API Testing Checklist
APIs are the backbone of modern applications, and AI-generated APIs frequently have inconsistent response formats, missing validation, and broken error handling. This checklist covers the essential tests to ensure your API is reliable, secure, and well-documented.
Last updated: 2026-03-14
Endpoint Functionality
All CRUD operations work correctly
Test Create, Read, Update, and Delete operations for every resource and verify they produce the expected results.
Response formats are consistent
Verify that all endpoints return data in the same format with consistent field naming, pagination structure, and error shape.
HTTP status codes are appropriate
Verify that endpoints return 200 for success, 201 for creation, 400 for bad requests, 401 for unauthorized, and 404 for missing resources.
Pagination works correctly
Test paginated endpoints with various page sizes, navigate through all pages, and verify no items are duplicated or missing.
Filtering and sorting produce correct results
Apply different filter and sort parameters and verify the returned data matches the criteria.
Input Validation
Required fields are validated
Send requests with missing required fields and verify the API returns clear error messages identifying which fields are missing.
Data types are validated
Send strings where numbers are expected, arrays where objects are expected, and verify appropriate validation errors.
Boundary values are handled
Test with maximum and minimum values, empty strings, extremely long strings, and zero values to verify proper handling.
Malicious input is rejected
Send SQL injection, XSS payloads, and other attack strings to verify the API sanitizes or rejects them.
Authentication and Authorization
Unauthenticated requests are rejected on protected endpoints
Call protected endpoints without credentials and verify they return 401 Unauthorized.
Expired tokens are rejected
Use an expired authentication token and verify the API returns 401 rather than serving data.
Users cannot access other users' resources
Attempt to read or modify another user's data and verify the API returns 403 Forbidden.
Rate limiting is enforced
Send many requests in rapid succession and verify the API returns 429 Too Many Requests after exceeding the limit.
Error Handling
Error responses include helpful messages
Verify that error responses explain what went wrong and how to fix the request, not just an error code.
Server errors do not expose internal details
Trigger 500 errors and verify that stack traces, database queries, and file paths are not included in responses.
Non-existent endpoints return 404
Request endpoints that do not exist and verify a proper 404 response rather than a 500 error or HTML page.
Concurrent request handling is correct
Send simultaneous requests that modify the same resource and verify no data corruption or race conditions occur.
Frequently Asked Questions
What tools should I use for API testing?
Postman, Insomnia, or httpie are excellent for manual API testing. For automated testing, tools like Jest with supertest, pytest, or Playwright API testing provide programmatic access.
How do I test API rate limiting effectively?
Send requests in a loop with minimal delay and count how many succeed before receiving a 429 response. Verify the rate limit matches your configured threshold and that the response includes a Retry-After header.
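The probe described in that answer, written out as an added example (not code from this page): `probe_rate_limit` fires requests until the first 429 and reports how many succeeded and whether a numeric `Retry-After` came back; `FakeLimitedApi` is a constructed, fixed-window stand-in so the example runs offline, and `send` would wrap your real HTTP client in practice.

```python
import math
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass
class Response:
    status: int
    headers: Dict[str, str]

@dataclass
class RateLimitResult:
    successes_before_429: int   # 2xx responses seen before the first 429
    retry_after: Optional[int]  # Retry-After in seconds; None if absent or not numeric (HTTP-date form not handled)
    passed: bool                # count matched the configured threshold and Retry-After was usable

def probe_rate_limit(send: Callable[[], Response], expected_limit: int,
                     max_requests: Optional[int] = None) -> RateLimitResult:
    """Send requests back-to-back until the first 429 and judge the outcome.
    `send` performs one request (wrap your HTTP client for a real run). The probe
    gives up after max_requests (default 2x the limit) so a missing limiter can't loop forever."""
    budget = max_requests if max_requests is not None else expected_limit * 2
    successes = 0
    for _ in range(budget):
        resp = send()
        if resp.status == 429:
            raw = resp.headers.get("Retry-After")
            retry_after = int(raw) if raw is not None and raw.isdigit() else None
            ok = successes == expected_limit and retry_after is not None and retry_after > 0
            return RateLimitResult(successes, retry_after, ok)
        if 200 <= resp.status < 300:
            successes += 1
    return RateLimitResult(successes, None, False)  # never saw a 429: limit not enforced

class FakeLimitedApi:
    """Constructed stand-in for an API behind a fixed-window limiter (not a real service).
    emit_retry_after=False reproduces the common bug of a 429 with no Retry-After header."""
    def __init__(self, limit: int, window: int = 60, emit_retry_after: bool = True,
                 clock: Callable[[], float] = time.monotonic):
        self.limit, self.window, self.emit_retry_after = limit, window, emit_retry_after
        self.clock, self.window_start, self.count = clock, clock(), 0
    def get(self) -> Response:
        now = self.clock()
        if now - self.window_start >= self.window:  # window elapsed: start a fresh count
            self.window_start, self.count = now, 0
        self.count += 1
        if self.count > self.limit:
            secs = max(1, math.ceil(self.window_start + self.window - now))
            return Response(429, {"Retry-After": str(secs)} if self.emit_retry_after else {})
        return Response(200, {})
```

A `passed` of False with `retry_after is None` means the limiter fired but the client was given nothing to back off on; a False with `successes_before_429 == budget` means no limit was enforced at all.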