DEV Community: muhammad Sanaev The latest articles on DEV Community by muhammad Sanaev (@muhammadjon_sanaev). https://dev.to/muhammadjon_sanaev https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3893526%2F360faaf3-3a6c-441f-98ef-70e70b99b2c2.jpg DEV Community: muhammad Sanaev https://dev.to/muhammadjon_sanaev en The REST Assured Setup Nobody Shows You: Handling Auth Tokens That Expire Mid-Suite muhammad Sanaev Thu, 23 Apr 2026 06:27:07 +0000 https://dev.to/muhammadjon_sanaev/how-to-set-up-rest-assured-with-testng-and-maven-2026-guide-2o17 https://dev.to/muhammadjon_sanaev/how-to-set-up-rest-assured-with-testng-and-maven-2026-guide-2o17 <p>Most REST Assured tutorials show you a single given().when().then() against a sample API and call it done. That's fine for learning the syntax, but it doesn't cover what you actually need on a real project things like config per environment, clean test structure, and handling auth tokens that expire while the suite is running.</p> <p>I'm Mukhammadjon Sanaev, a QA Automation Engineer in San Francisco. I've worked across e-commerce, logistics, and sports tech. This post walks through a simple REST Assured + TestNG + Maven setup I'd use on day one of a new API testing project, plus one problem I ran into on a real checkout API that isn't in the tutorials.</p> <h2> What We're Building </h2> <p>A small Java project that:</p> <p>Uses REST Assured for API calls<br> Uses TestNG as the test runner<br> Runs against dev or staging with a single command<br> Handles an auth token that expires mid-run</p> <p>Examples are based on an e-commerce checkout API — the kind of thing you'd test at a Shopify- or Wayfair-style company. Nothing proprietary, just the shape of a real checkout flow.</p> <p>Project Structure<br> Keep it simple on day one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>api-tests/ ├── pom.xml ├── testng.xml └── src/test/ ├── java/com/example/tests/ │ ├── BaseTest.java │ ├── TokenManager.java │ └── CheckoutTests.java └── resources/ └── config.properties </code></pre> </div> <p>Step 1: pom.xml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code>xml<span class="nt">&lt;project&gt;</span> <span class="nt">&lt;modelVersion&gt;</span>4.0.0<span class="nt">&lt;/modelVersion&gt;</span> <span class="nt">&lt;groupId&gt;</span>com.example<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>api-tests<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>1.0<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;properties&gt;</span> <span class="nt">&lt;maven.compiler.source&gt;</span>17<span class="nt">&lt;/maven.compiler.source&gt;</span> <span class="nt">&lt;maven.compiler.target&gt;</span>17<span class="nt">&lt;/maven.compiler.target&gt;</span> <span class="nt">&lt;/properties&gt;</span> <span class="nt">&lt;dependencies&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.rest-assured<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>rest-assured<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>5.4.0<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.testng<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>testng<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>7.10.2<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;/dependencies&gt;</span> <span class="nt">&lt;/project&gt;</span> </code></pre> </div> <p>Step 2: Config File<br> Under src/test/resources/config.properties:<br> properties<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">base.url</span><span class="p">=</span><span class="s">https://api-dev.example.com</span> <span class="py">auth.url</span><span class="p">=</span><span class="s">https://auth-dev.example.com/oauth/token</span> <span class="py">client.id</span><span class="p">=</span><span class="s">your-client-id</span> <span class="py">client.secret</span><span class="p">=</span><span class="s">your-client-secret</span> </code></pre> </div> <p>Tip: don't commit real secrets to git. In a real project, read client.secret from an environment variable instead.</p> <p>Step 3: BaseTest<br> Sets the base URL for every test:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="n">javapublic</span> <span class="kd">class</span> <span class="nc">BaseTest</span> <span class="o">{</span> <span class="nd">@BeforeSuite</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">setup</span><span class="o">()</span> <span class="o">{</span> <span class="nc">RestAssured</span><span class="o">.</span><span class="na">baseURI</span> <span class="o">=</span> <span class="s">"https://api-dev.example.com"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Step 4: The Auth Problem<br> Here's the naive way to handle auth, which most tutorials show:<br> java// Fetch the token once, reuse forever<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nc">String</span> <span class="n">token</span> <span class="o">=</span> <span class="n">given</span><span class="o">()</span> <span class="o">.</span><span class="na">auth</span><span class="o">().</span><span class="na">basic</span><span class="o">(</span><span class="s">"client"</span><span class="o">,</span> <span class="s">"secret"</span><span class="o">)</span> <span class="o">.</span><span class="na">post</span><span class="o">(</span><span class="s">"/auth/token"</span><span class="o">)</span> <span class="o">.</span><span class="na">jsonPath</span><span class="o">().</span><span class="na">getString</span><span class="o">(</span><span class="s">"access_token"</span><span class="o">);</span> </code></pre> </div> <p>This works for 10 tests. It breaks when your suite gets bigger.<br> The Problem<br> On one project, our API tokens expired after 15 minutes. Our regression suite took about 22 minutes to run. The first batch of tests passed fine, then around test 140 everything started failing with 401 Unauthorized — not because the code was wrong, but because the token had expired halfway through the run.<br> The fix isn't to make the suite shorter. The fix is making the framework aware that tokens expire.<br> The Fix: A Simple TokenManager</p> <p>java<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">TokenManager</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span> <span class="n">token</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">Instant</span> <span class="n">expiresAt</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">getToken</span><span class="o">()</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">token</span> <span class="o">==</span> <span class="kc">null</span> <span class="o">||</span> <span class="nc">Instant</span><span class="o">.</span><span class="na">now</span><span class="o">().</span><span class="na">isAfter</span><span class="o">(</span><span class="n">expiresAt</span><span class="o">))</span> <span class="o">{</span> <span class="n">refresh</span><span class="o">();</span> <span class="o">}</span> <span class="k">return</span> <span class="n">token</span><span class="o">;</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">refresh</span><span class="o">()</span> <span class="o">{</span> <span class="nc">Response</span> <span class="n">response</span> <span class="o">=</span> <span class="n">given</span><span class="o">()</span> <span class="o">.</span><span class="na">formParam</span><span class="o">(</span><span class="s">"grant_type"</span><span class="o">,</span> <span class="s">"client_credentials"</span><span class="o">)</span> <span class="o">.</span><span class="na">formParam</span><span class="o">(</span><span class="s">"client_id"</span><span class="o">,</span> <span class="s">"your-client-id"</span><span class="o">)</span> <span class="o">.</span><span class="na">formParam</span><span class="o">(</span><span class="s">"client_secret"</span><span class="o">,</span> <span class="s">"your-client-secret"</span><span class="o">)</span> <span class="o">.</span><span class="na">post</span><span class="o">(</span><span class="s">"https://auth-dev.example.com/oauth/token"</span><span class="o">);</span> <span class="n">token</span> <span class="o">=</span> <span class="n">response</span><span class="o">.</span><span class="na">jsonPath</span><span class="o">().</span><span class="na">getString</span><span class="o">(</span><span class="s">"access_token"</span><span class="o">);</span> <span class="kt">int</span> <span class="n">expiresIn</span> <span class="o">=</span> <span class="n">response</span><span class="o">.</span><span class="na">jsonPath</span><span class="o">().</span><span class="na">getInt</span><span class="o">(</span><span class="s">"expires_in"</span><span class="o">);</span> <span class="c1">// Refresh 60 seconds early to avoid edge cases</span> <span class="n">expiresAt</span> <span class="o">=</span> <span class="nc">Instant</span><span class="o">.</span><span class="na">now</span><span class="o">().</span><span class="na">plusSeconds</span><span class="o">(</span><span class="n">expiresIn</span> <span class="o">-</span> <span class="mi">60</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Two things worth noting:</p> <p>The 60-second buffer. If you refresh exactly when the token expires, you can still hit a race condition with the server clock. Refreshing a bit early avoids that.<br> It only refreshes when needed. Most tests just grab the cached token.</p> <p>Using It<br> Every API call pulls a fresh token through TokenManager:<br> javapublic class CheckoutTests extends BaseTest {<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Test</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">getCart_returnsItems</span><span class="o">()</span> <span class="o">{</span> <span class="n">given</span><span class="o">()</span> <span class="o">.</span><span class="na">header</span><span class="o">(</span><span class="s">"Authorization"</span><span class="o">,</span> <span class="s">"Bearer "</span> <span class="o">+</span> <span class="nc">TokenManager</span><span class="o">.</span><span class="na">getToken</span><span class="o">())</span> <span class="o">.</span><span class="na">pathParam</span><span class="o">(</span><span class="s">"cartId"</span><span class="o">,</span> <span class="s">"cart-123"</span><span class="o">)</span> <span class="o">.</span><span class="na">when</span><span class="o">()</span> <span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"/cart/{cartId}"</span><span class="o">)</span> <span class="o">.</span><span class="na">then</span><span class="o">()</span> <span class="o">.</span><span class="na">statusCode</span><span class="o">(</span><span class="mi">200</span><span class="o">)</span> <span class="o">.</span><span class="na">body</span><span class="o">(</span><span class="s">"items"</span><span class="o">,</span> <span class="n">hasSize</span><span class="o">(</span><span class="n">greaterThan</span><span class="o">(</span><span class="mi">0</span><span class="o">)));</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Step 5: Running It<br> testng.xml:</p> <p>xml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="cp">&lt;!DOCTYPE suite SYSTEM "https://testng.org/testng-1.0.dtd"&gt;</span> <span class="nt">&lt;suite</span> <span class="na">name=</span><span class="s">"API Tests"</span><span class="nt">&gt;</span> <span class="nt">&lt;test</span> <span class="na">name=</span><span class="s">"Checkout"</span><span class="nt">&gt;</span> <span class="nt">&lt;classes&gt;</span> <span class="nt">&lt;class</span> <span class="na">name=</span><span class="s">"com.example.tests.CheckoutTests"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/classes&gt;</span> <span class="nt">&lt;/test&gt;</span> <span class="nt">&lt;/suite&gt;</span> </code></pre> </div> <p>Run:<br> bash<br> </p> <p><code>mvn test</code><br> </p> <p>That's it a working API test suite that doesn't fall over when tokens expire.<br> What I'd Add Next<br> This is a starting point, not the finished framework. Once the basics work, I'd add:</p> <p>Separate config files for dev, staging, and prod<br> JSON schema validation on responses<br> An HTML report like Allure or Extent Reports<br> CI/CD integration with Jenkins or GitHub Actions</p> <p>The Takeaway<br> The tricky parts of API automation aren't the tools REST Assured, TestNG, and Maven are straightforward once you've set them up once. The tricky parts are the problems that only show up when a real suite runs against a real API: auth tokens expiring, environment config drift, response schemas changing silently.<br> If you're setting this up for the first time, start small. Get one test running, handle auth properly, then grow from there.</p> testing java qa automation