Protocol foundations
You can't test what you don't understand. Solidify HTTP, REST conventions, and the auth patterns every API in production uses.
HTTP and REST in depth
Most API bugs live in the gap between what the spec says and what the server actually returns. Knowing the protocol well lets you spot the gap.
You'll learn to
- Use every HTTP method correctly (and know which are idempotent)
- Read status code families and pick the right one for each scenario
- Use headers that change behaviour: Content-Type, Accept, Cache-Control
- Understand CORS, preflight requests, and same-origin policy
- Distinguish REST conventions from RESTful design principles
Authentication and authorisation patterns
Every API has auth. Knowing the patterns means you can test them without copying tokens from someone else's screenshot.
You'll learn to
- Test Basic, Bearer, and API-key authentication flows
- Walk through the four OAuth 2.0 flows and pick the right one
- Read JWT structure: header, payload, signature, claims
- Handle refresh tokens, expiry, and token rotation
- Test authorisation: roles, scopes, and resource-level permissions
Hands-on API testing
Move from sending requests by hand to running suites of API tests that catch regressions on every PR.
Postman fluency
Postman is where teams explore APIs and where stakeholders share examples. Even if your test suite lives in code, Postman is the lingua franca.
You'll learn to
- Build a collection with environments and variables
- Chain requests so one request's response feeds the next
- Write test scripts with pm.test and the chai assertion library
- Run collections in CI with Newman
- Document an API with Postman's collection runner output
Code-driven API tests
Postman is exploration. Code tests are what live in CI, get versioned, and catch contract breaks the second they ship.
You'll learn to
- Move from a Postman collection to a code-based test suite
- Write data-driven tests with parameterised fixtures
- Run tests in parallel safely (test isolation, idempotent fixtures)
- Test error paths and edge cases, not just the happy path
- Structure the suite so adding a new endpoint takes minutes, not hours
Schema validation and contract testing
When the API team changes a field type without telling you, schema validation tells you instantly. Contract testing tells the API team before they ship.
You'll learn to
- Validate JSON responses against a JSON Schema
- Generate API clients and types from an OpenAPI spec
- Write consumer-driven contract tests with Pact
- Decide when contract testing beats end-to-end testing (and when it doesn't)
- Wire contract verification into CI for both consumer and provider
Specialised API work
Cover the API shapes you'll meet beyond plain REST: GraphQL, gRPC, and the service boundaries inside a microservices architecture.
GraphQL testing
GraphQL flips a lot of REST assumptions. Same fundamentals, different failure modes.
You'll learn to
- Write queries, mutations, and subscriptions with variables
- Test fragments and nested type selections
- Spot N+1 query problems in test results
- Test errors: GraphQL's error format is unlike REST's
- Use GraphQL's introspection to generate test cases
gRPC and protobuf
(Optional) Binary RPCs are common inside microservice meshes. Even if your team uses REST externally, you'll likely meet gRPC internally.
You'll learn to
- Read a `.proto` file and understand message and service definitions
- Test unary RPC calls with grpcurl or BloomRPC
- Test streaming RPCs (server, client, bidirectional)
- Know when teams pick gRPC over REST and what that means for testing
Microservices test boundaries
Microservices break the test pyramid in interesting ways. Knowing where to test each behaviour saves weeks of flaky end-to-end runs.
You'll learn to
- Place tests at the right layer: unit, integration, contract, end-to-end
- Use mocks, stubs, and fakes correctly (and know the difference)
- Simulate downstream services with Wiremock or Mockoon
- Test asynchronous flows: queues, events, eventual consistency
- Read the test pyramid honestly for a service-oriented codebase
Performance and security at the API layer
Load-test your APIs and check the most common security holes. You don't need to be a perf engineer or a pen-tester to do either competently.
Load-test your APIs with k6
If the API can't handle 10x current traffic, knowing about it before the launch is worth ten code reviews after.
You'll learn to
- Write a k6 script in JavaScript from scratch
- Stage ramp-ups: gradual, spike, soak, breakpoint
- Read p50, p95, p99 latency — and know why averages mislead
- Set thresholds that pass/fail the CI job
- Hook k6 results into CI and into Grafana dashboards
API security basics
You're not the AppSec team, but you're often the first line. Catching the obvious holes before they ship is high-leverage work.
You'll learn to
- Walk through the OWASP API Security Top 10
- Test for broken object-level authorisation (BOLA / IDOR)
- Spot mass assignment and excessive data exposure
- Recognise SSRF, command injection, and SQL injection patterns
- Draw the line: when to hand off to AppSec or a pen-tester