
The API Testing Checklist.

A living checklist for testing any API thoroughly. Tick items as you go and your progress saves automatically. Add your own, filter by area, and export when you're done.


Documentation & Planning

  • Make a list of the APIs or endpoints that need testing
  • Check that each API has a clear purpose, examples, parameters, and responses
  • Check that authentication, authorization, rate limits, and errors are documented
  • Check the user journey or workflow that depends on this API
  • Check whether any privacy, security, or industry rules apply
  • Decide which checks should be manual, automated, or supported by an API testing tool

Request Inputs

  • Check that the right HTTP method and URL are used for each endpoint
  • Check that required headers such as Content-Type and Authorization are handled correctly
  • Try valid, invalid, and missing path or query parameters
  • Check that required body fields cannot be missing
  • Check that wrong field names, wrong types, extra fields, and incomplete bodies are handled safely

Response & Status

  • Check that successful requests return the right 2xx status
  • Check that failed requests return the right 4xx or 5xx status
  • Check that the response body has the expected fields, types, and values
  • Check that response headers such as Content-Type are correct
  • Check that response time stays within the agreed limit

Authentication & Authorization

  • Check that protected APIs reject requests without a token
  • Check that expired or invalid tokens are rejected
  • Check that token refresh or login expiry behaves as expected
  • Check that users cannot access another user's data
  • Check that admin-only actions are blocked for regular users

Security Checks

  • Try unsafe inputs such as scripts, SQL-like text, or special characters
  • Try changing IDs, prices, roles, or other values the user should not control
  • Check that unsupported methods and content types are rejected
  • Check that sensitive data is not returned in responses
  • Check that sensitive data is not exposed in error messages or logs

Data & Edge Cases

  • Check empty values, very long values, and special characters
  • Check zero, negative, minimum, and maximum numbers
  • Check pagination, sorting, and filtering
  • Check duplicate requests
  • Check optional, nullable, and default values

Workflow & State

  • Check that create requests actually create the record
  • Check that update requests only change the intended fields
  • Check that delete or archive requests behave as expected
  • Check that failed requests do not leave partial changes behind
  • Check that repeated PUT, PATCH, or DELETE requests are safe where they should be

Reliability & Limits

  • Check rate limiting or too-many-requests behavior
  • Check what happens when another service is slow or unavailable
  • Check that timeouts are handled cleanly
  • Check that error messages are clear enough to understand

Contracts & Compatibility

  • Check that the API still matches the documentation or schema
  • Check that field names have not changed unexpectedly
  • Check that field types are still the same
  • Check that older clients would still understand the response
  • Check that deprecated fields or versions are handled clearly
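Several items under Authentication & Authorization, Security Checks and Workflow & State can be turned into automated checks. The following is an added example, not part of the checklist above: it assumes a hypothetical users API with GET and PATCH on /users/{id}, bearer-token auth, and a constructed in-memory stand-in (`fake_api`) so the checks run offline; swap in a real HTTP client to test a live service.

```python
"""Automated versions of checklist items: missing/invalid token rejected,
no cross-user reads, no privilege escalation via PATCH, unsupported method
rejected, repeated PATCH is idempotent."""

# Constructed sample data for the hypothetical API: two users and one admin.
USERS = {
    1: {"id": 1, "name": "alice", "role": "user"},
    2: {"id": 2, "name": "bob", "role": "user"},
    9: {"id": 9, "name": "root", "role": "admin"},
}
TOKENS = {"tok-alice": 1, "tok-bob": 2, "tok-admin": 9}  # valid bearer tokens
WRITABLE = {"name"}  # fields a user may change on their own record

def fake_api(method, path, headers=None, body=None):
    """Stand-in for the API under test. Returns (status, json_body)."""
    token = (headers or {}).get("Authorization", "")
    token = token[7:] if token.startswith("Bearer ") else ""
    caller = TOKENS.get(token)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    parts = path.split("/")
    if len(parts) != 3 or parts[1] != "users" or not parts[2].isdigit():
        return 404, {"error": "not found"}
    target = int(parts[2])
    if target not in USERS:
        return 404, {"error": "not found"}
    if USERS[caller]["role"] != "admin" and caller != target:
        return 403, {"error": "forbidden"}  # no access to another user's data
    if method == "GET":
        return 200, dict(USERS[target])
    if method == "PATCH":
        # Drop fields the client must not control (id, role): mass-assignment guard.
        USERS[target].update({k: v for k, v in (body or {}).items() if k in WRITABLE})
        return 200, dict(USERS[target])
    return 405, {"error": "method not allowed"}

def run_checks(api):
    """Run the checks against `api` and return {check_name: passed}."""
    bearer = lambda t: {"Authorization": "Bearer " + t}
    r = {}
    r["rejects_missing_token"] = api("GET", "/users/1")[0] == 401
    r["rejects_invalid_token"] = api("GET", "/users/1", bearer("tok-bogus"))[0] == 401
    r["no_cross_user_read"] = api("GET", "/users/2", bearer("tok-alice"))[0] == 403
    escalated = api("PATCH", "/users/1", bearer("tok-alice"), {"role": "admin"})[1]
    r["no_privilege_escalation"] = escalated.get("role") == "user"
    r["unsupported_method_rejected"] = api("DELETE", "/users/1", bearer("tok-alice"))[0] == 405
    first = api("PATCH", "/users/1", bearer("tok-alice"), {"name": "alice2"})[1]
    second = api("PATCH", "/users/1", bearer("tok-alice"), {"name": "alice2"})[1]
    r["patch_is_idempotent"] = first == second and first["name"] == "alice2"
    return r
```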