testing-api-tester
API Testing Guide
Comprehensive API validation covering functional correctness, security, and performance across all services and third-party integrations.
Test Strategy
When setting up API tests for a new service, create a base test class with shared auth, retry logic, and response validation helpers before writing individual test cases. This prevents duplicated setup code and ensures consistent assertion patterns across the suite.
See Test Suite for the full vitest + fetch test suite code.
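The shared base described above, as an added example rather than code from the guide's own test suite: one client carries the bearer token, retries only transient 429/503 responses, and ships a helper for the "no secrets in response bodies" check. `fetchImpl` is injected so the block runs offline against a constructed fake; a real suite passes `globalThis.fetch`.

```javascript
// Added example (not code from the original guide): base test client with shared auth,
// bounded retry and validation helpers. fetchImpl is injected so this runs offline.
class ApiTestClient {
  constructor({ baseUrl, token, fetchImpl = globalThis.fetch, maxRetries = 3 }) {
    Object.assign(this, { baseUrl, token, fetchImpl, maxRetries });
  }
  // Shared bearer auth; retry only transient 429/503, never 4xx authz/validation results.
  async request(method, path, { body, auth = true } = {}) {
    const headers = { "content-type": "application/json" };
    if (auth && this.token) headers.authorization = `Bearer ${this.token}`;
    for (let attempt = 0; ; attempt++) {
      const res = await this.fetchImpl(this.baseUrl + path, {
        method, headers, body: body === undefined ? undefined : JSON.stringify(body),
      });
      if (![429, 503].includes(res.status) || attempt >= this.maxRetries) return res;
      // Honour Retry-After (seconds) when present, otherwise back off exponentially.
      const retryAfter = Number(res.headers.get("retry-after"));
      const delayMs = retryAfter > 0 ? retryAfter * 1000 : 20 * 2 ** attempt;
      await new Promise((resolve) => setTimeout(resolve, delayMs));
    }
  }
}
// Key names that must never appear in a response body; the list is an assumption to extend.
const SENSITIVE_KEYS = new Set(["password", "passwordhash", "token", "secret", "apikey"]);
// Walk a parsed JSON body and return the path of every sensitive key found.
function findSensitiveFields(value, path = "") {
  if (Array.isArray(value)) return value.flatMap((v, i) => findSensitiveFields(v, `${path}[${i}]`));
  if (value === null || typeof value !== "object") return [];
  return Object.entries(value).flatMap(([k, v]) => {
    const here = path ? `${path}.${k}` : k;
    const hit = SENSITIVE_KEYS.has(k.toLowerCase().replace(/[_-]/g, "")) ? [here] : [];
    return hit.concat(findSensitiveFields(v, here));
  });
}
// Constructed fake server: rate-limits the first two calls, then leaks an API key in the body.
function makeFakeFetch() {
  let calls = 0;
  const body = { id: 7, profile: { api_key: "constructed-placeholder" } };
  const fetchImpl = async () => (++calls < 3
    ? { status: 429, headers: { get: () => null } }
    : { status: 200, headers: { get: () => null }, json: async () => body });
  return { fetchImpl, attempts: () => calls };
}
async function demo() {
  const fake = makeFakeFetch();
  const client = new ApiTestClient({ baseUrl: "https://api.example.test", token: "t", fetchImpl: fake.fetchImpl });
  const res = await client.request("GET", "/users/7");
  return { attempts: fake.attempts(), status: res.status, leaks: findSensitiveFields(await res.json()) };
}
```

In a vitest suite the fake is replaced by `globalThis.fetch` and `findSensitiveFields` is asserted to return an empty array for every authenticated response.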
Security Checklist
Cover the OWASP API Security Top 10 in every test suite:
- Authentication/Authorization: Test that unauthenticated requests return 401 and that authenticated but unauthorized requests return 403. Verify token expiration and refresh flows, and that privilege escalation attempts are rejected.
- Input sanitization: Send SQL injection, XSS, and command injection payloads via query parameters, request bodies, and headers, and verify they are rejected or safely encoded.
- Rate limiting: Verify that burst requests trigger 429 responses. Test per-user and per-IP limits.
- Mass assignment: Send unexpected fields in POST/PATCH requests and verify they are ignored.
- BOLA (Broken Object-Level Authorization): Request resources belonging to other users and verify 403/404 responses.
- SSRF: Test URL parameters with internal network addresses and verify they are rejected.
- Data encryption: Verify sensitive data is not returned in plaintext (e.g., passwords, tokens in response bodies).
Load Testing
Performance thresholds
- 95th-percentile API response time under 200 ms
- Error rates below 0.1% under normal load
- System handles 10x normal traffic capacity without degradation
- Cache effectiveness validated (hit rates, performance impact)
Tools
- k6: Script-based load testing, integrates with CI/CD. Use for sustained load and spike tests.
- Locust: Python-based, good for complex user flows. Use for scenario-based load profiles.
- Run load tests in CI on every release branch. Flag any test exceeding 30 seconds for optimization or move to a nightly pipeline.
Endpoint Coverage
Maintain a test matrix mapping every route (method + path) to at least:
- One functional test (happy path)
- One negative-input test (validation, malformed data)
- One auth/authz test (missing token, wrong role)
Review the coverage matrix each sprint. Any gaps are flagged in CI as warnings.
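Building that matrix, as an added example (not the project's own tooling): routes from the endpoint inventory are keyed by method plus a normalised path so Express `:id`, OpenAPI `{id}` and Flask `<int:id>` parameter styles match the same row, and each row reports which of the three required test kinds it still lacks. The normalisation rule and the sample inventory are assumptions constructed for the example.

```javascript
// Added example, not from the original guide: route-to-test coverage matrix with gap report.
const REQUIRED_KINDS = ["functional", "negative", "auth"];

// Normalise ":id", "{id}" and "<int:id>" path parameters to "{}" so that routes
// discovered from different frameworks and tests written against them share one key.
function routeKey(method, path) {
  const normalised = path
    .replace(/\/+$/, "")
    .split("/")
    .map((seg) => (/^(:\w+|\{\w+\}|<[\w:]+>)$/.test(seg) ? "{}" : seg))
    .join("/");
  return `${method.toUpperCase()} ${normalised || "/"}`;
}

// routes: [{ method, path }] from the endpoint inventory;
// tests:  [{ method, path, kind }] recorded by the suite, kind in REQUIRED_KINDS.
// Returns { "<METHOD path>": [missing kinds] } for every route that is not fully covered.
function coverageGaps(routes, tests) {
  const matrix = new Map(routes.map((r) => [routeKey(r.method, r.path), new Set()]));
  for (const t of tests) {
    const key = routeKey(t.method, t.path);
    if (matrix.has(key)) matrix.get(key).add(t.kind);
  }
  const gaps = {};
  for (const [key, kinds] of matrix) {
    const missing = REQUIRED_KINDS.filter((k) => !kinds.has(k));
    if (missing.length) gaps[key] = missing;
  }
  return gaps;
}

// Constructed sample inventory (mixed frameworks) and constructed test records.
const SAMPLE_ROUTES = [
  { method: "get", path: "/users/{id}" },
  { method: "post", path: "/users" },
  { method: "delete", path: "/users/<int:id>/" },
];
const SAMPLE_TESTS = [
  { method: "GET", path: "/users/:id", kind: "functional" },
  { method: "GET", path: "/users/:id", kind: "auth" },
  { method: "POST", path: "/users", kind: "functional" },
  { method: "POST", path: "/users", kind: "negative" },
  { method: "POST", path: "/users", kind: "auth" },
];
```

Emitting the returned object as CI warnings gives the sprint review its list of uncovered routes.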
Workflow
- API Discovery: Catalog all APIs with complete endpoint inventory. Analyze specs and contract requirements.
- Test Strategy: Design test strategy covering functional, performance, and security. Create test data management plan.
- Implementation: Build automated test suites (vitest + fetch, REST Assured, k6). Integrate into CI/CD with quality gates.
- Monitoring: Set up production API monitoring. Analyze results and continuously optimize test strategy.
Reference
HTTP Status Code Cheat Sheet
| Code | When to assert |
|---|---|
| 200 | Successful GET, PATCH |
| 201 | Successful POST (resource created) |
| 204 | Successful DELETE |
| 400 | Invalid input, malformed request |
| 401 | Missing or expired authentication |
| 403 | Authenticated but unauthorized |
| 404 | Resource not found |
| 409 | Conflict (duplicate resource) |
| 429 | Rate limit exceeded |
| 500 | Server error (should never appear in production tests) |
CI Integration
- Full test suite should complete in under 15 minutes.
- Run functional and security tests on every pull request.
- Run load tests on release branches.
- Any test exceeding 30 seconds is flagged for optimization.
Scripts
scripts/discover_endpoints.sh
Scan a project directory for API endpoint definitions across common frameworks: Express.js, FastAPI, Flask, and Spring Boot. Outputs a Markdown table with HTTP method, path, source file:line, and framework. Useful for building an endpoint coverage matrix.
scripts/discover_endpoints.sh ./src
scripts/discover_endpoints.sh /path/to/fastapi-project
scripts/generate_test_skeleton.py
Generate test skeleton files from an OpenAPI/Swagger JSON specification. Produces test stubs for each endpoint with method, path, expected status codes, and example request bodies. Supports pytest, vitest, and Playwright output formats.
scripts/generate_test_skeleton.py --spec openapi.json --framework vitest
scripts/generate_test_skeleton.py --spec swagger.json --framework pytest