A deploy goes out at 4 p.m. on a Friday. Unit tests pass, the container builds, and the rollout finishes cleanly. Then checkout starts returning 500s. The bug was not in the code path your unit tests covered. It was in the contract between two services, and your pipeline never exercised that conversation.
That is the gap test automation in DevOps should close. Unit tests validate isolated functions. End-to-end UI tests validate browser flows, but they are slow and often flaky. API tests sit in the middle: they validate the service contracts that your frontend, mobile apps, partner integrations, and microservices actually depend on.
π‘ If you build API tests in Apidog, the headless runner for CI/CD is the Apidog CLI. The same test scenario you author in the desktop app can run unchanged in your pipeline.
What test automation in DevOps actually means
DevOps is a loop: plan, code, build, test, release, deploy, operate, monitor, and then back to planning. Test automation means tests run automatically at the points where they catch defects cheapest, instead of being a manual checklist before release.
The principle is shift-left testing: move feedback closer to the moment a developer makes a change. A contract bug caught on a pull request usually takes minutes to fix. The same bug in production means rollback, incident response, and a postmortem.
Treat test automation as layers, not as one giant bucket:
- Unit tests: validate a single function or module in isolation.
- API and integration tests: validate HTTP responses, service contracts, and cross-service behavior.
- End-to-end tests: validate user flows through the full system.
API tests are the practical middle layer. They run faster than UI tests, avoid browser flakiness, and validate the interfaces other systems rely on. For the fundamentals of what to assert, see API testing automation.
Where API tests fit in the DevOps lifecycle
You do not need the same API test suite everywhere. Use different scopes at different stages.
1. During development: local and pre-commit
Developers should be able to run relevant API scenarios against a local or dev environment before pushing code.
Typical local workflow:
# Start your service locally
npm run dev
# Run the relevant API scenario against the local environment
apidog run \
--access-token "$APIDOG_ACCESS_TOKEN" \
-t 605067 \
-e "$LOCAL_ENV_ID" \
-r cli
Use this stage for fast feedback:
- Validate response status codes.
- Check required fields and types.
- Verify request chaining, such as creating a resource and then reading it back.
If you are new to scenario authoring, how to write test scenarios with Apidog explains chaining requests and reusing values from earlier responses.
2. On pull requests: the merge gate
This is the highest-value place to run API tests.
On every pull request:
- Build the service.
- Start or deploy it to a test environment.
- Run API scenarios.
- Fail the PR if any assertion fails.
A failing API check should block the merge. This catches contract regressions while the author still has the change fresh in mind.
3. After build: integration and contract checks
After the artifact is built and deployed to staging or an integration environment, run a broader API suite.
This is where you validate real wiring:
- Does the payments service still accept the order service request body?
- Does pagination still return the field your client reads?
- Does an auth token issued by one service work against another service?
- Do error responses still match the documented contract?
This stage catches cross-service breakage that unit tests cannot see. The same principles apply from broader API testing automation.
4. At deploy time: smoke tests
A deploy is not complete just because the rollout finished. You need proof the new version can serve critical traffic.
Keep deploy-time smoke tests small:
- Authenticate.
- Read critical user data.
- Hit health-critical endpoints.
- Validate status code and response shape.
- Roll back if the smoke test fails.
Example:
apidog run \
--access-token "$APIDOG_ACCESS_TOKEN" \
-t "$SMOKE_SCENARIO_ID" \
-e "$PROD_ENV_ID" \
-r cli
The goal is not full coverage. The goal is a fast go/no-go signal.
5. In production: continuous monitoring
After deployment, selected API scenarios can run on a schedule as synthetic monitoring. The same scenario that validates a critical checkout path in CI can also detect production degradation.
Use this for:
- Expired certificates.
- Broken third-party dependencies.
- Authentication failures.
- Unexpected response shape changes.
- Latency or availability problems.
The difference between a test and a monitor is mostly scheduling. See API monitoring for turning passing tests into production checks.
A practical rule:
The closer you get to production, the smaller and faster the suite should be.
Run wider coverage on PRs and staging. Run a narrow smoke suite at deploy time and in production monitoring.
Why API tests deserve pipeline priority
API tests usually produce better CI/CD signal than adding more UI tests.
They are fast
API tests speak HTTP directly. There is no browser startup, no DOM waiting, and no visual rendering delay.
A scenario that exercises multiple endpoints can often finish in seconds, making it practical to run on every PR.
They are stable
UI tests can fail because a selector changed or a component rendered late. API tests fail when the contract changes, which is usually exactly what you want to detect.
Less flake means developers trust red builds.
They test integration contracts
Your consumers depend on API behavior, not your CSS.
API tests validate:
- Request bodies.
- Response bodies.
- Status codes.
- Error formats.
- Auth behavior.
- Data flow across requests.
That is the seam where many production incidents happen.
Run Apidog API tests in CI with the Apidog CLI
A test that does not run automatically will eventually be skipped. The CI pattern is simple:
- Install the runner.
- Pass credentials through CI secrets.
- Run the scenario or suite.
- Let the command exit code pass or fail the job.
With Apidog, you author the scenario once in the app, then run it headlessly with the CLI. The CLI is an npm package, so any CI runner with Node.js can execute it.
Install it:
npm install -g apidog-cli
Run a scenario:
apidog run \
--access-token "$APIDOG_ACCESS_TOKEN" \
-t 605067 \
-e 1629989 \
-r cli
The key flags are:
-
--access-token: authenticates the CLI. -
-t 605067: runs a specific scenario by ID. -
-f <folderId>: runs a folder of scenarios. -
--test-suite <id>: runs a curated test suite. -
-e 1629989: selects the environment. -
-r cli: prints results to the CI log. -
-r junit: emits JUnit XML for CI test reports.
You can find the access token, scenario ID, and environment ID in the scenario CI/CD tab in Apidog.
The gate is the exit code:
- Exit code
0: all assertions passed. - Non-zero exit code: at least one assertion failed.
Your CI system reads that exit code and fails the job automatically.
Use this to inspect available flags for your installed version:
apidog run --help
Example: GitHub Actions PR gate
Here is a GitHub Actions workflow that runs API scenarios on every pull request:
name: API Tests
on: [pull_request]
jobs:
api-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install Apidog CLI
run: npm install -g apidog-cli
- name: Run API scenarios
env:
APIDOG_ACCESS_TOKEN: ${{ secrets.APIDOG_ACCESS_TOKEN }}
run: |
apidog run \
--access-token "$APIDOG_ACCESS_TOKEN" \
-t 605067 \
-e 1629989 \
-r cli,junit
Implementation notes:
- Store
APIDOG_ACCESS_TOKENin repository secrets. - Do not hard-code tokens in workflow files.
- Use different environment IDs for local, staging, and production.
- Use
junitwhen you want CI-native test reports. - Do not suppress the command failure with
|| true.
The same command works in GitLab CI, Jenkins, CircleCI, and Azure Pipelines. The wrapper syntax changes, but the core dependency is Node.js.
For platform-specific setup, see automating API tests in GitHub Actions and integrating Apidog tests with Jenkins.
Example: deploy-time smoke test
For production smoke testing, reuse the same scenario pattern and switch the environment:
apidog run \
--access-token "$APIDOG_ACCESS_TOKEN" \
-t "$SMOKE_SCENARIO_ID" \
-e "$PROD_ENV_ID" \
-r cli
Keep this job small enough to run immediately after deployment.
A good smoke scenario might look like this:
POST /auth/login- Extract token from response.
GET /me- Assert
200. - Assert required fields exist.
GET /health-critical-resource- Assert expected response shape.
One scenario can run in multiple lifecycle stages by changing only the environment flag.
Common mistakes that defeat the gate
Swallowing the exit code
Avoid this:
apidog run ... || true
That makes the build green even when tests fail. The non-zero exit code is the gate.
Only checking 200 OK
A status code alone is not enough.
Also assert:
- Required fields exist.
- Field types are correct.
- Error responses match expectations.
- IDs, tokens, and pagination values are usable by later requests.
For deeper examples, see API assertions.
Running one giant pre-deploy job
If all tests run only right before release, you are not shifting left. Split the suite:
- Local/dev: relevant scenarios.
- PR: broad regression coverage.
- Staging: integration and contract checks.
- Deploy: small smoke suite.
- Production: scheduled monitoring.
Testing against a shared mutable environment
If multiple pipelines write to the same database, one run can poison another. That creates flaky failures and reduces trust in the gate.
Prefer:
- Isolated test environments.
- Resettable test data.
- Dedicated test accounts.
- API mocking for dependencies you do not control.
Uploading reports only on success
If reports are uploaded only when tests pass, you lose the report when you need it most. Configure artifact upload to run even on failure.
FAQ
Where in the DevOps pipeline should API tests run?
At minimum, run API tests on pull requests as a merge gate. Ideally, also run them after build in an integrated environment and as a small smoke suite after deployment. The same Apidog scenario can run at each stage by changing the environment flag. Teams using Apidog without Postman can follow the same staging.
What is the difference between API test automation and CI/CD?
CI/CD is the pipeline that builds, tests, and ships code automatically. API test automation is one quality check that runs inside that pipeline.
CI/CD is the conveyor belt. Automated API tests are one inspection station on it.
If CI/CD terminology is unclear, what is CI/CD covers the fundamentals.
Do I need to rewrite my API tests as code to run them in CI?
Not with Apidog. You build the test scenario visually in the app, and the Apidog CLI runs that same scenario headlessly. Since the CLI is an npm package, any CI runner with Node.js can execute it.
How do API tests fail a build?
Through the process exit code. If every assertion passes, the runner exits 0. If any assertion fails, it exits non-zero. The CI system marks the step failed and blocks the merge or deployment.
Should performance tests run in the same pipeline?
Run functional API tests on every PR. Run heavier load and performance testing separately, such as nightly or before major releases.
Performance tests need more time and a stable environment. Putting them on every commit usually slows feedback without adding useful per-commit signal.
Where to put your first API test
Start with the merge gate.
If your API tests are still manual clicks, do this:
- Download Apidog.
- Build one scenario for a critical API flow.
- Add assertions beyond
200 OK. - Copy the
apidog runcommand from the CI/CD tab. - Store the access token in CI secrets.
- Add the GitHub Actions workflow above.
- Require the API test job to pass before merging.
That one change moves a common production failure mode into the pull request, where it is cheaper and faster to fix.
Top comments (0)