Series

API bugs QA should catch.

The recurring API defects worth finding by hand — and the ones worth automating after. APIs break in the same handful of ways on every project. This series walks the defect classes a tester should know cold: the everyday bugs, the list-endpoint traps, and where contracts and query language actually change how you test.

Who it's for: API testers, manual QA moving into API testing, SDETs

// overview

Most API testing advice jumps straight to frameworks and assertions. This series goes the other way: it starts with the bugs. Learn the defect classes that recur on every API — wrong status codes, missing validation, broken pagination, fail-open filters, unstable sorts, and the auth gaps two accounts will expose — and you'll know what to look for before you write a line of automation.

The arc runs from the broad first pass to the specific traps: the everyday checklist, then the list-endpoint failures that hide behind “it returned 200”, and finally the structural questions — how REST and GraphQL change what you test, and where contract testing genuinely helps versus where the marketing oversells it.

By the end you'll have a hand-run pass that catches more real defects than a green suite, and a clear sense of which of those checks are worth automating.


// reading order

  1. Tutorials · 13 June 2026 · 9 min read

    The 12 API bugs I check for first

    A high-value checklist: the twelve API bugs that surface most often, from wrong status codes to idempotency failures.

    api-testing, checklist, bugs
  2. Deep dives · 13 June 2026 · 8 min read

    API status codes testers should actually care about

    Skip the full registry — learn the dozen status codes that carry real meaning, what each promises, and how to spot when the code and the body disagree.

    api-testing, status-codes, http
  3. Tutorials · 13 June 2026 · 8 min read

    API pagination, filtering, and sorting bugs

    The specific bugs that hide in paginated, filtered, and sorted endpoints — off-by-one pages, unstable sorts, and filter leaks.

    api-testing, pagination, bugs
  4. Field notes · 13 June 2026 · 8 min read

    How I test an API before the UI is ready

    The API ships weeks before the screen. Test it directly from the contract — the whole bad-input, auth, and edge class is open at the API and invisible once the UI hides it.

    api-testing, shift-left, process
  5. Deep dives · 28 October 2025 · 9 min read

    REST vs GraphQL testing: the actual differences

    Most 'REST vs GraphQL' content is about API design. The testing perspective is different — query construction, schema-aware tooling, the N+1-shaped test bug, and why GraphQL flips the test pyramid.

    api-testing, graphql, rest, comparison
  6. Deep dives · 11 November 2025 · 10 min read

    Contract testing, explained without the Pact marketing

    Contract testing is two things wearing one name: a model and a tool. The model is genuinely useful; the marketing for the tool oversells where it fits. Here's the model, separated from any vendor's pitch.

    contract-testing, pact, api-testing, microservices
