\n\n\n\n<p><strong><em>What would you like to do next?<\/em><\/strong><\/p>\n\n\n<div class=\"block-core-list\">\n<ol class=\"wp-block-list\">\n<li><em>Test what we have so far?<\/em><br><br><\/li>\n\n\n\n<li><em>Continue implementing the API routes?<\/em><br><br><\/li>\n\n\n\n<li><em>Focus on a specific component (tests, CI\/CD, documentation)?<\/em><br><br><\/li>\n\n\n\n<li><em>Something else?<\/em><\/li>\n<\/ol>\n<\/div>\n\n\n<p>I chose to test first, so I could understand where things stood. Helpfully, CoPilot told me exactly what to run:<\/p>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"lang:tsql decode:true \">cd services\/dbrosetta-api\nnpm install\nnpm run docker:up\nnpm run prisma:generate\nnpm run dev\n# Visit http:\/\/localhost:3000\/docs<\/pre><\/div>\n\n\n\n<p>Which was great \u2014 until my first error. <a href=\"https:\/\/nodejs.org\/en\" target=\"_blank\" rel=\"noreferrer noopener\">Node.js<\/a> wasn&#8217;t installed locally, and the AI had never asked. No big deal; I told it the situation, and it simply walked me through the install.<\/p>\n\n\n\n<p>Then <code>npm install<\/code> gave me pause:<\/p>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"lang:tsql decode:true \">npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory.\nnpm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported\nhusky - install command is DEPRECATED\nadded 928 packages, and audited 929 packages in 50s\n2 moderate severity vulnerabilities<\/pre><\/div>\n\n\n\n<p>Deprecated versions, deprecated functions. Honestly, I expected this kind of thing. I took the output to CoPilot, which explained that VS Code didn&#8217;t intentionally pick deprecated code \u2014 the warnings come from <a href=\"https:\/\/en.wikipedia.org\/wiki\/Transitive_dependency\" target=\"_blank\" rel=\"noreferrer noopener\">transitive dependencies<\/a> in the toolchain that haven&#8217;t yet been updated. You can upgrade or override the offending dependencies, wait for upstream fixes, or suppress the risk with <a href=\"https:\/\/www.red-gate.com\/simple-talk\/devops\/ci-cd\/demystifying-continuous-integration-vs-continuous-delivery-part-1\/\" target=\"_blank\" rel=\"noreferrer noopener\">continuous integration (CI)<\/a> checks.<\/p>\n\n\n\n<p>Fair enough. And it&#8217;s a good reminder: this is exactly why I don&#8217;t think we need to worry about our jobs. We&#8217;re still very much necessary. The process is just a lot faster now.<\/p>\n\n\n\n<p>There was plenty more back and forth as we ran tests and uncovered coding errors and configuration problems \u2014 most <em>generated<\/em> by the LLM, but most also <em>fixed<\/em> by the LLM.<\/p>\n\n\n\n<p>In the middle of all this, I also had to switch <a href=\"https:\/\/www.red-gate.com\/simple-talk\/cloud\/azure\/\" target=\"_blank\" rel=\"noreferrer noopener\">Azure<\/a> subscriptions (long story). Thanks to the testing scaffolding already in place, the <a href=\"https:\/\/www.red-gate.com\/simple-talk\/collections\/migrating-from-on-prem-to-the-cloud-dba-stories\/\" target=\"_blank\" rel=\"noreferrer noopener\">migration<\/a> was surprisingly simple \u2014 if a bit long-winded.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-conclusion-can-an-ai-llm-build-an-api\">Conclusion: can an AI LLM build an API?<\/h2>\n\n\n\n<p><strong>I keep being reminded that the AI is like a brilliantly fast but very junior developer on the team. It generates code at lightning speed, and most of the time it works. But it makes silly mistakes, and someone steady needs to be in the loop to guide it toward a good result. <\/strong><\/p>\n\n\n\n<p>At one point, I forgot to update the IP address in the <a href=\"https:\/\/www.red-gate.com\/simple-talk\/databases\/postgresql\/getting-started-with-azure-database-for-postgresql-flexible-server\/\" target=\"_blank\" rel=\"noreferrer noopener\">Azure PostgreSQL<\/a> firewall \u2014 and when the tests failed, the AI was determined to do deep troubleshooting to find out why. I had to force it to reset once I&#8217;d fixed the actual problem. It also kept trying to bypass <a href=\"https:\/\/www.red-gate.com\/products\/flyway\/\" target=\"_blank\" rel=\"noreferrer noopener\">Redgate Flyway<\/a> &#8211; my tool of choice for this project &#8211; in favor of an internal tool, but I got my way in the end.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-in-summary-what-i-learned-from-building-an-api-with-ai\">In summary: what I learned from building an API with AI<\/h3>\n\n\n\n<p><strong>Once you leave your comfort zone, your dependency on the AI increases \u2014 and that&#8217;s worth knowing upfront.<\/strong> <br>The API work pushed into unfamiliar territory. The less you can independently verify the output, the more important it is to have tests that can do it for you.<\/p>\n\n\n\n<p><strong>AI-generated code will use deprecated dependencies.<\/strong> <br>Not because it&#8217;s careless, but because transitive dependencies in the toolchain haven&#8217;t been updated. It&#8217;s not a disaster, but it&#8217;s noise you need to be ready for \u2014 and it won&#8217;t warn you before you run the install.<\/p>\n\n\n\n<p><strong>The AI won&#8217;t ask about things you didn&#8217;t mention.<\/strong> <br>Node.js wasn&#8217;t installed locally. The AI never asked, never flagged it, and never factored it in. It just generated instructions that silently assumed it was there. Gaps in your environment are <em>your<\/em> problem to surface.<\/p>\n\n\n\n<p><strong>Let it troubleshoot \u2014 it&#8217;s good at it.<\/strong> <br>Most of the coding errors and configuration problems that surfaced during testing were generated by the AI and fixed by the AI. Feed it the error, it finds the cause. That loop is genuinely useful.<\/p>\n\n\n\n<p><strong>It will try to bypass your chosen tools if you don&#8217;t hold the line.<\/strong> <br>CoPilot made repeated attempts to use an internal migration tool instead of my tool of choice, Redgate Flyway. No dramatic argument \u2014 just quiet persistence. You have to be equally persistent in pushing back.<\/p>\n\n\n\n<p><strong>Leaving branches intact is worth it.<\/strong> <br>Deleting them hides the real shape of the work \u2014 the back-and-forth, the fixes, the iterations. Keeping them gives anyone following along a much more honest picture of how AI-assisted development actually works.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-the-last-word-copilot-s-assessment-of-where-dbrosetta-is-at-the-end-of-part-4\">The last word: CoPilot&#8217;s assessment of where dbRosetta is at the end of part 4<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>By completing this stage, we&#8217;ve established a secure and reliable bridge between dbRosetta&#8217;s PostgreSQL foundation and the broader ecosystem it will support. The API not only enforces best practices around authentication, input validation, and deployment hygiene, but also sets the stage for reproducible integrations with other platforms. <\/em><\/p>\n\n\n\n<p><em>With this layer in place, contributors and downstream applications can query the database confidently, knowing that access is protected and performance is monitored. This milestone transforms dbRosetta from a static repository of translations into a living service, ready to be consumed by the WordPress interface we&#8217;ll build next.<\/em><\/p>\n\n\n\n<p><\/p>\n<\/blockquote>\n\n\n\n<section id=\"my-first-block-block_cabd1f98e68aa5fe2042042c77cceb10\" class=\"my-first-block alignwide\">\n    <div class=\"bg-brand-600 text-base-white py-5xl px-4xl rounded-sm bg-gradient-to-r from-brand-600 to-brand-500 red\">\n        <div class=\"gap-4xl items-start md:items-center flex flex-col md:flex-row justify-between\">\n            <div class=\"flex-1 col-span-10 lg:col-span-7\">\n                <h3 class=\"mt-0 font-display mb-2 text-display-sm\">Simple Talk is brought to you by Redgate Software<\/h3>\n                <div class=\"child:last-of-type:mb-0\">\n                                            Take control of your databases with the trusted Database DevOps solutions provider. Automate with confidence, scale securely, and unlock growth through AI.                                    <\/div>\n            <\/div>\n                                            <a href=\"https:\/\/www.red-gate.com\/solutions\/overview\/\" class=\"btn btn--secondary btn--lg\" aria-label=\"Discover how Redgate can help you: Simple Talk is brought to you by Redgate Software\">Discover how Redgate can help you<\/a>\n                    <\/div>\n    <\/div>\n<\/section>","protected":false},"excerpt":{"rendered":"<p>Learn how to use Microsoft CoPilot and GitHub Copilot to build a secure REST API\u2014 covering Azure deployment, PostgreSQL integration, CI\/CD pipelines. Plus: what worked and what didn&#8217;t.&hellip;<\/p>\n","protected":false},"author":221792,"featured_media":106106,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[159169,143526,53,46],"tags":[159075,4168,4359,126409,159395,5765],"coauthors":[6785],"class_list":["post-111233","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ai","category-development","category-featured","category-data-security-privacy-compliance","tag-ai","tag-database","tag-development","tag-flyway","tag-how-i-built-an-app-ai-llm","tag-security-and-compliance"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/111233","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/users\/221792"}],"replies":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/comments?post=111233"}],"version-history":[{"count":10,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/111233\/revisions"}],"predecessor-version":[{"id":111263,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/111233\/revisions\/111263"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media\/106106"}],"wp:attachment":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media?parent=111233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/categories?post=111233"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/tags?post=111233"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/coauthors?post=111233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}