Best use case
API Tester is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
## Overview
Teams using API Tester should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/api-tester/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How API Tester Compares
| Feature / Agent | API Tester | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
## Overview
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# API Tester
## Overview
Test API endpoints by sending HTTP requests, validating responses, and reporting results. Supports REST and GraphQL APIs with authentication, custom headers, request bodies, and structured assertions on status codes, headers, and response payloads.
## Instructions
When a user asks you to test or debug an API endpoint, follow these steps:
### Step 1: Gather endpoint details
Determine from the user or codebase:
- **URL**: The full endpoint URL
- **Method**: GET, POST, PUT, PATCH, DELETE
- **Headers**: Content-Type, Authorization, custom headers
- **Body**: JSON payload, form data, or query parameters
- **Auth**: Bearer token, API key, basic auth
- **Expected response**: Status code, response shape, specific values
### Step 2: Send the request
**Using curl (preferred for quick tests):**
```bash
# GET request
curl -s -w "\nHTTP Status: %{http_code}\nTime: %{time_total}s\n" \
-H "Authorization: Bearer $TOKEN" \
"https://api.example.com/users?page=1"
# POST request with JSON
curl -s -w "\nHTTP Status: %{http_code}\nTime: %{time_total}s\n" \
-X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $TOKEN" \
-d '{"name": "Jane", "email": "jane@example.com"}' \
"https://api.example.com/users"
```
**Using Python (for complex flows):**
```python
import requests
import json
import time
def test_endpoint(method, url, headers=None, body=None, expected_status=200):
start = time.time()
response = requests.request(method, url, headers=headers, json=body, timeout=30)
elapsed = time.time() - start
result = {
"status": response.status_code,
"time_ms": round(elapsed * 1000),
"headers": dict(response.headers),
"body": response.json() if response.headers.get("content-type", "").startswith("application/json") else response.text,
}
passed = response.status_code == expected_status
print(f"{'PASS' if passed else 'FAIL'} | {method} {url} | {response.status_code} | {result['time_ms']}ms")
return result, passed
```
### Step 3: Validate the response
Check these in order:
1. **Status code** matches expected (200, 201, 204, 400, 401, 404, etc.)
2. **Response time** is acceptable (flag if > 2 seconds)
3. **Content-Type** header matches expected format
4. **Response body** structure matches expected schema
5. **Specific values** match assertions
```python
def validate_response(result, assertions):
failures = []
body = result["body"]
for field, expected in assertions.items():
actual = body
for key in field.split("."):
if isinstance(actual, dict):
actual = actual.get(key)
elif isinstance(actual, list) and key.isdigit():
actual = actual[int(key)]
else:
actual = None
break
if actual != expected:
failures.append(f" {field}: expected {expected!r}, got {actual!r}")
return failures
```
### Step 4: Report results
Format as a clear test report:
```
API Test Results
================
Endpoint: POST /api/users
Status: 201 Created (expected 201) -- PASS
Time: 142ms
Body: Valid JSON, 3 fields
Assertions:
[PASS] body.id is present
[PASS] body.name == "Jane"
[PASS] body.email == "jane@example.com"
[FAIL] body.role expected "admin", got "user"
Result: 3/4 assertions passed
```
## Examples
### Example 1: Test a CRUD flow
**User request:** "Test the users API -- create, read, update, delete"
**Output:**
```
API Test Suite: Users CRUD
==========================
1. POST /api/users
Status: 201 Created -- PASS
Time: 156ms
Body: {"id": 42, "name": "Test User", "email": "test@example.com"}
2. GET /api/users/42
Status: 200 OK -- PASS
Time: 38ms
Body: {"id": 42, "name": "Test User", "email": "test@example.com"}
3. PUT /api/users/42
Status: 200 OK -- PASS
Time: 89ms
Body: {"id": 42, "name": "Updated Name", "email": "test@example.com"}
4. DELETE /api/users/42
Status: 204 No Content -- PASS
Time: 45ms
5. GET /api/users/42 (verify deletion)
Status: 404 Not Found -- PASS
Time: 22ms
Result: 5/5 PASSED
```
### Example 2: Debug a failing request
**User request:** "I'm getting a 401 on POST /api/orders, can you figure out why?"
**Output:**
```
Debugging POST /api/orders
===========================
Test 1: No auth header
Status: 401 -- Missing Authorization header (expected)
Test 2: With Bearer token
Status: 401 -- Response: {"error": "Token expired"}
Note: Token exp claim is 2024-01-15T00:00:00Z (expired)
Test 3: With refreshed token
Status: 201 Created -- PASS
Root cause: Your Bearer token has expired.
Fix: Refresh the token using POST /api/auth/refresh
```
## Guidelines
- Never send requests to production APIs unless the user explicitly confirms. Ask first.
- Mask sensitive values (tokens, passwords, API keys) in output. Show only the last 4 characters.
- For sequences of dependent requests (create then read), use the response from the first request to build the second.
- Include response time in reports. Flag responses over 2 seconds as slow.
- When testing auth flows, test both the happy path and common failure modes (expired token, wrong credentials, missing permissions).
- For GraphQL, use POST with the query in the JSON body and validate the `data` field separately from `errors`.
- If an endpoint returns pagination, test the first page and mention the total count.
- Always set a timeout (30 seconds) to avoid hanging on unresponsive endpoints.Related Skills
network-latency-tester
Network Latency Tester - Auto-activating skill for Performance Testing. Triggers on: network latency tester, network latency tester Part of the Performance Testing skill category.
keyboard-navigation-tester
Keyboard Navigation Tester - Auto-activating skill for Frontend Development. Triggers on: keyboard navigation tester, keyboard navigation tester Part of the Frontend Development skill category.
hypothesis-tester
Structured hypothesis formulation, experiment design, and results interpretation for Product Managers. Use when the user needs to validate an assumption, design an A/B test, evaluate experiment results, or decide whether to ship based on data. Triggers include "hypothesis", "A/B test", "experiment", "validate assumption", "test this", "should we ship", or when making a decision that should be data-informed.
skill-tester
Skill Tester
../../../engineering/skill-tester/assets/sample-skill/SKILL.md
No description provided.
route-tester
Test authenticated routes in the your project using cookie-based authentication. Use this skill when testing API endpoints, validating route functionality, or debugging authentication issues. Includes patterns for using test-auth-route.js and mock authentication.
webhook-tester
Test webhook integrations locally with tunneling, inspection, and debugging tools.
tester
Updated skill
Regression Tester
## Overview
Prompt Tester
## Overview
API Load Tester
## Overview
Daily Logs
Record the user's daily activities, progress, decisions, and learnings in a structured, chronological format.