api-testing
API Testing (Playwright + REST Assured)
Comprehensive API testing skill covering both Playwright TypeScript (request fixture, Supertest, Zod) and Java (REST Assured, AssertJ, JSON Schema Validator). Provides deep domain expertise for the api-tester-specialist agent.
When to Use This Skill
- Create API tests for REST or GraphQL endpoints
- Validate request/response schemas (Zod, JSON Schema)
- Test authentication flows (OAuth2, JWT, API keys, Bearer tokens)
- Verify error handling (400, 401, 403, 404, 409, 422, 500)
- Test pagination, filtering, sorting edge cases
- Validate idempotency for PUT/DELETE operations
- Contract testing between services
- Rate limiting validation
Prerequisites
| Stack | Requirements |
|---|---|
| TypeScript | Node.js 18+, @playwright/test or supertest, zod |
| Java | Java 21+, REST Assured 5.x, AssertJ, Jackson, json-schema-validator |
Core Principles
- Schema validation on every response — never trust an unvalidated response
- Test all HTTP status codes — happy path AND error states
- Auth testing is mandatory — verify 401/403 for protected endpoints
- Data-driven — test with valid, invalid, boundary, and empty values
- Stateless where possible — each test cleans up or uses unique data
Quick Reference — Playwright
import { test, expect } from "@playwright/test";
test("GET /api/users returns 200 with valid schema", async ({ request }) => {
const response = await request.get("/api/users");
expect(response.ok()).toBeTruthy();
const body = await response.json();
expect(body).toMatchObject({ data: expect.any(Array) });
});
Quick Reference — REST Assured
import static io.restassured.RestAssured.*;
import static org.hamcrest.Matchers.*;
import java.util.List;
import org.junit.jupiter.api.DisplayName;
import org.junit.jupiter.api.Test;
@Test
@DisplayName("GET /api/users returns 200 with valid schema")
void getUsers() {
String token = "test-token";
given()
.header("Authorization", "Bearer " + token)
.when()
.get("/api/users")
.then()
.statusCode(200)
.body("data", is(instanceOf(List.class)))
.body("data.size()", greaterThan(0));
}
Common Rationalizations
Common shortcuts and "good enough" excuses that erode test quality — and the reality behind each.
| Rationalization | Reality |
|---|---|
| "Schema validation is overkill" | Without schema validation, a silent field rename becomes a production incident. Validate every response. |
| "Happy path testing is enough" | Error states (400, 401, 403, 404, 409, 500) are where real failures happen. Test all status codes. |
| "Auth tests can wait" | Unauthenticated access to protected endpoints is a security vulnerability, not a backlog item. |
| "This endpoint won't change" | APIs evolve. Contract tests catch breaking changes before they reach production. |
| "Manual API testing with Postman is sufficient" | Manual testing isn't repeatable, can't run in CI, and doesn't scale. Automate API tests. |
| "Idempotency doesn't matter" | Duplicate requests happen in production. Without idempotency testing, you get duplicate records and charges. |
References
| Document | Content |
|---|---|
| REST API Patterns | CRUD, pagination, filtering, error patterns |
| Playwright API Testing | Request fixture, Supertest, TypeScript patterns |
| REST Assured Testing | REST Assured, AssertJ, Java patterns |
| Schema Validation | Zod (TS), JSON Schema (Java), strict vs loose |
| Contract Testing | Request/response contracts, idempotency, versioning |
Templates
- Playwright API Spec — starter test file for API testing
- REST Assured Test — starter Java test class
Scripts
- API Health Check — validate API endpoints respond correctly
Troubleshooting
| Issue | Solution |
|---|---|
| 401 on authenticated endpoints | Verify token is fresh; check expiry; re-authenticate |
| Flaky API tests | Add retry logic; check for rate limiting; use unique test data |
| Schema validation too strict | Use .passthrough() (Zod) or additionalProperties: true for flexible fields |
| Timeout on slow endpoints | Increase timeout in request options; check for server load |
Verification
After completing this skill's workflow, confirm:
- All CRUD operations tested — POST, GET, PUT, PATCH, DELETE covered for the resource
- Status codes verified — Success (2xx) AND error codes (4xx, 5xx) tested
- Schema validation in place — Every response validated against a schema (Zod or JSON Schema)
- Authentication tested — 401 returned for protected endpoints without valid credentials
- Idempotency verified — PUT/DELETE produce same result when called multiple times
- Edge cases covered — Empty payloads, invalid types, boundary values, SQL injection attempts
- All tests pass — Playwright API tests or REST Assured tests exit successfully
More from fugazi/test-automation-skills-agents
playwright-e2e-testing
End-to-end, API, and responsive testing for web applications using Playwright with TypeScript. Use when asked to write, run, debug, or maintain Playwright (@playwright/test) TypeScript tests for UI behavior, form submissions, user flows, API validation, responsive design, or visual regression. Covers browser automation, network interception, mocking, Page Object Model, fixtures, and parallel execution.
157qa-manual-istqb
ISTQB Foundation Level (CTFL) aligned QA toolkit for manual and automated testing. Use when asked to create test plans, test strategies, test conditions, test cases, bug reports, defect logs, regression suites, traceability matrices, or exploratory charters. Supports risk-based testing, test design techniques (equivalence partitioning, boundary value analysis, decision tables, state transitions), test estimation, static testing reviews, and test process management. Includes Playwright automation guidance for test implementation.
58qa-test-planner
Comprehensive QA toolkit for creating test plans, manual test cases, automated Playwright tests, regression suites, and bug reports. Uses safe, non-executable templates following skill best practices. Ideal for QA Automation engineers.
58a11y-playwright-testing
Accessibility testing for web applications using Playwright (@playwright/test) with TypeScript and axe-core. Use when asked to write, run, or debug automated accessibility checks, keyboard navigation tests, focus management, ARIA/semantic validations, screen reader compatibility, or WCAG 2.1 Level AA compliance testing. Covers axe-core integration, POUR principles (perceivable, operable, understandable, robust), color contrast, form labels, landmarks, and accessible names.
39webapp-playwright-testing
Browser automation toolkit using Playwright MCP for testing web applications. Use when asked to navigate pages, click elements, fill forms, take screenshots, verify UI components, check console logs, debug frontend issues, or validate responsive design. Supports live browser interaction and accessibility snapshots.
38webapp-selenium-testing
Browser automation toolkit using Selenium WebDriver with Java and JUnit 5. Use for creating, debugging, or running Selenium tests, implementing Page Object Model, handling explicit waits, capturing screenshots, or setting up Maven test projects. Supports Chrome, Firefox, and Edge.
20