2 Comments

APIs need testing. But not all testing is the same. Each type catches different problems at different stages.

Here are the nine types you should know.

The first check after deployment. Does the API even work?

You’re testing basic connectivity, key endpoints returning 200, and authentication not failing immediately. A simple GET /health request is usually enough.

Does the API do what it’s supposed to do?

You’re validating inputs and outputs against requirements. Send a POST /users with valid data - did it create a user? Is the response structure correct? Do all CRUD operations behave as documented?

Does the API work with everything it connects to?

APIs don’t exist in isolation. They talk to databases, other services, message queues. Integration testing verifies data flows correctly across these boundaries.

Create a user via API, then check if the downstream service received it.

Did the new changes break old functionality?

Every time you deploy, you risk breaking something that worked before. Regression testing runs your existing test suite to catch unintended side effects.

Automate this in CI/CD.

How does the API perform under expected traffic?

You’re measuring response times, throughput, and resource usage when many users hit the API simultaneously. Simulate 500 concurrent users and watch what happens to latency.

What happens when traffic exceeds expectations?

Load testing checks normal conditions. Stress testing pushes past the limit. You want to know the breaking point and whether the API fails gracefully or crashes entirely.

Is the API protected from attacks?

Check authentication and authorization. Try accessing admin resources with user tokens. Test for SQL injection, XSS, and CSRF. Verify rate limiting works.

Does the frontend display API data correctly?

The API might return perfect data, but if the UI mishandles it, users see bugs. This tests the contract between backend responses and frontend rendering.

How does the API handle garbage input?

Send malformed JSON, random strings, oversized payloads, unexpected data types. You’re looking for unhandled exceptions and system crashes that attackers could exploit.

You may also like these:

What happens when you type a url in your browser?
How to store passwords in your database
How to choose between SQL and NoSQL
Authentication (Session Vs JWT)
Every type of API you must know

Free subscribers also get a little bonus:

🎁 The System Design Interview Preparation Cheat Sheet

If you’re into visuals, paid subscribers unlock:

My Excalidraw system design template – so you have somewhere to start
My Excalidraw component library – used in the diagram of this issue

No pressure though. Your support helps me keep writing, and I appreciate it more than you know ❤️

Discussion about this post

Ready for more?