Master API Testing: 20 Ready‑to‑Use Templates for Security, Performance, and Automation

General Templates

Template 1 – API Overview Translation : Prompt a senior test engineer to explain an API’s core function and usage in plain language, list the three most critical parameters, describe its position in the business flow, and note common call errors.

[Paste API documentation fragment, including URL, method, brief description]
- Explain the API’s role in the workflow
- List the three key parameters and their purpose
- Identify the most frequent invocation errors

Template 2 – Full Call Chain Generation : Given a set of micro‑service endpoints, generate end‑to‑end Python code using the requests library, with exception handling for 401/500 responses and detailed comments describing data flow.

1. Auth service: POST /auth/login → obtain access_token
2. User service: GET /users/me?token={access_token}
3. Order service: POST /orders { "user_id": "...", "items": [...] }
- Use requests library
- Include error handling for 401 and 500
- Add comprehensive comments on data transformation

Authentication & Security Templates

Template 3 – OAuth2.0 Flow Analysis : Explain the authorization‑code grant flow, draw a Mermaid sequence diagram, justify why the redirect URI must be pre‑registered, and provide a curl example for token acquisition.

- Authorization endpoint: GET /oauth/authorize?client_id=xxx&redirect_uri=yyy
- Token endpoint: POST /oauth/token
1. Draw Mermaid sequence diagram
2. Explain pre‑registration of redirect_uri
3. Provide curl command to obtain token

Template 4 – JWT Validation Test Cases : Design security test cases for JWT‑protected APIs, specifying token structure, expiration, and expected responses for tampered payloads.

Interface: All authenticated APIs, Header: Authorization: Bearer
Constraints: token expires in 1 hour, contains user_id and role claims
| Test case | Token tampering method | Expected response |
|----------|------------------------|-------------------|
| Example  | Modify payload role=admin | 403 Forbidden |

Template 5 – API Key Rotation Strategy : Propose a Go middleware that supports concurrent old and new keys, outlines client‑side smooth transition, and provides sample code.

1. Validation logic during key coexistence period
2. Client‑side seamless switch procedure
3. Go middleware implementation example

File Upload Templates

Template 6 – Large File Chunked Upload (Frontend) : Generate JavaScript code using FileReader to split files into 5 MB chunks, support resumable uploads, and update a progress bar.

Init: POST /upload/init → returns upload_id
Chunk upload: PUT /upload/{upload_id}/{part_number} (binary)
Complete: POST /upload/complete { "upload_id": "...", "parts": [...] }
- Use FileReader for 5 MB chunks
- Enable resumable upload
- Add progress‑bar logic

Template 7 – File Type Security Test Cases : Create high‑risk test files (double extensions, forged magic numbers) and corresponding curl commands, expecting rejection or sandbox isolation.

- Endpoint: POST /upload, param: file (multipart/form-data)
- Restrictions: only .jpg/.png, max 10 MB
1. List of malicious test files (e.g., .pdf.exe, fake magic numbers)
2. Corresponding curl commands
3. Expected server behavior (reject / sandbox)

Template 8 – Concurrent Upload Load Test : Write a Locust script that simulates 100 users uploading random 1‑5 MB images, targeting QPS > 50 and error rate < 1 % while generating files on‑the‑fly to avoid disk I/O bottlenecks.

- Scenario: 100 concurrent users, each uploads a random 1‑5 MB image
- Goal: QPS > 50, error rate < 1 %
- Requirement: Dynamically generate test files to prevent disk I/O limits

WebSocket Templates

Template 9 – Real‑Time Message Protocol Parsing : Provide Python websockets code to connect, send, and receive JSON messages, with automatic reconnection and a 30‑second ping/pong heartbeat.

- Connection: wss://api.example.com/chat?token=xxx
- Message format: JSON { "type": "send|receive", "content": "...", "timestamp": ... }
1. Generate connection and send/receive code using websockets library
2. Explain auto‑reconnect handling
3. Design heartbeat (ping every 30 s, expect pong)

Template 10 – WebSocket Stress Test : Use Artillery to simulate 1 000 concurrent users, each sending one message per second, asserting 95 % of messages have latency < 500 ms and reporting connection success and loss rates.

- Scenario: 1 000 users simultaneously connected, 1 message/second
- Assertion: 95 % messages latency < 500 ms
- Output: connection success rate, message loss report

Template 11 – Abnormal Disconnection Handling : List five network‑failure scenarios, expected client behavior, and provide Jest unit‑test code that mocks WebSocket exceptions.

- Scenarios: network blip, server restart, oversized message, etc.
1. Enumerate 5 abnormal cases and expected client responses
2. Generate Jest unit‑test code to simulate WebSocket failures

Complex Business Scenarios

Template 12 – Payment Callback Verification : Explain the security mechanism of a payment gateway callback, generate Node.js signature verification code, discuss idempotency, and design replay‑attack test cases.

Callback URL: POST /payment/notify
Parameters: order_id, amount, signature
Verification: HMAC‑SHA256(order_id+amount, secret_key)
1. Node.js code for signature verification
2. Reason for idempotency handling (duplicate callbacks)
3. Replay‑attack test case design

Template 13 – GraphQL Query Optimization : Write an efficient query to fetch a user and their pending orders, explain how to avoid N+1 problems, and provide Apollo Client call code.

type Query {
  user(id: ID!): User
  orders(userId: ID!, status: String): [Order]
}
1. Query for user + "pending" orders
2. Explain N+1 avoidance (e.g., data loader)
3. Apollo Client invocation example

Template 14 – gRPC Interface Testing : Generate Python pytest integration tests for a gRPC OrderService, using grpcio‑tools to create stubs and an interceptor to log requests.

service OrderService { rpc CreateOrder(CreateOrderRequest) returns (Order); }
1. Generate stub with grpcio-tools
2. Write pytest cases covering success and error flows
3. Add interceptor for request logging

Error Handling & Monitoring

Template 15 – HTTP Status‑Code Scenarios : Provide concrete e‑commerce examples for pairs of status codes (400 vs 422, 401 vs 403, 429 vs 503) and explain the differences.

Explain each status code with a real‑world e‑commerce scenario
- 400 Bad Request vs 422 Unprocessable Entity
- 401 Unauthorized vs 403 Forbidden
- 429 Too Many Requests vs 503 Service Unavailable

Template 16 – Circuit‑Breaker Degradation Test : Design fault‑injection tests for an API protected by Hystrix, using Chaos Monkey to delay Service B, and verify Service A returns degraded data with appropriate metrics.

- Service A calls Service B (Hystrix enabled)
- Trigger: error rate > 50 % for 10 s
1. Chaos Monkey plan to inject latency into Service B
2. Verify Service A returns fallback data, not an error
3. Metrics list: circuit‑breaker opens, degradation rate

Performance & Compatibility

Template 17 – API Version Compatibility : Create a Postman collection covering v1 and v2 user endpoints, validate backward compatibility, and output a matrix of field changes.

v1: GET /users?id=123
v2: GET /users/123
1. Generate Postman collection with both versions
2. Verify v2 supports v1 query parameters
3. Output compatibility matrix (added/removed fields, type changes)

Template 18 – Internationalization (i18n) Testing : Design test cases for language‑tag handling, special characters, and timezone localization on a multilingual product API.

Endpoint: GET /products?lang=zh-CN
Coverage:
- Language tags (zh‑CN, en‑US, ja‑JP)
- Special characters (emoji, Arabic script)
- Timezone handling (localize returned timestamps)
Output: test data table + assertion rules

Advanced Debugging

Template 19 – OpenAPI 3.0 Specification Validation : Check a given OpenAPI YAML fragment for required parameters, response schema consistency, and correct security scheme definitions, then list errors with fix suggestions.

[Paste YAML fragment]
Validate:
1. Required parameters are marked
2. Response schema matches examples
3. Security scheme is correctly defined
Output: error list + remediation advice

Template 20 – API Contract Test Generation : From an OpenAPI document, generate Pact contract tests in Python for the User Service provider and Order Service consumer, including provider state setup.

Provider: User Service
Consumer: Order Service
Key endpoint: GET /users/{id}
1. Generate pact‑python test file
2. Include provider state "user exists"
3. Verify response field types and required fields

This collection serves as a ready‑to‑use toolbox for engineers to quickly produce high‑quality API documentation, security checks, performance benchmarks, and automated tests across a wide range of scenarios.