API Testing Cheatsheet

🔹 1. Common HTTP Methods

Method Purpose Example Endpoint

GET Read data /users/123

POST Create new resource /users

PUT Update entire resource /users/123

PATCH Update partial data /users/123

DELETE Remove resource /users/123

🔹 2. Status Codes to Validate

Code Meaning Use Case

200 OK Success – GET/PUT/DELETE

201 Created Success – POST

204 No Content Success – DELETE

400 Bad Request Invalid input

401 Unauthorized Auth required/missing token

403 Forbidden Auth OK, but no permission

404 Not Found Resource doesn’t exist

409 Conflict Duplicate data

500 Internal Server Error API/server issue

​

1​ ​ ​ ​ ​ ​ ​ ​ ​ ​ @Amit Sahu
🔹 3. Test Types
●​ Positive Testing: Valid input, expect success​

●​ Negative Testing: Invalid/missing input, expect failure​

●​ Boundary Testing: Max/min lengths, limits​

●​ Security Testing: Invalid token, injection​

●​ Load/Performance: Test under stress​

●​ Contract Testing: Validate schema and structure

🔹 4. Tools You Can Use

●​ 🔧 Manual Testing: Postman, Insomnia​
●​ 🤖 Automation: Rest Assured (Java), Karate, Supertest (JS), Requests (Python)​
●​ 📊 Performance: JMeter, k6​
●​ ✅ Contract Testing: Swagger, Pact

🔹 5. Basic Flow for API Automation

1. Set Base URI (e.g., https://api.example.com)

2. Choose HTTP Method: GET, POST, PUT, DELETE, etc.

3. Pass Headers (Content-Type, Auth tokens, etc.)

4. Add Request Body (if needed)

5. Send Request and Capture Response

6. Assert Status Code, Body, Headers

7. Log or Report results

2​ ​ ​ ​ ​ ​ ​ ​ ​ ​ @Amit Sahu
🔹 6. Common Automation Assertions
Check Code Example (Rest Assured / Postman)

Status code == 200 response.statusCode == 200

JSON body field value json.response.user.id == 123

Response time < 500ms pm.expect(response.responseTime).to.be.below(500)

Header contains response.header("Content-Type").contains("applica

tion/json")

Array size > 0 json.path("data").size() > 0

🔹 7. Authorization Handling
Type Header Format

Bearer Token Authorization: Bearer <token>

API Key x-api-key: <your-api-key>

Basic Auth Encoded Base64: Authorization: Basic <base64string>

OAuth 2.0 Token-based; often dynamic with refresh flows

🔹 8. Rest Assured Snippet (Java)​

​

given()
.baseUri("https://api.example.com")
.header("Authorization", "Bearer " + token)
.contentType("application/json")
.body(jsonPayload)
.when()
.post("/users")

3​ ​ ​ ​ ​ ​ ​ ​ ​ ​ @Amit Sahu
.then()
.statusCode(201)
.body("id", notNullValue());

🔹 9. Postman (Newman) Script Example

pm.test("Status code is 200", function () {
pm.response.to.have.status(200);
});

pm.test("Response contains userId", function () {

var jsonData = pm.response.json();
pm.expect(jsonData.userId).to.not.be.undefined;
});

🔹 10. Best Practices

✅ Use data-driven testing (CSV, JSON, Excel)​
✅ Modularize test cases & reuse headers, base URIs​
✅ Add setup & teardown APIs if needed​
✅ Include logging for requests/responses​
✅ Integrate with CI/CD (Jenkins, GitHub Actions, etc.)​
✅ Keep test data clean, isolated, and resettable
🔹 11. Reporting Tools
●​ Extent Reports – Rest Assured + TestNG​

●​ Allure Reports – Java/Karate/Cucumber​

●​ Newman HTML Reporter – For Postman automation​

●​ Jenkins Test Results – For CI visibility

🔹 12. Common Libraries

4​ ​ ​ ​ ​ ​ ​ ​ ​ ​ @Amit Sahu
 Tool Language Use Case

Rest Java API Automation Framework

Assured

Postman JS Manual + Automated API tests

Karate Java BDD + API + UI combo tests

Supertest JS Node.js API testing

Requests Python Lightweight API testing

​

🔹 13. Handy Tips

​

●​ Always test both valid and invalid inputs​

●​ Use environment variables for base URLs and tokens​

●​ Create collections and group related tests​

●​ Use data-driven testing for multiple test cases​

●​ Add delays/assertions to handle async processing

5​ ​ ​ ​ ​ ​ ​ ​ ​ ​ @Amit Sahu