How would you test a REST API endpoint?

Clarify first

• Which HTTP method and what does the endpoint do (create, read, update, delete)?
• Is authentication required, and what mechanism (Bearer token, API key, session cookie)?
• Is there a documented request and response schema (OpenAPI spec)?
• Is the endpoint rate-limited?

Functional

• Happy-path request returns the documented status code (200, 201, etc.) and a response body that matches the schema
• Filtering, sorting, or pagination parameters work as documented
• Idempotent methods (GET, PUT, DELETE) produce the same result when called multiple times with the same input
• Correct HTTP verb required: using GET on a POST-only endpoint returns 405

Negative / error handling

• Missing required fields in the request body → 400 with a meaningful, field-specific error message (not a stack trace)
• Invalid authentication token → 401; authenticated user accessing a forbidden resource → 403; nonexistent resource → 404
• Malformed JSON body → 400; wrong Content-Type header → 415
• Payload beyond the server's accepted size → 413

Edge & boundary

• Boundary values in request fields: max string length, zero, negative numbers, INT_MAX
• Unicode and emoji in string fields
• Concurrent identical POST requests — idempotency key prevents duplicate creation
• Very large response payload — streaming or pagination applied?

Security

• SQL/NoSQL injection in query params and request body
• Mass assignment: send extra unexpected fields in the body — are they silently stored? (e.g., sending "role": "admin" on a user update endpoint)
• BOLA/IDOR: access another user's resource by changing the resource ID in the path (/users/42 when authenticated as user 43)
• Verbose error messages: does a 500 response leak a stack trace, SQL query, or server path?

Contract / schema

• Response always matches the OpenAPI spec, including null vs absent fields, optional vs required, and enum values

Close: automate contract/schema validation (use a schema validator against every response), all status code paths, and security checks (IDOR, mass assignment). Keep exploratory for edge cases around spec ambiguity and undocumented behavior.