Sunday, March 22, 2026

Practical checklist for API testing

Here’s a practical checklist for API testing—especially useful for QA engineers working with tools like Postman, Playwright, or Pytest.


✅ 1. Status Code Validation

  • Check correct HTTP status:
    • 200 → success
    • 201 → created
    • 400 → bad request
    • 401 → unauthorized
    • 403 → forbidden
    • 404 → not found
    • 500 → server error

👉 Always verify expected vs actual.


✅ 2. Response Body Validation

  • Validate:
    • Required fields exist
    • Correct data types (string, int, boolean)
    • Correct values
  • Example:

    {
      "id": 101,
      "name": "Goat Feed",
      "price": 250
    }

✅ 3. Response Time (Performance)

  • The API should respond within an acceptable time
  • Example:
    • < 200 ms → good
    • < 1 sec → acceptable

✅ 4. Headers Validation

  • Check:
    • Content-Type (application/json)
    • Authentication headers
    • Caching headers

✅ 5. Authentication & Authorization

  • Test:
    • Valid token → success
    • Invalid token → fail
    • No token → fail

👉 Covers security basics.


✅ 6. Request Validation (Input Testing)

  • Test different inputs:
    • Valid data
    • Missing fields
    • Invalid data types
    • Boundary values

👉 Example:

  • price = -10 ❌
  • price = 0 ❌
  • price = 999999 ✅

✅ 7. CRUD Operations

Test all operations:

  • POST → create
  • GET → read
  • PUT/PATCH → update
  • DELETE → remove

👉 Verify full data lifecycle.


✅ 8. Error Handling

  • Check proper error messages:

    {
      "error": "Invalid ID"
    }

  • Should be clear and meaningful

✅ 9. Data Integrity

  • Data should remain consistent:
    • Create → fetch → verify same data
    • Update → verify changes
    • Delete → confirm removal

✅ 10. Idempotency

  • Repeating the same request should not break the system
  • Example:
    • DELETE multiple times → should not crash

✅ 11. Rate Limiting

  • Check:
    • Too many requests → blocked?
    • API returns 429 Too Many Requests

✅ 12. Security Testing (Basic)

  • Test:
    • SQL injection
    • Unauthorized access
    • Sensitive data exposure
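
Items 5 and 12 as one runnable check, added here as an example and not part of the original checklist: a token matrix run against a constructed local stub API, asserting the status code for each case and that error bodies carry no resource data. The tokens, the /orders path and the helper names are assumptions; the matrix goes one step beyond the list by adding the valid-token-but-not-owner case (403).

```python
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed stub data (assumption)
ORDERS = {"1": "alice", "2": "bob"}                # order id -> owner
NO_PROXY = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class StubAPI(BaseHTTPRequestHandler):
    def do_GET(self):
        token = self.headers.get("Authorization", "").removeprefix("Bearer ")
        user, owner = TOKENS.get(token), ORDERS.get(self.path.rsplit("/", 1)[-1])
        if user is None:
            code, body = 401, {"error": "unauthorized"}  # unknown or missing token
        elif owner != user:
            code, body = 403, {"error": "forbidden"}     # authenticated, not the owner
        else:
            code, body = 200, {"id": 1, "owner": owner}
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def log_message(self, *args): pass  # silence per-request logging

def start_stub():
    server = HTTPServer(("127.0.0.1", 0), StubAPI)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

def get(url, token=None):
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    try:
        with NO_PROXY.open(urllib.request.Request(url, headers=headers), timeout=5) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:  # urllib raises on 4xx/5xx
        return e.code, e.read().decode()

def auth_matrix(base):
    cases = [("tok-alice", "/orders/1", 200),  # valid token, own order
             ("tok-wrong", "/orders/1", 401),  # invalid token
             (None, "/orders/1", 401),         # no token
             ("tok-alice", "/orders/2", 403)]  # valid token, someone else's order
    failures = []
    for token, path, want in cases:
        status, body = get(base + path, token)
        if status != want or (status != 200 and "owner" in body):
            failures.append((token, path, want, status))
    return failures
```

Point `auth_matrix` at a real base URL with test-account tokens to reuse the same matrix; an empty list means every case returned the expected status.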

✅ 13. Pagination & Filtering

  • Verify:
    • Page size
    • Page number
    • Filters work correctly

✅ 14. Schema Validation

  • Response matches expected schema
  • Use JSON schema validation in Postman or Pytest

✅ 15. Logging & Monitoring (Advanced)

  • Check logs for:
    • Errors
    • Failed requests
    • Debug info

🚀 Pro Tip (Real QA Mindset)

Don’t just test the “happy path”.
👉 Break the API:

  • Send wrong data
  • Send large payloads
  • Send repeated requests