API Testing
Verification of interfaces for functionality, performance and security independent of the user interface.
Classification
- ComplexityMedium
- Impact areaTechnical
- Decision typeDesign
- Organizational maturityIntermediate
Technical context
Principles & goals
Use cases & scenarios
Compromises
- Flaky tests lead to loss of trust in the test suite results.
- Insufficient coverage of critical integration paths leads to production defects.
- Excessive test duration slows CI/CD and hinders fast deployments.
- Clearly separate unit, contract and end-to-end tests.
- Version API contracts and perform backward compatibility checks.
- Automate tests in CI and continuously measure their quality.
I/O & resources
- API specification (e.g. OpenAPI)
- Test environment or mock infrastructure
- CI/CD pipeline and test automation tools
- Automated test reports and metrics
- Bug logs and reproducible reproduction cases
- Improvement recommendations for APIs and SLAs
Description
API testing verifies functional, non-functional and security aspects of interfaces independently from the user interface. It includes automated contract, integration and load tests plus dependency mocking. The aim is early defect detection, more stable integrations and faster feedback loops in CI/CD pipelines and measurable API quality indicators.
✔Benefits
- Early detection of integration issues reduces outage risk.
- Automated tests speed up feedback loops in CI/CD.
- Measurable API quality metrics make prioritization easier.
✖Limitations
- Full production parity is often costly and hard to achieve.
- Mocking can give false confidence if behavior isn't reproduced exactly.
- Test data management can cause privacy and consistency issues.
Trade-offs
Metrics
- API test coverage
Proportion of API endpoints and paths covered by automated tests.
- Mean Time to Detection (MTTD)
Average time until detection of an integration defect.
- Flakiness rate
Share of test runs that are not deterministically repeatable.
Examples & implementations
Microservice architecture with contract testing
In a payment service, consumer contracts automatically validate interfaces before deployment.
Public REST API with load and security tests
External API is regularly verified by performance tests and OWASP scans.
GraphQL gateway and integration tests
Schema tests and end-to-end calls validate data flows through the gateway.
Implementation steps
Centralize specification (OpenAPI/GraphQL schema).
Identify contracts and create automated contract tests.
Integrate load and security tests into dedicated pipelines.
Integrate results into observability tooling and dashboards.
⚠️ Technical debt & bottlenecks
Technical debt
- Outdated test mocks that don't match current API behavior.
- Monolithic test suites with long runtimes and poor maintainability.
- Incomplete test API documentation hinders test automation.
Known bottlenecks
Misuse examples
- Using unfiltered production data for tests and violating privacy.
- Not updating mocks after API changes, rendering tests useless.
- Running all tests sequentially on PRs and thus slowing CI.
Typical traps
- Over-reliance on external test endpoints without fallback.
- Lack of isolation leads to non-reproducible failures.
- Unclear test responsibilities between consumer and provider.
Required skills
Architectural drivers
Constraints
- • rate limits of external APIs
- • legal constraints on production data
- • limited resources for realistic staging environments