~/qa-guides

~/qa-guides/api-test-cases-checklist

>_ API Test Cases Checklist

A practical API test cases checklist with concrete positive, negative, validation, auth, permissions, CRUD, pagination, idempotency, error, security, and smoke scenarios.

APITest CasesBackendAutomationRegression

Published

Short answer

An API Test Cases Checklist is a practical list of positive, negative, validation, authentication, authorization, CRUD, pagination, error handling, security, integration, and smoke test case ideas for REST APIs and backend endpoints.

This article is not another general API testing guide. It is focused on specific API test cases that QA engineers, developers, and product teams can use when preparing manual API tests, automated API tests, regression suites, or release checks.

An API Testing Checklist answers: which API areas should be tested?

An API Test Cases Checklist answers: which specific scenarios should I execute?

For example:

  • send request without required field → expect 400 and clear validation error;
  • send request with another user’s resource ID → expect 403 or 404;
  • send duplicate POST with same idempotency key → expect one created record;
  • send expired token → expect 401;
  • call admin endpoint as regular user → expect 403;
  • send invalid JSON body → expect 400, not 500.

The main idea is: API test cases turn broad API testing areas into concrete, repeatable scenarios with request, expected status, expected response, and expected data result.

API Test Cases vs API Testing Checklist

An API Testing Checklist is a coverage map.

It usually includes areas like:

  • status codes;
  • request validation;
  • response schema;
  • authentication;
  • authorization;
  • CRUD;
  • pagination;
  • filtering;
  • sorting;
  • error handling;
  • performance;
  • security basics;
  • integration behavior.

An API Test Cases Checklist is a practical scenario list.

It includes concrete checks like:

  • GET /users/{id} with existing ID returns 200;
  • GET /users/{id} with nonexistent ID returns 404;
  • POST /users without required email returns 400;
  • POST /login with wrong password returns clear authentication error;
  • regular user tries admin endpoint and receives 403;
  • User A requests User B resource and receives 403 or 404;
  • same POST request sent twice does not create duplicate record;
  • invalid JSON body returns 400, not 500;
  • unsupported method returns 405;
  • expired token returns 401;
  • request over limit returns 429.

In simple terms:

API Testing Checklist = what areas to cover. API Test Cases Checklist = which specific test cases to run.

When to use API test cases

Use API test cases when you need repeatable, concrete API checks.

For example:

  • a new REST API is being released;
  • a new endpoint is added;
  • request validation changes;
  • response schema changes;
  • authentication changes;
  • permissions change;
  • CRUD logic changes;
  • pagination or filtering changes;
  • search endpoint changes;
  • API integration is added;
  • webhook-related endpoint changes;
  • rate limits are added;
  • file upload endpoint is added;
  • production API smoke testing is needed;
  • regression testing is needed after backend changes;
  • a bug fix needs a focused API retest;
  • automated API tests are being created.

For a small endpoint change, a few targeted test cases or a short API Smoke Testing Checklist may be enough. For a public API, partner API, payment API, multi-tenant SaaS API, or business-critical backend flow, use a broader test case set.

Short API Test Cases Checklist

If you need a quick API test pass, start with these test cases:

  • valid GET request returns 200;
  • GET with nonexistent ID returns 404;
  • valid POST creates a record and returns 201;
  • POST without required field returns 400;
  • POST with invalid data type returns 400;
  • invalid JSON body returns 400, not 500;
  • valid PATCH updates only allowed fields;
  • valid DELETE removes or archives resource according to rules;
  • request without token returns 401;
  • request with expired token returns 401;
  • regular user calling admin endpoint returns 403;
  • User A requesting User B resource returns 403 or 404;
  • unsupported HTTP method returns 405;
  • response body matches expected schema;
  • error response follows expected format;
  • list endpoint supports pagination;
  • filters return correct records;
  • sorting changes order, not result set;
  • duplicate POST does not create duplicate record;
  • same idempotency key returns safe result;
  • rate-limited request returns 429;
  • file upload rejects unsupported file type;
  • async job returns trackable status;
  • webhook-related event is processed once;
  • production API smoke test passes after release.

API Test Case Template

Use a consistent format for API test cases. It makes manual testing, automation, bug reporting, and regression easier.

Test case: Create user with valid data

Endpoint: POST /users

Precondition:

  • User does not already exist.
  • Tester has valid API access.

Request:

  • name: "Jane Doe"
  • email: "jane@example.com"
  • password: valid password

Expected status:

  • 201 Created

Expected response:

  • user ID is returned
  • email matches request
  • created timestamp is present
  • password is not returned

Expected data result:

  • user is created once in the database
  • user can be fetched by ID
  • no duplicate user is created

Negative check:

  • creating another user with the same email returns 409 or 400 according to product rules

A strong API test case usually includes:

  • test case title;
  • endpoint;
  • method;
  • preconditions;
  • request data;
  • headers/auth;
  • expected status code;
  • expected response body;
  • expected data result;
  • negative or edge check;
  • cleanup rule, if needed.

Full API Test Cases Checklist

1. Positive API test cases

Positive test cases check that the endpoint works with valid input.

Test case: Get existing user by ID

Endpoint: GET /users/{id}

Preconditions:

  • user exists;
  • requester has permission to view the user.

Steps:

  • send GET /users/{existingUserId}.

Expected result:

  • status is 200 OK;
  • response contains correct user ID;
  • response contains expected fields;
  • response does not contain sensitive fields such as password or token.

Test case: Create record with valid data

Endpoint: POST /resources

Preconditions:

  • requester is authenticated;
  • request body contains valid data.

Steps:

  • send valid POST request.

Expected result:

  • status is 201 Created;
  • response contains created record ID;
  • created record can be fetched by GET;
  • record is created once.

Test case: Update record with valid data

Endpoint: PATCH /resources/{id}

Preconditions:

  • resource exists;
  • requester has permission to update it.

Steps:

  • send PATCH request with allowed field.

Expected result:

  • status is 200 OK or expected success status;
  • updated field changes;
  • unchanged fields remain unchanged;
  • updated record can be fetched and verified.

Test case: Delete or archive existing record

Endpoint: DELETE /resources/{id}

Preconditions:

  • resource exists;
  • requester has permission to delete or archive it.

Steps:

  • send DELETE request.

Expected result:

  • status matches product convention: 200, 202, or 204;
  • resource is deleted, archived, or marked inactive according to rules;
  • repeated fetch returns expected state;
  • related data is not broken.

2. Negative API test cases

Negative test cases check how API behaves with invalid, missing, or unexpected input.

Test case: Get nonexistent resource

Endpoint: GET /users/{id}

Request:

  • use a valid-format ID that does not exist.

Expected result:

  • status is 404 Not Found;
  • response follows standard error format;
  • no stack trace or internal details are exposed.

Test case: Send invalid JSON body

Endpoint: POST /users

Request:

  • malformed JSON body.

Expected result:

  • status is 400 Bad Request;
  • error response is clear;
  • API does not return 500;
  • no record is created.

Test case: Send unsupported field

Endpoint: POST /users

Request:

  • valid required fields;
  • extra unexpected field.

Expected result:

  • unsupported field is rejected or ignored according to API rules;
  • protected data is not changed;
  • response does not expose internal model behavior.

Test case: Send empty request body

Endpoint: POST /users

Request:

  • empty body.

Expected result:

  • status is 400 Bad Request;
  • required field errors are returned;
  • no record is created.

3. Required field test cases

Required field test cases check whether missing required data is handled correctly.

Test case: Missing required email

Endpoint: POST /users

Request:

  • valid name;
  • missing email;
  • valid password.

Expected result:

  • status is 400 Bad Request;
  • error identifies missing email;
  • no user is created.

Test case: Missing required password

Endpoint: POST /users

Request:

  • valid name;
  • valid email;
  • missing password.

Expected result:

  • status is 400 Bad Request;
  • error identifies missing password;
  • no user is created.

Test case: Missing required path parameter

Endpoint: GET /orders/{id}

Request:

  • call incorrect path without required ID if route can be formed.

Expected result:

  • API returns safe error or route not found;
  • no internal routing details are exposed.

Test case: Missing required query parameter

Endpoint: GET /reports?from=&to=

Request:

  • omit required from or to date.

Expected result:

  • status is 400 Bad Request;
  • error explains missing date field;
  • no report is generated with incorrect default range.

4. Invalid data test cases

Invalid data test cases check type, format, length, and business validation.

Test case: Invalid email format

Endpoint: POST /users

Request:

  • email: not-an-email.

Expected result:

  • status is 400 Bad Request;
  • field-level validation error is returned;
  • no user is created.

Test case: Invalid date format

Endpoint: GET /reports?from=abc&to=xyz

Expected result:

  • status is 400 Bad Request;
  • error explains expected date format;
  • API does not return 500.

Test case: Invalid enum value

Endpoint: PATCH /orders/{id}

Request:

  • status: banana.

Expected result:

  • status is 400 Bad Request;
  • error lists or describes allowed values;
  • order status is not changed.

Test case: Field exceeds maximum length

Endpoint: POST /products

Request:

  • title longer than allowed limit.

Expected result:

  • status is 400 Bad Request;
  • error identifies max length;
  • no product is created.

Test case: Negative numeric value

Endpoint: POST /orders

Request:

  • quantity: -1.

Expected result:

  • status is 400 Bad Request;
  • quantity is rejected;
  • order is not created.

Test case: Zero value where positive value is required

Endpoint: POST /orders

Request:

  • quantity: 0.

Expected result:

  • status is 400 Bad Request;
  • no zero-quantity item is created.

5. Status code test cases

Status code test cases check whether API communicates results correctly.

Test case: Successful GET returns 200

Endpoint: GET /users/{id}

Expected result:

  • existing accessible resource returns 200 OK.

Test case: Successful POST returns 201

Endpoint: POST /users

Expected result:

  • created resource returns 201 Created;
  • response contains new resource ID.

Test case: Successful DELETE returns expected status

Endpoint: DELETE /resources/{id}

Expected result:

  • API returns 204 No Content, 200 OK, or another documented success code;
  • behavior matches API documentation.

Test case: Unauthorized request returns 401

Endpoint: protected endpoint.

Request:

  • no token.

Expected result:

  • status is 401 Unauthorized;
  • no protected data returned.

Test case: Forbidden request returns 403

Endpoint: admin endpoint.

Request:

  • regular user token.

Expected result:

  • status is 403 Forbidden;
  • action is not performed.

Test case: Unsupported method returns 405

Endpoint: POST /users/{id} where only GET is allowed.

Expected result:

  • status is 405 Method Not Allowed;
  • no state change happens.

Test case: Rate limit returns 429

Endpoint: sensitive or rate-limited endpoint.

Request:

  • exceed allowed request limit.

Expected result:

  • status is 429 Too Many Requests;
  • response follows rate limit format;
  • retry guidance is provided if supported.

6. Response schema test cases

Response schema test cases check whether response structure remains stable.

Test case: Required response fields are present

Endpoint: GET /users/{id}

Expected result:

  • required fields are present;
  • field names match documentation;
  • no required field is missing.

Test case: Data types are correct

Endpoint: GET /orders/{id}

Expected result:

  • ID is string or number according to schema;
  • amount is number;
  • status is string/enum;
  • created timestamp is valid datetime.

Test case: Nullable fields behave correctly

Endpoint: GET /profile

Preconditions:

  • optional phone number is not set.

Expected result:

  • field is null, absent, or empty according to schema;
  • behavior is consistent.

Test case: Array response structure is valid

Endpoint: GET /orders

Expected result:

  • response contains array or documented wrapper object;
  • each item follows expected schema.

Test case: Error response follows schema

Endpoint: any invalid request.

Expected result:

  • error code is present;
  • message is present;
  • field errors are present when relevant;
  • response format is consistent.

7. Authentication test cases

Authentication test cases check whether API accepts only valid credentials.

Test case: Request without token

Endpoint: protected endpoint.

Expected result:

  • status is 401 Unauthorized;
  • protected data is not returned.

Test case: Request with expired token

Endpoint: protected endpoint.

Expected result:

  • status is 401 Unauthorized;
  • error indicates token is expired or invalid according to product rules.

Test case: Request with invalid token

Endpoint: protected endpoint.

Request:

  • malformed or random token.

Expected result:

  • status is 401 Unauthorized;
  • no protected data returned;
  • no stack trace exposed.

Test case: Request with revoked token

Endpoint: protected endpoint.

Preconditions:

  • token was revoked or user logged out if revocation is supported.

Expected result:

  • request is rejected;
  • session/token rules are enforced.

Test case: Login with valid credentials

Endpoint: POST /login

Expected result:

  • status is 200 OK;
  • token/session returned according to product design;
  • sensitive data not exposed.

Test case: Login with wrong password

Endpoint: POST /login

Expected result:

  • status is 401 Unauthorized or documented auth error;
  • error message is clear but safe;
  • no token is issued.

8. Authorization and permission test cases

Authorization test cases check whether users can access only what they are allowed to access.

Test case: User A requests User B resource

Endpoint: GET /orders/{userBOrderId}

Preconditions:

  • User A and User B exist;
  • User B has an order.

Steps:

  • send request as User A for User B’s order.

Expected result:

  • status is 403 Forbidden or 404 Not Found according to product rules;
  • User B data is not returned.

Test case: Regular user calls admin endpoint

Endpoint: GET /admin/users

Request:

  • regular user token.

Expected result:

  • status is 403 Forbidden;
  • admin data is not returned.

Test case: Read-only user attempts update

Endpoint: PATCH /resources/{id}

Request:

  • read-only user token;
  • valid update body.

Expected result:

  • status is 403 Forbidden;
  • resource is not updated.

Test case: User tries to modify protected field

Endpoint: PATCH /users/{id}

Request:

  • role: admin.

Expected result:

  • protected field is ignored or rejected;
  • user role does not change;
  • response does not imply success for protected field.

Test case: Tenant A user accesses Tenant B resource

Endpoint: GET /workspaces/{tenantBResourceId}

Expected result:

  • access is denied;
  • no cross-tenant data is exposed.

9. CRUD API test cases

CRUD test cases check create, read, update, and delete behavior.

Test case: Create resource

Endpoint: POST /projects

Expected result:

  • status is 201 Created;
  • project is created once;
  • response contains project ID.

Test case: Read created resource

Endpoint: GET /projects/{id}

Expected result:

  • status is 200 OK;
  • returned data matches created project.

Test case: Update resource partially

Endpoint: PATCH /projects/{id}

Request:

  • update only name.

Expected result:

  • name changes;
  • other fields remain unchanged.

Test case: Replace resource if PUT is supported

Endpoint: PUT /projects/{id}

Expected result:

  • replacement behavior matches API documentation;
  • missing fields are handled according to rules.

Test case: Delete resource

Endpoint: DELETE /projects/{id}

Expected result:

  • resource is deleted, archived, or marked inactive according to product rules.

Test case: Delete already deleted resource

Endpoint: DELETE /projects/{id}

Expected result:

  • API handles repeated delete safely;
  • no server error occurs.

10. Pagination test cases

Pagination test cases check list endpoints.

Test case: Default pagination

Endpoint: GET /orders

Expected result:

  • default page size is applied;
  • response contains first page of results;
  • pagination metadata is correct if supported.

Test case: Custom page size

Endpoint: GET /orders?limit=20

Expected result:

  • up to 20 records returned;
  • limit is respected;
  • metadata is correct.

Test case: Page size above maximum

Endpoint: GET /orders?limit=999999

Expected result:

  • API caps limit or returns validation error;
  • endpoint does not return excessive data.

Test case: Next page

Endpoint: GET /orders?page=2 or cursor-based equivalent.

Expected result:

  • next page returns different records;
  • no duplicates from previous page unless expected;
  • no records are skipped.

Test case: Invalid page parameter

Endpoint: GET /orders?page=-1

Expected result:

  • status is 400 Bad Request or safe default behavior;
  • no server error.

11. Filtering and sorting test cases

Filtering and sorting test cases verify list behavior.

Test case: Filter by status

Endpoint: GET /orders?status=paid

Expected result:

  • only paid orders returned;
  • count matches expected data.

Test case: Filter by date range

Endpoint: GET /orders?from=2026-01-01&to=2026-01-31

Expected result:

  • only records in range returned;
  • boundary dates handled correctly.

Test case: Invalid filter value

Endpoint: GET /orders?status=banana

Expected result:

  • status is 400 Bad Request or documented behavior;
  • no server error.

Test case: Sort ascending

Endpoint: GET /orders?sort=created_at:asc

Expected result:

  • results sorted from oldest to newest.

Test case: Sort descending

Endpoint: GET /orders?sort=created_at:desc

Expected result:

  • results sorted from newest to oldest.

Test case: Invalid sort field

Endpoint: GET /orders?sort=password_hash:asc

Expected result:

  • invalid sort field rejected;
  • internal fields not exposed.

12. Search endpoint test cases

Search test cases verify query behavior.

Test case: Exact search query

Endpoint: GET /products/search?q=iphone

Expected result:

  • relevant products returned;
  • exact or close matches ranked appropriately.

Test case: Empty search query

Endpoint: GET /products/search?q=

Expected result:

  • behavior follows product rules;
  • no expensive unbounded response;
  • no server error.

Test case: Search with special characters

Endpoint: GET /products/search?q=%27%22%3C%3E

Expected result:

  • input handled safely;
  • no server error;
  • no injection-like behavior.

Test case: Search with no results

Endpoint: GET /products/search?q=nonexistentproductxyz

Expected result:

  • status is 200 OK;
  • empty result set returned;
  • no-results response format is clear.

13. Idempotency test cases

Idempotency test cases are important for create/payment/order actions.

Test case: Same POST with same idempotency key

Endpoint: POST /orders

Headers:

  • Idempotency-Key: abc-123

Steps:

  • send same request twice with same idempotency key.

Expected result:

  • only one order is created;
  • second response returns same result or safe idempotent response.

Test case: Same POST with different idempotency key

Endpoint: POST /orders

Steps:

  • send same request twice with different idempotency keys.

Expected result:

  • behavior follows product rules;
  • two records may be created if considered separate requests.

Test case: Idempotency key with changed body

Endpoint: POST /orders

Steps:

  • send request with idempotency key;
  • resend with same key but different body.

Expected result:

  • API rejects conflict or follows documented behavior;
  • no unsafe duplicate or inconsistent record appears.

14. Duplicate request test cases

Duplicate request test cases check repeated user or client actions.

Test case: Duplicate create request without idempotency

Endpoint: POST /orders

Steps:

  • send same request twice quickly.

Expected result:

  • duplicate behavior follows product rules;
  • no unintended duplicate if duplicates should be prevented.

Test case: Retry after timeout

Endpoint: critical create endpoint.

Steps:

  • simulate timeout after request;
  • resend request.

Expected result:

  • no duplicate record if operation actually succeeded;
  • client/server can reconcile final result.

Test case: Double submit from frontend

Endpoint: POST /checkout

Steps:

  • trigger double submit if possible.

Expected result:

  • no duplicate order/payment created;
  • backend enforces safety, not only UI.

15. Rate limit test cases

Rate limit test cases check abuse protection and resource control.

Test case: Exceed login request limit

Endpoint: POST /login

Steps:

  • send repeated failed login attempts.

Expected result:

  • API returns 429 or lockout behavior according to product rules;
  • error response is safe.

Test case: Exceed password reset limit

Endpoint: POST /password-reset

Steps:

  • send repeated reset requests.

Expected result:

  • rate limit or throttling applies;
  • no excessive email sending occurs.

Test case: Exceed export endpoint limit

Endpoint: POST /reports/export

Steps:

  • request many exports quickly.

Expected result:

  • API limits excessive requests;
  • no resource abuse occurs.

Test case: Normal user is not blocked too aggressively

Endpoint: common endpoint.

Steps:

  • perform normal expected user flow.

Expected result:

  • rate limit does not block regular usage.

16. Error response test cases

For deeper coverage of status codes, safe error schemas, field-level errors, request IDs, and logging, use the API Error Handling Testing Checklist.

Error test cases verify safe and consistent error handling.

Test case: Validation error format

Endpoint: any endpoint with invalid request.

Expected result:

  • error has consistent structure;
  • field errors are clear;
  • no stack trace appears.

Test case: Authentication error format

Endpoint: protected endpoint without token.

Expected result:

  • status is 401;
  • error format matches standard schema;
  • no sensitive info exposed.

Test case: Permission error format

Endpoint: forbidden resource/action.

Expected result:

  • status is 403 or 404;
  • error does not expose private resource details.

Test case: Server error does not leak internals

Endpoint: controlled error scenario in non-production.

Expected result:

  • no SQL details;
  • no stack trace;
  • no internal path;
  • error ID or correlation ID returned if supported.

17. Headers and content type test cases

Header and content type cases check request metadata.

Test case: Missing Content-Type

Endpoint: POST /users

Request:

  • JSON body without Content-Type.

Expected result:

  • API handles according to rules;
  • no unsafe parsing behavior.

Test case: Unsupported Content-Type

Endpoint: POST /users

Request:

  • Content-Type: text/plain

Expected result:

  • status is 415 Unsupported Media Type or documented error;
  • no record created.

Test case: Accept header behavior

Endpoint: any endpoint.

Request:

  • unsupported Accept header.

Expected result:

  • API returns documented response;
  • no server error.

Test case: Request ID / correlation ID

Endpoint: any endpoint.

Headers:

  • send request ID if supported.

Expected result:

  • request ID appears in logs or response according to product rules.

18. File upload API test cases

File upload cases check size, type, permissions, and errors.

Test case: Upload valid file

Endpoint: POST /files

Expected result:

  • status is success;
  • file is uploaded;
  • file ID is returned;
  • file belongs to correct user.

Test case: Upload unsupported file type

Endpoint: POST /files

Request:

  • unsupported file extension/type.

Expected result:

  • request is rejected;
  • error is clear;
  • file is not stored.

Test case: Upload file above size limit

Endpoint: POST /files

Expected result:

  • request is rejected;
  • error explains size limit;
  • no partial broken file remains.

Test case: Upload without permission

Endpoint: POST /files

Request:

  • user without upload permission.

Expected result:

  • status is 403 Forbidden;
  • file is not uploaded.

19. File download API test cases

Download cases check access control.

Test case: Download own file

Endpoint: GET /files/{id}

Expected result:

  • user can download own file;
  • content type and filename are correct.

Test case: Download another user’s file

Endpoint: GET /files/{otherUserFileId}

Expected result:

  • access is denied;
  • file content is not returned.

Test case: Download deleted file

Endpoint: GET /files/{deletedFileId}

Expected result:

  • status is 404 or documented behavior;
  • no stale file content returned.

20. Async job and long-running request test cases

Async cases check job creation, status, and completion.

Test case: Start async job

Endpoint: POST /exports

Expected result:

  • status is 202 Accepted or documented status;
  • job ID is returned;
  • job status can be checked.

Test case: Check async job status

Endpoint: GET /exports/{jobId}

Expected result:

  • status endpoint returns pending, processing, completed, or failed;
  • response follows schema.

Test case: Async job completes successfully

Preconditions:

  • export job was started.

Expected result:

  • job eventually completes;
  • output is available;
  • user can access only their own result.

Test case: Async job failure

Expected result:

  • failure status is visible;
  • error is clear;
  • retry or recovery path exists if supported.

21. Webhook-related API test cases

For full event delivery, signature, retry, duplicate, and out-of-order coverage, use the Webhook Testing Checklist.

Webhook-related cases check event-driven API behavior.

Test case: Receive valid webhook

Endpoint: POST /webhooks/provider

Request:

  • valid signature;
  • valid event payload.

Expected result:

  • status is 2xx;
  • event is processed;
  • related record is updated.

Test case: Webhook with invalid signature

Endpoint: POST /webhooks/provider

Request:

  • invalid signature.

Expected result:

  • request is rejected;
  • no side effect happens.

Test case: Duplicate webhook event

Endpoint: POST /webhooks/provider

Steps:

  • send same event twice with same event ID.

Expected result:

  • event processed once;
  • no duplicate order/payment/email created.

Test case: Out-of-order webhook event

Steps:

  • send newer status first;
  • send older status after.

Expected result:

  • final state remains correct;
  • older event does not overwrite newer final state.

22. Integration test cases

For broader cross-system workflows, data mapping, retries, reconciliation, and support visibility, use the API Integration Testing Checklist.

Integration cases check whether API behavior works across systems.

Test case: Create CRM lead through API

Endpoint: POST /leads

Expected result:

  • lead created in source system;
  • lead appears in CRM;
  • fields are mapped correctly.

Test case: Create order and sync to ERP

Endpoint: POST /orders

Expected result:

  • order created internally;
  • ERP receives order;
  • external order ID is stored;
  • data matches across systems.

Test case: Payment provider status updates order

Flow:

  • payment provider sends status update;
  • API processes event.

Expected result:

  • order status updates correctly;
  • no duplicate order or payment appears.

Test case: External API failure

Flow:

  • API calls external service;
  • external service returns error.

Expected result:

  • error is handled;
  • failure is logged;
  • no broken partial state is created.

23. Security basics test cases

For deeper security-specific coverage, use the REST API Security Testing Checklist.

Security basics test cases do not replace a REST API Security Testing Checklist, but they catch common issues.

Test case: User cannot access another user’s object

Endpoint: GET /orders/{otherUserOrderId}

Expected result:

  • status is 403 or 404;
  • data is not returned.

Test case: User cannot modify protected field

Endpoint: PATCH /users/{id}

Request:

  • role: admin

Expected result:

  • role is not changed;
  • request is rejected or field is ignored safely.

Test case: API does not return sensitive fields

Endpoint: GET /users/{id}

Expected result:

  • response does not contain password hash, tokens, API keys, or internal secrets.

Test case: Old API version does not bypass security

Endpoint: old version of protected endpoint.

Expected result:

  • same authorization rules apply;
  • old version does not expose sensitive fields.

Test case: CORS does not allow unexpected origin

Request:

  • call API from unauthorized origin if applicable.

Expected result:

  • browser access is blocked according to CORS rules.

24. Production API smoke test cases

For a dedicated post-deploy gate, use the API Smoke Testing Checklist.

Production smoke cases should be safe, short, and agreed in advance.

Test case: Production health endpoint

Endpoint: health endpoint.

Expected result:

  • API is available;
  • status is healthy;
  • no sensitive data exposed.

Test case: Production authentication smoke

Endpoint: login or token check endpoint.

Expected result:

  • valid test credentials work;
  • invalid credentials fail safely.

Test case: Production protected endpoint smoke

Endpoint: safe read-only endpoint.

Expected result:

  • valid user receives expected data;
  • unauthorized request is rejected.

Test case: Production safe write smoke, if approved

Endpoint: safe test create endpoint.

Expected result:

  • test record is created;
  • cleanup works;
  • no real customer data is affected.

Test case: Production logs and monitoring

Expected result:

  • test request appears in logs;
  • no error spike appears;
  • monitoring remains stable.

Best test data for API test cases

Good API test cases need reliable test data.

Prepare:

  • valid user;
  • invalid user;
  • admin user;
  • regular user;
  • read-only user;
  • User A and User B;
  • Tenant A and Tenant B;
  • existing resource;
  • nonexistent resource ID;
  • deleted resource;
  • archived resource;
  • resource in each important status;
  • valid request body;
  • invalid request body;
  • missing required fields;
  • duplicate data;
  • expired token;
  • invalid token;
  • valid API key;
  • revoked API key;
  • large payload;
  • edge-case dates;
  • special characters;
  • file samples if upload is supported.

Stable test data makes API testing faster, clearer, and easier to automate.

Automation candidates for API test cases

Many API test cases are excellent automation candidates.

Good automation candidates:

  • successful GET;
  • successful POST;
  • required field validation;
  • invalid data type;
  • schema validation;
  • auth required;
  • expired token;
  • permission boundary;
  • user cannot access another user’s resource;
  • pagination;
  • filtering;
  • sorting;
  • idempotency;
  • duplicate request prevention;
  • rate limit check in controlled environment;
  • webhook signature validation;
  • production read-only smoke.

Keep some scenarios manual or semi-manual:

  • exploratory security checks;
  • complex integration failures;
  • provider-specific webhook setup;
  • production-safe smoke requiring human approval;
  • unusual edge cases;
  • tests involving destructive actions.

A good API automation suite should be stable, fast, and focused on high-value scenarios.

Common mistakes

1. Writing broad checks instead of test cases

“Test validation” is not a test case. A useful API test case needs request data and expected result.

2. Testing only the happy path

Valid requests are important, but many API bugs appear in invalid input, permissions, duplicate requests, and error handling.

3. Not checking data result

A response can look correct while the database or downstream system is wrong. Verify the actual data result.

4. Ignoring authorization cases

API test cases should include role boundaries, user ownership, tenant isolation, and admin-only actions.

5. Not testing duplicate requests

Repeated POST, retry after timeout, double submit, or same idempotency key can create duplicate records if not tested.

6. Not checking error response format

Errors should be predictable, safe, and useful. They should not leak internals.

7. Not testing unsupported methods

Unexpected methods should not create side effects.

8. Not testing pagination and filtering

List endpoints often break in pagination, filters, sorting, and edge cases.

9. Not testing production smoke safely

Production smoke tests should be safe, approved, and use test data or read-only endpoints where possible.

10. Not converting bug fixes into regression test cases

If an API bug was fixed, add a test case that prevents it from coming back.

FAQ

What is an API Test Cases Checklist?

An API Test Cases Checklist is a practical list of specific API test scenarios.

It helps QA engineers, developers, and teams test positive flows, negative flows, validation, authentication, authorization, CRUD, pagination, filtering, errors, duplicate requests, idempotency, security basics, integration behavior, and production smoke.

How is an API Test Cases Checklist different from an API Testing Checklist?

An API Testing Checklist describes testing areas: status codes, schema, validation, auth, errors, performance, and security.

An API Test Cases Checklist gives concrete scenarios: send request without required field, call admin endpoint as regular user, send duplicate POST, use expired token, or request another user’s resource.

What should an API test case include?

A good API test case should include:

  • title;
  • endpoint;
  • HTTP method;
  • preconditions;
  • request headers;
  • request body or query parameters;
  • expected status code;
  • expected response body;
  • expected data result;
  • cleanup rule, if needed.

What are positive API test cases?

Positive API test cases use valid input and expected access.

Examples:

  • get existing user;
  • create user with valid data;
  • update allowed field;
  • delete own resource;
  • list records with valid pagination;
  • upload valid file.

What are negative API test cases?

Negative API test cases use invalid, missing, unauthorized, or unexpected input.

Examples:

  • missing required field;
  • invalid JSON;
  • invalid enum;
  • nonexistent ID;
  • expired token;
  • unauthorized access;
  • unsupported method;
  • duplicate request;
  • rate limit exceeded.

What are API validation test cases?

API validation test cases check required fields, data types, formats, length limits, enum values, numeric ranges, date ranges, file limits, and invalid body structure.

Example: POST /users without email should return 400 and field-level error.

What are API authorization test cases?

API authorization test cases check whether a user can access only allowed resources and actions.

Examples:

  • User A cannot access User B order;
  • regular user cannot call admin endpoint;
  • read-only user cannot update resource;
  • tenant A cannot access tenant B data.

What are API idempotency test cases?

API idempotency test cases check that repeated requests do not create duplicate side effects.

Example: send the same POST /orders twice with the same idempotency key. Expected result: only one order is created.

Should API test cases include security checks?

Yes, at least basic security checks.

Include tests for authentication, authorization, user ownership, protected fields, sensitive data exposure, unsafe methods, rate limits, and error messages.

For deeper security coverage, use a REST API Security Testing Checklist.

Should API test cases be automated?

Many API test cases should be automated, especially happy paths, validation, auth, permissions, schema checks, pagination, idempotency, and regression tests.

Manual testing is still useful for exploratory checks, complex integration behavior, provider setup, and production-safe smoke.

How do you know API test cases passed?

API test cases can be considered passed when:

  • valid requests return correct success responses;
  • invalid requests return safe errors;
  • status codes match expectations;
  • response schemas are correct;
  • data is created, updated, or deleted correctly;
  • authentication works;
  • authorization boundaries are enforced;
  • duplicates are prevented;
  • rate limits behave correctly;
  • errors do not expose internals;
  • no blocker or critical API issues remain.

Ready to turn this guide into a working QA project with statuses, comments, and CSV export?