The main categories of API testing and what each one is checking.
Overview
| Type | What it validates |
|---|---|
| Smoke | The API is alive and nothing is catastrophically broken |
| Functional | Correct outputs for given inputs, per spec |
| Integration | End-to-end flows across multiple API calls and services |
| Regression | Existing behavior hasn't broken after a change |
| Load | Performance under expected traffic levels |
| Stress | Behavior under extreme load (beyond capacity) |
| Security | Resistance to external threats |
| UI | API data is correctly displayed by the frontend |
| Fuzz | Robustness against invalid or unexpected inputs |
In Detail
Smoke Testing
Done immediately after deployment. Validates that the API is reachable and core endpoints return expected status codes. If smoke tests fail, stop — don't bother running anything else.
Functional Testing
Tests each endpoint against its functional requirements: correct response body, correct status codes, correct behavior for valid and invalid inputs. Based on the API spec or contract.
Integration Testing
Combines multiple API calls into end-to-end scenarios. Tests intra-service communication and data flowing correctly across service boundaries. Example: create order → payment → confirmation email.
Regression Testing
Runs after bug fixes or new feature releases. Ensures changes haven't broken existing behavior. Should be automated and run on every PR/deployment.
Load Testing
Simulates realistic traffic levels to measure response time, throughput, and error rates. Answers: "What's our capacity?" and "Where does performance degrade?"
Stress Testing
Deliberately pushes the API beyond expected capacity to find the breaking point. Answers: "What happens when we hit 10× normal traffic?" — useful for planning autoscaling and failure modes.
Security Testing
Tests the API against common threats:
- Authentication/authorization bypass
- SQL/NoSQL injection
- Broken object-level authorization (BOLA/IDOR)
- Rate limiting and abuse prevention
- Sensitive data exposure
UI Testing
Validates that the frontend correctly renders data returned by the API. Catches mismatches between API response shape and what the UI expects.
Fuzz Testing
Injects invalid, unexpected, or random data into API inputs to find crashes, unhandled exceptions, or security holes. Useful for finding edge cases that manual testing misses.
When to Run What
| Stage | Tests to run |
|---|---|
| After deployment | Smoke |
| On every PR | Functional, Regression |
| Pre-release | Integration, Load |
| Periodic / Security audit | Security, Fuzz |
| Capacity planning | Load, Stress |