How To Do API Testing | Best Practices (2024)

API Testing

What is API Testing?

API testing is a type of testing that is used to evaluate that the API functions as expected. Software testing professionals analyse and test the APIs and evaluate whether APIs meet the expectations or not and are secure, robust and reliable.

Why API testing is important?

API is an inherent part of any software application. It’s the “middleman” of the layers and systems within an application or software. API testing is essential as it ensures a reliable, safe, and secure connection between platforms. API testing enables us to find bugs at an early stage hence it is cost-effective. We can perform API testing within the application before GUI testing, core functionality can be tested to expose small errors so productivity is improved. Through API testing, we can also check for vulnerabilities by using a specific set of parameters to simulate various phishing attack techniques.

The Importance of API Testing

API testing ensures several benefits to a product. Some of them are listed below:

  1. API testing helps in identifying the problems at the integration phase to make sure that two different systems interact together correctly.
  2. API testing uncovers the performance bottlenecks like high response time.
  3. API testing ensures the desired operation is performed and API delivers the intended response.
  4. API testing helps detect and mitigate security issues such as SQL injection and cross-site scripting. This helps to ensure that the API is safe from common risks and that sensitive data is secure.
  5. API testing saves time and cost as it helps in detecting and fixing bugs at an early stage.

How to start with API testing

To proceed with API testing some important points to keep in mind.

  1. Understand the requirements in detail. Go through the required documentation and understand the API’s purpose.
  2. The next step is to identify the target audience.
  3. Understand the available endpoints for testing.
  4. Set up the test environment, and set the priorities.
  5. Define the test basis and input parameters.
  6. Create detailed test cases including both positive and negative scenarios.
  7. Carefully analyse the API testing tool considering the project requirements.
  8. Execute the tests and prepare detailed reports with pass, fail, skip, and blocked test cases.
  9. Repeat the execution to monitor the API in case of changes.
  10. Utilize automation tools and frameworks.

What should you test in an API | API testing Checklist

When we talk about API testing the first thing that comes to our mind is to validate the response codes and response body, but API testing is much more than that. Let’s try to decode what points should be considered while performing API testing.

1) HTTP status code verification

This is the most familiar test case while performing API testing. Validate that the API is returning the correct status code. Some common response codes are:

2xx (Success)

200: The Request has succeeded(GET/POST/HEAD).

201: The request has been fulfilled(POST/PUT).

204: The server successfully processed the request, but is not returning any content(DELETE).

3XX (Redirection)

301: Move permanently(GET/HEAD).

307: Temporary Redirect 

4XX(Client error)

400: Bad Request(Domain validation errors, missing data).

401: Invalid authentication token.

404: Not found(Does not exist or due to security reasons the service wants to mask).

429: Too many requests(Rate limiting)

5XX(Server errors)

500: Internal server error(General catch mechanism when server throws an exception).

503: Service unavailable(Server overloaded or down for maintenance).

504: Gateway Timeout

2) Payload Verification

Once status codes are verified. The next step is to verify the response Payload. First, validate that the response body is not null or empty which is a pretty basic test case. The response body can be JSON or XML. Next, we need to validate the important keys in the response body. For example, if we are hitting an API to create a new user then a unique user ID must be returned in the response body.

Refer to Sample JSON Response.

    "firstName": "John",
    "lastName" : "Doe", 
    "age": 35,
    "userID" : 1001,
    "eMail" : "[email protected]"

Refer to sample Test cases for the above JSON payload.

TC_1: Response body is not empty
TC_2: Verify Response body contains userID
TC_3: userID is not null or blank
TC_4: Verify Unique User Id is created every time.
TC_5: Verify New user can not be created with same eMail. Email should be unique.

3) Validate Response Headers

The API gateway checks header values for threatening content. Headers hold additional information about the response. For example, the content-type header tells the browser what type of content the body contains. If the content-type header is blank or missing then the browser attempts to display the source most appropriately. This can cause a security threat.

The content-length header tells the size of the response body. Checking this field may reveal wrong or missing content.

TC_6:Validate that Content-Type header exist in the response headers, and its value should match the expected content type (e.g., "application/json", "application/xml", "text/html", etc.

TC_7: Verify the reposne type. i.e if content-type = JSON then response should be JSON.

4) Schema Validation

One of the important tests that we often tend to ignore is schema validation. Schema validation ensures that the response format is the same as the expected one. Validation rules can be like that data is in the key/value pair. The key should be in double quotes and must be a string, the response includes arrays and objects. If the schema is of object type then if we send a non-object request we should get an error. Similarly, we can specify min items and max items validation on the schema. JSON schema validation can be done using Tiny validator in Postman or using any javascript library.

Refer to the below schema for the JSON Payload.

  "$schema": "",
  "type": "object",
  "properties": {
    "firstName": {
      "type": "string"
    "lastName": {
      "type": "string"
    "age": {
      "type": "integer"
    "userID": {
      "type": "integer"
    "eMail": {
      "type": "string"
  "required": [

We can validate this schema by following the below test cases.

Verify that the "first name" field exists and has a value of type string.

Verify that the "lastName" field exists and has a value of type string.

Verify that the "age" field exists and has a value of type integer.

Verify that the "userID" field exists and has a value of type integer.

Verify that the "Email" field exists and has a value of type integer.

Verify the length constraints of each field. For Example, UserId should be of a minimum of 4 numbers.

Verify that all fields are mandatory except the last name.

5) Authorization

Another test is to validate the authentication type. Multiple types of authentication are available such as basic auth, API key, Bearer token, and OAuth for security purposes. A few things can be validated for authorization like auth token expiration is set or if ‘Bearer’ needs to be appended with the token but still token is working without it. Ensure API refuses all unauthorized calls.

6) Performance testing

It is considered a good approach to perform the basic level of performance testing for API. We can check the response load time, and response size using Postman. In automation testing, custom methods can be written to perform these kinds of validations. For example, we can validate that the execution time is less than 200ms.

pm.test("Response time is less than 200ms", function () {

7) AAA Rule (Arrange, Act, Assert)

The famous AAA pattern of testing is to arrange all necessary preconditions and input, act on the test, and assert the expected result. Without good assertions and tests, it is impossible to have full confidence in API behaviour. Assertions are checked every time a test runs.


8) Negative TestCases

Negative testing is as important in API testing as in UI testing. For Example, attempt to create a resource with a name that already exists, or try to delete a resource that does not exist. Try to delete the user configuration without permission.

Attempt executing API with an expired token or try to use an unsupported method.

TC_01: Validate that if firstName is not provided then API should fail.
TC_02: Validate that if same email id is provided then API should fail with error code 500.

9) Destructive testing

This technique is used to intentionally fail the API to check the robustness and identify points of failure. For example intentionally send malformed request payload, overflow parameter values ex: if the title length is 50 characters make it 100, and send empty payloads.

TC_01: Validate that if user not able to access Invalid path/url.
TC_02: Ensure that Unsupported methods not hamper the server resources.

10) Integration Testing

As the API layer is the intermediate layer between the presentation layer and the internal layer, ensure that integration between third-party or internal services works properly. For example, an API can read or write some data in a database or any content management system then it should work properly to and fro.

11) Penetration testing

In Pen testing, an expert tries to attack the API to find out the weaknesses and vulnerabilities. SQL injections and cross-site scripting attacks are majorly used in Penetration testing.

API Testing Tools

Many tools are available in the market for API testing including paid tools. Some of the commonly used tools are mentioned below:

  • Postman
  • SoapUI
  • Apigee
  • Insomnia
  • Katalon Studio
  • Karate Framework

Some tools are available to write test scripts like Rest Assured, Rest Sharp and Super test. It depends on the requirement of which tool is a good fit. Ready-made tools like Postman are easy to use whereas writing your scripts gives you more freedom and flexibility.


This post covers the basic checklist related to API testing. However, there is an extensive range of testing techniques that can be used to ensure the reliability, security and robustness of the API’s.

Click here to learn API testing with Postman.

Discover more from AutomationQaHub

Subscribe now to keep reading and get access to the full archive.

Continue reading