Cursor & Windsurf Rules 🤖

Use AI coding assistants like Cursor, Windsurf, or GitHub Copilot more effectively with ProtectMyAPI. Download our rules file to teach your AI assistant how to integrate our SDK correctly.

What are rules files? They’re instructions that teach AI assistants about your project’s patterns, APIs, and best practices. The AI reads these rules and generates better, more accurate code.


Quick Setup

Download the Rules File

Choose your AI assistant:

For Cursor:

```bash
# In your project root
curl -o .cursorrules https://raw.githubusercontent.com/protectmyapi/rules/main/.cursorrules
```

For Windsurf:

```bash
# In your project root
curl -o .windsurfrules https://raw.githubusercontent.com/protectmyapi/rules/main/.windsurfrules
```

Restart Your Editor

After adding the rules file, restart Cursor/Windsurf for the rules to take effect.

Start Coding!

Now when you ask the AI to help with ProtectMyAPI, it will:

  • Use the correct SDK methods
  • Follow security best practices
  • Generate platform-specific code
  • Handle errors properly
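
The curl commands above fetch the rules file from the `main` branch, and the assistant then follows whatever that file says. As an added example (not part of ProtectMyAPI's tooling), this Python script checks a downloaded rules file against a SHA-256 you recorded when you last reviewed it and flags invisible Unicode format or control characters that a normal read-through would not show. The sample contents and the script name `audit_rules.py` are constructed for illustration.

```python
import hashlib
import sys
import unicodedata
from pathlib import Path

ALLOWED_CONTROLS = {"\r", "\t"}  # "\n" is consumed by the line split below

# Constructed sample contents (not the real ProtectMyAPI rules file).
SAMPLE_CLEAN = "# ProtectMyAPI SDK Rules\nAlways use the SDK request method.\n".encode()
SAMPLE_TAMPERED = "# ProtectMyAPI SDK Rules\nAlways use the SDK request method.\u200b\u202e\n".encode()


def hidden_characters(text):
    """Return (line, column, description) for each character an editor would not show."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            category = unicodedata.category(ch)
            # Cf: format characters (zero-width, bidi overrides, Unicode tags).
            # Cc: control characters other than ordinary whitespace.
            if category == "Cf" or (category == "Cc" and ch not in ALLOWED_CONTROLS):
                name = unicodedata.name(ch, "UNNAMED CONTROL")
                findings.append((line_no, col, f"U+{ord(ch):04X} {name}"))
    return findings


def audit_rules_file(data, pinned_sha256=None):
    """Return a list of problems found in raw rules-file bytes (empty list = none)."""
    problems = []
    digest = hashlib.sha256(data).hexdigest()
    if pinned_sha256 is not None and digest != pinned_sha256.lower():
        problems.append(f"sha256 {digest} does not match the reviewed pin")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        problems.append(f"not valid UTF-8: {exc}")
        return problems
    for line_no, col, desc in hidden_characters(text):
        problems.append(f"line {line_no}, column {col}: hidden character {desc}")
    return problems


if __name__ == "__main__":
    # Usage: python audit_rules.py <downloaded-file> [reviewed-sha256]
    # With no arguments the script runs on the constructed tampered sample.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_TAMPERED
    issues = audit_rules_file(data, sys.argv[2] if len(sys.argv) > 2 else None)
    print("\n".join(issues) if issues else "no problems found")
    sys.exit(1 if issues else 0)
```

Record the SHA-256 of a version you have read in full, and rerun the check whenever the file is downloaded again.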

What’s Included

The rules file teaches your AI assistant:

| Topic | What the AI Learns |
| --- | --- |
| SDK Initialization | Correct setup for iOS, Android, Flutter, React Native |
| API Calls | How to make secure requests through the proxy |
| Error Handling | All error types and how to handle them |
| Security Checks | When and how to use device attestation |
| Best Practices | Token storage, initialization timing, testing |
| AI Providers | Correct endpoints for 20+ AI providers |

Example Prompts

Once you have the rules file, try these prompts:

"Add ProtectMyAPI to my iOS app"
"Make a secure OpenAI call using ProtectMyAPI"
"Handle all ProtectMyAPI errors in my Flutter app"
"Set up device attestation for Android"

The AI will generate correct, production-ready code because it understands our SDK.


Manual Setup

If you prefer to copy-paste, here’s the rules content:

Cursor Rules (.cursorrules)

# ProtectMyAPI SDK Rules
 
You are helping a developer integrate ProtectMyAPI - a secure API proxy for mobile apps that protects API keys and verifies device authenticity.
 
## Key Concepts
 
1. **App Token**: Identifies the app (at_xxx). Safe to include in client code.
2. **Device Attestation**: Cryptographic proof the request comes from a legitimate app on a real device.
3. **Secrets**: API keys stored server-side, never exposed to the client.
4. **Proxy Requests**: All API calls go through ProtectMyAPI's proxy which injects the real API keys.
 
## SDK Initialization
 
Always initialize early in the app lifecycle:
 
### iOS (Swift)
```swift
import ProtectMyAPI

// In AppDelegate or App init
ProtectMyAPI.configure(appToken: "at_your_token")
```

### Android (Kotlin)
```kotlin
import com.protectmyapi.sdk.ProtectMyAPI

// In Application.onCreate()
ProtectMyAPI.initialize(
    context = this,
    appToken = "at_your_token"
)
```

### Flutter
```dart
import 'package:protectmyapi/protectmyapi.dart';

// In main() before runApp()
await ProtectMyAPI.initialize(appToken: 'at_your_token');
```

### React Native
```javascript
import { ProtectMyAPI } from '@protectmyapi/react-native-sdk';

// Before app renders
await ProtectMyAPI.initialize({ appToken: 'at_your_token' });
```

## Making Secure API Calls

Use the SDK’s request method, NOT direct HTTP calls:

```swift
// iOS
let response = try await ProtectMyAPI.shared.request(
    endpoint: "openai/v1/chat/completions",
    method: .post,
    body: ["model": "gpt-4", "messages": messages]
)
```

```kotlin
// Android
val response = ProtectMyAPI.request(
    endpoint = "openai/v1/chat/completions",
    method = HttpMethod.POST,
    body = mapOf("model" to "gpt-4", "messages" to messages)
)
```

## Error Handling

Always handle these error types:

- `attestationFailed` - Device verification failed
- `unauthorized` - Invalid app token
- `rateLimited` - Too many requests
- `secretNotFound` - API key not configured
- `networkError` - Connection issues

## Security Best Practices

1. Initialize SDK at app startup, not lazily
2. Always use the SDK’s request method
3. Test on real devices (simulators have limited attestation)
4. Enable all security checks in production
5. Never hardcode API keys in client code

## Supported AI Providers

ProtectMyAPI proxies requests to 20+ providers:

- OpenAI: `openai/v1/...`
- Anthropic: `anthropic/v1/...`
- Google: `google/v1/...`
- And more…

The SDK automatically handles authentication headers.


---

## Windsurf Rules (`.windsurfrules`)

Same content as above - Windsurf uses the same format.

---

## MCP Server Alternative

For even deeper AI integration, use our [MCP Server](/mcp-server) which gives AI assistants direct access to your ProtectMyAPI dashboard - managing apps, secrets, and generating code.

<Cards>
  <Cards.Card title="📦 MCP Server" href="/mcp-server">
    Connect Claude Desktop directly to your dashboard
  </Cards.Card>
  <Cards.Card title="📱 iOS SDK" href="/ios">
    Full iOS integration guide
  </Cards.Card>
  <Cards.Card title="🤖 Android SDK" href="/android">
    Full Android integration guide
  </Cards.Card>
  <Cards.Card title="🦋 Flutter SDK" href="/flutter">
    Full Flutter integration guide
  </Cards.Card>
</Cards>

---

## Troubleshooting

### Rules Not Working?

1. **File location**: Must be in project root, not a subfolder
2. **File name**: Must be exactly `.cursorrules` or `.windsurfrules` (with the dot)
3. **Restart**: Restart your editor after adding the file
4. **Check syntax**: Ensure the file is valid Markdown

### AI Still Generating Wrong Code?

Be specific in your prompts:
- ❌ "Add AI to my app"
- ✅ "Add ProtectMyAPI OpenAI integration to my Swift iOS app"

The rules help, but clear prompts help more!