automating-api-testing
Automate API endpoint testing, including request generation, validation, and comprehensive test coverage for REST and GraphQL APIs. Use when testing API contracts, validating OpenAPI specifications, or ensuring endpoint reliability. Trigger with phrases like "test the API", "generate API tests", or "validate API contracts".
Best use case
automating-api-testing is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using automating-api-testing should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/automating-api-testing/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How automating-api-testing Compares
| Feature / Agent | automating-api-testing | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Automate API endpoint testing, including request generation, validation, and comprehensive test coverage for REST and GraphQL APIs. Use when testing API contracts, validating OpenAPI specifications, or ensuring endpoint reliability. Trigger with phrases like "test the API", "generate API tests", or "validate API contracts".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# API Test Automation
## Overview
Automate comprehensive API endpoint testing for REST and GraphQL APIs including request generation, response validation, schema compliance, authentication flows, and error handling. Supports Supertest (Node.js), REST-assured (Java), httpx/pytest (Python), Postman/Newman collections, and Pact for consumer-driven contract testing.
## Prerequisites
- API testing library installed (Supertest, REST-assured, httpx, or Postman/Newman)
- API specification file (OpenAPI/Swagger YAML/JSON or GraphQL SDL)
- Target API running in a test environment with seeded data
- Authentication credentials or API keys for protected endpoints
- JSON Schema validator (Ajv, jsonschema, or built-in framework assertions)
## Instructions
1. Read the API specification and extract all endpoints:
   - Parse OpenAPI spec to catalog every path, HTTP method, request schema, and response schema.
   - For GraphQL APIs, introspect the schema to list queries, mutations, and subscriptions.
   - Document authentication requirements per endpoint (API key, Bearer token, OAuth, none).
2. Generate test cases for each endpoint:
   - **Success cases**: Send valid requests matching the schema and assert 200/201 responses.
   - **Validation errors**: Send requests with missing required fields, wrong types, and out-of-range values; assert 400 responses.
   - **Authentication**: Test with valid, expired, and missing credentials; assert 200, 401, and 403 respectively.
   - **Not found**: Request non-existent resources; assert 404 responses.
   - **Idempotency**: Send the same PUT/DELETE request twice and verify consistent behavior.
3. Validate response structure against schemas:
   - Assert response Content-Type matches expected (application/json, etc.).
   - Validate response body against the OpenAPI response schema using JSON Schema validation.
   - Check response headers (Cache-Control, Rate-Limit headers, CORS headers).
   - Verify pagination metadata (total count, page number, next/previous links).
4. Test CRUD lifecycle for resource endpoints:
   - Create a resource (POST) and capture the ID.
   - Read it back (GET) and verify all fields match.
   - Update it (PUT/PATCH) and verify changes persisted.
   - Delete it (DELETE) and verify subsequent GET returns 404.
5. Test error handling and edge cases:
   - Send excessively large payloads and verify 413 or graceful rejection.
   - Send requests with unsupported Content-Types and verify 415.
   - Test rate limiting by sending rapid sequential requests.
   - Verify error response format is consistent (standard error schema).
6. For GraphQL APIs, test specifically:
   - Valid queries return expected data shapes.
   - Invalid queries return descriptive error messages.
   - Query depth limiting prevents deeply nested abuse queries.
   - Mutation input validation matches schema constraints.
7. Generate a test coverage report mapping endpoints to test cases.
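
The following sketch ties steps 1, 2, and 7 together: it catalogs the operations in a spec, maps them to a test inventory, and flags protected operations that have no test expecting a 401/403. It is an added example, not part of the original SKILL.md; the spec fragment, the `TestCase` shape, and the `auditCoverage` helper are assumptions made for illustration.

```typescript
// Constructed spec fragment and test inventory; only the fields the audit reads are modelled.
type Security = Record<string, string[]>[];
type Spec = { security?: Security; paths: Record<string, Record<string, { security?: Security }>> };
type TestCase = { method: string; path: string; expectStatus: number };

const spec: Spec = {
  security: [{ bearerAuth: [] }], // default: every operation needs a bearer token
  paths: {
    '/api/products': { get: {}, post: {} },
    '/api/products/{id}': { get: {}, delete: {} },
    '/api/health': { get: { security: [] } }, // explicitly public
  },
};
const tests: TestCase[] = [
  { method: 'get', path: '/api/products', expectStatus: 200 },
  { method: 'get', path: '/api/products', expectStatus: 401 },
  { method: 'post', path: '/api/products', expectStatus: 201 },
  { method: 'get', path: '/api/health', expectStatus: 200 },
];

const HTTP_METHODS = ['get', 'put', 'post', 'delete', 'patch', 'head', 'options', 'trace'];

function auditCoverage(spec: Spec, tests: TestCase[]) {
  const untested: string[] = [];
  const missingAuthNegative: string[] = [];
  for (const [path, item] of Object.entries(spec.paths)) {
    for (const [method, op] of Object.entries(item)) {
      if (!HTTP_METHODS.includes(method)) continue; // skip `parameters`, `summary`, ...
      const key = `${method.toUpperCase()} ${path}`;
      const hits = tests.filter((t) => t.method === method && t.path === path);
      if (hits.length === 0) { untested.push(key); continue; }
      // Operation-level `security` overrides the top-level default; an empty
      // array or an empty requirement object ({}) permits anonymous access.
      const security = op.security ?? spec.security ?? [];
      const isProtected = security.length > 0 && !security.some((r) => Object.keys(r).length === 0);
      const hasDenial = hits.some((t) => t.expectStatus === 401 || t.expectStatus === 403);
      if (isProtected && !hasDenial) missingAuthNegative.push(key);
    }
  }
  return { untested, missingAuthNegative };
}

const report = auditCoverage(spec, tests);
console.log(report);
```

Failing the CI step when `missingAuthNegative` is non-empty keeps a newly added protected endpoint from shipping with only happy-path tests.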
## Output
- API test files organized by resource in `tests/api/`
- Request/response examples for API documentation
- Schema compliance report for each endpoint
- Endpoint coverage matrix showing tested vs. untested endpoints and methods
- CI pipeline step running API tests against staging environment
## Error Handling
| Error | Cause | Solution |
|-------|-------|---------|
| Connection refused | API server not running or wrong base URL | Verify server is up with a health check before test suite starts; check `BASE_URL` config |
| 401 on all requests | Authentication token expired or misconfigured | Refresh token in test setup; verify `Authorization` header format; check token scopes |
| Schema validation fails unexpectedly | API response includes extra fields not in spec | Update OpenAPI spec to include new fields; use `additionalProperties: true` if expected |
| Test data conflicts | Another test modified or deleted the resource | Use unique test data per test; create resources in `beforeEach`; avoid shared fixtures |
| Rate limit hit during test run | Too many requests in quick succession | Add delays between requests or use authenticated sessions with higher limits; run tests serially |
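
Before relaxing a schema with `additionalProperties: true`, it helps to see exactly which undocumented fields the response carries, since an extra field can be unintended data exposure rather than spec drift. The block below is an added example, not part of the original SKILL.md: it implements a small JSON Schema subset as a stand-in for Ajv, and the schema, response body, and `validate` helper are constructed for illustration.

```typescript
// Minimal JSON Schema subset (type, required, properties, items, additionalProperties),
// written for this example as a stand-in for a full validator such as Ajv.
type Schema = {
  type: 'object' | 'array' | 'string' | 'number' | 'boolean';
  required?: string[];
  properties?: Record<string, Schema>;
  items?: Schema;
  additionalProperties?: boolean;
};

const typeOf = (v: unknown): string =>
  Array.isArray(v) ? 'array' : v === null ? 'null' : typeof v;
const has = (o: object, k: string): boolean => Object.prototype.hasOwnProperty.call(o, k);

function validate(value: unknown, schema: Schema, path = '$'): string[] {
  if (typeOf(value) !== schema.type) {
    return [`${path}: expected ${schema.type}, got ${typeOf(value)}`];
  }
  const errors: string[] = [];
  const items = schema.items;
  if (Array.isArray(value) && items) {
    value.forEach((v, i) => errors.push(...validate(v, items, `${path}[${i}]`)));
  }
  if (schema.type === 'object') {
    const obj = value as Record<string, unknown>;
    const props = schema.properties ?? {};
    for (const key of schema.required ?? []) {
      if (!has(obj, key)) errors.push(`${path}.${key}: required field missing`);
    }
    for (const [key, v] of Object.entries(obj)) {
      if (has(props, key)) errors.push(...validate(v, props[key], `${path}.${key}`));
      // Strict mode: name every undocumented field so it is reviewed, not ignored.
      else if (schema.additionalProperties === false) errors.push(`${path}.${key}: not in spec`);
    }
  }
  return errors;
}

// Constructed schema and response body for the user object from the GraphQL example.
const userSchema: Schema = {
  type: 'object',
  required: ['id', 'name', 'email'],
  additionalProperties: false,
  properties: { id: { type: 'string' }, name: { type: 'string' }, email: { type: 'string' } },
};
const body = { id: '1', name: 'Alice', passwordHash: '<constructed>', roles: ['admin'] };

const findings = validate(body, userSchema);
console.log(findings);
```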
## Examples
**Supertest REST API test suite:**
```typescript
import request from 'supertest';
import { app } from '../src/app';

// Assumption: the test bearer token is supplied via the environment.
const token = process.env.API_TOKEN ?? '';

describe('GET /api/products', () => {
  it('returns a paginated product list', async () => {
    const res = await request(app)
      .get('/api/products?page=1&limit=10')
      .set('Authorization', `Bearer ${token}`)
      .expect(200) // HTTP 200 OK
      .expect('Content-Type', /json/);
    expect(res.body.data).toBeInstanceOf(Array);
    expect(res.body.data.length).toBeLessThanOrEqual(10);
    expect(res.body.meta).toMatchObject({ page: 1, limit: 10 });
  });

  it('returns 401 without authentication', async () => {
    await request(app).get('/api/products').expect(401); // HTTP 401 Unauthorized
  });
});

describe('POST /api/products', () => {
  it('creates a product with valid data', async () => {
    const res = await request(app)
      .post('/api/products')
      .set('Authorization', `Bearer ${token}`)
      .send({ name: 'Widget', price: 9.99, category: 'tools' })
      .expect(201); // HTTP 201 Created
    expect(res.body).toMatchObject({ name: 'Widget', price: 9.99 });
    expect(res.body.id).toBeDefined();
  });

  it('returns 400 for missing required fields', async () => {
    await request(app)
      .post('/api/products')
      .set('Authorization', `Bearer ${token}`)
      .send({ name: 'Widget' }) // missing price
      .expect(400); // HTTP 400 Bad Request
  });
});
```
**GraphQL API test:**
```typescript
import request from 'supertest';
import { app } from '../src/app';

it('fetches user by ID', async () => {
  const query = `query { user(id: "1") { id name email } }`;
  const res = await request(app)
    .post('/graphql')
    .send({ query })
    .expect(200); // HTTP 200 OK
  expect(res.body.data.user).toMatchObject({ id: '1', name: 'Alice' });
  expect(res.body.errors).toBeUndefined();
});
```
## Resources
- Supertest: https://github.com/ladjs/supertest
- REST-assured (Java): https://rest-assured.io/
- httpx (Python): https://www.python-httpx.org/
- Newman (Postman CLI): https://learning.postman.com/docs/collections/using-newman-cli/
- OpenAPI specification: https://spec.openapis.org/oas/v3.1.0
- Ajv JSON Schema validator: https://ajv.js.org/