| name | api-validation |
| description | Comprehensive API endpoint validation including schema validation, authentication testing, and error handling |
API Validation Skill
Thorough validation of API endpoints including schema compliance, authentication, authorization, error handling, and performance.
When to Use
- Validating new API endpoints
- Testing API changes
- Schema compliance verification
- Authentication/authorization testing
- API contract validation
- Performance baseline checks
Capabilities
- Schema validation - Verify responses match expected structure
- Authentication testing - Test auth flows and token handling
- Authorization testing - Verify permission enforcement
- Error handling - Validate error responses and messages
- Performance testing - Check response times and limits
Workflow
Phase 1: Discovery
Understand the API:
- Review documentation (OpenAPI, Swagger, README)
- Identify endpoints to validate
- Note authentication requirements
- Document expected responses
Phase 2: Test Design
Create comprehensive test cases:
For Each Endpoint:
- Success scenarios (valid requests)
- Authentication tests (valid/invalid/missing token)
- Authorization tests (permitted/forbidden actions)
- Validation tests (required fields, formats, types)
- Error scenarios (not found, server errors)
Phase 3: Execution
Run tests systematically:
- Test authentication first
- Test each endpoint method
- Validate response schemas
- Check error handling
- Measure performance
Phase 4: Validation
For each response, verify:
- Status code correct
- Response body matches schema
- Required fields present
- Data types correct
- Headers appropriate
- Timing acceptable
Phase 5: Reporting
Document findings:
- Endpoints validated
- Tests passed/failed
- Schema violations
- Security issues
- Performance concerns
Validation Checklist
Authentication Validation
Authorization Validation
Schema Validation
Input Validation
Error Handling Validation
Performance Validation
Common Validation Patterns
CRUD Endpoint Validation
Use the api-validation skill to validate all CRUD operations on the /api/users endpoint
Tests:
- POST /users - Create with valid data (201)
- POST /users - Create with invalid data (400)
- GET /users - List all (200, paginated)
- GET /users/:id - Get existing (200)
- GET /users/:id - Get non-existing (404)
- PUT /users/:id - Update existing (200)
- PUT /users/:id - Update non-existing (404)
- DELETE /users/:id - Delete existing (204)
- DELETE /users/:id - Delete non-existing (404)
Auth Endpoint Validation
Use the api-validation skill to thoroughly test authentication on /api/auth endpoints
Tests:
- POST /auth/login - Valid credentials (200 + token)
- POST /auth/login - Invalid password (401)
- POST /auth/login - Unknown user (401)
- POST /auth/logout - With valid token (200)
- POST /auth/refresh - Valid refresh token (200)
- POST /auth/refresh - Invalid token (401)
Protected Endpoint Validation
Use the api-validation skill to verify authorization on /api/admin endpoints
Tests:
- Request without token (401)
- Request with user token (403)
- Request with admin token (200)
- Request with expired token (401)
Schema Validation Approach
For each response field, verify:
| Field | Type | Required | Validation |
|-------|------|----------|------------|
| id | string | yes | UUID format |
| email | string | yes | email format |
| name | string | yes | min 1, max 100 |
| status | string | yes | enum: active, inactive |
| createdAt | string | yes | ISO date format |
| metadata | object | no | can be empty |
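The field table above, turned into an executable check. This is an added example, not part of the original skill: the names `SCHEMA`, `validate_user`, `GOOD` and `BAD` are hypothetical, the sample responses are constructed, and the `strict` flag that reports undocumented fields is an assumption that goes beyond the table.

```python
import re
import uuid
from datetime import datetime

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # shape check only
def _is_uuid(v):
    try:  # uuid.UUID() also accepts braces/urn: forms, so require canonical text
        return str(uuid.UUID(v)) == v.lower()
    except ValueError:
        return False

def _is_iso_date(v):
    try:  # map a trailing "Z" for interpreters older than Python 3.11
        datetime.fromisoformat(v[:-1] + "+00:00" if v.endswith("Z") else v)
        return True
    except ValueError:
        return False

SCHEMA = {  # field: (type, required, check, rule text), one row per table row
    "id": (str, True, _is_uuid, "UUID format"),
    "email": (str, True, lambda v: bool(EMAIL_RE.match(v)), "email format"),
    "name": (str, True, lambda v: 1 <= len(v) <= 100, "min 1, max 100"),
    "status": (str, True, lambda v: v in ("active", "inactive"), "enum: active, inactive"),
    "createdAt": (str, True, _is_iso_date, "ISO date format"),
    "metadata": (dict, False, lambda v: True, "can be empty"),
}

def validate_user(body, strict=True):
    """Return a list of violations; an empty list means the body complies."""
    if not isinstance(body, dict):
        return ["body: expected a JSON object"]
    errors = []
    for field, (ftype, required, check, rule) in SCHEMA.items():
        if field not in body:
            if required:
                errors.append(f"{field}: missing required field")
        elif not isinstance(body[field], ftype):
            errors.append(f"{field}: expected {ftype.__name__}")
        elif not check(body[field]):
            errors.append(f"{field}: fails rule '{rule}'")
    if strict:  # assumption: undocumented fields are findings (possible data leak)
        errors += [f"{k}: unexpected field" for k in sorted(set(body) - set(SCHEMA))]
    return errors

# Constructed sample responses, not captured from a real API.
GOOD = {"id": "3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b", "email": "a@example.com",
        "name": "Ana", "status": "active", "createdAt": "2024-01-15T10:30:00Z", "metadata": {}}
BAD = {"id": "1234", "email": "a@example.com", "name": "", "status": "deleted",
       "createdAt": "15/01/2024", "passwordHash": "x"}
```

`validate_user(BAD)` reports four rule failures plus the undocumented `passwordHash` field, which is the kind of over-exposure a type-only check would miss.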
Usage Examples
Full Endpoint Validation
Use the api-validation skill to thoroughly validate the /api/products endpoint including all HTTP methods, authentication, and error handling
Auth-Focused Validation
Use the api-validation skill to test authentication and authorization across all protected endpoints
Schema Compliance Check
Use the api-validation skill to verify all API responses match the OpenAPI schema
Input Validation Testing
Use the api-validation skill to test input validation on POST /api/orders with various invalid payloads
Validation Report Format
# API Validation Report: [Endpoint]
**Date**: [Date]
**Endpoint**: [PATH]
**Methods Tested**: GET, POST, PUT, DELETE
## Summary
| Category | Tests | Passed | Failed |
|----------|-------|--------|--------|
| Authentication | X | X | X |
| Authorization | X | X | X |
| Schema | X | X | X |
| Validation | X | X | X |
| Error Handling | X | X | X |
| Performance | X | X | X |
## Detailed Results
### Authentication Tests
[Results table]
### Schema Validation
[Field-by-field results]
### Issues Found
[List with severity]
## Recommendations
[Action items]
Best Practices
- Start with auth - Test authentication before other endpoints
- Use real payloads - Test with production-like data
- Test all methods - GET, POST, PUT, PATCH, DELETE
- Validate schemas strictly - Every field, every type
- Check error formats - Consistency matters
- Test edge cases - Empty strings, null, max lengths
- Measure performance - Set baselines, track changes
- Document findings - Include evidence (requests/responses)