REST API Testing Strategies
Understanding key testing strategies for REST APIs
This article was entirely based on the original in English, written by the Sisense team. All credits go to them. This is a free translation and summary.
First concern: functional testing
- We must ensure that we don’t have bugs.
- Ensure that the functionality is in accordance with the specification.
- Prevent merges and new releases from breaking what we already have.
What to verify in functional testing?
- Contract validation: Are the endpoints correct? Do resources reflect what the object brings? Are there functionality errors? Are relationships between resources okay? Do the verbs make sense?
- Verbs/Actions in testing: Validate the status code, JSON fields (in request and response), headers, check app behavior (if applicable), and performance (timing).
- Test scenario categories: Basic positive tests (happy path), positive tests with optional parameters, negative tests with valid inputs (e.g., existing email), negative tests with invalid inputs (e.g., null email), destructive tests, and security tests.
- Testing flows:
  - Test requests in isolation.
  - Test multi-step flows and requests.
  - Combined API and UI tests.
Ensuring non-functional tests
Security and authentication
Verify that these principles are respected:
- Deny-by-default: Access is denied unless specifically authorized.
- Fail securely: Unless explicit access is granted, access must be denied.
- Least privilege principle: A user should only receive the privileges necessary to complete their task.
- Rejection of all illegal inputs: Ensure there are both positive and negative authorization tests.
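The principles above can be checked as a table of positive and negative authorization cases, each asserting on the status code. This Python example is added here and is not from the original article; the tokens, roles, grants and the authorize function are hypothetical, and all sample data is constructed.

```python
"""Added example: authorization test matrix for a hypothetical REST API."""

# Constructed sample data: token -> role, role -> explicitly granted (verb, resource).
TOKENS = {"tok-admin": "admin", "tok-reader": "reader"}
GRANTS = {
    "admin": {("GET", "users"), ("POST", "users"), ("DELETE", "users")},
    "reader": {("GET", "users")},
}

def lookup_role(token):
    """Resolve a token to a role; raises KeyError for unknown tokens."""
    return TOKENS[token]

def authorize(method, resource, token, role_lookup=lookup_role):
    """Return the HTTP status the hypothetical API answers with."""
    if not token:
        return 401                      # no credentials at all
    try:
        role = role_lookup(token)
    except KeyError:
        return 401                      # unknown token
    except Exception:
        return 403                      # fail securely: an error in the check denies
    # Deny-by-default: only an explicit grant yields 200.
    return 200 if (method, resource) in GRANTS.get(role, set()) else 403

def broken_lookup(token):
    """Simulated failure of the backend that stores roles."""
    raise RuntimeError("policy store unreachable")

# (description, verb, resource, token, role lookup, expected status)
CASES = [
    ("positive: admin may delete", "DELETE", "users", "tok-admin", lookup_role, 200),
    ("positive: reader may read", "GET", "users", "tok-reader", lookup_role, 200),
    ("least privilege: reader cannot delete", "DELETE", "users", "tok-reader", lookup_role, 403),
    ("deny-by-default: resource with no grant", "GET", "billing", "tok-admin", lookup_role, 403),
    ("deny-by-default: verb with no grant", "PATCH", "users", "tok-admin", lookup_role, 403),
    ("negative: missing token", "GET", "users", None, lookup_role, 401),
    ("negative: unknown token", "GET", "users", "tok-forged", lookup_role, 401),
    ("fail securely: lookup error denies", "GET", "users", "tok-admin", broken_lookup, 403),
]

def run_matrix(authz=authorize):
    """Return descriptions of the cases whose status differs from the expectation."""
    return [d for d, m, r, t, lk, want in CASES if authz(m, r, t, lk) != want]

if __name__ == "__main__":
    print(run_matrix() or "all authorization cases passed")
```

Against a real service, the same table can drive HTTP requests instead of calling authorize directly; the expected statuses are what carry over.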
Performance and Load
- Performance: Validate response time, latency, and TTFB/TTLB.
- Load testing: Verify that the system works under load in positive scenarios.
- Stress testing: Verify that it fails gracefully under stress in negative scenarios.
Usability
- For public APIs, ensure usability for users without prior knowledge of the system and verify that the documentation is correct.
Post migrated from Medium.
- By Mai R. on February 13, 2023.
