checklists

API Testing Checklist.

API Testing A thorough checklist for testing REST APIs covering endpoints, HTTP methods, status codes, request validation, response schema, authentication, authorization, pagination, filtering, error handling, security basics, and OpenAPI/documentation conformance.

sections

items

3–4 hours

time

QA engineersSDETsAutomation engineersDevelopers

When to use this checklist

When testing a new API endpoint or a new API version before it ships
As a regression suite for a stable API that is being refactored
During a third-party API integration review
Before signing off a microservice for production deployment
As a reference when authoring Postman collections or Playwright API tests

This checklist covers every layer of API quality: correct HTTP semantics, request and response schema fidelity, authentication and authorisation enforcement, pagination and filtering correctness, error response consistency, and security hygiene. It assumes a JSON REST API but most items also apply to GraphQL endpoints. Items marked automationCandidate are well-suited to a Playwright APIRequestContext or Supertest suite running in CI.

0/44

Endpoint Discovery & HTTP Methods

0/4

Verify that each endpoint exists, supports the correct HTTP methods, and rejects unsupported ones cleanly.

Each documented endpoint returns a non-404 response for a valid requestCriticalfunctionalauto
For every endpoint in the OpenAPI spec, send a minimal valid request and assert the status code is not 404 or 405. Catch documentation drift early — if the spec says GET /users exists, the server must agree.
Unsupported HTTP methods return 405 with an Allow headerHighnegativeauto
Send a DELETE to a read-only resource (e.g. DELETE /users if only GET is supported). Expect exactly HTTP 405 and an Allow response header listing the supported methods (e.g. 'Allow: GET, HEAD').
GET endpoints also respond correctly to HEAD (body-less) and OPTIONS (CORS preflight)Mediumfunctionalauto
A HEAD request to a GET endpoint must return identical headers to a GET but with no body. An OPTIONS request to a cross-origin endpoint must return the CORS headers your client expects.
Trailing slash variants resolve consistently — either redirect or serve the same responseLowedge-caseauto
Request GET /users and GET /users/. Both should behave identically (both 200, or 200 + 301 redirect to the canonical form). Inconsistency causes client-side bugs when frameworks normalise URLs differently.

Request Validation

0/6

Confirm the API validates all incoming data and rejects malformed or missing fields with descriptive errors.

Omitting a required request body field returns 400 with a field-specific error messageCriticalnegativeauto
Send a POST/PUT with a required field removed. Expect HTTP 400 and a JSON error body that names the missing field (e.g. {"error": "'email' is required"}). A generic 'Bad Request' string is not sufficient.
Sending form-encoded or XML body to a JSON endpoint returns 415 Unsupported Media TypeHighnegativeauto
POST to a JSON-only endpoint with Content-Type: application/x-www-form-urlencoded. The API should return 415, not silently parse partial data or return 500.
Fields with wrong types are rejected — strings are not silently cast to numbersHighnegativeauto
Send a numeric field as a string (e.g. {"age": "twenty-five"}) and a boolean as "true" (string). The API should return 400 with a type-mismatch message, not silently coerce or return NaN.
Unknown fields in the request body are either ignored or rejected — not stored and reflected backCriticalsecurityauto
Send a POST with an extra field not in the schema (e.g. {"role": "admin"}). The API must either strip it silently or return 400. If it stores and returns the extra field, a mass-assignment vulnerability exists.
Path parameters reject SQL injection and traversal payloadsCriticalsecurityauto
Try GET /users/1' OR '1'='1 and GET /users/../admin. Expect 400 or 404, never a 200 with unexpected data. Check the server does not log the raw unescaped string in a way that could cause log injection.
Oversized request bodies are rejected with 413 Payload Too LargeMediumedge-caseauto
Send a request body larger than the server's configured limit (try 10 MB for APIs with a 1 MB limit). Expect 413, not a timeout or an OOM-induced 500.

Response Schema & Consistency

0/5

Assert that every response matches its documented schema and that the API is internally consistent.

Successful responses match the OpenAPI/JSON Schema definition exactlyCriticalfunctionalauto
Validate every 2xx response body against the schema defined in the OpenAPI spec using a JSON Schema validator. Required fields must always be present; optional fields must conform to their declared types when present.
JSON responses carry Content-Type: application/json; charset=utf-8Highfunctionalauto
Inspect the Content-Type response header. APIs returning JSON without declaring it cause silent parsing failures in typed clients and strict HTTP parsers.
Empty collections return [] not null, and absent optional fields are omitted not set to nullHighedge-caseauto
GET /users when no users exist should return {"users": []} not {"users": null}. An optional field like 'avatar' should be absent from the JSON entirely when not set, not present with value null — unless the schema explicitly allows null.
All date/time fields are formatted as ISO 8601 strings in UTCMediumfunctionalauto
Assert that date fields like 'createdAt' and 'updatedAt' match the pattern /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$/. Mixed formats (Unix timestamps, US-formatted dates) in the same API are a frequent source of client-side bugs.
Repeated identical GET requests return identical data (or a documented stale-read window)Mediumfunctionalauto
Send the same GET request 3 times in succession and compare response bodies. Differences are acceptable only if the endpoint is explicitly documented as non-deterministic (e.g. random sampling). Status codes must be identical.

Authentication

0/5

Verify that protected endpoints enforce authentication and that tokens are validated correctly.

Requests without an Authorization header return 401, not 200 or 403Criticalsecurityauto
Send a request to any protected endpoint with the Authorization header omitted entirely. Expect HTTP 401 Unauthorized — not 200 with an empty payload, not 403, and not a redirect to a login page (for APIs).
Expired JWT returns 401 with a WWW-Authenticate header indicating the token is expiredCriticalsecurityauto
Forge or generate a JWT with an exp claim in the past. Send it to a protected endpoint. Expect 401 and ideally a WWW-Authenticate: Bearer error=invalid_token, error_description='Token expired' header.
A JWT with a tampered signature returns 401Criticalsecurityauto
Take a valid JWT, decode the payload, change a claim (e.g. sub or role), re-encode (without re-signing), and send it. The server must reject it with 401 — it must not read the unverified payload.
Tokens issued with limited scopes cannot access endpoints outside those scopesHighsecurityauto
Use a token granted only the 'read:profile' scope to call a 'write:posts' endpoint. Expect 403, confirming the token scope is checked, not just the token's validity.
Using a refresh token more than once after it has been rotated returns 401Highsecurityauto
If the API implements refresh token rotation: call /token/refresh with a valid refresh token (obtaining a new pair), then call /token/refresh again with the same old refresh token. The second call must return 401 and ideally invalidate the new tokens too (token family invalidation).

Authorization (Access Control)

0/4

Verify that users can only access and modify resources they are permitted to.

User A cannot read, update, or delete a resource owned by User BCriticalsecurityauto
Create two accounts: User A and User B. User B creates a resource. Authenticate as User A and attempt GET, PUT, PATCH, and DELETE on User B's resource. Each must return 403 (or 404 if the API prefers to hide existence).
A regular user cannot access admin-only endpoints even with a valid sessionCriticalsecurityauto
Authenticate as a non-admin user and call endpoints documented as admin-only (e.g. GET /admin/users, DELETE /users/:id). Expect 403, confirming role checks are enforced server-side — not just hidden from the UI.
Sequential or guessable IDs do not allow horizontal access to other users' data (IDOR)Criticalsecurityauto
As User A, note the resource ID returned by the API (e.g. /orders/1042). Try incrementing or decrementing it: GET /orders/1041. If this returns User B's order, an Insecure Direct Object Reference vulnerability exists.
Read-only API keys or tokens cannot perform write operationsHighsecurityauto
If the API supports token scopes or roles, issue a read-only credential and attempt POST/PUT/PATCH/DELETE. Every write endpoint must return 403.

Pagination, Filtering & Sorting

0/7

Confirm that collection endpoints handle large datasets correctly and that cursor/offset parameters behave as documented.

Collection endpoints apply a default page size when no pagination params are sentHighfunctionalauto
Call GET /users with no query parameters. The response should include a bounded result set (e.g. 20 items) plus pagination metadata (total, next cursor, or next page link). It must not return all records unbounded.
The last page of results returns the correct remaining items and no 'next' cursorHighedge-caseauto
Paginate through a collection to the final page. The response should contain only the remaining items (possibly fewer than the page size), and the 'next' link or cursor should be absent or null — not an empty page.
Negative, zero, or excessively large page size values return 400Mediumnegativeauto
Request GET /users?limit=-1, GET /users?limit=0, and GET /users?limit=100000. Expect 400 for invalid values and a capped result (e.g. max 100 items) for the oversized request — not a full table scan.
Filter parameters narrow the result set to only matching recordsHighfunctionalauto
Request GET /users?status=active. Every record in the response body must have status === 'active'. Verify with at least one filter that has a known count of matching records.
Filtering on an unknown field returns 400, not a silently empty result setMediumnegativeauto
Request GET /users?nonexistent_field=value. Expect 400 with a message indicating the field is unrecognised — not 200 with an empty array, which would mask typos in client code.
sort_by and order parameters return results in the correct orderMediumfunctionalauto
Request GET /users?sort_by=created_at&order=asc. Assert that consecutive records have non-decreasing created_at values. Then flip to desc and assert non-increasing. Include a test with equal values (same timestamp) to verify stable sort behaviour.
sort_by parameter rejects arbitrary column names to prevent SQL column injectionCriticalsecurityauto
Request GET /users?sort_by=1;DROP+TABLE+users--. Expect 400, not a 500 or — worse — a successful query. The API must validate sort_by against an allowlist of permitted column names.

Error Response Consistency

0/4

Verify that all error responses use consistent HTTP status codes and a uniform JSON error body format.

All 4xx and 5xx responses return a JSON body, never HTML or a plain stringCriticalnegativeauto
Trigger validation errors, authentication failures, and not-found cases. Every error response must return Content-Type: application/json with a structured body — not an HTML error page from the framework or a raw string like 'Unauthorized'.
The API never returns HTTP 200 with an error bodyCriticalnegativeauto
Check all error paths — invalid input, auth failure, not-found. The status code must reflect the error semantics. Returning {"success": false, "error": "Not found"} with HTTP 200 breaks HTTP clients that branch on status code.
Error responses in production never expose stack traces, internal paths, or SQL queriesCriticalsecurityauto
Trigger a server error (e.g. by sending a malformed request that causes an unhandled exception). The 500 response body must not contain a stack trace, file system path, or database query. These are valid in development but must be suppressed in production.
All error responses share the same JSON error schema (e.g. {code, message, details})Highfunctionalauto
Compare error bodies from validation errors, auth errors, and server errors. The top-level keys should be identical across all error types. Inconsistent error shapes force clients to write defensive parsing for every endpoint.

Security Basics

0/5

Verify that the API enforces rate limiting, uses secure headers, and does not leak sensitive data.

Rate-limited endpoints return 429 Too Many Requests after the threshold is exceededHighsecurityauto
Send N+1 requests in a short window (where N is the documented limit). Expect HTTP 429 with a Retry-After header on the N+1th request. Without rate limiting, credential-stuffing attacks and enumeration are trivial.
CORS headers do not allow arbitrary origins — Access-Control-Allow-Origin is not *Highsecurityauto
Send an OPTIONS preflight from a disallowed origin. The Access-Control-Allow-Origin header must not return * for credentialed requests. It should either reflect only the allowed origin or be absent.
Responses never include password hashes, internal IDs, or raw secret fieldsCriticalsecurityauto
Inspect GET /users/:id and GET /me responses. Fields like 'password', 'password_hash', 'secret', 'api_key', and 'internal_id' must not appear. Check both the successful and error paths.
HTTP requests are redirected to HTTPS — the API does not serve on port 80 in productionCriticalsecurityauto
Send a plain HTTP request to the API base URL. Expect a 301 or 308 redirect to the HTTPS equivalent. An API serving on HTTP exposes tokens in transit.
Authentication errors do not distinguish between 'user not found' and 'wrong password'Highsecurityauto
Send POST /auth/login with a nonexistent email, then with a valid email and wrong password. Both must return the same 401 response body. Differentiating them allows user enumeration attacks.

OpenAPI / Documentation Conformance

0/4

Confirm that the live API matches its OpenAPI spec — endpoints, schemas, and status codes must all agree.

The OpenAPI specification file is valid and passes schema lintingHighfunctionalauto
Run the spec through a validator (e.g. openapi-cli validate, Spectral) and assert zero errors. Warnings about missing descriptions or deprecated fields are acceptable; structural errors are not.
Every possible response code the API returns is documented in the specMediumfunctionalauto
For each endpoint, trigger all documented status codes (200, 201, 400, 401, 403, 404, 429, 500) and verify the spec lists each one with a correct schema. Undocumented status codes break generated client SDKs.
Request and response examples in the spec are themselves valid against their own schemasMediumfunctionalauto
Extract examples from the OpenAPI spec and validate each against the corresponding request/response schema. Stale or hand-crafted examples that violate the schema mislead API consumers.
Contract tests run on every CI build to catch schema drift before it reaches productionHighfunctionalauto
Use a tool like Schemathesis or Dredd to replay the OpenAPI spec against the running API and assert all endpoints conform. A spec that drifts from reality is worse than no spec.

Common Bugs

Returns HTTP 200 with an error body instead of a 4xx/5xx status

The API returns {"success": false, "error": "Not found"} with status 200. HTTP clients that branch on status code (axios interceptors, fetch response.ok) silently treat this as success. Every error condition must use the appropriate HTTP status code.

Expired or revoked tokens accepted because token expiry is not validated

The server only validates the JWT signature, not the exp claim. A token issued months ago with a valid signature continues to grant access indefinitely. Always validate exp, nbf, and any server-side revocation list.

IDOR via sequential integer IDs — user can access another user's data by incrementing the path param

GET /orders/1042 returns User A's order. GET /orders/1041 returns User B's order. The server checks that the user is authenticated but not that the resource belongs to the requesting user. Fix: enforce row-level ownership checks, and prefer UUIDs over sequential IDs.

Mass assignment — extra fields in POST body are accepted and persisted

Sending {"username": "alice", "role": "admin"} to a user-registration endpoint silently sets the role to admin because the ORM binds all incoming fields. Always use an explicit allowlist of permitted fields.

Unbounded collection endpoint returns all rows without pagination

GET /events with no limit parameter returns all 500,000 events in a single response, causing a 30-second timeout and eventual OOM. Always enforce a maximum page size server-side, regardless of what the client requests.

sort_by parameter accepts arbitrary values leading to SQL injection via ORDER BY clause

ORDER BY is a clause that many ORMs do not parameterise. Passing sort_by=1;DROP+TABLE+users-- can execute arbitrary SQL. Validate sort_by against a strict allowlist of permitted column names before building the query.

Recommended Tools

Postman

Comprehensive API client with collection runner, environment variables, and built-in test scripting. Good for exploratory testing and sharing requests with the team.

Bruno

Git-native API client that stores collections as plain files. Ideal for version-controlling API tests alongside the source code.

Hoppscotch

Open-source, browser-based API client. Useful for quick ad-hoc requests and teams that want a self-hosted alternative to Postman.

OWASP ZAP

Open-source DAST scanner. Point it at your API to automatically probe for OWASP Top 10 vulnerabilities including injection, auth bypass, and excessive data exposure.

JavaScript-based load testing tool. Use it to validate that your API holds up under the rate-limiting thresholds and pagination edge cases described in this checklist.

// Related resources