API Testing Cheatsheet
🔹 1. Common HTTP Methods
Method | Purpose                | Example Endpoint
GET    | Read data              | /users/123
POST   | Create new resource    | /users
PUT    | Update entire resource | /users/123
PATCH  | Update partial data    | /users/123
DELETE | Remove resource        | /users/123
🔹 2. Status Codes to Validate
Code | Meaning               | Use Case
200  | OK                    | Success – GET/PUT/DELETE
201  | Created               | Success – POST
204  | No Content            | Success – DELETE
400  | Bad Request           | Invalid input
401  | Unauthorized          | Auth required/missing token
403  | Forbidden             | Auth OK, but no permission
404  | Not Found             | Resource doesn’t exist
409  | Conflict              | Duplicate data
500  | Internal Server Error | API/server issue
1 @Amit Sahu
🔹 3. Test Types
● Positive Testing: Valid input, expect success
● Negative Testing: Invalid/missing input, expect failure
● Boundary Testing: Max/min lengths, limits
● Security Testing: Invalid token, injection
● Load/Performance: Test under stress
● Contract Testing: Validate schema and structure
🔹 4. Tools You Can Use
● 🔧 Manual Testing: Postman, Insomnia
● 🤖 Automation: Rest Assured (Java), Karate, Supertest (JS), Requests (Python)
● 📊 Performance: JMeter, k6
● ✅ Contract Testing: Swagger, Pact
🔹 5. Basic Flow for API Automation
1. Set Base URI (e.g., https://api.example.com)
2. Choose HTTP Method: GET, POST, PUT, DELETE, etc.
3. Pass Headers (Content-Type, Auth tokens, etc.)
4. Add Request Body (if needed)
5. Send Request and Capture Response
6. Assert Status Code, Body, Headers
7. Log or Report results
🔹 6. Common Automation Assertions
Check                 | Code Example (Rest Assured / Postman)
Status code == 200    | response.statusCode == 200
JSON body field value | json.response.user.id == 123
Response time < 500ms | pm.expect(response.responseTime).to.be.below(500)
Header contains       | response.header("Content-Type").contains("application/json")
Array size > 0        | json.path("data").size() > 0
🔹 7. Authorization Handling
Type         | Header Format
Bearer Token | Authorization: Bearer <token>
API Key      | x-api-key: <your-api-key>
Basic Auth   | Authorization: Basic <base64 of username:password> (base64 is encoding, not encryption, so only send it over HTTPS)
OAuth 2.0    | Token-based; often dynamic with refresh flows
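The flow from section 5 and the Bearer format from section 7 applied to the security cases in the status-code table (missing token, unknown token, authenticated but not permitted), as an added Python example that is not from the cheatsheet. It assumes a constructed in-process mock API standing in for the real base URI, made-up token values, and the standard-library urllib in place of the Requests library so it runs with no dependencies.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed fixture: an in-process stand-in for the API so the checks run offline;
# a real run points base_uri at the environment under test instead.
VALID_TOKENS = {"user-token": "user", "admin-token": "admin"}  # constructed test tokens

class _MockApi(BaseHTTPRequestHandler):
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain request body
        auth = self.headers.get("Authorization", "")
        role = VALID_TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None
        if role is None:            # 401: token missing or not recognised
            self._reply(401, {"error": "missing or invalid token"})
        elif role != "admin":       # 403: authenticated, but not allowed to create users
            self._reply(403, {"error": "insufficient permission"})
        else:
            self._reply(201, {"id": 123})
    def _reply(self, code, payload):
        body = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):   # keep the test run quiet
        pass

def start_mock_server():
    server = HTTPServer(("127.0.0.1", 0), _MockApi)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"

def call_api(base_uri, path, payload, token=None):
    """Flow steps 1-5: base URI, method, headers, body, send, capture response."""
    headers = {"Content-Type": "application/json"}
    if token is not None:
        headers["Authorization"] = "Bearer " + token  # Bearer header format
    req = Request(base_uri + path, json.dumps(payload).encode(), headers, method="POST")
    try:
        with urlopen(req) as resp:
            return resp.status, resp.headers.get("Content-Type"), json.loads(resp.read())
    except HTTPError as err:        # urllib raises on 4xx/5xx; still capture code and body
        return err.code, err.headers.get("Content-Type"), json.loads(err.read())

def run_auth_checks(base_uri):
    """Step 6 for the security cases: observed status per token, to compare with 401/403/201."""
    return {tok: call_api(base_uri, "/users", {"name": "alice"}, tok)[0]
            for tok in (None, "garbage", "user-token", "admin-token")}
```

The point of the three negative cases is that 401 (no usable credential) and 403 (credential accepted, permission denied) must stay distinct; a test that only checks "not 2xx" would miss an endpoint that lets a low-privilege token through.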
🔹 8. Rest Assured Snippet (Java)
import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.notNullValue;

// token and jsonPayload come from the test setup (e.g. environment variables / test data)
String token = System.getenv("API_TOKEN");
String jsonPayload = "{\"name\": \"alice\"}";

given()
    .baseUri("https://api.example.com")      // 1. base URI
    .header("Authorization", "Bearer " + token)     // 3. headers (Bearer token)
    .contentType("application/json")
    .body(jsonPayload)                              // 4. request body
.when()
    .post("/users")                                 // 2. method + endpoint, 5. send
.then()
    .statusCode(201)                                // 6. assert status: 201 Created for POST
    .body("id", notNullValue());                    // 6. assert body field is present
🔹 9. Postman (Newman) Script Example
pm.test("Status code is 200", function () {
pm.response.to.have.status(200);
});
pm.test("Response contains userId", function () {
var jsonData = pm.response.json();
pm.expect(jsonData.userId).to.not.be.undefined;
});
🔹 10. Best Practices
✅ Use data-driven testing (CSV, JSON, Excel)
✅ Modularize test cases & reuse headers, base URIs
✅ Add setup & teardown APIs if needed
✅ Include logging for requests/responses
✅ Integrate with CI/CD (Jenkins, GitHub Actions, etc.)
✅ Keep test data clean, isolated, and resettable
🔹 11. Reporting Tools
● Extent Reports – Rest Assured + TestNG
● Allure Reports – Java/Karate/Cucumber
● Newman HTML Reporter – For Postman automation
● Jenkins Test Results – For CI visibility
🔹 12. Common Libraries
Tool         | Language | Use Case
Rest Assured | Java     | API Automation Framework
Postman      | JS       | Manual + Automated API tests
Karate       | Java     | BDD + API + UI combo tests
Supertest    | JS       | Node.js API testing
Requests     | Python   | Lightweight API testing
🔹 13. Handy Tips
● Always test both valid and invalid inputs
● Use environment variables for base URLs and tokens
● Create collections and group related tests
● Use data-driven testing for multiple test cases
● Add delays/assertions to handle async processing