Matrix · Intermediate · 4-6 min · reference

API Negative Testing Matrix

Positive tests prove the API works; negative tests prove it fails safely. This matrix lists the inputs worth firing at any endpoint, the response you'd expect, and what to assert. Use it as a seed for your own checklist; the full API testing checklist and input-validation guide cover each category in depth.

The matrix

| Category | Input | Expected | Assert |
|---|---|---|---|
| Auth | No / invalid token | 401 | Not 200 with empty data |
| Auth | Valid token, wrong scope/owner | 403 | Can't reach another user's data |
| Required field | Omit a required field | 400 / 422 | Error names the field |
| Type | String where number expected | 400 | Not a 500 |
| Enum | Value outside the allowed set | 400 | Rejected, not coerced |
| Boundary | min−1, max+1, empty, very long | 400 | Limits enforced both ends |
| Format | Bad email / date / UUID | 400 | Format validated |
| Payload | Empty body, malformed JSON | 400 | Not a 500 stack trace |
| Size | Oversized payload / array | 413 / 400 | Limit enforced |
| Method | Wrong verb (PUT on read-only) | 405 | Allow header present |
| Content-Type | Missing / wrong | 415 | Not silently accepted |
| Rate | Rapid repeat calls | 429 | Retry-After present |
| Not found | Nonexistent id | 404 | Not 200 with null |
| Injection | SQL/script in a field | 400 + safe handling | No execution, no leak |

Golden rules

  • A bad request must never return 500 — that's the server crashing, not validating.
  • Error responses should be safe: no stack traces, SQL, or internal paths.
  • The status code must match the failure class (400 vs 401 vs 403 vs 404).
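
The matrix rows and the golden rules, turned into one data-driven check. This is an added example, not code from the page: the `/orders` endpoint, its fields (`sku`, `quantity`), the sample responses and the leak heuristics are constructed assumptions, and `send(case)` is a stand-in for whatever HTTP client wrapper your suite uses. The Injection row is left out, in line with the page's note that injection testing belongs in authorized security testing.

```python
"""Matrix-driven negative tests for an HTTP API (added example; the /orders
endpoint, its fields and the sample responses are constructed, not from the page).

A Case is one matrix row: the request to send, the status codes that count as a
pass, and the row's extra assertion. check() also applies the golden rules to
every response: never a 500, never leaked internals, never a 200 with nothing.
"""
import json
import re
from dataclasses import dataclass, field

# Heuristics for an unsafe error body (no stack traces, SQL or internal paths).
LEAK_PATTERNS = {
    "stack trace": re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\(\w+\.java:\d+\)"),
    "SQL": re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b[^\n]*\b(FROM|INTO|SET|WHERE)\b", re.I),
    "internal path": re.compile(r"/(?:home|var/www|usr/src|opt)/\S+|[A-Za-z]:\\"),
}

@dataclass
class Case:
    category: str
    method: str
    path: str
    expected: frozenset                 # status codes that count as a pass
    headers: dict = field(default_factory=dict)
    body: str = ""
    repeat: int = 1                     # > 1 for the rate-limit row
    required_headers: tuple = ()        # must be present on this failure class
    body_must_mention: str = ""         # e.g. the omitted field's name

@dataclass
class Response:
    status: int
    headers: dict
    body: str

def check(case, resp):
    """Return the assertion failures for one response; an empty list is a pass."""
    failures = []
    if resp.status == 500:
        failures.append("500 on a bad request: the server crashed instead of validating")
    elif resp.status not in case.expected:
        failures.append(f"status {resp.status}, expected one of {sorted(case.expected)}")
    if resp.status == 200 and resp.body.strip() in ("", "null", "{}", "[]"):
        failures.append("200 with an empty/null body where an error status belongs")
    for name, pat in LEAK_PATTERNS.items():
        if pat.search(resp.body):
            failures.append(f"error body leaks {name}")
    present = {k.lower() for k in resp.headers}
    for h in case.required_headers:
        if h.lower() not in present:
            failures.append(f"{h} header missing")
    if case.body_must_mention and case.body_must_mention not in resp.body:
        failures.append(f"error does not name '{case.body_must_mention}'")
    return failures

# The matrix rows against a constructed /orders endpoint (requires sku, quantity >= 1).
# The Injection row is left to authorized security testing, as the page notes.
VALID = {"sku": "A1", "quantity": 1}
MATRIX = [
    Case("Auth", "GET", "/orders/1", frozenset({401})),
    Case("Auth", "GET", "/orders/1", frozenset({403}), headers={"Authorization": "Bearer <another user's token>"}),
    Case("Required field", "POST", "/orders", frozenset({400, 422}), body=json.dumps({"quantity": 1}), body_must_mention="sku"),
    Case("Type", "POST", "/orders", frozenset({400}), body=json.dumps({**VALID, "quantity": "two"})),
    Case("Enum", "POST", "/orders", frozenset({400}), body=json.dumps({**VALID, "priority": "sort-of-high"})),
    Case("Boundary", "POST", "/orders", frozenset({400}), body=json.dumps({**VALID, "quantity": 0})),
    Case("Format", "POST", "/orders", frozenset({400}), body=json.dumps({**VALID, "email": "not-an-email"})),
    Case("Payload", "POST", "/orders", frozenset({400}), body='{"sku": '),
    Case("Size", "POST", "/orders", frozenset({413, 400}), body=json.dumps({**VALID, "note": "x" * 1_000_000})),
    Case("Method", "PUT", "/orders/1", frozenset({405}), required_headers=("Allow",)),
    Case("Content-Type", "POST", "/orders", frozenset({415}), headers={"Content-Type": "text/plain"}, body="sku=A1"),
    Case("Rate", "GET", "/orders", frozenset({429}), repeat=50, required_headers=("Retry-After",)),
    Case("Not found", "GET", "/orders/999999", frozenset({404})),
]

def run_matrix(send, cases=MATRIX):
    """Drive every row through send(case) -> Response, your HTTP client wrapper.

    Returns {row label: failures} for the rows that failed; an empty dict is a clean run.
    """
    report = {}
    for i, case in enumerate(cases):
        for _ in range(case.repeat):        # rate row: the last response is the one judged
            resp = send(case)
        failures = check(case, resp)
        if failures:
            report[f"{i}:{case.category} {case.method} {case.path}"] = failures
    return report

def demo():
    """Constructed responses (not from a real service) run through check()."""
    required, method = MATRIX[2], MATRIX[9]
    safe = Response(422, {"Content-Type": "application/json"}, json.dumps({"error": "missing required field: sku"}))
    crash = Response(500, {"Content-Type": "text/html"},
                     "Traceback (most recent call last):\n  File \"/home/app/api/orders.py\", line 42\nKeyError: 'sku'")
    no_allow = Response(405, {}, json.dumps({"error": "method not allowed"}))
    return check(required, safe), check(required, crash), check(method, no_allow)

if __name__ == "__main__":
    for result in demo():
        print(result or "pass")
```

To point this at a real service, write `send(case)` around your client, for example `requests.request(case.method, base_url + case.path, headers=case.headers, data=case.body)`, and map the result into a `Response`. The leak patterns are deliberately heuristic; tune them to the stack you test, and keep the `500` rule absolute.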

Common mistakes

  • Only testing valid input — most security and stability bugs live on the negative paths.
  • Accepting 200 with an empty/null body where 404/400 is correct.
  • Letting validation errors surface as 500s.
  • Skipping boundary values (off-by-one at min/max is the classic miss).

Injection and auth-bypass attacks belong in authorized security testing — this sheet covers the safe input-validation cases QA owns.
