REST API Fundamentals for Testers
API testing is the fastest-growing skill in the SDET market. REST APIs are the backbone of every modern application — mobile apps, SPAs, microservices — and testing them directly (without the UI) is faster, more reliable, and catches bugs that UI testing misses entirely. This topic gives you the complete mental model for understanding and testing REST APIs.
REST API Core Concepts
- HTTP Methods: GET (read), POST (create), PUT (full update), PATCH (partial update), DELETE (remove)
- Status Codes: 200 OK, 201 Created, 204 No Content, 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 409 Conflict, 422 Unprocessable Entity, 500 Internal Server Error
- Request Anatomy: URL (endpoint), Method, Headers (Content-Type, Authorization, Accept), Query Params, Request Body (JSON)
- Response Anatomy: Status Code, Response Headers, Response Body (JSON/XML)
- Authentication: API Key, Bearer Token (JWT), Basic Auth, OAuth 2.0
- Content Types: application/json (most common), application/xml, multipart/form-data (file uploads)
- What to test in every API: Status code, Response schema, Data correctness, Performance (response time), Error messages, Security (auth enforcement)
What to Test for Every API Endpoint
// ══════════════════════════════════════════════════════════════
// Target API: GET /api/users/{id}
// ══════════════════════════════════════════════════════════════
// ── TEST 1: Happy Path — Valid User ID ────────────────────────
// GET /api/users/123
// Authorization: Bearer eyJhbGc...
// Expected:
// Status: 200 OK
// Body: {
// "id": 123,
// "name": "Alice Johnson",
// "email": "alice@example.com",
// "role": "user",
// "createdAt": "2024-01-15T10:30:00Z"
// }
// Assertions:
// ✅ status === 200
// ✅ body.id === 123 (correct user)
// ✅ body.email is a valid email format
// ✅ body.password is NOT present (security — never expose password hash)
// ✅ response time < 200ms
// ── TEST 2: Not Found — Non-Existent User ID ─────────────────
// GET /api/users/99999
// Expected:
// Status: 404 Not Found
// Body: { "error": "User not found", "code": "USER_NOT_FOUND" }
// Assertions:
// ✅ status === 404
// ✅ body.error contains "not found"
// ✅ body does NOT contain stack trace (security)
// ── TEST 3: Unauthorized — No Auth Header ─────────────────────
// GET /api/users/123 (without Authorization header)
// Expected:
// Status: 401 Unauthorized
// Body: { "error": "Authentication required" }
// ── TEST 4: Forbidden — Accessing Another User's Data ─────────
// GET /api/users/456 (authenticated as user 123)
// Expected:
// Status: 403 Forbidden (not 404 — user exists, but access denied)
// ── TEST 5: Invalid ID Format ─────────────────────────────────
// GET /api/users/abc (non-numeric ID)
// Expected:
// Status: 400 Bad Request
// Body: { "error": "Invalid user ID format" }
// ── TEST 6: SQL Injection in Path Parameter ────────────────────
// GET /api/users/1 OR 1=1
// Expected:
// Status: 400 Bad Request (not 200 with all users!)
// SQL injection must not execute
Common Mistakes
- Only testing the happy path — API testing's biggest value is in error paths (401, 403, 404, 400, 422, 500); test all of them
- Not testing response schema — an API returning 200 with wrong field names or types is still broken; always validate schema
- Ignoring response time — functional correctness is necessary but not sufficient; an API that takes 5 seconds per call will fail performance testing later
- Testing APIs only through the UI — UI tests are slow and brittle; API tests are 10-100x faster and should form the core of regression testing
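The six test cases in the plan above and the schema, security and response-time points in this list all reduce to the same set of checks on a captured response. The checker below is an added example, not code from the original page: it encodes those checks once, returns the failures for a case instead of throwing, and runs against constructed sample responses (the response shape `{ status, body, elapsedMs }`, the `SAMPLES` data and the leak patterns are all assumptions made for the example).

```javascript
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
// Signatures of a leaked stack frame or raw database error (constructed list, extend for your stack)
const LEAK_PATTERNS = [/\bat .*:\d+\)/, /Traceback \(most recent/, /SQLSTATE/, /syntax error/i];
const SENSITIVE_FIELDS = ['password', 'passwordHash', 'secret'];

// Checks one captured response ({ status, body, elapsedMs }) against the expectation for
// that test case. Returns an array of failure messages; an empty array means the case passed.
function checkUserResponse(res, expected) {
  const failures = [];
  const body = typeof res.body === 'object' && res.body !== null ? res.body : {};
  if (res.status !== expected.status) failures.push(`status: expected ${expected.status}, got ${res.status}`);
  if (expected.status === 200) {
    // Schema and data correctness for a successful read
    if (body.id !== expected.id) failures.push(`body.id: expected ${expected.id}, got ${body.id}`);
    if (typeof body.name !== 'string') failures.push('body.name missing or not a string');
    if (!EMAIL_RE.test(body.email ?? '')) failures.push('body.email is not a valid email');
    if (Number.isNaN(Date.parse(body.createdAt))) failures.push('body.createdAt is not a timestamp');
  } else {
    // Error responses carry a message for the client, nothing about the server's internals
    const msg = typeof body.error === 'string' ? body.error.toLowerCase() : '';
    if (!msg) failures.push('body.error missing');
    if (expected.errorContains && !msg.includes(expected.errorContains)) {
      failures.push(`body.error should contain "${expected.errorContains}"`);
    }
  }
  // Security and performance checks apply to every status
  for (const f of SENSITIVE_FIELDS) if (f in body) failures.push(`body exposes ${f}`);
  if (LEAK_PATTERNS.some((p) => p.test(JSON.stringify(body)))) failures.push('body leaks a stack trace or raw error');
  if (expected.maxMs !== undefined && res.elapsedMs > expected.maxMs) {
    failures.push(`response time ${res.elapsedMs}ms exceeds ${expected.maxMs}ms`);
  }
  return failures;
}

// Constructed sample responses standing in for what an HTTP client would return
const SAMPLES = {
  happyPath: { expected: { status: 200, id: 123, maxMs: 200 }, res: { status: 200, elapsedMs: 42,
    body: { id: 123, name: 'Alice Johnson', email: 'alice@example.com', role: 'user', createdAt: '2024-01-15T10:30:00Z' } } },
  leakyNotFound: { expected: { status: 404, errorContains: 'not found' }, res: { status: 404, elapsedMs: 9,
    body: { error: 'User not found\n    at UserRepo.find (/app/repo.js:42:11)' } } },
  otherUsersRecord: { expected: { status: 403 }, res: { status: 404, elapsedMs: 12, body: { error: 'User not found' } } },
  exposedHash: { expected: { status: 200, id: 123, maxMs: 200 }, res: { status: 200, elapsedMs: 350,
    body: { id: 123, name: 'Alice Johnson', email: 'alice@example.com', createdAt: '2024-01-15T10:30:00Z', passwordHash: '$2b$...' } } },
};

// Runs every sample through the checker; returns { caseName: [failures] }
function runPlan(samples = SAMPLES) {
  return Object.fromEntries(Object.entries(samples).map(([name, c]) => [name, checkUserResponse(c.res, c.expected)]));
}
```

In a real suite each `res` comes from the HTTP client and a case fails when its array is non-empty; collecting failures instead of throwing on the first one shows every broken assertion for a response in a single run.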
Tip
Practice REST API Fundamentals for Testers in small, isolated examples before integrating into larger projects. Breaking concepts into small experiments builds genuine understanding faster than reading alone.
Practice Task
Practice Task — (1) Write a working example of REST API Fundamentals for Testers from scratch without looking at notes. (2) Modify it to handle an edge case (empty input, null value, or error state). (3) Share your solution in the Priygop community for feedback.
Common Mistake
A common mistake with REST API Fundamentals for Testers is skipping edge case testing — empty inputs, null values, and unexpected data types. Always validate boundary conditions to write robust, production-ready test code.
Key Takeaways
- API testing is the fastest-growing skill in the SDET market.
- HTTP Methods: GET (read), POST (create), PUT (full update), PATCH (partial update), DELETE (remove)
- Status Codes: 200 OK, 201 Created, 204 No Content, 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 409 Conflict, 422 Unprocessable Entity, 500 Internal Server Error
- Request Anatomy: URL (endpoint), Method, Headers (Content-Type, Authorization, Accept), Query Params, Request Body (JSON)