June 18, 2026
REST API testing validates the behaviour of HTTP endpoints — the contracts that backend services expose to frontends, mobile clients, and third-party integrations. Because REST APIs are the integration boundary between systems, defects at this layer propagate to every consumer simultaneously. A broken authentication endpoint fails every client that depends on it. A schema change that removes a required field breaks every service that reads that field. Systematic REST API testing catches these defects before they reach integration environments or production.
A complete REST API test suite covers five categories. Success cases verify that correct input produces the expected response body, status code, and headers. Error cases verify that invalid input, missing parameters, and malformed requests produce the correct error status code (400, 422, or the appropriate 4xx) and a useful error message. Authorization cases verify that unauthenticated requests return 401, insufficiently authorized requests return 403, and cross-tenant requests are rejected. Boundary cases test minimum and maximum values, empty collections, null fields, and string length limits. Contract cases verify that the response schema matches the documented OpenAPI specification — no missing fields, no unexpected fields, and correct data types.
Authorization testing is the category most commonly skipped in practice and the one most likely to produce security defects. Every endpoint that returns or modifies user-specific data should be tested with: no authentication token (expect 401), a valid token for a different user (expect 403 or an empty result, not the other user's data), and an expired token (expect 401). For teams building a broader QA strategy, see the complete guide to software testing and Astaqc's test automation services.
The primary tools for REST API testing are Postman/Newman for collection-based testing with a GUI, REST Assured for Java-based programmatic API testing, Playwright and the fetch API for TypeScript-based API tests within an existing test framework, and k6 for load testing HTTP endpoints. The right choice depends on the team's existing language stack and whether API tests are standalone or integrated with end-to-end tests.
TestInspector supports REST API testing directly through its HTTP step commands — requestGET, requestPOST, requestPUT, requestPATCH, and requestDELETE — which accept URL, headers, and body parameters and produce responses that can be asserted with status_equals and body_equals assertions. This allows API tests to be defined alongside UI tests in the same suite, sharing variables, authentication tokens, and environment configuration without maintaining a separate toolchain.
Organise API tests by resource and operation: a folder or file per API resource (users, orders, products), and within each resource, tests for each HTTP method (GET, POST, PUT, PATCH, DELETE). This structure makes it easy to identify coverage gaps — if the orders folder has no DELETE tests, the delete endpoint has no test coverage. Within each operation, include success, error, authorization, and boundary tests as separate test cases.
Environment configuration — base URL, authentication credentials, test data identifiers — should be stored as variables rather than hardcoded in test definitions. This allows the same test suite to run against development, staging, and production environments by switching the environment variable set. In TestInspector, organization-level variables hold encrypted credentials that are injected into every test run without appearing in the test definition itself.
| Test Category | What to Assert | Common Defects Caught |
|---|---|---|
| Success cases | Status 200/201, response schema, field values | Wrong field names, missing fields, wrong data types |
| Error cases | Status 400/422, error message structure | Missing validation, unhelpful error messages |
| Authorization cases | Status 401/403 on invalid auth | Auth bypass, cross-tenant data leakage |
| Boundary cases | Behaviour at limits | Missing null checks, integer overflow, truncation bugs |
| Contract cases | Schema matches OpenAPI spec | Breaking changes, undocumented fields |
In microservices architectures, REST API tests for individual services are complemented by contract tests that verify the agreements between services. Consumer-driven contract testing (CDCT) using Pact defines the expected request and response format from the consumer's perspective and verifies it against the provider's implementation. This catches breaking changes before they propagate through a deployment — a provider change that breaks a consumer contract fails the contract test before the provider is deployed, without requiring a full integration environment.
Contract testing is most valuable for teams with multiple services that evolve independently. For teams with a single backend and a frontend consumer, a comprehensive REST API test suite with schema validation is often sufficient. For teams outsourcing backend QA, the outsourcing guide and Astaqc's QA team service cover API testing in managed engagements.
API tests should run before UI tests. API tests are faster and catch backend defects earlier in the pipeline. If an API test fails, the UI tests that depend on the same API will also fail — running API tests first surfaces the root cause quickly and prevents the slow UI test suite from running unnecessarily against a broken backend.
Store credentials as encrypted environment variables, not in the test definition. Before the main test sequence, run an authentication request (typically a POST to the login endpoint) and extract the returned token. Store the extracted token as a session variable and pass it as a Bearer token in subsequent test requests. This pattern works for JWT-based auth, session cookies, and API key-based auth with minor variations.
In REST API testing, the terms are often used interchangeably — an API test sends an HTTP request to a running service and asserts on the HTTP response, which by definition tests the integration between the test client and the server. A more precise distinction: API tests verify the HTTP interface of a service in isolation (with dependencies mocked or using a test database), while integration tests verify the collaboration between multiple services in a realistic environment. Both are valuable at different points in the test pyramid.
Test the first page with a known dataset and assert on the response body and pagination metadata (total count, next page cursor or offset). Test the boundary: a request for a page beyond the last page should return an empty items array and appropriate pagination metadata, not a 404 or an error. Test that the page size parameter is respected and that items are not duplicated or skipped between pages. For cursor-based pagination, verify that the cursor from one response retrieves the correct next page.
A REST API test suite that only verifies success responses is incomplete. Authorization failures, invalid input handling, and error response structures are where the majority of backend security and reliability defects hide — and they are consistently the most skipped category in practice.
June 18, 2026
Sign up to receive and connect to our newsletter
We founded ASTAQC as a tight-knit group of professional Software Testers and software developers.
Subscribe to our Newsletter
