api-tester
Test REST and GraphQL API endpoints with structured assertions and reporting. Use when a user asks to test an API, hit an endpoint, check if an API works, validate a response, debug an API call, test authentication flows, or verify API contracts. Supports GET, POST, PUT, PATCH, DELETE with headers, body, auth, and response validation.
Best use case
api-tester is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using api-tester should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/api-tester/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How api-tester Compares
| Feature / Agent | api-tester | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Test REST and GraphQL API endpoints with structured assertions and reporting. Use when a user asks to test an API, hit an endpoint, check if an API works, validate a response, debug an API call, test authentication flows, or verify API contracts. Supports GET, POST, PUT, PATCH, DELETE with headers, body, auth, and response validation.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# API Tester
## Overview
Test API endpoints by sending HTTP requests, validating responses, and reporting results. Supports REST and GraphQL APIs with authentication, custom headers, request bodies, and structured assertions on status codes, headers, and response payloads.
## Instructions
When a user asks you to test or debug an API endpoint, follow these steps:
### Step 1: Gather endpoint details
Determine from the user or codebase:
- **URL**: The full endpoint URL
- **Method**: GET, POST, PUT, PATCH, DELETE
- **Headers**: Content-Type, Authorization, custom headers
- **Body**: JSON payload, form data, or query parameters
- **Auth**: Bearer token, API key, basic auth
- **Expected response**: Status code, response shape, specific values
### Step 2: Send the request
**Using curl (preferred for quick tests):**
```bash
# GET request
curl -s -w "\nHTTP Status: %{http_code}\nTime: %{time_total}s\n" \
  -H "Authorization: Bearer $TOKEN" \
  "https://api.example.com/users?page=1"

# POST request with JSON
curl -s -w "\nHTTP Status: %{http_code}\nTime: %{time_total}s\n" \
  -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"name": "Jane", "email": "jane@example.com"}' \
  "https://api.example.com/users"
```
**Using Python (for complex flows):**
```python
import time

import requests


def test_endpoint(method, url, headers=None, body=None, expected_status=200):
    """Send one request and return (result, passed)."""
    start = time.time()
    response = requests.request(method, url, headers=headers, json=body, timeout=30)
    elapsed = time.time() - start

    # Parse JSON only when the server declares it; fall back to raw text if the
    # declared JSON body is empty or malformed (e.g. an error page from a proxy).
    if response.headers.get("content-type", "").startswith("application/json"):
        try:
            parsed = response.json()
        except ValueError:
            parsed = response.text
    else:
        parsed = response.text

    result = {
        "status": response.status_code,
        "time_ms": round(elapsed * 1000),
        "headers": dict(response.headers),
        "body": parsed,
    }
    passed = response.status_code == expected_status
    print(f"{'PASS' if passed else 'FAIL'} | {method} {url} | {response.status_code} | {result['time_ms']}ms")
    return result, passed
```
### Step 3: Validate the response
Check these in order:
1. **Status code** matches expected (200, 201, 204, 400, 401, 404, etc.)
2. **Response time** is acceptable (flag if > 2 seconds)
3. **Content-Type** header matches expected format
4. **Response body** structure matches expected schema
5. **Specific values** match assertions
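```python
def validate_response(result, assertions):
    """Check dotted-path assertions (e.g. "items.0.id") against the response body."""
    failures = []
    body = result["body"]
    for field, expected in assertions.items():
        actual = body
        # Walk the path one segment at a time through dicts and lists.
        for key in field.split("."):
            if isinstance(actual, dict):
                actual = actual.get(key)
            elif isinstance(actual, list) and key.isdigit() and int(key) < len(actual):
                actual = actual[int(key)]
            else:
                # Path does not exist (wrong type or list index out of range).
                actual = None
                break
        if actual != expected:
            failures.append(f"  {field}: expected {expected!r}, got {actual!r}")
    return failures
```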
### Step 4: Report results
Format as a clear test report:
```
API Test Results
================
Endpoint: POST /api/users
Status: 201 Created (expected 201) -- PASS
Time: 142ms
Body: Valid JSON, 3 fields

Assertions:
  [PASS] body.id is present
  [PASS] body.name == "Jane"
  [PASS] body.email == "jane@example.com"
  [FAIL] body.role expected "admin", got "user"

Result: 3/4 assertions passed
```
## Examples
### Example 1: Test a CRUD flow
**User request:** "Test the users API -- create, read, update, delete"
**Output:**
```
API Test Suite: Users CRUD
==========================

1. POST /api/users
   Status: 201 Created -- PASS
   Time: 156ms
   Body: {"id": 42, "name": "Test User", "email": "test@example.com"}

2. GET /api/users/42
   Status: 200 OK -- PASS
   Time: 38ms
   Body: {"id": 42, "name": "Test User", "email": "test@example.com"}

3. PUT /api/users/42
   Status: 200 OK -- PASS
   Time: 89ms
   Body: {"id": 42, "name": "Updated Name", "email": "test@example.com"}

4. DELETE /api/users/42
   Status: 204 No Content -- PASS
   Time: 45ms

5. GET /api/users/42 (verify deletion)
   Status: 404 Not Found -- PASS
   Time: 22ms

Result: 5/5 PASSED
```
### Example 2: Debug a failing request
**User request:** "I'm getting a 401 on POST /api/orders, can you figure out why?"
**Output:**
```
Debugging POST /api/orders
===========================

Test 1: No auth header
  Status: 401 -- Missing Authorization header (expected)

Test 2: With Bearer token
  Status: 401 -- Response: {"error": "Token expired"}
  Note: Token exp claim is 2024-01-15T00:00:00Z (expired)

Test 3: With refreshed token
  Status: 201 Created -- PASS

Root cause: Your Bearer token has expired.
Fix: Refresh the token using POST /api/auth/refresh
```
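The "Token exp claim" note in Test 2 can be produced by reading the token's payload locally. This is an added example, not part of the original SKILL.md; it assumes the bearer token is a compact JWT, and `jwt_claims_unverified`, `diagnose_expiry` and `SAMPLE_TOKEN` are hypothetical names. The payload is decoded without checking the signature, so the result is for diagnosis only and must never be used as an authentication decision.

```python
import base64
import json
from datetime import datetime, timezone


def jwt_claims_unverified(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated parts")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # base64url drops padding; restore it
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError(f"payload is not base64url-encoded JSON: {exc}") from None
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def diagnose_expiry(token, now=None, leeway_s=0):
    """Explain a 401 in terms of the token's exp and nbf claims."""
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    claims = jwt_claims_unverified(token)
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, (int, float)):
        return "no numeric exp claim: expiry is not visible in the token"
    exp_at = datetime.fromtimestamp(exp, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if now_ts >= exp + leeway_s:
        return f"expired: exp claim is {exp_at}"
    if isinstance(nbf, (int, float)) and now_ts + leeway_s < nbf:
        return "not yet valid: nbf claim is in the future"
    return f"not expired: exp claim is {exp_at}"


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample token (placeholder signature), exp = 2024-01-15T00:00:00Z.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "HS256", "typ": "JWT"}),
    _b64url({"sub": "42", "exp": 1705276800}),
    "c2lnbmF0dXJl",
])
```

An opaque (non-JWT) token raises `ValueError`; in that case expiry can only be confirmed from the server's error body, as in Test 2.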
## Guidelines
- Never send requests to production APIs unless the user explicitly confirms. Ask first.
- Mask sensitive values (tokens, passwords, API keys) in output. Show only the last 4 characters.
- For sequences of dependent requests (create then read), use the response from the first request to build the second.
- Include response time in reports. Flag responses over 2 seconds as slow.
- When testing auth flows, test both the happy path and common failure modes (expired token, wrong credentials, missing permissions).
- For GraphQL, use POST with the query in the JSON body and validate the `data` field separately from `errors`.
- If an endpoint returns pagination, test the first page and mention the total count.
- Always set a timeout (30 seconds) to avoid hanging on unresponsive endpoints.
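
One way to apply the masking guideline before a result is printed or written to a report, as an added example that is not part of the original SKILL.md. The key list, the helper names and the rule that values of eight characters or fewer are masked completely are assumptions; `mask_result` expects the dict shape returned by `test_endpoint` above.

```python
import re

# Header and body key names treated as secret (assumed list; extend per API).
SENSITIVE_KEYS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key",
    "api_key", "apikey", "token", "access_token", "refresh_token",
    "password", "secret", "client_secret",
}
# Bearer/Basic credentials embedded in free text, e.g. an echoed curl command.
# The 12-character minimum avoids matching prose such as "Basic auth".
CRED_IN_TEXT = re.compile(r"\b(Bearer|Basic)\s+([A-Za-z0-9._~+/=-]{12,})")


def mask_value(value, keep=4):
    """Hide everything except the last `keep` characters."""
    text = str(value)
    if len(text) <= keep * 2:
        return "*" * len(text)  # too short: a suffix would leak most of it
    return "*" * 8 + text[-keep:]  # fixed-width prefix also hides the length


def mask_header(name, value):
    if name.lower() not in SENSITIVE_KEYS:
        return value
    scheme, sep, cred = value.partition(" ")
    if sep and scheme.lower() in ("bearer", "basic"):
        return f"{scheme} {mask_value(cred)}"  # keep the scheme readable
    return mask_value(value)


def mask_body(data):
    """Recursively mask sensitive fields in a decoded JSON body."""
    if isinstance(data, dict):
        return {k: mask_value(v) if str(k).lower() in SENSITIVE_KEYS and v is not None
                else mask_body(v) for k, v in data.items()}
    if isinstance(data, list):
        return [mask_body(item) for item in data]
    if isinstance(data, str):
        return CRED_IN_TEXT.sub(lambda m: f"{m.group(1)} {mask_value(m.group(2))}", data)
    return data


def mask_result(result):
    """Return a printable copy of a test_endpoint()-style result dict."""
    masked = dict(result)
    masked["headers"] = {k: mask_header(k, v) for k, v in result.get("headers", {}).items()}
    masked["body"] = mask_body(result.get("body"))
    return masked
```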