# API Testing Playground — API Regression Checklist

A reusable checklist for the qa.codes API Testing Playground. Work through it
manually with Postman, then automate the rows that matter most.

## Authentication
- [ ] Valid login returns 200 with a token (in the body, never in the URL)
- [ ] Invalid credentials return 401, with the same response for a bad password and an unknown user
- [ ] Missing credentials return 400 (not 500)
- [ ] Token is required on protected endpoints (no token → 401)
- [ ] Expired token is rejected
- [ ] Tampered token (edited payload or signature) is rejected
- [ ] Refresh-token flow issues a new token, and the old refresh token cannot be reused

## Validation & status codes
- [ ] Required fields are enforced on create (empty/missing → 400)
- [ ] Wrong types and out-of-range values are rejected (e.g. negative quantity, string where a number is expected)
- [ ] Validation failures return 4xx, never 200
- [ ] Unknown resource id returns 404
- [ ] Error responses use a consistent schema and never leak stack traces, SQL, or internal paths

## Products
- [ ] List returns 200 and the documented fields
- [ ] Category filter returns only matching products
- [ ] Pagination total matches the returned records
- [ ] Sort orders numerically (not as strings)
- [ ] Filter + sort can be combined
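The Products rows above can be automated as response-level checks that run on the parsed JSON of a single page, independent of the HTTP client. The block below is an added example written for this checklist, not code from qa.codes or the playground; the field names (`items`, `total`, `page`, `page_size`, `price`, `category`, `id`) and the sample responses are assumptions. The sort check goes beyond the row in one way: it tells a lexical sort (the "10" < "9" bug) apart from a plain unsorted list, which is the distinction you want in the bug report.

```python
"""Pure-function regression checks for the Products rows (added example).
Assumed response shape: {"items": [...], "total": N, "page": P, "page_size": S},
with each item carrying "id", "price" and "category". Each check returns a
list of failure strings; an empty list is a pass."""


def check_numeric_sort(items, field="price", descending=False):
    """Flag items that are not ordered numerically by `field`.

    Distinguishes the classic bug where the API sorted by string value
    (so "10" comes before "9") from a list that is not sorted at all."""
    values = [item[field] for item in items]
    numeric = [float(v) for v in values]
    if numeric == sorted(numeric, reverse=descending):
        return []
    as_text = [str(v) for v in values]
    if as_text == sorted(as_text, reverse=descending):
        return [f"{field}: sorted lexically as strings, not numerically: {values}"]
    return [f"{field}: not sorted: {values}"]


def check_pagination(page_body, items_key="items"):
    """Cross-check the page envelope against the records actually returned."""
    fails = []
    items = page_body[items_key]
    total, page, size = page_body["total"], page_body["page"], page_body["page_size"]
    last_page = max(1, -(-total // size))  # ceiling division; an empty set has one (empty) page
    if page < last_page and len(items) != size:
        fails.append(f"page {page}: expected {size} items, got {len(items)}")
    expected_on_last = total - (last_page - 1) * size
    if page == last_page and len(items) != expected_on_last:
        fails.append(f"last page {page}: expected {expected_on_last} items, got {len(items)}")
    if page > last_page and items:
        fails.append(f"page {page} is past the end but returned {len(items)} items")
    ids = [item["id"] for item in items]
    if len(ids) != len(set(ids)):
        fails.append("duplicate ids within a page")
    return fails


def check_category_filter(items, category):
    """Every returned item must carry the requested category; nothing else."""
    return [f"{item['id']}: category {item.get('category')!r} != {category!r}"
            for item in items if item.get("category") != category]


if __name__ == "__main__":
    # Constructed sample page (assumption): sorted by price "ascending" on the server,
    # but the prices came back as strings and were compared as text.
    sample = {"items": [{"id": 1, "price": "10", "category": "books"},
                        {"id": 2, "price": "5", "category": "books"},
                        {"id": 3, "price": "9", "category": "toys"}],
              "total": 3, "page": 1, "page_size": 20}
    print(check_numeric_sort(sample["items"]))
    print(check_pagination(sample))
    print(check_category_filter(sample["items"], "books"))
```

Point the three functions at each page of a real run (filter + sort combined included) and attach the returned strings to the bug report; they already contain the observed values.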

## Orders & authorization
- [ ] Order creation requires authentication (401 without token)
- [ ] A user can only access their own orders: another user's order id returns 403 or 404, never 200, for read, update and delete alike
- [ ] Retrying the same create does not duplicate the order (idempotency): the retry returns the original order id
- [ ] Admin-only endpoints reject normal users (403) and unauthenticated callers (401)
- [ ] Deleted objects no longer appear in list responses, and a direct GET by id returns 404
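The Authentication rows and the Orders & authorization rows are the ones worth automating first, because a regression there is a security bug rather than a functional one. The block below is an added example for this checklist, not code from qa.codes or the playground. The checks are written against a generic `send(method, path, token=None, body=None, headers=None)` callable that returns `(status, json_body)`, so they can be wrapped around any HTTP client; the routes (`/login`, `/orders`, `/orders/{id}`, `/admin/users`), the `Idempotency-Key` header, the user accounts and the in-memory fake API that stands in for the server are all assumptions made so the file runs offline.

```python
"""Auth and authorization regression checks (added example, not the playground's code).
A constructed in-memory fake API is included so the checks can run offline; replace
fake_send with a wrapper around your HTTP client to run them against a real server."""
import uuid

# ---- constructed fake API (assumption: stands in for the playground) ----
USERS = {"alice": "pw-a", "bob": "pw-b", "admin": "pw-admin"}
TOKENS = {}       # token -> username
ORDERS = {}       # order id -> {"owner": ..., "sku": ...}
IDEMPOTENCY = {}  # (owner, Idempotency-Key) -> order id


def fake_send(method, path, token=None, body=None, headers=None):
    headers, body = headers or {}, body or {}
    if method == "POST" and path == "/login":
        if "username" not in body or "password" not in body:
            return 400, {"error": "username and password required"}
        if USERS.get(body["username"]) != body["password"]:
            return 401, {"error": "invalid credentials"}   # same answer for unknown user
        tok = uuid.uuid4().hex
        TOKENS[tok] = body["username"]
        return 200, {"token": tok}
    user = TOKENS.get(token)
    if user is None:
        return 401, {"error": "authentication required"}
    if method == "POST" and path == "/orders":
        key = headers.get("Idempotency-Key")
        if key and (user, key) in IDEMPOTENCY:
            oid = IDEMPOTENCY[(user, key)]
            return 200, {"id": oid, **ORDERS[oid]}          # replay: original order, not a new one
        oid = uuid.uuid4().hex
        ORDERS[oid] = {"owner": user, "sku": body.get("sku")}
        if key:
            IDEMPOTENCY[(user, key)] = oid
        return 201, {"id": oid, **ORDERS[oid]}
    if method == "GET" and path.startswith("/orders/"):
        order = ORDERS.get(path.rsplit("/", 1)[1])
        if order is None or order["owner"] != user:
            return 404, {"error": "not found"}               # missing and foreign look identical
        return 200, {"id": path.rsplit("/", 1)[1], **order}
    if method == "GET" and path == "/admin/users":
        return (200, {"users": sorted(USERS)}) if user == "admin" else (403, {"error": "forbidden"})
    return 404, {"error": "not found"}


# ---- the checks; each returns a list of failure strings (empty list = pass) ----
def login(send, username, password):
    status, body = send("POST", "/login", body={"username": username, "password": password})
    return status, body.get("token")


def check_authentication(send):
    fails = []
    status, token = login(send, "alice", "pw-a")
    if status != 200 or not token:
        fails.append(f"valid login: expected 200 with token, got {status}")
    status, _ = login(send, "alice", "wrong")
    if status != 401:
        fails.append(f"bad password: expected 401, got {status}")
    status, _ = send("POST", "/login", body={})
    if status != 400:
        fails.append(f"missing credentials: expected 400, got {status}")
    status, _ = send("GET", "/admin/users")                 # no token at all
    if status != 401:
        fails.append(f"protected route without token: expected 401, got {status}")
    status, _ = send("GET", "/admin/users", token="not-a-real-token")
    if status != 401:
        fails.append(f"garbage token: expected 401, got {status}")
    return fails


def check_authorization(send):
    fails = []
    _, alice = login(send, "alice", "pw-a")
    _, bob = login(send, "bob", "pw-b")
    # Idempotency: the same create sent twice with one key must not make a second order.
    key = uuid.uuid4().hex
    s1, o1 = send("POST", "/orders", token=alice, body={"sku": "X"}, headers={"Idempotency-Key": key})
    _, o2 = send("POST", "/orders", token=alice, body={"sku": "X"}, headers={"Idempotency-Key": key})
    if s1 != 201:
        fails.append(f"order create: expected 201, got {s1}")
    if o1.get("id") != o2.get("id"):
        fails.append("idempotency: retry created a second order")
    # BOLA / IDOR: bob must not read alice's order; 403 or 404 are both acceptable, 200 is the bug.
    status, _ = send("GET", f"/orders/{o1.get('id')}", token=bob)
    if status == 200:
        fails.append("BOLA: bob read alice's order")
    elif status not in (403, 404):
        fails.append(f"BOLA: unexpected status {status}")
    status, _ = send("GET", "/admin/users", token=bob)      # normal user on an admin route
    if status != 403:
        fails.append(f"admin route as normal user: expected 403, got {status}")
    return fails


if __name__ == "__main__":
    print("auth:", check_authentication(fake_send))
    print("authz:", check_authorization(fake_send))
```

The BOLA check deliberately accepts either 403 or 404: returning 404 for a foreign id avoids confirming that the id exists, so do not file a bug just because the two differ from each other, only when one of them is 200.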

## Non-functional
- [ ] Rate limiting is enforced after repeated requests (429), including on the login endpoint to slow brute force
- [ ] Response times are within an acceptable threshold
- [ ] Responses are sent as application/json with the correct charset
- [ ] CORS does not reflect an arbitrary Origin together with Access-Control-Allow-Credentials: true

> Tip: each failing row is a candidate bug report — capture the full request (headers
> included, tokens redacted), expected vs actual response body, and status code.
