Required Field Is Accepted as Missing
An API endpoint declares a field as required in its documentation or schema but accepts a request where that field is absent, null, or an empty string, and proceeds as if the operation succeeded. Records are created or updated with missing data, silently violating the intended data model.
Medium · Beginner · API testing · Manual testing
// UNDERSTAND
// Symptoms
- A POST request with a documented required field omitted returns a success response
- Records appear in the database with null, undefined, or empty-string values in required fields
- Downstream processes that depend on the required field fail or produce corrupt output
- No validation error is returned despite the missing field
- Frontend form validation blocks submission but the API accepts the same payload directly
// Root Cause
- The backend validation schema omits the required check, or uses a permissive validator that treats null and empty string as valid values for the field
- The field has a server-side default that silently fills in a null or empty-string placeholder when the field is absent — masking the omission instead of signalling it
- Required validation is implemented in the frontend form but is not duplicated in the backend API handler — the API is assumed to be called only through the UI
- The OpenAPI or JSON Schema contract declares the field required, but no validation middleware enforces the contract at runtime
// Where It Appears
- User registration endpoints where email or username should be required
- Order creation endpoints where delivery address or item list should be required
- Event or booking creation where a date or participant count is documented as required
- Any endpoint generated from an OpenAPI spec where validation middleware is absent or misconfigured
// REPRODUCE & TEST
// How to Reproduce
1. Identify a POST or PUT endpoint and its documented required fields (e.g. POST /api/users requires an email field)
2. Construct a valid request body, then remove the email field key entirely (not empty string — completely absent)
3. Send the request and observe the HTTP response status code
4. If the response indicates success, retrieve the created record using the ID from the response and inspect the email field value
// Test Data Needed
- API endpoint URL and documentation listing the required fields
- A valid bearer token for authentication
- A way to send raw HTTP requests with controlled payloads (Postman or curl)
- Access to retrieve or view the resulting record after creation
// Manual Testing Ideas
- Remove each required field from a valid request one at a time and check the response status
- Send the field with an explicit null value ({"email": null}) and observe whether it is accepted
- Send the field as an empty string ("") and confirm whether validation rejects it
- Submit a completely empty body {} to the endpoint
- After a successful response with a missing field, view the record in the UI or database to see what was stored
// API Testing Ideas
- Send a valid POST /api/users with all required fields present; confirm the response is 201 Created
- Send the same request with the email field key entirely omitted from the body
- Assert the response is 400 Bad Request or 422 Unprocessable Entity — not 201
- Send the request again with email set to null explicitly
- Assert the response is still 400 or 422 — not 201
- Send the request with email set to an empty string
- Assert the response is still 400 or 422 — not 201
// Automation Idea
For each required field in the API schema, generate three test cases: field omitted entirely, field set to null, field set to empty string. Assert all three return 400 or 422. After each failing attempt, query the resource list to confirm no record was created.
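The following is an added example, not code from the original page: it shows the permissive handler described under Root Cause (body.get() defaults an absent field to null and the record is saved anyway) beside a strict handler that rejects absent, null and blank values before touching storage, and the three-case probe the Automation Idea describes, run against both. The required fields, the in-memory store and the sample body are assumptions.

```python
from typing import Callable

REQUIRED = ("email", "username")  # assumed required fields of POST /api/users

def missing_required(body: dict, required=REQUIRED) -> list:
    """Names of required fields that are absent, null, or blank (empty/whitespace-only)."""
    return [name for name in required
            if body.get(name) is None
            or (isinstance(body.get(name), str) and not body.get(name).strip())]

def create_user_permissive(store: list, body: dict):
    """Buggy handler: body.get() silently defaults a missing field to None and still saves."""
    record = {"id": len(store) + 1, "email": body.get("email"), "username": body.get("username")}
    store.append(record)
    return 201, record

def create_user_strict(store: list, body: dict):
    """Fixed handler: reject the request and name every missing field before writing anything."""
    missing = missing_required(body)
    if missing:
        return 422, {"errors": [{"field": f, "message": "field is required"} for f in missing]}
    record = {"id": len(store) + 1, "email": body["email"], "username": body["username"]}
    store.append(record)
    return 201, record

def required_field_cases(valid_body: dict, required=REQUIRED):
    """Per required field yield (label, payload): key omitted, explicit null, empty string."""
    for name in required:
        yield f"{name} omitted", {k: v for k, v in valid_body.items() if k != name}
        yield f"{name} null", {**valid_body, name: None}
        yield f"{name} empty", {**valid_body, name: ""}

def probe(send: Callable, store: list, valid_body: dict, required=REQUIRED) -> list:
    """Labels of cases the endpoint wrongly accepted: status not 400/422, or a record was created."""
    failures = []
    for label, payload in required_field_cases(valid_body, required):
        before = len(store)
        status, _ = send(store, payload)
        if status not in (400, 422) or len(store) != before:
            failures.append(label)
    return failures

if __name__ == "__main__":
    valid = {"email": "alice@example.test", "username": "alice"}  # constructed sample body
    print("permissive handler failed cases:", probe(create_user_permissive, [], valid))
    print("strict handler failed cases:", probe(create_user_strict, [], valid))
```

Against a real endpoint, `send` becomes a thin wrapper around the HTTP client and the record count comes from the resource list (GET /api/users) instead of the in-memory store.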
// Expected Result
A request missing a required field returns 400 Bad Request or 422 Unprocessable Entity, with the response body naming the missing field.
// Actual Result (Example)
A POST /api/users request with the email field omitted returns 201 Created, and the resulting user record has a null email value.
// REPORT IT
Example Bug Report
- Title
- POST /api/users accepts a missing email field and creates a user record with null email
- Severity
- Medium
- Environment
- Staging environment; Postman; Admin bearer token
- Steps to Reproduce
1. Obtain a valid admin bearer token
2. Send POST /api/users with a valid body but with the email field key entirely omitted
3. Observe the HTTP response status code and body; note the created user ID
4. Send GET /api/users/{id} using the ID from the response and inspect the email field value
- Expected Result
- The API returns 400 Bad Request with a message indicating the email field is required.
- Actual Result
- The API returns 201 Created; GET /api/users/{id} shows the user was created with a null email value.
- Impact
- Users created without an email address cannot receive password reset links, order confirmations, or notification emails, leading to broken account flows and increased support volume.