We thought generating API tests from an OpenAPI specification would eliminate the repetitive work of writing test cases. It did. What we didn't expect was how quickly it exposed problems in our API specifications instead of our APIs.
After generating more than 12,000 API tests from OpenAPI specifications across dozens of projects, one thing became obvious:
The biggest bottleneck wasn't the test generator.
It was the API specification itself.
We expected to spend most of our time improving generation algorithms.
Instead, we spent most of it fixing incomplete schemas, ambiguous contracts, and inconsistent specifications.
If you're planning to generate tests from OpenAPI, here's what surprised us the most.
The Promise of OpenAPI Test Generation
Most API teams already have an OpenAPI specification.
Unfortunately, many teams treat it as documentation instead of a contract.
That's a missed opportunity.
A good specification can generate:
- Request validation
- Response validation
- Schema assertions
- Negative test cases
- Authentication scenarios
- Mock servers
- SDKs
- Documentation
And, of course, automated API tests.
Generating tests directly from the specification means developers don't have to manually recreate the contract inside Postman collections or code-based frameworks.
The specification becomes the single source of truth.
At least, that's the theory.
What We Actually Generated
Over several months we processed thousands of endpoints from internal projects, public APIs, and customer specifications.
Across all of them we generated approximately:
- 12,000+ API test cases
- Hundreds of OpenAPI specifications
- Thousands of request/response assertions
- Countless schema validations
The APIs themselves weren't the interesting part.
The specifications were.
Lesson 1: Most OpenAPI Specs Are Only 80% Complete
One pattern appeared immediately.
Developers document the happy path.
Everything else gets skipped.
Typical examples included:
Missing error responses:
responses:
200:
description: Success
But no:
400
401
403
404
500
The generator can only create tests for scenarios that exist in the contract.
If the specification ignores validation failures, your generated suite will too.
Lesson 2: Example Values Matter More Than Expected
OpenAPI supports examples.
Many teams ignore them.
Instead of:
name:
type: string
provide:
name:
type: string
example: John Doe
This improves generated:
- Requests
- Mock responses
- Documentation
- Test readability
Good examples dramatically improve generated tests.
Lesson 3: Nullable Doesn't Mean Optional
This was responsible for an astonishing number of incorrect assertions.
These are different:
nullable: true
and
required: false
One means:
"The property exists but may contain null."
The other means:
"The property might not exist at all."
Generated tests need to distinguish between both.
Otherwise perfectly valid responses fail incorrectly.
Lesson 4: Authentication Is Frequently Under-Specified
Many APIs defined:
security:
- bearerAuth: []
Globally.
Then individual endpoints silently behaved differently.
Some required API keys.
Others ignored authentication.
The specification never reflected reality.
Test generation immediately exposed those inconsistencies.
Lesson 5: Schemas Drift Faster Than Teams Realize
One endpoint returned:
{
"userId": 123
}
Another returned:
{
"id": 123
}
Both represented the same resource.
Both passed manual testing.
Neither matched the documented contract consistently.
Generated tests highlighted schema drift that had accumulated over years.
What the Generator Could Infer
Modern generators are surprisingly capable.
They can infer:
- Required request bodies
- Path parameters
- Query parameters
- Status codes
- JSON schema assertions
- Authentication requirements
From a single specification.
But they cannot infer business rules.
What Still Requires Human Input
For example:
Should:
discount = 110%
be valid?
The schema cannot answer that.
Should creating an order reduce inventory?
The schema doesn't know.
Should duplicate email addresses return 409 or 422?
Only the business can define that.
Generated tests complement—not replace—human-designed scenarios.
The Biggest Surprise
We expected developers to ask:
"How accurate is the generator?"
Instead they asked:
"Why is the generator failing on my specification?"
In most cases the answer was simple.
The specification wasn't actually valid.
Or it was incomplete.
The tool simply surfaced issues that had always been there.
The Generator Became a Spec Validator
One unexpected outcome was that teams started fixing specifications before generating tests.
The generator effectively became a quality gate.
Instead of discovering contract issues in production, developers discovered them during generation.
That feedback loop was much cheaper.
Common Specification Problems We Found
Across hundreds of specifications, the same issues appeared repeatedly:
- Missing required properties
- Incorrect data types
- Invalid examples
- Inconsistent naming
- Missing response schemas
- Undefined authentication
- Duplicate models
- Ambiguous nullable fields
Most of these weren't testing problems.
They were specification problems.
What We Changed in Our Workflow
Today our process looks like this:
Design API
↓
Write OpenAPI Specification
↓
Validate Specification
↓
Generate Tests
↓
Add Business Assertions
↓
Run in CI
Notice what's missing?
Manual recreation of test cases.
The contract drives almost everything.
Where Human Testing Still Wins
Automatic generation is fantastic for:
- Schema validation
- Required fields
- Authentication
- Parameter combinations
- Status codes
Humans still write tests for:
- Business rules
- Complex workflows
- Performance
- Security
- User journeys
The two approaches work best together.
The Biggest Productivity Gain
The biggest benefit wasn't writing fewer tests.
It was eliminating duplicated work.
Previously developers described the API three times:
- OpenAPI specification
- Postman collection
- Automated tests
Now the specification generates much of the repetitive work automatically.
Teams spend more time testing behavior instead of recreating contracts.
What We'd Recommend to Teams Starting Today
If you're adopting OpenAPI-driven testing:
- Treat the specification as code.
- Validate it continuously.
- Keep examples realistic.
- Separate nullable from optional fields.
- Add business assertions after generation.
- Run generated tests in every CI pipeline.
The better the specification becomes, the better the generated tests become.
Final Thoughts
Generating 12,000 API tests taught us something unexpected.
The hardest part wasn't automation.
It was creating clear, accurate API contracts.
OpenAPI isn't just documentation.
Done well, it becomes the foundation for documentation, SDK generation, mock servers, contract validation, and automated testing.
The quality of your generated tests will almost always reflect the quality of your specification.
If you're interested in this approach, we have documented more about OpenAPI test automation
The best API tests don't start with a testing framework.
They start with a well-written contract.
Top comments (0)