Back to Home

API Testing: Checklist and Autotests

The article describes a systematic approach to API testing: check categories, examples in Postman and Jest+axios, checklist, role of AI in case generation. Suitable for middle/senior QA and dev.

API Tests: from Postman to AI Case Generation
Advertisement 728x90

API Testing Checklist: From Status Codes to AI-Powered Automation

API testing demands a systematic approach—validating status codes, response structure, edge cases, and authentication. Postman excels for manual testing, while Jest + axios fits seamlessly into CI/CD pipelines. AI accelerates test case generation from OpenAPI specs, analyzes responses, and identifies edge data patterns.

Key API Testing Categories

API testing spans multiple critical areas. Skipping any risks undetected bugs in production.

Status Codes

Verify the code matches the expected scenario:

Google AdInline article slot

| Scenario | Expected Code |

|----------|---------------|

| Successful creation | 201 |

Google AdInline article slot

| Resource not found | 404 |

| Insufficient permissions | 403 |

| Not authenticated | 401 |

Google AdInline article slot

| Invalid data | 400/422 |

| Server error | 500 |

Common pitfall: returning 200 with an error in the body—this violates REST principles.

Response Structure

  • Required fields are present.
  • Data types match expectations (e.g., number instead of string).
  • Nested objects aren’t null.
  • Arrays aren’t confused with objects.

Edge Cases

Test boundary conditions:

  • Empty request body.
  • Missing required field.
  • Empty string in a field.
  • Numbers: 0, negative values, MAX_INT.
  • Strings: 1 character, max length, special characters, SQL/XSS payloads.

Authentication & Headers

  • No token: 401.
  • Expired token: 401.
  • Invalid token: 403.
  • Read-only user on write operation: 403.

Headers: Content-Type, CORS, rate-limiting.

Testing in Postman

Use the Tests tab for JavaScript scripts after receiving a response.

Basic Assertions

// Status and response time
pm.test("Status 200", () => {
    pm.response.to.have.status(200);
});

pm.test("Response <500ms", () => {
    pm.expect(pm.response.responseTime).to.be.below(500);
});

// Content-Type
pm.test("JSON", () => {
    pm.response.to.have.header("Content-Type", "application/json; charset=utf-8");
});

Structure and Types

const response = pm.response.json();

pm.test("id is present", () => {
    pm.expect(response).to.have.property("id");
});

pm.test("id is a number", () => {
    pm.expect(response.id).to.be.a("number");
});

pm.test("email is not empty", () => {
    pm.expect(response.email).to.be.a("string").and.not.empty;
});

Negative: No Token

pm.test("401 without token", () => {
    pm.response.to.have.status(401);
});

const response = pm.response.json();
pm.expect(response).to.have.property("message");

Save the token from /login into an environment variable: pm.environment.set("auth_token", response.token);. Reference it as {{auth_token}} in headers.

Automated Tests with Jest + axios

For CI/CD, write tests in code. Example for /users/:id:

const axios = require("axios");

const BASE_URL = "https://api.example.com";
const TOKEN = process.env.API_TOKEN;

const client = axios.create({
    baseURL: BASE_URL,
    headers: { Authorization: `Bearer ${TOKEN}` }
});

describe("GET /users/:id", () => {

    test("Get user by ID", async () => {
        const response = await client.get("/users/1");

        expect(response.status).toBe(200);
        expect(response.data).toMatchObject({
            id: expect.any(Number),
            email: expect.any(String),
            name: expect.any(String),
        });
    });

    test("404 for non-existent user", async () => {
        await expect(client.get("/users/999999"))
            .rejects.toMatchObject({
                response: { status: 404 }
            });
    });

    test("401 without token", async () => {
        await expect(axios.get(`${BASE_URL}/users/1`))
            .rejects.toMatchObject({
                response: { status: 401 }
            });
    });

});

Run with: npx jest user.test.js.

Universal Checklist

Positive Scenarios:

  • Valid data → correct status.
  • Response structure matches documentation.
  • Required fields present.
  • Correct data types.
  • Response time within limits.

Negative Cases:

  • No auth → 401.
  • Wrong token → 403.
  • Missing field → 400/422.
  • Incorrect type → 400/422.
  • Non-existent resource → 404.
  • Empty body → validation error.

Edge Cases:

  • Min/max values.
  • Zero or negative numbers.
  • Empty strings.
  • Special characters/Unicode.
  • Long strings.

Security:

  • SQL injection.
  • XSS.
  • IDOR (ID guessing).

AI-Powered Automation

AI generates test cases from OpenAPI specs—positive, negative, and edge cases—in Jest format.

Prompt: "Generate tests for POST /users based on schema [schema]. Use realistic data."

Auto-analyze responses using LLMs:

async function validateWithAI(prompt, response) {
    // Call Claude/GPT to assess relevance
    // ...
    return data.content[0].text.trim() === "YES";
}

Generate edge data: AI suggests RTL text, emojis, invisible Unicode characters.

AI doesn’t replace business logic understanding (e.g., discount ≤ 100 for non-premium users).

What Matters Most

  • Validate status codes strictly per scenario—never use 200 for errors.
  • Test response structure and types using JSONPath-like assertions.
  • Automate negative and edge cases in CI/CD using Jest/axios.
  • Leverage AI for repetitive tasks: test generation, analysis, edge data.
  • Use the checklist as a mandatory template for every endpoint.

— Editorial Team

Advertisement 728x90

Read Next