← Back to SkillsView on GitHub
api-test-generator
matteocervelli
Updated Yesterday
16 views
10
10
Metatestingapi
About
This skill automatically generates comprehensive integration tests for REST and GraphQL API endpoints. It covers all HTTP methods, status codes, authentication, authorization, and request/response validation. Use it to quickly create robust test suites that validate your API contracts and error handling.
Documentation
API Test Generator Skill
Purpose
This skill generates comprehensive integration tests for API endpoints, covering all HTTP methods, status codes, authentication, authorization, request/response validation, and error handling.
When to Use
- Generate tests for REST API endpoints
- Test GraphQL API queries and mutations
- Validate API request/response contracts
- Test API authentication and authorization
- Verify API error handling and status codes
API Test Coverage
For each endpoint, test:
- ✅ Success cases (200, 201, 204)
- ✅ Validation errors (400, 422)
- ✅ Authentication errors (401)
- ✅ Authorization errors (403)
- ✅ Not found errors (404)
- ✅ Conflict errors (409)
- ✅ Server errors (500)
- ✅ Request body validation
- ✅ Query parameter validation
- ✅ Response schema validation
API Test Generation Workflow
1. Analyze API Routes
Identify endpoints:
# Read route definitions
cat src/routes/users.py
cat src/controllers/user_controller.py
# Identify:
# - Endpoints and HTTP methods
# - Path parameters
# - Query parameters
# - Request body schemas
# - Response schemas
# - Authentication requirements
# - Authorization requirements
Map endpoints:
GET /api/users - List users (public)
GET /api/users/:id - Get user (public)
POST /api/users - Create user (admin only)
PUT /api/users/:id - Update user (auth required, owner or admin)
DELETE /api/users/:id - Delete user (auth required, owner or admin)
Deliverable: API endpoint inventory
2. Generate REST API Test Suite
Test file structure:
"""
Integration tests for Users API endpoints.
Endpoints tested:
- GET /api/users
- GET /api/users/:id
- POST /api/users
- PUT /api/users/:id
- PATCH /api/users/:id
- DELETE /api/users/:id
"""
import pytest
from fastapi.testclient import TestClient
from sqlalchemy.orm import Session
from src.models import User
# ============================================================================
# GET /api/users - List Users
# ============================================================================
class TestGetUsers:
"""Tests for GET /api/users endpoint."""
def test_get_users_empty_returns_empty_list(self, client: TestClient):
"""Test GET /api/users with no users returns empty list."""
# Act
response = client.get("/api/users")
# Assert
assert response.status_code == 200
assert response.json() == []
def test_get_users_returns_user_list(
self, client: TestClient, db: Session
):
"""Test GET /api/users returns list of users."""
# Arrange: Create test users
users = [
User(name=f"User {i}", email=f"user{i}@example.com")
for i in range(3)
]
db.add_all(users)
db.commit()
# Act
response = client.get("/api/users")
# Assert
assert response.status_code == 200
data = response.json()
assert len(data) == 3
assert all("id" in user for user in data)
assert all("name" in user for user in data)
assert all("email" in user for user in data)
def test_get_users_with_pagination(
self, client: TestClient, db: Session
):
"""Test GET /api/users with pagination parameters."""
# Arrange: Create 10 users
users = [
User(name=f"User {i}", email=f"user{i}@example.com")
for i in range(10)
]
db.add_all(users)
db.commit()
# Act
response = client.get("/api/users?limit=5&offset=0")
# Assert
assert response.status_code == 200
data = response.json()
assert len(data) == 5
def test_get_users_with_search_filter(
self, client: TestClient, db: Session
):
"""Test GET /api/users with search query."""
# Arrange
users = [
User(name="Alice", email="[email protected]"),
User(name="Bob", email="[email protected]"),
User(name="Alice Smith", email="[email protected]"),
]
db.add_all(users)
db.commit()
# Act
response = client.get("/api/users?search=alice")
# Assert
assert response.status_code == 200
data = response.json()
assert len(data) == 2
assert all("alice" in user["name"].lower() for user in data)
def test_get_users_invalid_limit_returns_400(self, client: TestClient):
"""Test GET /api/users with invalid limit parameter."""
# Act
response = client.get("/api/users?limit=-1")
# Assert
assert response.status_code == 400
assert "limit" in response.json()["detail"].lower()
# ============================================================================
# GET /api/users/:id - Get User by ID
# ============================================================================
class TestGetUserById:
"""Tests for GET /api/users/:id endpoint."""
def test_get_user_by_id_returns_user(
self, client: TestClient, test_user: User
):
"""Test GET /api/users/:id returns specific user."""
# Act
response = client.get(f"/api/users/{test_user.id}")
# Assert
assert response.status_code == 200
data = response.json()
assert data["id"] == test_user.id
assert data["name"] == test_user.name
assert data["email"] == test_user.email
assert "password" not in data # Sensitive data not included
def test_get_user_nonexistent_id_returns_404(self, client: TestClient):
"""Test GET /api/users/:id with nonexistent ID returns 404."""
# Act
response = client.get("/api/users/99999")
# Assert
assert response.status_code == 404
assert "not found" in response.json()["detail"].lower()
def test_get_user_invalid_id_format_returns_400(self, client: TestClient):
"""Test GET /api/users/:id with invalid ID format returns 400."""
# Act
response = client.get("/api/users/invalid-id")
# Assert
assert response.status_code == 400
# ============================================================================
# POST /api/users - Create User
# ============================================================================
class TestCreateUser:
"""Tests for POST /api/users endpoint."""
def test_create_user_valid_data_returns_created(
self, client: TestClient, db: Session, admin_headers: dict
):
"""Test POST /api/users with valid data creates user."""
# Arrange
user_data = {
"name": "New User",
"email": "[email protected]",
"password": "SecurePass123"
}
# Act
response = client.post(
"/api/users",
json=user_data,
headers=admin_headers
)
# Assert
assert response.status_code == 201
data = response.json()
assert data["name"] == user_data["name"]
assert data["email"] == user_data["email"]
assert "id" in data
assert "password" not in data # Password not returned
assert "created_at" in data
# Verify in database
user = db.query(User).filter_by(email=user_data["email"]).first()
assert user is not None
assert user.name == user_data["name"]
def test_create_user_missing_required_field_returns_400(
self, client: TestClient, admin_headers: dict
):
"""Test POST /api/users with missing required field returns 400."""
# Arrange: Missing email
invalid_data = {
"name": "User",
"password": "password"
}
# Act
response = client.post(
"/api/users",
json=invalid_data,
headers=admin_headers
)
# Assert
assert response.status_code == 400
assert "email" in response.json()["detail"].lower()
def test_create_user_invalid_email_returns_400(
self, client: TestClient, admin_headers: dict
):
"""Test POST /api/users with invalid email format returns 400."""
# Arrange
invalid_data = {
"name": "User",
"email": "not-an-email",
"password": "password"
}
# Act
response = client.post(
"/api/users",
json=invalid_data,
headers=admin_headers
)
# Assert
assert response.status_code == 400
assert "email" in response.json()["detail"].lower()
def test_create_user_weak_password_returns_400(
self, client: TestClient, admin_headers: dict
):
"""Test POST /api/users with weak password returns 400."""
# Arrange
invalid_data = {
"name": "User",
"email": "[email protected]",
"password": "123" # Too short
}
# Act
response = client.post(
"/api/users",
json=invalid_data,
headers=admin_headers
)
# Assert
assert response.status_code == 400
assert "password" in response.json()["detail"].lower()
def test_create_user_duplicate_email_returns_409(
self, client: TestClient, test_user: User, admin_headers: dict
):
"""Test POST /api/users with duplicate email returns 409."""
# Arrange
duplicate_data = {
"name": "Another User",
"email": test_user.email, # Duplicate
"password": "password"
}
# Act
response = client.post(
"/api/users",
json=duplicate_data,
headers=admin_headers
)
# Assert
assert response.status_code == 409
assert "already exists" in response.json()["detail"].lower()
def test_create_user_without_auth_returns_401(
self, client: TestClient
):
"""Test POST /api/users without authentication returns 401."""
# Arrange
user_data = {
"name": "User",
"email": "[email protected]",
"password": "password"
}
# Act
response = client.post("/api/users", json=user_data)
# Assert
assert response.status_code == 401
def test_create_user_as_non_admin_returns_403(
self, client: TestClient, auth_headers: dict
):
"""Test POST /api/users as non-admin user returns 403."""
# Arrange
user_data = {
"name": "User",
"email": "[email protected]",
"password": "password"
}
# Act
response = client.post(
"/api/users",
json=user_data,
headers=auth_headers # Regular user, not admin
)
# Assert
assert response.status_code == 403
# ============================================================================
# PUT /api/users/:id - Update User (Full Replace)
# ============================================================================
class TestUpdateUser:
"""Tests for PUT /api/users/:id endpoint."""
def test_update_user_own_account_returns_updated(
self, client: TestClient, test_user: User, auth_headers: dict, db: Session
):
"""Test PUT /api/users/:id to update own account."""
# Arrange
update_data = {
"name": "Updated Name",
"email": test_user.email # Same email
}
# Act
response = client.put(
f"/api/users/{test_user.id}",
json=update_data,
headers=auth_headers
)
# Assert
assert response.status_code == 200
data = response.json()
assert data["name"] == "Updated Name"
# Verify in database
db.refresh(test_user)
assert test_user.name == "Updated Name"
def test_update_user_other_account_as_admin_succeeds(
self, client: TestClient, test_user: User, admin_headers: dict, db: Session
):
"""Test PUT /api/users/:id as admin to update other user."""
# Arrange
update_data = {
"name": "Admin Updated",
"email": test_user.email
}
# Act
response = client.put(
f"/api/users/{test_user.id}",
json=update_data,
headers=admin_headers
)
# Assert
assert response.status_code == 200
def test_update_user_other_account_as_regular_user_returns_403(
self, client: TestClient, db: Session, auth_headers: dict
):
"""Test PUT /api/users/:id to update other user returns 403."""
# Arrange: Create another user
other_user = User(name="Other", email="[email protected]")
db.add(other_user)
db.commit()
update_data = {"name": "Unauthorized Update"}
# Act
response = client.put(
f"/api/users/{other_user.id}",
json=update_data,
headers=auth_headers # Regular user, not admin
)
# Assert
assert response.status_code == 403
def test_update_user_nonexistent_returns_404(
self, client: TestClient, admin_headers: dict
):
"""Test PUT /api/users/:id with nonexistent ID returns 404."""
# Arrange
update_data = {"name": "Updated"}
# Act
response = client.put(
"/api/users/99999",
json=update_data,
headers=admin_headers
)
# Assert
assert response.status_code == 404
# ============================================================================
# PATCH /api/users/:id - Partial Update User
# ============================================================================
class TestPatchUser:
"""Tests for PATCH /api/users/:id endpoint."""
def test_patch_user_single_field_updates(
self, client: TestClient, test_user: User, auth_headers: dict, db: Session
):
"""Test PATCH /api/users/:id updates only specified field."""
# Arrange
original_email = test_user.email
patch_data = {"name": "Patched Name"}
# Act
response = client.patch(
f"/api/users/{test_user.id}",
json=patch_data,
headers=auth_headers
)
# Assert
assert response.status_code == 200
data = response.json()
assert data["name"] == "Patched Name"
assert data["email"] == original_email # Unchanged
# Verify in database
db.refresh(test_user)
assert test_user.name == "Patched Name"
assert test_user.email == original_email
# ============================================================================
# DELETE /api/users/:id - Delete User
# ============================================================================
class TestDeleteUser:
"""Tests for DELETE /api/users/:id endpoint."""
def test_delete_user_own_account_returns_no_content(
self, client: TestClient, test_user: User, auth_headers: dict, db: Session
):
"""Test DELETE /api/users/:id to delete own account."""
# Act
response = client.delete(
f"/api/users/{test_user.id}",
headers=auth_headers
)
# Assert
assert response.status_code == 204
# Verify in database
deleted_user = db.query(User).filter_by(id=test_user.id).first()
assert deleted_user is None
def test_delete_user_as_admin_succeeds(
self, client: TestClient, test_user: User, admin_headers: dict, db: Session
):
"""Test DELETE /api/users/:id as admin."""
# Act
response = client.delete(
f"/api/users/{test_user.id}",
headers=admin_headers
)
# Assert
assert response.status_code == 204
def test_delete_user_other_account_returns_403(
self, client: TestClient, db: Session, auth_headers: dict
):
"""Test DELETE /api/users/:id to delete other user returns 403."""
# Arrange
other_user = User(name="Other", email="[email protected]")
db.add(other_user)
db.commit()
# Act
response = client.delete(
f"/api/users/{other_user.id}",
headers=auth_headers
)
# Assert
assert response.status_code == 403
def test_delete_user_without_auth_returns_401(
self, client: TestClient, test_user: User
):
"""Test DELETE /api/users/:id without auth returns 401."""
# Act
response = client.delete(f"/api/users/{test_user.id}")
# Assert
assert response.status_code == 401
def test_delete_user_nonexistent_returns_404(
self, client: TestClient, admin_headers: dict
):
"""Test DELETE /api/users/:id with nonexistent ID returns 404."""
# Act
response = client.delete(
"/api/users/99999",
headers=admin_headers
)
# Assert
assert response.status_code == 404
Deliverable: Comprehensive REST API tests
3. Generate GraphQL API Tests
GraphQL test structure:
"""
Integration tests for GraphQL API.
"""
import pytest
from fastapi.testclient import TestClient
from sqlalchemy.orm import Session
class TestGraphQLQueries:
"""Tests for GraphQL queries."""
def test_query_users_returns_list(
self, client: TestClient, db: Session
):
"""Test users query returns list."""
# Arrange
create_test_users(db, count=3)
query = """
query {
users {
id
name
email
}
}
"""
# Act
response = client.post("/graphql", json={"query": query})
# Assert
assert response.status_code == 200
data = response.json()["data"]
assert len(data["users"]) == 3
def test_query_user_by_id_returns_user(
self, client: TestClient, test_user: User
):
"""Test user query by ID returns specific user."""
# Arrange
query = f"""
query {{
user(id: {test_user.id}) {{
id
name
email
}}
}}
"""
# Act
response = client.post("/graphql", json={"query": query})
# Assert
assert response.status_code == 200
data = response.json()["data"]["user"]
assert data["id"] == test_user.id
assert data["name"] == test_user.name
class TestGraphQLMutations:
"""Tests for GraphQL mutations."""
def test_create_user_mutation_creates_user(
self, client: TestClient, db: Session, admin_headers: dict
):
"""Test createUser mutation creates new user."""
# Arrange
mutation = """
mutation {
createUser(input: {
name: "New User",
email: "[email protected]",
password: "SecurePass123"
}) {
user {
id
name
email
}
}
}
"""
# Act
response = client.post(
"/graphql",
json={"query": mutation},
headers=admin_headers
)
# Assert
assert response.status_code == 200
data = response.json()["data"]["createUser"]["user"]
assert data["name"] == "New User"
assert data["email"] == "[email protected]"
# Verify in database
user = db.query(User).filter_by(email="[email protected]").first()
assert user is not None
Deliverable: GraphQL API tests
HTTP Status Code Testing
Test all relevant status codes:
# 200 OK - Successful GET/PUT/PATCH
def test_returns_200_on_success(client):
response = client.get("/api/resource")
assert response.status_code == 200
# 201 Created - Successful POST
def test_returns_201_on_create(client):
response = client.post("/api/resource", json=data)
assert response.status_code == 201
# 204 No Content - Successful DELETE
def test_returns_204_on_delete(client):
response = client.delete("/api/resource/1")
assert response.status_code == 204
# 400 Bad Request - Validation error
def test_returns_400_on_invalid_input(client):
response = client.post("/api/resource", json=invalid_data)
assert response.status_code == 400
# 401 Unauthorized - Missing/invalid auth
def test_returns_401_without_auth(client):
response = client.get("/api/protected")
assert response.status_code == 401
# 403 Forbidden - Insufficient permissions
def test_returns_403_without_permission(client, user_token):
response = client.delete("/api/admin/resource", headers=user_token)
assert response.status_code == 403
# 404 Not Found - Resource doesn't exist
def test_returns_404_for_nonexistent(client):
response = client.get("/api/resource/99999")
assert response.status_code == 404
# 409 Conflict - Duplicate resource
def test_returns_409_on_duplicate(client):
response = client.post("/api/resource", json=existing_data)
assert response.status_code == 409
# 422 Unprocessable Entity - Semantic error
def test_returns_422_on_semantic_error(client):
response = client.post("/api/resource", json=invalid_semantic_data)
assert response.status_code == 422
# 500 Internal Server Error - Server error
def test_returns_500_on_server_error(client, mock_error):
response = client.get("/api/resource")
assert response.status_code == 500
Best Practices
- Test all HTTP methods: GET, POST, PUT, PATCH, DELETE
- Test all status codes: Success and error responses
- Validate request bodies: Required fields, formats, constraints
- Validate response bodies: Schema, fields, data types
- Test authentication: With/without tokens, expired tokens
- Test authorization: Different user roles and permissions
- Test edge cases: Empty lists, null values, max limits
- Verify database state: Check data persisted correctly
- Use descriptive test names: Clearly state what's being tested
- Group by endpoint: Organize tests by API endpoint
Quality Checklist
Before completing API tests:
- All endpoints tested
- All HTTP methods tested
- Success cases (200, 201, 204) covered
- Error cases (400, 401, 403, 404, 409) covered
- Request validation tested
- Response schema validated
- Authentication tested
- Authorization tested
- Edge cases covered
- Database state verified
- All tests pass
- Tests are independent
Integration with Testing Workflow
Input: API routes and endpoints Process: Analyze → Generate tests → Run & verify Output: Comprehensive API test suite Next Step: API documentation or deployment
Remember
- Test all endpoints and HTTP methods
- Test success and error cases
- Validate request and response schemas
- Test authentication and authorization
- Verify database state after operations
- Use appropriate status codes
- Keep tests focused on one scenario
- Tests serve as API documentation
Quick Install
/plugin add https://github.com/matteocervelli/llms/tree/main/api-test-generatorCopy and paste this command in Claude Code to install this skill
GitHub 仓库
matteocervelli/llms
Path: .claude/skills/api-test-generator
Related Skills
evaluating-llms-harness
TestingThis Claude Skill runs the lm-evaluation-harness to benchmark LLMs across 60+ standardized academic tasks like MMLU and GSM8K. It's designed for developers to compare model quality, track training progress, or report academic results. The tool supports various backends including HuggingFace and vLLM models.
View skill
langchain
MetaLangChain is a framework for building LLM applications using agents, chains, and RAG pipelines. It supports multiple LLM providers, offers 500+ integrations, and includes features like tool calling and memory management. Use it for rapid prototyping and deploying production systems like chatbots, autonomous agents, and question-answering services.
View skill
webapp-testing
TestingThis Claude Skill provides a Playwright-based toolkit for testing local web applications through Python scripts. It enables frontend verification, UI debugging, screenshot capture, and log viewing while managing server lifecycles. Use it for browser automation tasks but run scripts directly rather than reading their source code to avoid context pollution.
View skill
finishing-a-development-branch
TestingThis skill helps developers complete finished work by verifying tests pass and then presenting structured integration options. It guides the workflow for merging, creating PRs, or cleaning up branches after implementation is done. Use it when your code is ready and tested to systematically finalize the development process.
View skill