API Test Automation

Overview

Automate comprehensive API endpoint testing for REST and GraphQL APIs including request generation, response validation, schema compliance, authentication flows, and error handling. Supports Supertest (Node.js), REST-assured (Java), httpx/pytest (Python), Postman/Newman collections, and Pact for consumer-driven contract testing.

Prerequisites

API testing library installed (Supertest, REST-assured, httpx, or Postman/Newman)

API specification file (OpenAPI/Swagger YAML/JSON or GraphQL SDL)

Target API running in a test environment with seeded data

Authentication credentials or API keys for protected endpoints

JSON Schema validator (Ajv, jsonschema, or built-in framework assertions)

Instructions

Read the API specification and extract all endpoints:

Parse OpenAPI spec to catalog every path, HTTP method, request schema, and response schema.

For GraphQL APIs, introspect the schema to list queries, mutations, and subscriptions.

Document authentication requirements per endpoint (API key, Bearer token, OAuth, none).

Generate test cases for each endpoint:

Success cases

Send valid requests matching the schema and assert 200/201 responses.

Validation errors

Send requests with missing required fields, wrong types, and out-of-range values; assert 400 responses.

Authentication

Test with valid, expired, and missing credentials; assert 200, 401, and 403 respectively.

Not found

Request non-existent resources; assert 404 responses.

Idempotency

Send the same PUT/DELETE request twice and verify consistent behavior. Validate response structure against schemas: Assert response Content-Type matches expected (application/json, etc.). Validate response body against the OpenAPI response schema using JSON Schema validation. Check response headers (Cache-Control, Rate-Limit headers, CORS headers). Verify pagination metadata (total count, page number, next/previous links). Test CRUD lifecycle for resource endpoints: Create a resource (POST) and capture the ID. Read it back (GET) and verify all fields match. Update it (PUT/PATCH) and verify changes persisted. Delete it (DELETE) and verify subsequent GET returns 404. Test error handling and edge cases: Send excessively large payloads and verify 413 or graceful rejection. Send requests with unsupported Content-Types and verify 415. Test rate limiting by sending rapid sequential requests. Verify error response format is consistent (standard error schema). For GraphQL APIs, test specifically: Valid queries return expected data shapes. Invalid queries return descriptive error messages. Query depth limiting prevents deeply nested abuse queries. Mutation input validation matches schema constraints. Generate a test coverage report mapping endpoints to test cases. Output API test files organized by resource in tests/api/ Request/response examples for API documentation Schema compliance report for each endpoint Endpoint coverage matrix showing tested vs. untested endpoints and methods CI pipeline step running API tests against staging environment Error Handling Error Cause Solution Connection refused API server not running or wrong base URL Verify server is up with a health check before test suite starts; check BASE_URL config 401 on all requests Authentication token expired or misconfigured Refresh token in test setup; verify Authorization header format; check token scopes Schema validation fails unexpectedly API response includes extra fields not in spec Update OpenAPI spec to include new fields; use additionalProperties: true if expected Test data conflicts Another test modified or deleted the resource Use unique test data per test; create resources in beforeEach ; avoid shared fixtures Rate limit hit during test run Too many requests in quick succession Add delays between requests or use authenticated sessions with higher limits; run tests serially Examples Supertest REST API test suite: import request from 'supertest' ; import { app } from '../src/app' ; describe ( 'GET /api/products' , ( ) => { it ( 'returns a paginated product list' , async ( ) => { const res = await request ( app ) . get ( '/api/products?page=1&limit=10' ) . set ( 'Authorization' , Bearer ${ token } ) . expect ( 200 )

HTTP 200 OK . expect ( 'Content-Type' , / json / ) ; expect ( res . body . data ) . toBeInstanceOf ( Array ) ; expect ( res . body . data . length ) . toBeLessThanOrEqual ( 10 ) ; expect ( res . body . meta ) . toMatchObject ( { page : 1 , limit : 10 } ) ; } ) ; it ( 'returns 401 without authentication' , async ( ) => {

HTTP 401 Unauthorized await request ( app ) . get ( '/api/products' ) . expect ( 401 ) ;

HTTP 401 Unauthorized } ) ; } ) ; describe ( 'POST /api/products' , ( ) => { it ( 'creates a product with valid data' , async ( ) => { const res = await request ( app ) . post ( '/api/products' ) . set ( 'Authorization' , Bearer ${ token } ) . send ( { name : 'Widget' , price : 9.99 , category : 'tools' } ) . expect ( 201 ) ;

HTTP 201 Created expect ( res . body ) . toMatchObject ( { name : 'Widget' , price : 9.99 } ) ; expect ( res . body . id ) . toBeDefined ( ) ; } ) ; it ( 'returns 400 for missing required fields' , async ( ) => {

HTTP 400 Bad Request await request ( app ) . post ( '/api/products' ) . set ( 'Authorization' , Bearer ${ token } ) . send ( { name : 'Widget' } ) // missing price . expect ( 400 ) ;

HTTP 400 Bad Request } ) ; } ) ; GraphQL API test: it ( 'fetches user by ID' , async ( ) => { const query = query { user(id: "1") { id name email } } ; const res = await request ( app ) . post ( '/graphql' ) . send ( { query } ) . expect ( 200 ) ;

HTTP 200 OK expect ( res . body . data . user ) . toMatchObject ( { id : '1' , name : 'Alice' } ) ; expect ( res . body . errors ) . toBeUndefined ( ) ; } ) ; Resources Supertest: https://github.com/ladjs/supertest REST-assured (Java): https://rest-assured.io/ httpx (Python): https://www.python-httpx.org/ Newman (Postman CLI): https://learning.postman.com/docs/collections/using-newman-cli/ OpenAPI specification: https://spec.openapis.org/oas/v3.1.0 Ajv JSON Schema validator: https://ajv.js.org/