Q23 of 37 · API testing

How would you test a deprecated endpoint that still needs to work for legacy clients?

API testingMidapideprecationlegacyheaders

Short answer

Short answer: Tag the test as 'legacy' or 'deprecated' so it's not confused with current API tests. Cover the documented behaviour, including the deprecation header (`Deprecation`, `Sunset`). Add a removal-date check that fails the test before the announced sunset to flush out lingering callers.

Detail

Deprecated endpoints are a fact of life. The test strategy needs to balance "keep it working for clients" with "make it visible that we'd like to remove it."

Tag the tests. Use TestNG groups, Pytest markers, Jest tags — whatever your framework supports — so deprecated tests are identifiable:

test.describe.skip('deprecated', () => {
  test('GET /v1/users (legacy)', ...);
});

(Or run with --grep deprecated to confirm they still pass when needed.)

Cover the contract you committed to. The endpoint still has paying customers — the tests still run. They cover:

  • Status code, response shape, key field values (same as live endpoints).
  • Backwards compatibility — fields that existed in v1 still exist; new fields are optional additions.
  • Auth behaviour — same auth model as documented at deprecation time.

Test the deprecation signal. Modern APIs surface deprecation through headers:

  • Deprecation: true (or Deprecation: <date>) — RFC 8594.
  • Sunset: Wed, 01 Apr 2026 23:59:59 GMT — the removal date.
  • Link: <https://api.example.com/v2/users>; rel="successor-version".
expect(res.headers()['deprecation']).toBeDefined();
expect(new Date(res.headers()['sunset'])).toBeAfter(new Date());

Add a sunset alarm. A test that fails before the announced sunset prompts the team to verify nothing still calls the endpoint:

test('endpoint sunset is in the future', async () => {
  const sunset = new Date('2026-09-01T00:00:00Z');
  const remaining = sunset.getTime() - Date.now();
  expect(remaining).toBeGreaterThan(30 * 24 * 60 * 60 * 1000);
  // Within 30 days of sunset → fail the test → trigger removal review
});

This is gentle pressure — the closer to sunset, the more visible the test. By the day-of, it forces a decision: extend the deprecation, or remove the endpoint.

Track legacy callers. Beyond tests, collect telemetry on who's still calling the deprecated endpoint:

  • Logs / metrics tagged with caller.
  • Reports of "top legacy callers, last 7 days" for product to chase.

This isn't strictly testing, but it's the QA-adjacent work that makes deprecation real.

The cultural piece: deprecated endpoints accumulate. A team with 50 deprecated endpoints, all passing tests, is in worse shape than one with 0 — every endpoint is a liability. Push for sunset enforcement. Endpoints that get extended past their sunset date should require explicit owner sign-off.

// WHAT INTERVIEWERS LOOK FOR

Tagging legacy tests, asserting on Deprecation/Sunset headers, the sunset-alarm pattern, and willingness to push for removal rather than indefinite extension.

// COMMON PITFALL

Letting deprecated endpoint tests sit alongside current ones with no flag. Future engineers think 'that's how we test users' and copy patterns from a deprecated v1 instead of v2.

// Related questions

How do you test an API that has rate limiting?

API testing

How do you handle backwards-compatible API changes that require client coordination?

API testing

How do you test that an API endpoint returns the correct response?

API testing