API Testing Checklist
- Make a list of the different APIs that exist in the organization, speak to stakeholders, and prioritize them
- Check that the APIs that exist are properly documented, written in a way that is easy to understand, and contain information such as:
- overview and purpose
- quick start guide and tutorials
- an example/sample of every call, every parameter, and responses for each call(errors included)
- user journey
- authentication and authorization
- rate limits
- code samples for commonly used languages
- schemas
- Define the types of tests that you want to run:
- Positive scenarios return a valid response
- Invalid requests return the correct error message
- Missing or invalid authorization token
- Missing required parameters
- Unsupported methods for endpoints
- Invalid path/url
- Invalid, incomplete or missing request body
- Incorrect field names in request body
- Error Handling
- Schema match
- Workflow and data persistence
- Response time
- Specific standards and regulations that it should meet
- Response Payload - valid JSON body, correct field names, types, and values
- Response Headers
- Application state before and after API call
- Security and authorization
- Invalid inputs
- Injection attacks
- Parameter tampering
- Unhandled HTTP methods
- Business logic vulnerabilities.
- Authentication Expiry
- Rate Limits
- Content-Type Validation
- Validate user inputs
- Take a look at this detailed API security checklist
- This Penetration checklist covers some great tips
- Evaluate and select an API testing tool.
- Think about the types of tests that you will want to perform and if there are any specific needs that the tool will need to meet.
- Tools will also vary based on if you want to only execute them manually vs using an automated script.
- With API test automation you will also have to decide on a programming language and select tools within that language.