Kamran Ahmad

API Testing Cheatsheet: A Comprehensive Guide for Developers

API testing is a critical skill for modern developers and QA engineers. Whether you're working with RESTful services or GraphQL, having a solid testing strategy ensures your APIs are reliable, secure, and performant. In this cheatsheet, I'll cover everything from HTTP methods to best practices for automation.

1. Common HTTP Methods

| Method | Purpose | Example Endpoint |
|--------|---------|------------------|
| GET | Read data | /users/123 |
| POST | Create new resource | /users |
| PUT | Update entire resource | /users/123 |
| PATCH | Update partial data | /users/123 |
| DELETE | Remove resource | /users/123 |

2. Status Codes to Validate

| Code | Meaning | Use Case |
|------|---------|----------|
| 200 | OK | Success – GET/PUT/DELETE |
| 201 | Created | Success – POST |
| 204 | No Content | Success – DELETE |
| 400 | Bad Request | Invalid input |
| 401 | Unauthorized | Auth required/missing token |
| 403 | Forbidden | Auth OK, but no permission |
| 404 | Not Found | Resource doesn't exist |
| 409 | Conflict | Duplicate data |
| 500 | Internal Server Error | API/server issue |

3. Test Types

  • Positive Testing: Valid input, expect success
  • Negative Testing: Invalid/missing input, expect failure
  • Boundary Testing: Max/min lengths, limits
  • Security Testing: Invalid token, injection
  • Load/Performance: Test under stress
  • Contract Testing: Validate schema and structure

4. Tools You Can Use

  • Manual Testing: Postman, Insomnia
  • Automation: Rest Assured (Java), Karate, Supertest (JS), Requests (Python)
  • Performance: JMeter, k6
  • Contract Testing: Swagger, Pact

5. Basic Flow for API Automation

  1. Set Base URI (e.g., https://api.example.com)
  2. Choose HTTP Method: GET, POST, PUT, DELETE, etc.
  3. Pass Headers (Content-Type, Auth tokens, etc.)
  4. Add Request Body (if needed)
  5. Send Request and Capture Response
  6. Assert Status Code, Body, Headers
  7. Log or Report results

6. Common Automation Assertions

| Check | Code Example (Rest Assured / Postman) |
|-------|---------------------------------------|
| Status code == 200 | response.statusCode == 200 |
| JSON body field value | json.response.user.id == 123 |
| Response time < 500ms | pm.expect(pm.response.responseTime).to.be.below(500) |
| Header contains | response.header("Content-Type").contains("application/json") |
| Array size > 0 | json.path("data").size() > 0 |

7. Authorization Handling

| Type | Header Format |
|------|---------------|
| Bearer Token | Authorization: Bearer |
| API Key | x-api-key: |
| Basic Auth | Encoded Base64: Authorization: Basic |
| OAuth 2.0 | Token-based; often dynamic with refresh flows |
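
The flow from section 5 applied to the 401/403 distinction in section 2 and the invalid-token check in section 3, as an added example that is not code from the original post. It uses only the Python standard library against a constructed in-process stub; the /users/<id> ownership rule, the token values and the names StubAPI, status_for and auth_matrix are assumptions made for illustration.

```python
import threading
import urllib.error
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import ProxyHandler, Request, build_opener

TOKENS = {"token-alice": "1", "token-bob": "2"}  # constructed: token -> owning user id
CASES = [  # constructed: (name, path, Authorization header value or None)
    ("no_token", "/users/1", None),
    ("bad_token", "/users/1", "Bearer not-a-real-token"),
    ("wrong_scheme", "/users/1", "Basic token-alice"),
    ("own_resource", "/users/1", "Bearer token-alice"),
    ("other_user", "/users/2", "Bearer token-alice"),
]
OPENER = build_opener(ProxyHandler({}))  # ignore proxy env vars; stay on localhost

class StubAPI(BaseHTTPRequestHandler):
    """Hypothetical API: GET /users/<id> is readable only by user <id>."""
    def do_GET(self):
        scheme, _, token = self.headers.get("Authorization", "").partition(" ")
        user = TOKENS.get(token) if scheme == "Bearer" else None
        status = 200
        if user is None:
            status = 401  # missing, malformed or unknown token
        elif self.path != f"/users/{user}":
            status = 403  # authenticated, but not this resource's owner
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

def status_for(url, auth=None):
    """Send GET with an optional Authorization header and return the status code."""
    headers = {"Authorization": auth} if auth else {}
    try:
        with OPENER.open(Request(url, headers=headers), timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx
        return err.code

def auth_matrix():
    """Start the stub, run every case, and return {case name: status code}."""
    with HTTPServer(("127.0.0.1", 0), StubAPI) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        try:
            return {name: status_for(base + path, auth) for name, path, auth in CASES}
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(auth_matrix())
```

The other_user case checks authorization rather than authentication: a valid token against another user's resource must yield 403, not 200.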

8. Rest Assured Snippet (Java)

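import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.notNullValue;

// token and jsonPayload are defined by the surrounding test
given()
    .baseUri("https://api.example.com")
    .header("Authorization", "Bearer " + token)
    .contentType("application/json")
    .body(jsonPayload)
.when()
    .post("/users")
.then()
    .statusCode(201)               // 201 Created
    .body("id", notNullValue());   // the new resource has an id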

9. Postman (Newman) Script Example

pm.test("Status code is 200", function () {
    pm.response.to.have.status(200);
});

pm.test("Response contains userId", function () {
    var jsonData = pm.response.json();
    pm.expect(jsonData.userId).to.not.be.undefined;
});

10. Best Practices

  • Use data-driven testing (CSV, JSON, Excel)
  • Modularize test cases & reuse headers, base URIs
  • Add setup & teardown APIs if needed
  • Include logging for requests/responses, with tokens and API keys redacted
  • Integrate with CI/CD (Jenkins, GitHub Actions, etc.)
  • Keep test data clean, isolated, and resettable

11. Reporting Tools

  • Extent Reports – Rest Assured + TestNG
  • Allure Reports – Java/Karate/Cucumber
  • Newman HTML Reporter – For Postman automation
  • Jenkins Test Results – For CI visibility

12. Common Libraries

| Tool | Language | Use Case |
|------|----------|----------|
| Rest Assured | Java | API Automation Framework |
| Postman | JS | Manual + Automated API tests |
| Karate | Java | BDD + API + UI combo tests |
| Supertest | JS | Node.js API testing |
| Requests | Python | Lightweight API testing |

13. Handy Tips

  • Always test both valid and invalid inputs
  • Use environment variables for base URLs and tokens
  • Create collections and group related tests
  • Use data-driven testing for multiple test cases
  • Add delays/assertions to handle async processing

This cheatsheet covers the essentials of API testing, but remember that every project has unique requirements. What are your favorite API testing tools or techniques? Share in the comments below!