~/qa-guides/api-test-cases-checklist
>_ API Test Cases Checklist
A practical API test cases checklist with concrete positive, negative, validation, auth, permissions, CRUD, pagination, idempotency, error, security, and smoke scenarios.
Short answer
An API Test Cases Checklist is a practical list of positive, negative, validation, authentication, authorization, CRUD, pagination, error handling, security, integration, and smoke test case ideas for REST APIs and backend endpoints.
This article is not another general API testing guide. It is focused on specific API test cases that QA engineers, developers, and product teams can use when preparing manual API tests, automated API tests, regression suites, or release checks.
An API Testing Checklist answers: which API areas should be tested?
An API Test Cases Checklist answers: which specific scenarios should I execute?
For example:
- send request without required field → expect
400and clear validation error; - send request with another user’s resource ID → expect
403or404; - send duplicate
POSTwith same idempotency key → expect one created record; - send expired token → expect
401; - call admin endpoint as regular user → expect
403; - send invalid JSON body → expect
400, not500.
The main idea is: API test cases turn broad API testing areas into concrete, repeatable scenarios with request, expected status, expected response, and expected data result.
API Test Cases vs API Testing Checklist
An API Testing Checklist is a coverage map.
It usually includes areas like:
- status codes;
- request validation;
- response schema;
- authentication;
- authorization;
- CRUD;
- pagination;
- filtering;
- sorting;
- error handling;
- performance;
- security basics;
- integration behavior.
An API Test Cases Checklist is a practical scenario list.
It includes concrete checks like:
GET /users/{id}with existing ID returns200;GET /users/{id}with nonexistent ID returns404;POST /userswithout required email returns400;POST /loginwith wrong password returns clear authentication error;- regular user tries admin endpoint and receives
403; - User A requests User B resource and receives
403or404; - same
POSTrequest sent twice does not create duplicate record; - invalid JSON body returns
400, not500; - unsupported method returns
405; - expired token returns
401; - request over limit returns
429.
In simple terms:
API Testing Checklist = what areas to cover. API Test Cases Checklist = which specific test cases to run.
When to use API test cases
Use API test cases when you need repeatable, concrete API checks.
For example:
- a new REST API is being released;
- a new endpoint is added;
- request validation changes;
- response schema changes;
- authentication changes;
- permissions change;
- CRUD logic changes;
- pagination or filtering changes;
- search endpoint changes;
- API integration is added;
- webhook-related endpoint changes;
- rate limits are added;
- file upload endpoint is added;
- production API smoke testing is needed;
- regression testing is needed after backend changes;
- a bug fix needs a focused API retest;
- automated API tests are being created.
For a small endpoint change, a few targeted test cases or a short API Smoke Testing Checklist may be enough. For a public API, partner API, payment API, multi-tenant SaaS API, or business-critical backend flow, use a broader test case set.
Short API Test Cases Checklist
If you need a quick API test pass, start with these test cases:
- valid
GETrequest returns200; GETwith nonexistent ID returns404;- valid
POSTcreates a record and returns201; POSTwithout required field returns400;POSTwith invalid data type returns400;- invalid JSON body returns
400, not500; - valid
PATCHupdates only allowed fields; - valid
DELETEremoves or archives resource according to rules; - request without token returns
401; - request with expired token returns
401; - regular user calling admin endpoint returns
403; - User A requesting User B resource returns
403or404; - unsupported HTTP method returns
405; - response body matches expected schema;
- error response follows expected format;
- list endpoint supports pagination;
- filters return correct records;
- sorting changes order, not result set;
- duplicate
POSTdoes not create duplicate record; - same idempotency key returns safe result;
- rate-limited request returns
429; - file upload rejects unsupported file type;
- async job returns trackable status;
- webhook-related event is processed once;
- production API smoke test passes after release.
API Test Case Template
Use a consistent format for API test cases. It makes manual testing, automation, bug reporting, and regression easier.
Test case: Create user with valid data
Endpoint: POST /users
Precondition:
- User does not already exist.
- Tester has valid API access.
Request:
- name: "Jane Doe"
- email: "jane@example.com"
- password: valid password
Expected status:
- 201 Created
Expected response:
- user ID is returned
- email matches request
- created timestamp is present
- password is not returned
Expected data result:
- user is created once in the database
- user can be fetched by ID
- no duplicate user is created
Negative check:
- creating another user with the same email returns 409 or 400 according to product rules
A strong API test case usually includes:
- test case title;
- endpoint;
- method;
- preconditions;
- request data;
- headers/auth;
- expected status code;
- expected response body;
- expected data result;
- negative or edge check;
- cleanup rule, if needed.
Full API Test Cases Checklist
1. Positive API test cases
Positive test cases check that the endpoint works with valid input.
Test case: Get existing user by ID
Endpoint: GET /users/{id}
Preconditions:
- user exists;
- requester has permission to view the user.
Steps:
- send
GET /users/{existingUserId}.
Expected result:
- status is
200 OK; - response contains correct user ID;
- response contains expected fields;
- response does not contain sensitive fields such as password or token.
Test case: Create record with valid data
Endpoint: POST /resources
Preconditions:
- requester is authenticated;
- request body contains valid data.
Steps:
- send valid
POSTrequest.
Expected result:
- status is
201 Created; - response contains created record ID;
- created record can be fetched by
GET; - record is created once.
Test case: Update record with valid data
Endpoint: PATCH /resources/{id}
Preconditions:
- resource exists;
- requester has permission to update it.
Steps:
- send
PATCHrequest with allowed field.
Expected result:
- status is
200 OKor expected success status; - updated field changes;
- unchanged fields remain unchanged;
- updated record can be fetched and verified.
Test case: Delete or archive existing record
Endpoint: DELETE /resources/{id}
Preconditions:
- resource exists;
- requester has permission to delete or archive it.
Steps:
- send
DELETErequest.
Expected result:
- status matches product convention:
200,202, or204; - resource is deleted, archived, or marked inactive according to rules;
- repeated fetch returns expected state;
- related data is not broken.
2. Negative API test cases
Negative test cases check how API behaves with invalid, missing, or unexpected input.
Test case: Get nonexistent resource
Endpoint: GET /users/{id}
Request:
- use a valid-format ID that does not exist.
Expected result:
- status is
404 Not Found; - response follows standard error format;
- no stack trace or internal details are exposed.
Test case: Send invalid JSON body
Endpoint: POST /users
Request:
- malformed JSON body.
Expected result:
- status is
400 Bad Request; - error response is clear;
- API does not return
500; - no record is created.
Test case: Send unsupported field
Endpoint: POST /users
Request:
- valid required fields;
- extra unexpected field.
Expected result:
- unsupported field is rejected or ignored according to API rules;
- protected data is not changed;
- response does not expose internal model behavior.
Test case: Send empty request body
Endpoint: POST /users
Request:
- empty body.
Expected result:
- status is
400 Bad Request; - required field errors are returned;
- no record is created.
3. Required field test cases
Required field test cases check whether missing required data is handled correctly.
Test case: Missing required email
Endpoint: POST /users
Request:
- valid name;
- missing email;
- valid password.
Expected result:
- status is
400 Bad Request; - error identifies missing email;
- no user is created.
Test case: Missing required password
Endpoint: POST /users
Request:
- valid name;
- valid email;
- missing password.
Expected result:
- status is
400 Bad Request; - error identifies missing password;
- no user is created.
Test case: Missing required path parameter
Endpoint: GET /orders/{id}
Request:
- call incorrect path without required ID if route can be formed.
Expected result:
- API returns safe error or route not found;
- no internal routing details are exposed.
Test case: Missing required query parameter
Endpoint: GET /reports?from=&to=
Request:
- omit required
fromortodate.
Expected result:
- status is
400 Bad Request; - error explains missing date field;
- no report is generated with incorrect default range.
4. Invalid data test cases
Invalid data test cases check type, format, length, and business validation.
Test case: Invalid email format
Endpoint: POST /users
Request:
- email:
not-an-email.
Expected result:
- status is
400 Bad Request; - field-level validation error is returned;
- no user is created.
Test case: Invalid date format
Endpoint: GET /reports?from=abc&to=xyz
Expected result:
- status is
400 Bad Request; - error explains expected date format;
- API does not return
500.
Test case: Invalid enum value
Endpoint: PATCH /orders/{id}
Request:
- status:
banana.
Expected result:
- status is
400 Bad Request; - error lists or describes allowed values;
- order status is not changed.
Test case: Field exceeds maximum length
Endpoint: POST /products
Request:
- title longer than allowed limit.
Expected result:
- status is
400 Bad Request; - error identifies max length;
- no product is created.
Test case: Negative numeric value
Endpoint: POST /orders
Request:
- quantity:
-1.
Expected result:
- status is
400 Bad Request; - quantity is rejected;
- order is not created.
Test case: Zero value where positive value is required
Endpoint: POST /orders
Request:
- quantity:
0.
Expected result:
- status is
400 Bad Request; - no zero-quantity item is created.
5. Status code test cases
Status code test cases check whether API communicates results correctly.
Test case: Successful GET returns 200
Endpoint: GET /users/{id}
Expected result:
- existing accessible resource returns
200 OK.
Test case: Successful POST returns 201
Endpoint: POST /users
Expected result:
- created resource returns
201 Created; - response contains new resource ID.
Test case: Successful DELETE returns expected status
Endpoint: DELETE /resources/{id}
Expected result:
- API returns
204 No Content,200 OK, or another documented success code; - behavior matches API documentation.
Test case: Unauthorized request returns 401
Endpoint: protected endpoint.
Request:
- no token.
Expected result:
- status is
401 Unauthorized; - no protected data returned.
Test case: Forbidden request returns 403
Endpoint: admin endpoint.
Request:
- regular user token.
Expected result:
- status is
403 Forbidden; - action is not performed.
Test case: Unsupported method returns 405
Endpoint: POST /users/{id} where only GET is allowed.
Expected result:
- status is
405 Method Not Allowed; - no state change happens.
Test case: Rate limit returns 429
Endpoint: sensitive or rate-limited endpoint.
Request:
- exceed allowed request limit.
Expected result:
- status is
429 Too Many Requests; - response follows rate limit format;
- retry guidance is provided if supported.
6. Response schema test cases
Response schema test cases check whether response structure remains stable.
Test case: Required response fields are present
Endpoint: GET /users/{id}
Expected result:
- required fields are present;
- field names match documentation;
- no required field is missing.
Test case: Data types are correct
Endpoint: GET /orders/{id}
Expected result:
- ID is string or number according to schema;
- amount is number;
- status is string/enum;
- created timestamp is valid datetime.
Test case: Nullable fields behave correctly
Endpoint: GET /profile
Preconditions:
- optional phone number is not set.
Expected result:
- field is
null, absent, or empty according to schema; - behavior is consistent.
Test case: Array response structure is valid
Endpoint: GET /orders
Expected result:
- response contains array or documented wrapper object;
- each item follows expected schema.
Test case: Error response follows schema
Endpoint: any invalid request.
Expected result:
- error code is present;
- message is present;
- field errors are present when relevant;
- response format is consistent.
7. Authentication test cases
Authentication test cases check whether API accepts only valid credentials.
Test case: Request without token
Endpoint: protected endpoint.
Expected result:
- status is
401 Unauthorized; - protected data is not returned.
Test case: Request with expired token
Endpoint: protected endpoint.
Expected result:
- status is
401 Unauthorized; - error indicates token is expired or invalid according to product rules.
Test case: Request with invalid token
Endpoint: protected endpoint.
Request:
- malformed or random token.
Expected result:
- status is
401 Unauthorized; - no protected data returned;
- no stack trace exposed.
Test case: Request with revoked token
Endpoint: protected endpoint.
Preconditions:
- token was revoked or user logged out if revocation is supported.
Expected result:
- request is rejected;
- session/token rules are enforced.
Test case: Login with valid credentials
Endpoint: POST /login
Expected result:
- status is
200 OK; - token/session returned according to product design;
- sensitive data not exposed.
Test case: Login with wrong password
Endpoint: POST /login
Expected result:
- status is
401 Unauthorizedor documented auth error; - error message is clear but safe;
- no token is issued.
8. Authorization and permission test cases
Authorization test cases check whether users can access only what they are allowed to access.
Test case: User A requests User B resource
Endpoint: GET /orders/{userBOrderId}
Preconditions:
- User A and User B exist;
- User B has an order.
Steps:
- send request as User A for User B’s order.
Expected result:
- status is
403 Forbiddenor404 Not Foundaccording to product rules; - User B data is not returned.
Test case: Regular user calls admin endpoint
Endpoint: GET /admin/users
Request:
- regular user token.
Expected result:
- status is
403 Forbidden; - admin data is not returned.
Test case: Read-only user attempts update
Endpoint: PATCH /resources/{id}
Request:
- read-only user token;
- valid update body.
Expected result:
- status is
403 Forbidden; - resource is not updated.
Test case: User tries to modify protected field
Endpoint: PATCH /users/{id}
Request:
- role:
admin.
Expected result:
- protected field is ignored or rejected;
- user role does not change;
- response does not imply success for protected field.
Test case: Tenant A user accesses Tenant B resource
Endpoint: GET /workspaces/{tenantBResourceId}
Expected result:
- access is denied;
- no cross-tenant data is exposed.
9. CRUD API test cases
CRUD test cases check create, read, update, and delete behavior.
Test case: Create resource
Endpoint: POST /projects
Expected result:
- status is
201 Created; - project is created once;
- response contains project ID.
Test case: Read created resource
Endpoint: GET /projects/{id}
Expected result:
- status is
200 OK; - returned data matches created project.
Test case: Update resource partially
Endpoint: PATCH /projects/{id}
Request:
- update only name.
Expected result:
- name changes;
- other fields remain unchanged.
Test case: Replace resource if PUT is supported
Endpoint: PUT /projects/{id}
Expected result:
- replacement behavior matches API documentation;
- missing fields are handled according to rules.
Test case: Delete resource
Endpoint: DELETE /projects/{id}
Expected result:
- resource is deleted, archived, or marked inactive according to product rules.
Test case: Delete already deleted resource
Endpoint: DELETE /projects/{id}
Expected result:
- API handles repeated delete safely;
- no server error occurs.
10. Pagination test cases
Pagination test cases check list endpoints.
Test case: Default pagination
Endpoint: GET /orders
Expected result:
- default page size is applied;
- response contains first page of results;
- pagination metadata is correct if supported.
Test case: Custom page size
Endpoint: GET /orders?limit=20
Expected result:
- up to 20 records returned;
- limit is respected;
- metadata is correct.
Test case: Page size above maximum
Endpoint: GET /orders?limit=999999
Expected result:
- API caps limit or returns validation error;
- endpoint does not return excessive data.
Test case: Next page
Endpoint: GET /orders?page=2 or cursor-based equivalent.
Expected result:
- next page returns different records;
- no duplicates from previous page unless expected;
- no records are skipped.
Test case: Invalid page parameter
Endpoint: GET /orders?page=-1
Expected result:
- status is
400 Bad Requestor safe default behavior; - no server error.
11. Filtering and sorting test cases
Filtering and sorting test cases verify list behavior.
Test case: Filter by status
Endpoint: GET /orders?status=paid
Expected result:
- only paid orders returned;
- count matches expected data.
Test case: Filter by date range
Endpoint: GET /orders?from=2026-01-01&to=2026-01-31
Expected result:
- only records in range returned;
- boundary dates handled correctly.
Test case: Invalid filter value
Endpoint: GET /orders?status=banana
Expected result:
- status is
400 Bad Requestor documented behavior; - no server error.
Test case: Sort ascending
Endpoint: GET /orders?sort=created_at:asc
Expected result:
- results sorted from oldest to newest.
Test case: Sort descending
Endpoint: GET /orders?sort=created_at:desc
Expected result:
- results sorted from newest to oldest.
Test case: Invalid sort field
Endpoint: GET /orders?sort=password_hash:asc
Expected result:
- invalid sort field rejected;
- internal fields not exposed.
12. Search endpoint test cases
Search test cases verify query behavior.
Test case: Exact search query
Endpoint: GET /products/search?q=iphone
Expected result:
- relevant products returned;
- exact or close matches ranked appropriately.
Test case: Empty search query
Endpoint: GET /products/search?q=
Expected result:
- behavior follows product rules;
- no expensive unbounded response;
- no server error.
Test case: Search with special characters
Endpoint: GET /products/search?q=%27%22%3C%3E
Expected result:
- input handled safely;
- no server error;
- no injection-like behavior.
Test case: Search with no results
Endpoint: GET /products/search?q=nonexistentproductxyz
Expected result:
- status is
200 OK; - empty result set returned;
- no-results response format is clear.
13. Idempotency test cases
Idempotency test cases are important for create/payment/order actions.
Test case: Same POST with same idempotency key
Endpoint: POST /orders
Headers:
Idempotency-Key: abc-123
Steps:
- send same request twice with same idempotency key.
Expected result:
- only one order is created;
- second response returns same result or safe idempotent response.
Test case: Same POST with different idempotency key
Endpoint: POST /orders
Steps:
- send same request twice with different idempotency keys.
Expected result:
- behavior follows product rules;
- two records may be created if considered separate requests.
Test case: Idempotency key with changed body
Endpoint: POST /orders
Steps:
- send request with idempotency key;
- resend with same key but different body.
Expected result:
- API rejects conflict or follows documented behavior;
- no unsafe duplicate or inconsistent record appears.
14. Duplicate request test cases
Duplicate request test cases check repeated user or client actions.
Test case: Duplicate create request without idempotency
Endpoint: POST /orders
Steps:
- send same request twice quickly.
Expected result:
- duplicate behavior follows product rules;
- no unintended duplicate if duplicates should be prevented.
Test case: Retry after timeout
Endpoint: critical create endpoint.
Steps:
- simulate timeout after request;
- resend request.
Expected result:
- no duplicate record if operation actually succeeded;
- client/server can reconcile final result.
Test case: Double submit from frontend
Endpoint: POST /checkout
Steps:
- trigger double submit if possible.
Expected result:
- no duplicate order/payment created;
- backend enforces safety, not only UI.
15. Rate limit test cases
Rate limit test cases check abuse protection and resource control.
Test case: Exceed login request limit
Endpoint: POST /login
Steps:
- send repeated failed login attempts.
Expected result:
- API returns
429or lockout behavior according to product rules; - error response is safe.
Test case: Exceed password reset limit
Endpoint: POST /password-reset
Steps:
- send repeated reset requests.
Expected result:
- rate limit or throttling applies;
- no excessive email sending occurs.
Test case: Exceed export endpoint limit
Endpoint: POST /reports/export
Steps:
- request many exports quickly.
Expected result:
- API limits excessive requests;
- no resource abuse occurs.
Test case: Normal user is not blocked too aggressively
Endpoint: common endpoint.
Steps:
- perform normal expected user flow.
Expected result:
- rate limit does not block regular usage.
16. Error response test cases
For deeper coverage of status codes, safe error schemas, field-level errors, request IDs, and logging, use the API Error Handling Testing Checklist.
Error test cases verify safe and consistent error handling.
Test case: Validation error format
Endpoint: any endpoint with invalid request.
Expected result:
- error has consistent structure;
- field errors are clear;
- no stack trace appears.
Test case: Authentication error format
Endpoint: protected endpoint without token.
Expected result:
- status is
401; - error format matches standard schema;
- no sensitive info exposed.
Test case: Permission error format
Endpoint: forbidden resource/action.
Expected result:
- status is
403or404; - error does not expose private resource details.
Test case: Server error does not leak internals
Endpoint: controlled error scenario in non-production.
Expected result:
- no SQL details;
- no stack trace;
- no internal path;
- error ID or correlation ID returned if supported.
17. Headers and content type test cases
Header and content type cases check request metadata.
Test case: Missing Content-Type
Endpoint: POST /users
Request:
- JSON body without
Content-Type.
Expected result:
- API handles according to rules;
- no unsafe parsing behavior.
Test case: Unsupported Content-Type
Endpoint: POST /users
Request:
Content-Type: text/plain
Expected result:
- status is
415 Unsupported Media Typeor documented error; - no record created.
Test case: Accept header behavior
Endpoint: any endpoint.
Request:
- unsupported
Acceptheader.
Expected result:
- API returns documented response;
- no server error.
Test case: Request ID / correlation ID
Endpoint: any endpoint.
Headers:
- send request ID if supported.
Expected result:
- request ID appears in logs or response according to product rules.
18. File upload API test cases
File upload cases check size, type, permissions, and errors.
Test case: Upload valid file
Endpoint: POST /files
Expected result:
- status is success;
- file is uploaded;
- file ID is returned;
- file belongs to correct user.
Test case: Upload unsupported file type
Endpoint: POST /files
Request:
- unsupported file extension/type.
Expected result:
- request is rejected;
- error is clear;
- file is not stored.
Test case: Upload file above size limit
Endpoint: POST /files
Expected result:
- request is rejected;
- error explains size limit;
- no partial broken file remains.
Test case: Upload without permission
Endpoint: POST /files
Request:
- user without upload permission.
Expected result:
- status is
403 Forbidden; - file is not uploaded.
19. File download API test cases
Download cases check access control.
Test case: Download own file
Endpoint: GET /files/{id}
Expected result:
- user can download own file;
- content type and filename are correct.
Test case: Download another user’s file
Endpoint: GET /files/{otherUserFileId}
Expected result:
- access is denied;
- file content is not returned.
Test case: Download deleted file
Endpoint: GET /files/{deletedFileId}
Expected result:
- status is
404or documented behavior; - no stale file content returned.
20. Async job and long-running request test cases
Async cases check job creation, status, and completion.
Test case: Start async job
Endpoint: POST /exports
Expected result:
- status is
202 Acceptedor documented status; - job ID is returned;
- job status can be checked.
Test case: Check async job status
Endpoint: GET /exports/{jobId}
Expected result:
- status endpoint returns pending, processing, completed, or failed;
- response follows schema.
Test case: Async job completes successfully
Preconditions:
- export job was started.
Expected result:
- job eventually completes;
- output is available;
- user can access only their own result.
Test case: Async job failure
Expected result:
- failure status is visible;
- error is clear;
- retry or recovery path exists if supported.
21. Webhook-related API test cases
For full event delivery, signature, retry, duplicate, and out-of-order coverage, use the Webhook Testing Checklist.
Webhook-related cases check event-driven API behavior.
Test case: Receive valid webhook
Endpoint: POST /webhooks/provider
Request:
- valid signature;
- valid event payload.
Expected result:
- status is
2xx; - event is processed;
- related record is updated.
Test case: Webhook with invalid signature
Endpoint: POST /webhooks/provider
Request:
- invalid signature.
Expected result:
- request is rejected;
- no side effect happens.
Test case: Duplicate webhook event
Endpoint: POST /webhooks/provider
Steps:
- send same event twice with same event ID.
Expected result:
- event processed once;
- no duplicate order/payment/email created.
Test case: Out-of-order webhook event
Steps:
- send newer status first;
- send older status after.
Expected result:
- final state remains correct;
- older event does not overwrite newer final state.
22. Integration test cases
For broader cross-system workflows, data mapping, retries, reconciliation, and support visibility, use the API Integration Testing Checklist.
Integration cases check whether API behavior works across systems.
Test case: Create CRM lead through API
Endpoint: POST /leads
Expected result:
- lead created in source system;
- lead appears in CRM;
- fields are mapped correctly.
Test case: Create order and sync to ERP
Endpoint: POST /orders
Expected result:
- order created internally;
- ERP receives order;
- external order ID is stored;
- data matches across systems.
Test case: Payment provider status updates order
Flow:
- payment provider sends status update;
- API processes event.
Expected result:
- order status updates correctly;
- no duplicate order or payment appears.
Test case: External API failure
Flow:
- API calls external service;
- external service returns error.
Expected result:
- error is handled;
- failure is logged;
- no broken partial state is created.
23. Security basics test cases
For deeper security-specific coverage, use the REST API Security Testing Checklist.
Security basics test cases do not replace a REST API Security Testing Checklist, but they catch common issues.
Test case: User cannot access another user’s object
Endpoint: GET /orders/{otherUserOrderId}
Expected result:
- status is
403or404; - data is not returned.
Test case: User cannot modify protected field
Endpoint: PATCH /users/{id}
Request:
role: admin
Expected result:
- role is not changed;
- request is rejected or field is ignored safely.
Test case: API does not return sensitive fields
Endpoint: GET /users/{id}
Expected result:
- response does not contain password hash, tokens, API keys, or internal secrets.
Test case: Old API version does not bypass security
Endpoint: old version of protected endpoint.
Expected result:
- same authorization rules apply;
- old version does not expose sensitive fields.
Test case: CORS does not allow unexpected origin
Request:
- call API from unauthorized origin if applicable.
Expected result:
- browser access is blocked according to CORS rules.
24. Production API smoke test cases
For a dedicated post-deploy gate, use the API Smoke Testing Checklist.
Production smoke cases should be safe, short, and agreed in advance.
Test case: Production health endpoint
Endpoint: health endpoint.
Expected result:
- API is available;
- status is healthy;
- no sensitive data exposed.
Test case: Production authentication smoke
Endpoint: login or token check endpoint.
Expected result:
- valid test credentials work;
- invalid credentials fail safely.
Test case: Production protected endpoint smoke
Endpoint: safe read-only endpoint.
Expected result:
- valid user receives expected data;
- unauthorized request is rejected.
Test case: Production safe write smoke, if approved
Endpoint: safe test create endpoint.
Expected result:
- test record is created;
- cleanup works;
- no real customer data is affected.
Test case: Production logs and monitoring
Expected result:
- test request appears in logs;
- no error spike appears;
- monitoring remains stable.
Best test data for API test cases
Good API test cases need reliable test data.
Prepare:
- valid user;
- invalid user;
- admin user;
- regular user;
- read-only user;
- User A and User B;
- Tenant A and Tenant B;
- existing resource;
- nonexistent resource ID;
- deleted resource;
- archived resource;
- resource in each important status;
- valid request body;
- invalid request body;
- missing required fields;
- duplicate data;
- expired token;
- invalid token;
- valid API key;
- revoked API key;
- large payload;
- edge-case dates;
- special characters;
- file samples if upload is supported.
Stable test data makes API testing faster, clearer, and easier to automate.
Automation candidates for API test cases
Many API test cases are excellent automation candidates.
Good automation candidates:
- successful
GET; - successful
POST; - required field validation;
- invalid data type;
- schema validation;
- auth required;
- expired token;
- permission boundary;
- user cannot access another user’s resource;
- pagination;
- filtering;
- sorting;
- idempotency;
- duplicate request prevention;
- rate limit check in controlled environment;
- webhook signature validation;
- production read-only smoke.
Keep some scenarios manual or semi-manual:
- exploratory security checks;
- complex integration failures;
- provider-specific webhook setup;
- production-safe smoke requiring human approval;
- unusual edge cases;
- tests involving destructive actions.
A good API automation suite should be stable, fast, and focused on high-value scenarios.
Common mistakes
1. Writing broad checks instead of test cases
“Test validation” is not a test case. A useful API test case needs request data and expected result.
2. Testing only the happy path
Valid requests are important, but many API bugs appear in invalid input, permissions, duplicate requests, and error handling.
3. Not checking data result
A response can look correct while the database or downstream system is wrong. Verify the actual data result.
4. Ignoring authorization cases
API test cases should include role boundaries, user ownership, tenant isolation, and admin-only actions.
5. Not testing duplicate requests
Repeated POST, retry after timeout, double submit, or same idempotency key can create duplicate records if not tested.
6. Not checking error response format
Errors should be predictable, safe, and useful. They should not leak internals.
7. Not testing unsupported methods
Unexpected methods should not create side effects.
8. Not testing pagination and filtering
List endpoints often break in pagination, filters, sorting, and edge cases.
9. Not testing production smoke safely
Production smoke tests should be safe, approved, and use test data or read-only endpoints where possible.
10. Not converting bug fixes into regression test cases
If an API bug was fixed, add a test case that prevents it from coming back.
FAQ
What is an API Test Cases Checklist?
An API Test Cases Checklist is a practical list of specific API test scenarios.
It helps QA engineers, developers, and teams test positive flows, negative flows, validation, authentication, authorization, CRUD, pagination, filtering, errors, duplicate requests, idempotency, security basics, integration behavior, and production smoke.
How is an API Test Cases Checklist different from an API Testing Checklist?
An API Testing Checklist describes testing areas: status codes, schema, validation, auth, errors, performance, and security.
An API Test Cases Checklist gives concrete scenarios: send request without required field, call admin endpoint as regular user, send duplicate POST, use expired token, or request another user’s resource.
What should an API test case include?
A good API test case should include:
- title;
- endpoint;
- HTTP method;
- preconditions;
- request headers;
- request body or query parameters;
- expected status code;
- expected response body;
- expected data result;
- cleanup rule, if needed.
What are positive API test cases?
Positive API test cases use valid input and expected access.
Examples:
- get existing user;
- create user with valid data;
- update allowed field;
- delete own resource;
- list records with valid pagination;
- upload valid file.
What are negative API test cases?
Negative API test cases use invalid, missing, unauthorized, or unexpected input.
Examples:
- missing required field;
- invalid JSON;
- invalid enum;
- nonexistent ID;
- expired token;
- unauthorized access;
- unsupported method;
- duplicate request;
- rate limit exceeded.
What are API validation test cases?
API validation test cases check required fields, data types, formats, length limits, enum values, numeric ranges, date ranges, file limits, and invalid body structure.
Example: POST /users without email should return 400 and field-level error.
What are API authorization test cases?
API authorization test cases check whether a user can access only allowed resources and actions.
Examples:
- User A cannot access User B order;
- regular user cannot call admin endpoint;
- read-only user cannot update resource;
- tenant A cannot access tenant B data.
What are API idempotency test cases?
API idempotency test cases check that repeated requests do not create duplicate side effects.
Example: send the same POST /orders twice with the same idempotency key. Expected result: only one order is created.
Should API test cases include security checks?
Yes, at least basic security checks.
Include tests for authentication, authorization, user ownership, protected fields, sensitive data exposure, unsafe methods, rate limits, and error messages.
For deeper security coverage, use a REST API Security Testing Checklist.
Should API test cases be automated?
Many API test cases should be automated, especially happy paths, validation, auth, permissions, schema checks, pagination, idempotency, and regression tests.
Manual testing is still useful for exploratory checks, complex integration behavior, provider setup, and production-safe smoke.
How do you know API test cases passed?
API test cases can be considered passed when:
- valid requests return correct success responses;
- invalid requests return safe errors;
- status codes match expectations;
- response schemas are correct;
- data is created, updated, or deleted correctly;
- authentication works;
- authorization boundaries are enforced;
- duplicates are prevented;
- rate limits behave correctly;
- errors do not expose internals;
- no blocker or critical API issues remain.