API endpoint testing

tldr: API endpoint testing validates each endpoint's request, response, status codes, schemas, and edge cases. Done at the API layer, it is faster, more deterministic, and cheaper than end-to-end UI testing for the same logic.

What endpoint testing covers

For each endpoint, you verify:

  • Happy path. Valid request, expected response, correct status.
  • Error paths. Invalid input, missing auth, missing fields, wrong types.
  • Edge cases. Boundary values, very long inputs, unicode, empty arrays.
  • Auth and permissions. Authenticated vs unauthenticated, different roles.
  • Rate limiting. Requests inside and outside the rate limit.
  • Schema conformance. Response shape matches the documented schema.
  • Performance. Latency under expected load.

Most API testing tools handle the first four. Schema and performance often need additional layers.

Why test at the API layer

Three reasons API testing earns its place.

Speed. API tests run in milliseconds. UI tests run in seconds. For the same logic coverage, API tests cost orders of magnitude less.

Determinism. APIs do not have rendering bugs, animation timing, or browser quirks. Tests are reliable.

Coverage. Many flows are easier to cover at the API level than the UI. Edge cases that take three clicks in the UI take one line in an API test.

The trade-off: API tests do not verify the user experience. They verify the contract. Pair with UI testing for full coverage.

REST endpoint testing

For REST APIs, a test verifies these elements per endpoint:

- Method (GET, POST, PUT, PATCH, DELETE)
- URL pattern (including path parameters)
- Required headers (Auth, Content-Type, etc.)
- Request body schema
- Response body schema
- Status code
- Specific response fields where deterministic

Tools: Postman/Newman, REST Assured, Karate, supertest, Pytest with httpx, k6.

A working pattern: each endpoint has a test file with one test per status code (200, 400, 401, 404, 422, 500 if applicable).

GraphQL endpoint testing

GraphQL has one endpoint but many operations. Test each operation rather than the endpoint.

For each query and mutation:

  • Schema validity (the operation is valid against the SDL).
  • Argument validation (required args, type checks).
  • Authorization (who can run this operation).
  • Response shape (matches the type definition).
  • Resolver correctness (returns the right data).

Tools: Apollo Studio, Postman with GraphQL support, GraphQL.js's built-in test helpers, Relay Test Renderer.

GraphQL's introspection makes contract testing nearly automatic: the schema itself is the contract.

Schema validation

Beyond status codes and basic shape checks, schema validation enforces the response actually matches the documented schema.

Use tools that compare the response against an OpenAPI or JSON Schema spec. If the response has an extra field, a missing field, or a wrong type, the test fails.

This catches the silent breakage class: the API still returns 200, but a field was renamed and downstream consumers break. See API schema validation for the deeper guide.

Authentication and authorization

A complete test suite covers:

  • Endpoint with no auth (should return 401).
  • Endpoint with invalid auth (should return 401 or 403).
  • Endpoint with valid auth but wrong role (should return 403).
  • Endpoint with valid auth and right role (should return 200 with the expected data).
  • Cross-tenant access (user from tenant A accessing tenant B's data should fail).

Authorization bugs are a major source of security incidents. Test them thoroughly.

Performance and load testing endpoints

Two layers.

Per-request latency. Run the endpoint under typical conditions, verify it returns within an SLA. Tools: hey, wrk, Apache Bench.

Sustained load. Hammer the endpoint at expected peak traffic, verify it does not degrade. Tools: k6, Locust, Gatling, JMeter.

Set explicit thresholds. P95 under 200ms. P99 under 500ms. Failure rate under 0.1%. CI fails the build if thresholds regress.

How AI testing fits

Traditional API testing is more deterministic than UI testing, so AI's value-add is smaller. Where AI helps:

  • Generating test cases from an OpenAPI spec automatically.
  • Producing realistic edge-case inputs (long strings, unicode, boundary values).
  • Catching schema drift across versions.

For UI flows, the value-add is much higher. Bug0 focuses there. Pair with API-layer test tools for the contract layer.

FAQs

Should I test through the UI or directly against the API?

Both. API tests cover behavior cheaply. UI tests cover the user experience. They are complementary.

How many tests per endpoint?

Typically 5 to 15. One per status code, plus auth/permission variants, plus a few edge cases.

Do I need contract tests if I have endpoint tests?

Yes. Endpoint tests verify the API works. Contract tests verify the consumer and provider agree. Different bugs, different tools.

Where do API tests fit in CI?

Run them on every PR. They are fast and the failure mode is clear. Tools like Newman or Karate plug into most CI systems with a single line.

How does Bug0 fit API testing?

Bug0 tests the user-facing layer end to end. For pure API contracts, pair it with API-specific tooling like Pact or Karate.

Testing Types
Related Terms
View all terms

Ship every deploy with confidence.

Bug0 gives you a dedicated AI QA engineer that tests every critical flow, on every PR, with zero test code to maintain. 200+ engineering teams already made the switch.

From $2,500/mo. Full coverage in 7 days.

Go on vacation. Bug0 never sleeps. - Your AI QA engineer runs 24/7

Go on vacation.
Bug0 never sleeps.

Your AI QA engineer runs 24/7 — on every commit, every deploy, every schedule. Full coverage while you're off the grid.