API Testing Checklist: From Status Codes to AI-Powered Automation
API testing demands a systematic approach—validating status codes, response structure, edge cases, and authentication. Postman excels for manual testing, while Jest + axios fits seamlessly into CI/CD pipelines. AI accelerates test case generation from OpenAPI specs, analyzes responses, and identifies edge data patterns.
Key API Testing Categories
API testing spans multiple critical areas. Skipping any risks undetected bugs in production.
Status Codes
Verify the code matches the expected scenario:
| Scenario | Expected Code |
|----------|---------------|
| Successful creation | 201 |
| Resource not found | 404 |
| Insufficient permissions | 403 |
| Not authenticated | 401 |
| Invalid data | 400/422 |
| Server error | 500 |
Common pitfall: returning 200 with an error in the body—this violates REST principles.
Response Structure
- Required fields are present.
- Data types match expectations (e.g., number instead of string).
- Nested objects aren’t null.
- Arrays aren’t confused with objects.
Edge Cases
Test boundary conditions:
- Empty request body.
- Missing required field.
- Empty string in a field.
- Numbers: 0, negative values, MAX_INT.
- Strings: 1 character, max length, special characters, SQL/XSS payloads.
Authentication & Headers
- No token: 401.
- Expired token: 401.
- Invalid token: 403.
- Read-only user on write operation: 403.
Headers: Content-Type, CORS, rate-limiting.
Testing in Postman
Use the Tests tab for JavaScript scripts after receiving a response.
Basic Assertions
// Status and response time
pm.test("Status 200", () => {
pm.response.to.have.status(200);
});
pm.test("Response <500ms", () => {
pm.expect(pm.response.responseTime).to.be.below(500);
});
// Content-Type
pm.test("JSON", () => {
pm.response.to.have.header("Content-Type", "application/json; charset=utf-8");
});
Structure and Types
const response = pm.response.json();
pm.test("id is present", () => {
pm.expect(response).to.have.property("id");
});
pm.test("id is a number", () => {
pm.expect(response.id).to.be.a("number");
});
pm.test("email is not empty", () => {
pm.expect(response.email).to.be.a("string").and.not.empty;
});
Negative: No Token
pm.test("401 without token", () => {
pm.response.to.have.status(401);
});
const response = pm.response.json();
pm.expect(response).to.have.property("message");
Save the token from /login into an environment variable: pm.environment.set("auth_token", response.token);. Reference it as {{auth_token}} in headers.
Automated Tests with Jest + axios
For CI/CD, write tests in code. Example for /users/:id:
const axios = require("axios");
const BASE_URL = "https://api.example.com";
const TOKEN = process.env.API_TOKEN;
const client = axios.create({
baseURL: BASE_URL,
headers: { Authorization: `Bearer ${TOKEN}` }
});
describe("GET /users/:id", () => {
test("Get user by ID", async () => {
const response = await client.get("/users/1");
expect(response.status).toBe(200);
expect(response.data).toMatchObject({
id: expect.any(Number),
email: expect.any(String),
name: expect.any(String),
});
});
test("404 for non-existent user", async () => {
await expect(client.get("/users/999999"))
.rejects.toMatchObject({
response: { status: 404 }
});
});
test("401 without token", async () => {
await expect(axios.get(`${BASE_URL}/users/1`))
.rejects.toMatchObject({
response: { status: 401 }
});
});
});
Run with: npx jest user.test.js.
Universal Checklist
Positive Scenarios:
- Valid data → correct status.
- Response structure matches documentation.
- Required fields present.
- Correct data types.
- Response time within limits.
Negative Cases:
- No auth → 401.
- Wrong token → 403.
- Missing field → 400/422.
- Incorrect type → 400/422.
- Non-existent resource → 404.
- Empty body → validation error.
Edge Cases:
- Min/max values.
- Zero or negative numbers.
- Empty strings.
- Special characters/Unicode.
- Long strings.
Security:
- SQL injection.
- XSS.
- IDOR (ID guessing).
AI-Powered Automation
AI generates test cases from OpenAPI specs—positive, negative, and edge cases—in Jest format.
Prompt: "Generate tests for POST /users based on schema [schema]. Use realistic data."
Auto-analyze responses using LLMs:
async function validateWithAI(prompt, response) {
// Call Claude/GPT to assess relevance
// ...
return data.content[0].text.trim() === "YES";
}
Generate edge data: AI suggests RTL text, emojis, invisible Unicode characters.
AI doesn’t replace business logic understanding (e.g., discount ≤ 100 for non-premium users).
What Matters Most
- Validate status codes strictly per scenario—never use 200 for errors.
- Test response structure and types using JSONPath-like assertions.
- Automate negative and edge cases in CI/CD using Jest/axios.
- Leverage AI for repetitive tasks: test generation, analysis, edge data.
- Use the checklist as a mandatory template for every endpoint.
— Editorial Team
No comments yet.