API functional testing

tldr: API functional testing verifies each endpoint returns correct data, handles errors, enforces authentication and authorization, and matches its contract. It is faster and more deterministic than UI testing for the same logic, which is why most teams test as much as possible at the API layer.

What API functional testing actually checks

For each endpoint, six checks cover most needs.

  1. Happy path. Valid request returns the expected status code and response body.
  2. Schema conformance. The response matches the documented schema (OpenAPI, JSON Schema). See API schema validation.
  3. Error handling. Invalid input returns the correct error status and message.
  4. Authentication. Missing or invalid auth returns 401. Valid auth proceeds.
  5. Authorization. A user with insufficient permissions returns 403. Cross-tenant access is blocked.
  6. Edge cases. Boundary values, empty arrays, very long inputs, unicode, special characters.

The first three cover the bulk of testing. The last three catch the bugs that reach production.

Why API tests beat UI tests for the same logic

Three reasons.

Speed. API tests run in milliseconds. UI tests run in seconds. For the same logic coverage, API tests cost orders of magnitude less.

Determinism. APIs have no rendering bugs, animation timing, or browser quirks. Tests are reliable.

Maintenance. API contracts change less often than UI structure. Tests stay green longer.

The trade-off: API tests do not verify the user experience. Pair with UI testing for full coverage of user-facing behavior.

REST vs GraphQL

The mechanics differ, the principles stay the same.

REST

Test per endpoint and method. Each endpoint typically needs 5-15 tests: one per status code (200, 400, 401, 403, 404, 422, 500 if applicable), plus auth variants and edge cases.

Tools: Postman/Newman, REST Assured, Karate, supertest, Pytest with httpx.

GraphQL

Test per operation (query or mutation). The schema itself is the contract: introspection enforces shape.

For each operation:

  • Schema validity (operation parses against the SDL).
  • Argument validation (required args, type checks).
  • Authorization (who can run this operation).
  • Resolver correctness (returns the right data).

Tools: Apollo Studio, Postman with GraphQL support, GraphQL.js test helpers.

See API endpoint testing for the deeper per-endpoint guide.

What goes in the test, what doesn't

In scope:

  • Request/response shape
  • Status codes
  • Auth and authz
  • Error messages
  • Business logic visible at the API surface

Out of scope for functional tests:

  • Performance (use load tests)
  • Database internals (use database testing)
  • Cross-service flows (use integration or end-to-end tests)
  • UI behavior (use UI testing)

Mixing these scopes produces tests that are hard to maintain and slow to diagnose when they fail.

Negative testing matters

Most teams over-test the happy path and under-test failure modes.

For every endpoint, deliberately test:

  • Missing required fields
  • Wrong field types
  • Out-of-range values
  • Unauthorized requests
  • Excessive request size
  • Malformed JSON
  • Unicode and special characters in string fields

These are where most security and reliability bugs hide. A test suite that only validates correct inputs is half a test suite.

Test data and fixtures

Three patterns.

Inline fixtures. Test data declared inside the test. Simple but duplicative across tests.

Shared fixtures via factories. Functions that produce realistic test data on demand. Tools: Faker, factory_boy, fishery.

Database snapshots. A frozen state restored before each test run. Good for tests that depend on existing data, painful to keep current.

For modern API test suites, factories plus per-test cleanup tend to win.

How AI testing fits

AI testing platforms shine on UI flows. For pure API contracts, traditional test frameworks (Karate, Pact, REST Assured) remain stronger.

That said, Bug0 covers the end-to-end layer that touches APIs through the UI. A failed UI test against an API-driven feature gets reported with the failing network calls already captured. The API-level test still belongs in your unit/integration pipeline.

FAQs

How is API functional testing different from contract testing?

Functional testing verifies the API works correctly. Contract testing verifies provider and consumer agree on the shape. Often combined; functional is broader.

Should I test third-party APIs?

You should test your integration with them, against a sandbox or stubbed version. Testing the third party's correctness is their job, not yours.

How many tests per endpoint?

Typically 5 to 15. One per realistic status code, plus auth variants and a few edge cases.

What about idempotency?

Important for PUT, DELETE, and any retried operation. Run the same request twice, verify the result is the same after the second call.

How does Bug0 cover API testing?

Bug0 tests user-facing flows that go through APIs. For dedicated contract and functional API tests, pair Bug0 with API-specific tools like Pact, Karate, or REST Assured.

Testing Types
Related Terms
View all terms

Ship every deploy with confidence.

Bug0 gives you a dedicated AI QA engineer that tests every critical flow, on every PR, with zero test code to maintain. 200+ engineering teams already made the switch.

From $2,500/mo. Full coverage in 7 days.

Go on vacation. Bug0 never sleeps. The AI tests every commit, every deploy, every schedule. Your forward-deployed engineer reviews every failure and files the bugs. Coverage holds while you're off the grid.

Go on vacation.
Bug0 never sleeps.

The AI tests every commit, every deploy, every schedule. Your forward-deployed engineer reviews every failure and files the bugs. Coverage holds while you're off the grid.