testing-api
API Testing
Test REST, GraphQL, gRPC, and other API endpoints for functionality, performance, and reliability.
When to use me
Use this skill when:
- Developing or consuming API services
- Testing API contracts and schemas
- Validating request/response formats
- Testing authentication and authorization
- Checking rate limiting and quotas
- Verifying error responses and status codes
- Performing contract testing between services
What I do
- Test API endpoints with various HTTP methods
- Validate request/response schemas and formats
- Test authentication mechanisms (OAuth, JWT, API keys)
- Verify error handling and status codes
- Check rate limiting and throttling behavior
- Test payload validation and error messages
- Perform contract testing with OpenAPI/Swagger
- Test API versioning and backward compatibility
Examples
# Test APIs with common tools
npx newman run collection.json # Postman collections
curl -X GET https://api.example.com/users
http GET https://api.example.com/users Authorization:"Bearer token"
# Run API tests with frameworks
npm run test:api # Supertest, Jest
pytest tests/api/ # Python requests/pytest
go test ./api/ # Go httptest
# Test with schema validation
npx ajv validate -s schema.json -d data.json
openapi-test --spec openapi.yaml --base-url https://api.example.com
# Load test APIs
npx autocannon -c 10 -d 30 https://api.example.com/users
wrk -t2 -c100 -d30s https://api.example.com/users
Output format
API Test Results:
──────────────────────────────
✅ GET /api/users
✓ Returns 200 OK
✓ Returns JSON array
✓ Includes pagination headers
✓ Respects limit parameter
❌ POST /api/users
✗ Missing required fields returns 400
Expected: {"error": "Missing email"}
Received: {"error": "Validation failed"}
⚠️ PUT /api/users/{id}
⚠️ Authentication required but not tested
Authentication Tests:
✓ Valid token returns 200
✗ Invalid token returns 401 (received 403; 403 is for a valid identity that lacks permission)
Summary: 15 endpoints tested, 12 passed, 2 failed, 1 skipped
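The checks in the sample report above, as an added example rather than code from the page or the wojons/skills project: a Python test run that performs the auth, validation, pagination and rate-limit checks against a small stub API constructed in the same file so the example runs offline. The token values, the limit of 5 requests, the `X-Total-Count` header and the exact error bodies are assumptions made for the stub; `run_checks()` takes any base URL, so it can be pointed at a real service instead.

```python
"""Added example: report-style API checks run against an in-process stub.
Everything about the stub (tokens, limit, headers, bodies) is assumed."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

VALID_TOKEN = "user-token"    # assumed: bearer token of an ordinary user
ADMIN_TOKEN = "admin-token"   # assumed: bearer token allowed to create users
RATE_LIMIT = 5                # assumed: requests per token before a 429


class StubAPI(BaseHTTPRequestHandler):
    """Constructed stand-in for the service under test."""
    hits = {}                                   # token -> request count
    users = [{"id": 1, "email": "a@example.com"}]

    def _send(self, status, body=None, headers=None):
        data = json.dumps(body).encode() if body is not None else b""
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        for k, v in (headers or {}).items():
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _gate(self):
        """Authenticate, then rate-limit. Returns the token or None after replying."""
        scheme, _, token = self.headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or token not in (VALID_TOKEN, ADMIN_TOKEN):
            # 401: caller has not proven who it is; say how to authenticate.
            self._send(401, {"error": "invalid token"},
                       {"WWW-Authenticate": 'Bearer realm="api"'})
            return None
        StubAPI.hits[token] = StubAPI.hits.get(token, 0) + 1
        if StubAPI.hits[token] > RATE_LIMIT:
            self._send(429, {"error": "rate limited"}, {"Retry-After": "1"})
            return None
        return token

    def do_GET(self):
        if self._gate() is None:
            return
        if self.path.startswith("/api/users"):
            return self._send(200, StubAPI.users,
                              {"X-Total-Count": str(len(StubAPI.users))})
        self._send(404, {"error": "not found"})

    def do_POST(self):
        token = self._gate()
        if token is None:
            return
        if token != ADMIN_TOKEN:
            # 403: identity is known but not permitted to create users.
            return self._send(403, {"error": "forbidden"})
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if "email" not in body:
            return self._send(400, {"error": "Missing email"})
        user = {"id": len(StubAPI.users) + 1, "email": body["email"]}
        StubAPI.users.append(user)
        self._send(201, user)

    def log_message(self, *args):   # keep the run quiet
        pass


def start_stub():
    """Start the stub on a free port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), StubAPI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def call(base_url, method, path, token=None, body=None):
    """One request; returns (status, headers dict, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as r:
            return r.status, dict(r.headers), json.loads(r.read() or b"null")
    except urllib.error.HTTPError as e:   # 4xx/5xx still carry headers and a body
        raw = e.read()
        return e.code, dict(e.headers), json.loads(raw) if raw else None


def run_checks(base_url):
    """Run the report's checks; returns {check name: (passed, detail)}."""
    results = {}
    check = lambda name, cond, detail="": results.__setitem__(name, (bool(cond), detail))

    s, h, b = call(base_url, "GET", "/api/users", VALID_TOKEN)
    check("GET /api/users returns 200", s == 200, f"got {s}")
    check("GET /api/users returns JSON array", isinstance(b, list))
    check("GET /api/users includes pagination headers", "X-Total-Count" in h)
    s, h, _ = call(base_url, "GET", "/api/users")              # no token at all
    check("missing token returns 401", s == 401, f"got {s}")
    check("401 carries WWW-Authenticate", "WWW-Authenticate" in h)
    s, _, _ = call(base_url, "GET", "/api/users", "forged")    # bad token
    check("invalid token returns 401 (not 403)", s == 401, f"got {s}")
    s, _, _ = call(base_url, "POST", "/api/users", VALID_TOKEN, {"email": "b@example.com"})
    check("non-admin POST returns 403", s == 403, f"got {s}")
    s, _, b = call(base_url, "POST", "/api/users", ADMIN_TOKEN, {})
    check("missing email returns 400", s == 400 and b == {"error": "Missing email"}, f"got {s} {b}")
    codes = [call(base_url, "GET", "/api/users", ADMIN_TOKEN)[0] for _ in range(RATE_LIMIT + 1)]
    check("rate limit returns 429", 429 in codes, f"codes {codes}")
    return results


if __name__ == "__main__":
    srv, url = start_stub()
    try:
        for name, (ok, detail) in run_checks(url).items():
            print("✓" if ok else "✗", name, "" if ok else detail)
    finally:
        srv.shutdown()
```

The checks encode the distinction the report must get right: a missing or forged token is 401 with a WWW-Authenticate challenge, while a valid token that lacks the right to create users is 403. The rate-limit check sends one request more than the limit and expects at least one 429 with Retry-After; against a real service the token budget is shared with the earlier requests, so run it last as done here.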
Notes
- Test all HTTP methods supported by endpoints
- Validate response schemas against OpenAPI specs
- Test edge cases: empty arrays, null values, large payloads
- Verify CORS headers if applicable
- Test authentication and authorization separately: a missing, expired, or tampered token must return 401, a valid token used on another user's resource must return 403 or 404 and never the data
- Consider contract testing for microservices
- Monitor API response times and latency