cloudAPIs Test Catalog

This catalog is high-level enough to be independent of the underlying technology or architecture (REST, SOAP, gRPC and so on) and focuses on functional behaviour rather than implementation details.

Request & Input Handling

  • Failure to accept a valid request

  • Failure to reject an invalid or malformed request

    • API accepts {"userId": "abc123"} when userId must be numeric

  • Failure to handle missing required request elements

    • API creates a user even when email is omitted from the request

  • Failure to handle unexpected request elements

    • API crashes or ignores the request when an extra field nickname is included

  • Failure to handle an incorrect request structure

    • API fails when receiving nested JSON instead of a flat JSON object as expected

    • A body in XML (or another format) sent where JSON is expected, or vice versa
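The Request & Input Handling checks above are easiest to reason about against a concrete validator. The following is an added example, not code from the original catalog: a strict validator for a hypothetical `POST /api/user` endpoint whose schema (numeric `userId`, required `email`, optional `name`) is assumed here to match the bullet points. It replays constructed requests for every case in the list and returns the status each one should get, so the catalog doubles as a regression suite.

```python
import json
from typing import Any

# Constructed schema for the hypothetical create-user request:
# field -> (expected JSON type, required?). Not part of the original catalog.
USER_SCHEMA: dict[str, tuple[type, bool]] = {
    "userId": (int, True),
    "email": (str, True),
    "name": (str, False),
}


def validate_create_user(content_type: str, body: bytes) -> tuple[int, dict[str, Any]]:
    """Return (http_status, response_body) for a create-user request.

    A well-formed request yields 201. Every malformed shape from the catalog
    yields a 4xx with a machine-readable error code; nothing in here raises,
    so a bad request can never turn into a 500 that leaks a stack trace.
    """
    # Wrong media type (XML or anything else where JSON is expected) is
    # rejected before the body is parsed at all.
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        return 415, {"error": "unsupported_media_type", "expected": "application/json"}

    try:
        payload: Any = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:   # JSONDecodeError is a ValueError
        return 400, {"error": "malformed_json", "detail": str(exc)}

    # The top level must be a flat object: arrays, scalars and a nested
    # wrapper such as {"user": {...}} are all rejected.
    if not isinstance(payload, dict):
        return 400, {"error": "invalid_structure", "detail": "expected a JSON object"}

    errors: list[dict[str, str]] = []

    # Unknown fields are rejected, not silently ignored: mass-assignment bugs
    # come from binding attributes the schema never declared.
    for name in payload:
        if name not in USER_SCHEMA:
            errors.append({"field": name, "error": "unexpected_field"})

    for name, (expected, required) in USER_SCHEMA.items():
        if name not in payload:
            if required:
                errors.append({"field": name, "error": "missing_required_field"})
            continue
        value = payload[name]
        # bool is a subclass of int in Python, so "userId": true must be
        # caught explicitly or it would pass as numeric.
        if isinstance(value, bool) or not isinstance(value, expected):
            errors.append({"field": name, "error": "wrong_type", "expected": expected.__name__})
        elif name == "email" and "@" not in value:
            errors.append({"field": name, "error": "invalid_format"})

    if errors:
        return 400, {"error": "validation_failed", "errors": errors}
    return 201, {"userId": payload["userId"], "email": payload["email"]}


# Constructed requests mirroring the catalog's bullet points; each pairs a
# Content-Type header with a raw body so the cases can be replayed offline.
CATALOG_CASES: dict[str, tuple[str, bytes]] = {
    "valid": ("application/json", b'{"userId": 42, "email": "a@example.com"}'),
    "non_numeric_userId": ("application/json", b'{"userId": "abc123", "email": "a@example.com"}'),
    "missing_email": ("application/json", b'{"userId": 42}'),
    "extra_field_nickname": ("application/json", b'{"userId": 42, "email": "a@example.com", "nickname": "x"}'),
    "nested_instead_of_flat": ("application/json", b'{"user": {"userId": 42, "email": "a@example.com"}}'),
    "array_instead_of_object": ("application/json", b'[{"userId": 42, "email": "a@example.com"}]'),
    "truncated_json": ("application/json", b'{"userId": 42, "email": '),
    "xml_instead_of_json": ("application/xml", b"<user><userId>42</userId></user>"),
}


def run_catalog() -> dict[str, int]:
    """Run every catalog case and return {case_name: http_status}."""
    return {name: validate_create_user(ct, body)[0] for name, (ct, body) in CATALOG_CASES.items()}


if __name__ == "__main__":
    for name, status in run_catalog().items():
        print(f"{status}  {name}")
```

The choice of 415 for a wrong media type and 400 for everything else is a convention, not a requirement; what the catalog demands is that each case is rejected deliberately with a stable error code, and that an unexpected field is refused rather than ignored.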

Routing & Endpoint Behavior

  • Failure to handle unsupported HTTP methods

  • Failure to gracefully handle incorrect (non-existing) endpoint paths

    • A request to /api/uer (typo in user) returns a server error instead of a 404 Not Found

Response Verification

  • Failure to return the expected response structure

  • Failure to return the correct HTTP status code (a very common defect)

  • Failure to return meaningful error responses

  • Failure to include required response fields

  • Failure to handle empty or no-content responses (on the client side: a 204 or an empty body must not break the consumer)
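The Routing & Endpoint Behavior and Response Verification checks above come together in a dispatcher, so one added example serves both lists. This is not code from the original catalog: the route table, the handlers and the `/api/report` endpoint whose handler deliberately throws are all constructed for illustration. It shows an unknown path becoming a 404 rather than a 500, an unsupported method becoming a 405 that carries the `Allow` header, a handler bug becoming a generic 500 whose body never contains the exception text, and a client-side `parse_body` that treats 204 and empty bodies as "no content" and checks for required response fields.

```python
import json
from typing import Any, Callable, Optional

# A response is (status, headers, body). The handlers below are constructed
# stand-ins for real ones and return fixed sample data.
Response = tuple[int, dict[str, str], bytes]
Handler = Callable[[bytes], Response]

JSON_HEADERS = {"Content-Type": "application/json"}


def _json(status: int, payload: Any) -> Response:
    return status, dict(JSON_HEADERS), json.dumps(payload).encode()


def error_response(status: int, code: str, detail: str) -> Response:
    """Uniform error envelope: a stable machine-readable code plus a short
    human-readable detail, never an exception message or a stack trace."""
    return _json(status, {"error": code, "detail": detail})


def _get_user(_body: bytes) -> Response:
    return _json(200, {"userId": 42, "email": "a@example.com"})


def _delete_user(_body: bytes) -> Response:
    return 204, {}, b""   # a 204 carries no body at all


def _broken_handler(_body: bytes) -> Response:
    # Constructed bug: the message contains an internal hostname that must
    # never reach the client.
    raise RuntimeError("connection refused (host=db-internal.local)")


# Constructed route table: path -> {method: handler}. Hypothetical endpoints.
ROUTES: dict[str, dict[str, Handler]] = {
    "/api/user": {"GET": _get_user, "DELETE": _delete_user},
    "/api/report": {"GET": _broken_handler},
}

RECOGNISED_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}


def dispatch(method: str, path: str, body: bytes = b"") -> Response:
    """Route a request, mapping every failure to the right status code."""
    try:
        methods = ROUTES.get(path)
        if methods is None:
            # Unknown path (e.g. the /api/uer typo) is a 404, not a 500.
            return error_response(404, "not_found", f"no resource at {path}")
        if method not in RECOGNISED_METHODS:
            # A method the server does not know at all is 501, not 405.
            return error_response(501, "not_implemented", f"unknown method {method}")
        if method == "HEAD" and "GET" in methods and "HEAD" not in methods:
            status, headers, _ = methods["GET"](body)
            return status, headers, b""   # HEAD mirrors GET without a body
        handler = methods.get(method)
        if handler is None:
            status, headers, body_out = error_response(
                405, "method_not_allowed", f"{method} is not supported on {path}")
            headers["Allow"] = ", ".join(sorted(methods))   # required on a 405
            return status, headers, body_out
        return handler(body)
    except Exception:
        # Handler bugs become a generic 500; the exception text belongs in the
        # server log, never in the response.
        return error_response(500, "internal_error", "unexpected server error")


def parse_body(status: int, headers: dict[str, str], body: bytes,
               required: tuple[str, ...] = ()) -> Optional[dict[str, Any]]:
    """Client side: decode a response body, treating 204 and empty bodies as
    'no content' instead of calling json.loads(b'') and crashing. Raises
    ValueError when a required response field is missing."""
    if status == 204 or not body:
        return None
    if headers.get("Content-Type", "").split(";", 1)[0].strip() != "application/json":
        raise ValueError("expected a JSON body")
    payload = json.loads(body)
    missing = [f for f in required if f not in payload]
    if missing:
        raise ValueError(f"response missing required fields: {missing}")
    return payload


if __name__ == "__main__":
    for method, path in [("GET", "/api/uer"), ("PUT", "/api/user"), ("GET", "/api/report")]:
        status, headers, body = dispatch(method, path)
        print(method, path, status, headers, body.decode())
```

When testing a real API, the same assertions apply from the outside: send the typo path, the wrong verb and an unknown verb, and check both the status code and whether the error body is a stable envelope or a framework stack trace.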

State & Data Lifecycle

  • Failure to create, update, or delete data as intended

  • Failure to reflect state changes in subsequent requests

  • Failure to handle repeated or duplicate requests correctly

  • Failure to maintain data consistency across operations
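The State & Data Lifecycle checks above are about what a second request sees after a first one. The following is an added example, not code from the original catalog: an in-memory store for the same hypothetical user resource, with two mechanisms that make the catalog's last two bullets testable. An `Idempotency-Key` makes a retried create return the original response instead of a second record (and rejects reuse of the key with a different body), and an `If-Match` version check makes a stale update fail with 412 instead of silently overwriting a newer one. The status codes are the usual HTTP choices and are assumed here, not taken from the catalog.

```python
import hashlib
import itertools
import json
from dataclasses import dataclass, asdict
from typing import Any, Optional


@dataclass
class User:
    userId: int
    email: str
    version: int = 1   # bumped on every update; plays the role of an ETag


Result = tuple[int, Optional[dict[str, Any]]]   # (status, response body)


class UserStore:
    """Constructed in-memory backend for a hypothetical /api/user resource."""

    def __init__(self) -> None:
        self._users: dict[int, User] = {}
        self._ids = itertools.count(1)
        # Idempotency-Key -> (request fingerprint, stored response)
        self._replays: dict[str, tuple[str, Result]] = {}

    @staticmethod
    def _fingerprint(payload: dict[str, Any]) -> str:
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def count(self) -> int:
        return len(self._users)

    def create(self, payload: dict[str, Any], idempotency_key: Optional[str] = None) -> Result:
        """POST: a retried request with the same key returns the original
        response instead of creating a second user; the same key with a
        different body is a client error, not a silent overwrite."""
        fp = self._fingerprint(payload)
        if idempotency_key is not None and idempotency_key in self._replays:
            stored_fp, stored_result = self._replays[idempotency_key]
            if stored_fp != fp:
                return 422, {"error": "idempotency_key_reused_with_different_payload"}
            return stored_result
        user = User(userId=next(self._ids), email=payload["email"])
        self._users[user.userId] = user
        result: Result = (201, asdict(user))
        if idempotency_key is not None:
            self._replays[idempotency_key] = (fp, result)
        return result

    def get(self, user_id: int) -> Result:
        user = self._users.get(user_id)
        return (200, asdict(user)) if user else (404, {"error": "not_found"})

    def update(self, user_id: int, payload: dict[str, Any], if_match: int) -> Result:
        """PUT with If-Match: a stale version is rejected with 412 so two
        concurrent updates cannot silently overwrite each other."""
        user = self._users.get(user_id)
        if user is None:
            return 404, {"error": "not_found"}
        if if_match != user.version:
            return 412, {"error": "precondition_failed", "currentVersion": user.version}
        user.email = payload["email"]
        user.version += 1
        return 200, asdict(user)

    def delete(self, user_id: int) -> Result:
        # The resource is gone either way; reporting 404 on a repeat lets a
        # test tell the first delete from the second.
        if user_id not in self._users:
            return 404, {"error": "not_found"}
        del self._users[user_id]
        return 204, None


def run_lifecycle() -> list[int]:
    """Walk the catalog's lifecycle checks and return the status codes seen."""
    store = UserStore()
    seen: list[int] = []
    s, created = store.create({"email": "a@example.com"}, idempotency_key="k1")
    seen.append(s)                                   # 201: created
    uid = created["userId"]
    s, replay = store.create({"email": "a@example.com"}, idempotency_key="k1")
    seen.append(s)                                   # 201 again, same userId, still one user
    assert replay["userId"] == uid and store.count() == 1
    s, _ = store.create({"email": "other@example.com"}, idempotency_key="k1")
    seen.append(s)                                   # 422: key reused with a different body
    s, fetched = store.get(uid)
    seen.append(s)                                   # 200: the create is visible
    s, _ = store.update(uid, {"email": "new@example.com"}, if_match=fetched["version"])
    seen.append(s)                                   # 200: version 1 -> 2
    s, _ = store.update(uid, {"email": "stale@example.com"}, if_match=fetched["version"])
    seen.append(s)                                   # 412: stale version, no overwrite
    s, current = store.get(uid)
    seen.append(s)                                   # 200
    assert current["email"] == "new@example.com" and current["version"] == 2
    seen.append(store.delete(uid)[0])                # 204
    seen.append(store.delete(uid)[0])                # 404: already gone
    seen.append(store.get(uid)[0])                   # 404: delete is reflected
    return seen


if __name__ == "__main__":
    print(run_lifecycle())
```

The same sequence is what to run against a real API: create with a key, retry the exact request, retry with a changed body, read back, update twice with the same precondition, delete twice, read back again. Any step where the second request sees something other than what the first one left behind is a finding under this section.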

Security

A large and complex field. Start with the GitHub repo awesome-api-security.

Recommended reading: Testing Web APIs by Mark Winteringham.

See also Testing Books: Curated List.
