Intelligent Contract Testing
Generate comprehensive API tests from OpenAPI specs with automatic edge case discovery and breaking change detection
API Test Automation
Ta treść nie jest jeszcze dostępna w Twoim języku.
Transform your API testing from manual validation to intelligent automation. Learn how to use Cursor IDE and Claude Code to generate comprehensive test suites, validate contracts, analyze performance, and secure your APIs through natural language prompts and AI-powered workflows.
Why AI-Powered API Testing Matters
Section titled “Why AI-Powered API Testing Matters”Modern applications rely on countless API interactions. Traditional testing approaches struggle with the complexity, while AI-driven testing transforms challenges into opportunities:
Performance Validation
Create realistic load tests that adapt to production patterns and identify bottlenecks before they impact users
Security Automation
Implement continuous security testing with OWASP API Top 10 validation and intelligent vulnerability scanning
Data-Driven Testing
Generate realistic test data that respects constraints and relationships while maintaining privacy compliance
Quick Start: Generate API Tests with Natural Language
Section titled “Quick Start: Generate API Tests with Natural Language”Workflow 1: OpenAPI Spec to Test Suite
Section titled “Workflow 1: OpenAPI Spec to Test Suite”Prompt: “Generate comprehensive API tests from our OpenAPI specification with full coverage and security validation.”
// Agent Mode: Generate comprehensive API test suiteAgent: "Analyze our OpenAPI spec and create tests that:- Cover all endpoints with positive and negative scenarios- Include authentication and authorization testing- Add rate limiting and error boundary tests- Generate realistic test data for each endpoint- Validate response schemas and status codes"
// AI generates complete test suitedescribe('User Management API', () => { describe('POST /api/users', () => { it('creates user with valid data', async () => { const userData = { email: 'test@example.com', name: 'Test User', role: 'user' };
const response = await request(app) .post('/api/users') .send(userData) .expect(201);
expect(response.body).toMatchObject({ id: expect.any(String), ...userData, createdAt: expect.any(String) }); });
// AI adds comprehensive edge cases it('handles duplicate email gracefully', async () => { await request(app) .post('/api/users') .send({ email: 'duplicate@test.com', name: 'User One' }) .expect(201);
await request(app) .post('/api/users') .send({ email: 'duplicate@test.com', name: 'User Two' }) .expect(409) .expect(res => { expect(res.body.error).toContain('already exists'); }); }); });});# Generate comprehensive API test suiteclaude "Create API tests for our e-commerce platform:
Requirements:- Test all REST endpoints (products, orders, users, payments)- Include authentication flows (JWT, OAuth)- Add rate limiting validation- Test error scenarios and edge cases- Generate realistic test data- Include performance benchmarks- Validate OpenAPI spec compliance"
# Claude analyzes codebase and generates:# tests/api/# ├── auth.test.js # Authentication flows# ├── products.test.js # Product CRUD operations# ├── orders.test.js # Order processing# ├── payments.test.js # Payment validation# ├── fixtures/ # Test data generators# └── helpers/ # Common test utilitiesWorkflow 2: Contract Testing with Consumer-Driven Contracts
Section titled “Workflow 2: Contract Testing with Consumer-Driven Contracts”Prompt: “Set up contract testing between our microservices to prevent breaking changes and ensure API compatibility.”
// Agent Mode: Contract testing setupAgent: "Create consumer-driven contract tests for our microservices:
1. Consumer: Frontend App → Provider: User Service2. Consumer: Order Service → Provider: Payment Service3. Consumer: Notification Service → Provider: User Service
Include:- All critical API interactions- Request/response validation- State management for test data- Breaking change detection- CI/CD integration"
// AI generates Pact contract testsconst { pactWith } = require('jest-pact');const { UserService } = require('../services/UserService');
pactWith({ consumer: 'Frontend', provider: 'UserService' }, provider => { describe('User API', () => { beforeEach(() => { const interaction = { state: 'user exists', uponReceiving: 'a request for user details', withRequest: { method: 'GET', path: '/api/users/123', headers: { 'Authorization': 'Bearer some-token' } }, willRespondWith: { status: 200, headers: { 'Content-Type': 'application/json' }, body: { id: '123', name: 'John Doe', email: 'john@example.com' } } };
return provider.addInteraction(interaction); });
it('returns user details', async () => { const user = await UserService.getUser('123'); expect(user).toEqual({ id: '123', name: 'John Doe', email: 'john@example.com' }); }); });});</TabItem><TabItem label="Claude Code">```bash# Set up comprehensive contract testingclaude "Implement contract testing for our microservices architecture:
Todo:- [ ] Set up Pact broker for contract storage- [ ] Create consumer tests for each service dependency- [ ] Configure provider verification in CI/CD- [ ] Add breaking change detection- [ ] Set up contract evolution workflows- [ ] Create documentation for contract testing process
Services to test:- User Service (provides user data)- Payment Service (processes payments)- Order Service (manages orders)- Notification Service (sends alerts)
Ensure backward compatibility and migration strategies."
# Claude sets up complete contract testing pipelineBreaking Change Detection
Section titled “Breaking Change Detection”Prompt: “Analyze our API schema changes and detect potential breaking changes before deployment.”
// AI-powered breaking change detectionAgent: "Compare our API schemas and identify breaking changes:
1. Analyze current vs new OpenAPI specs2. Detect breaking changes (removed fields, type changes)3. Assess impact on existing consumers4. Suggest migration strategies5. Generate compatibility tests"
// AI generates breaking change analysisconst { detectBreakingChanges } = require('./schema-analyzer');
async function validateApiChanges() { const analysis = await detectBreakingChanges({ currentSchema: './openapi/v1.yaml', newSchema: './openapi/v2.yaml', consumers: [ 'mobile-app', 'web-frontend', 'partner-integrations' ] });
if (analysis.hasBreakingChanges) { console.log('⚠️ Breaking changes detected:'); analysis.breakingChanges.forEach(change => { console.log(`- ${change.type}: ${change.description}`); console.log(` Impact: ${change.impact}`); console.log(` Affected consumers: ${change.affectedConsumers.join(', ')}`); console.log(` Migration: ${change.migrationStrategy}`); }); }
return analysis.isBackwardCompatible;}// AI ensures API version compatibilityAgent: "Test backward compatibility across API versions:
- Test v1 endpoints still work with v2 changes- Validate graceful degradation patterns- Check version header handling- Test feature flag implementations"
describe('API Version Compatibility', () => { const versions = ['v1', 'v2', 'v3'];
versions.forEach(version => { describe(`Version ${version}`, () => { it('maintains backward compatibility', async () => { // Test critical endpoints work across versions const criticalEndpoints = [ '/api/users', '/api/orders', '/api/payments' ];
for (const endpoint of criticalEndpoints) { const response = await request(app) .get(endpoint) .set('API-Version', version) .expect(200);
// Validate response structure hasn't broken expect(response.body).toHaveProperty('data'); expect(response.body).toHaveProperty('meta'); } });
it('handles version negotiation gracefully', async () => { // Test unsupported version handling await request(app) .get('/api/users') .set('API-Version', 'v999') .expect(400) .expect(res => { expect(res.body.error).toContain('unsupported version'); }); }); }); });});Performance Testing
Section titled “Performance Testing”AI-Driven Load Testing
Section titled “AI-Driven Load Testing”// Intelligent load testing with AIclass AILoadTester { async generateLoadScenarios(apiSpec: OpenAPISpec) { // AI analyzes API to create realistic load patterns const patterns = await ai.analyzeProductionTraffic({ logs: await this.getAccessLogs(), duration: '30d', identify: ['peak_hours', 'user_journeys', 'geographic_distribution'] });
return { scenarios: patterns.map(pattern => ({ name: pattern.name, executor: ai.selectExecutor(pattern), startTime: pattern.timing,
// AI generates realistic virtual users vus: ai.calculateVirtualUsers({ pattern, targetLoad: pattern.expectedLoad, rampUp: pattern.rampUpStrategy }),
// AI creates test scenarios exec: ai.generateLoadTest({ endpoints: pattern.endpoints, dataVariation: pattern.dataPatterns, thinkTime: pattern.userBehavior.thinkTime, sessionLength: pattern.userBehavior.sessionDuration }) })),
// AI sets performance thresholds thresholds: ai.generateThresholds({ sla: await this.getSLARequirements(), historical: await this.getHistoricalPerformance(), businessCritical: await this.getCriticalEndpoints() }) }; }
async runIntelligentLoadTest() { const scenarios = await this.generateLoadScenarios();
// AI monitors and adapts during test const monitor = ai.createAdaptiveMonitor({ adjustLoad: true, detectAnomalies: true, predictFailures: true });
const results = await k6.run({ scenarios,
// AI adjusts load based on system response extensions: { adaptive: monitor.adapt.bind(monitor) } });
// AI analyzes results return ai.analyzePerformanceResults({ results, identifyBottlenecks: true, suggestOptimizations: true, predictScalability: true }); }}Real-Time Performance Monitoring
Section titled “Real-Time Performance Monitoring”// AI-powered API performance monitoringclass APIPerformanceMonitor { async setupIntelligentMonitoring() { return { // AI learns normal patterns baseline: await ai.establishPerformanceBaseline({ duration: '7d', endpoints: await this.getAllEndpoints(), metrics: ['latency', 'throughput', 'error_rate', 'cpu', 'memory'] }),
// AI detects anomalies anomalyDetection: ai.createAnomalyDetector({ sensitivity: 'high', algorithms: ['isolation_forest', 'lstm', 'prophet'], alertThreshold: 0.95 }),
// AI predicts issues prediction: ai.createPredictor({ models: ['time_series', 'regression', 'neural_network'], horizons: ['5m', '1h', '24h'], features: ['time', 'load', 'errors', 'dependencies'] }) }; }
async handlePerformanceAnomaly(anomaly: Anomaly) { // AI diagnoses the issue const diagnosis = await ai.diagnosePerformanceIssue({ anomaly, logs: await this.getRecentLogs(anomaly.timeRange), metrics: await this.getMetrics(anomaly.timeRange), traces: await this.getDistributedTraces(anomaly.traceIds) });
// AI suggests remediation const remediation = await ai.suggestRemediation({ diagnosis, previousIncidents: await this.getSimilarIncidents(diagnosis), systemCapabilities: await this.getSystemCapabilities() });
// AI can auto-remediate if configured if (this.config.autoRemediate && remediation.confidence > 0.9) { await this.applyRemediation(remediation); }
return { diagnosis, remediation, prediction: await ai.predictImpact(anomaly) }; }}Security Testing
Section titled “Security Testing”Comprehensive API Security Testing
Section titled “Comprehensive API Security Testing”// AI-enhanced security testingclass APISecurityTester { async performSecurityAudit(api: API) { const securityTests = { // Authentication & Authorization auth: await this.testAuthentication(api), authz: await this.testAuthorization(api),
// Injection attacks injection: await this.testInjectionVulnerabilities(api),
// Data exposure dataExposure: await this.testDataExposure(api),
// Rate limiting & DoS rateLimiting: await this.testRateLimiting(api),
// Encryption & Transport encryption: await this.testEncryption(api) };
return ai.consolidateSecurityFindings(securityTests); }
async testInjectionVulnerabilities(api: API) { const injectionPayloads = ai.generateInjectionPayloads({ types: ['sql', 'nosql', 'ldap', 'xpath', 'json', 'xml'], context: await ai.analyzeAPIContext(api), evasionTechniques: true });
const results = [];
for (const endpoint of api.endpoints) { for (const payload of injectionPayloads) { const result = await this.testEndpoint({ endpoint, payload, monitor: ['response_time', 'error_messages', 'status_codes'] });
if (ai.detectsVulnerability(result)) { results.push({ endpoint: endpoint.path, vulnerability: payload.type, severity: ai.assessSeverity(result), exploitation: ai.generateExploitProof(result), remediation: ai.suggestFix(result) }); } } }
return results; }
async testAuthentication(api: API) { const authTests = [];
// Test various authentication bypasses const bypassTechniques = ai.generateAuthBypassTechniques({ authType: api.authentication.type, knownVulnerabilities: await this.getKnownVulnerabilities(api.authentication.type) });
for (const technique of bypassTechniques) { const result = await this.attemptBypass(technique); authTests.push({ technique: technique.name, successful: result.bypassed, details: result.details, fix: result.bypassed ? ai.generateAuthFix(technique, api) : null }); }
// Test token security if (api.authentication.usesTokens) { authTests.push(...await this.testTokenSecurity(api)); }
return authTests; }}
// Example: Testing OWASP API Security Top 10describe('OWASP API Security Top 10', () => { const securityTester = new APISecurityTester();
test('API1:2023 - Broken Object Level Authorization', async () => { const results = await securityTester.testObjectLevelAuth({ endpoints: api.endpoints.filter(e => e.hasPathParameters), users: await generateTestUsers(['user', 'admin', 'guest']), strategy: 'horizontal_privilege_escalation' });
expect(results.vulnerabilities).toHaveLength(0); });
test('API2:2023 - Broken Authentication', async () => { const results = await securityTester.testAuthentication(api);
results.forEach(result => { expect(result.successful).toBe(false); if (result.successful) { console.error(`Authentication bypass: ${result.technique}`, result.fix); } }); });# Generate comprehensive security test suiteclaude "Create API security tests following OWASP API Security Top 10:
Todo:- [ ] API1: Broken Object Level Authorization tests- [ ] API2: Broken Authentication tests- [ ] API3: Broken Object Property Level Authorization- [ ] API4: Unrestricted Resource Consumption- [ ] API5: Broken Function Level Authorization- [ ] API6: Unrestricted Access to Sensitive Business Flows- [ ] API7: Server Side Request Forgery (SSRF)- [ ] API8: Security Misconfiguration- [ ] API9: Improper Inventory Management- [ ] API10: Unsafe Consumption of APIs
For each vulnerability:1. Create automated tests2. Include both positive and negative test cases3. Add injection attack vectors4. Test authentication and authorization5. Validate input sanitization6. Check for data exposure7. Generate security reports
Focus on endpoints handling sensitive data."
# Claude generates complete security test suiteMocking and Virtualization
Section titled “Mocking and Virtualization”AI-Powered API Mocking
Section titled “AI-Powered API Mocking”// Intelligent API mockingclass AIMockServer { async createIntelligentMock(openApiSpec: OpenAPISpec) { // AI analyzes spec and generates realistic responses const mockBehaviors = await ai.generateMockBehaviors({ spec: openApiSpec, realDataSamples: await this.getRealDataSamples(), businessRules: await this.getBusinessRules() });
return { routes: mockBehaviors.map(behavior => ({ path: behavior.endpoint, method: behavior.method,
handler: async (req, res) => { // AI generates contextual response const response = await ai.generateResponse({ request: req, behavior, context: { previousRequests: this.getRequestHistory(req.session), userProfile: await this.getUserProfile(req), systemState: await this.getSystemState() } });
// AI simulates realistic delays const delay = ai.calculateRealisticDelay({ endpoint: behavior.endpoint, load: this.getCurrentLoad(), complexity: behavior.complexity });
await sleep(delay);
// AI can simulate errors based on patterns if (ai.shouldSimulateError(req, behavior)) { const error = ai.generateRealisticError(behavior); return res.status(error.status).json(error.body); }
res.status(response.status).json(response.body); } })),
// AI creates stateful scenarios scenarios: ai.generateStatefulScenarios({ spec: openApiSpec, workflows: await this.getCommonWorkflows() }) }; }}GraphQL API Testing
Section titled “GraphQL API Testing”AI-Enhanced GraphQL Testing
Section titled “AI-Enhanced GraphQL Testing”// GraphQL-specific testing with AIclass GraphQLTester { async generateGraphQLTests(schema: GraphQLSchema) { const introspection = await ai.introspectSchema(schema);
return { // Query testing queries: await this.generateQueryTests(introspection),
// Mutation testing mutations: await this.generateMutationTests(introspection),
// Subscription testing subscriptions: await this.generateSubscriptionTests(introspection),
// Performance testing performance: await this.generatePerformanceTests(introspection) }; }
async generateQueryTests(introspection: IntrospectionResult) { const queries = [];
for (const type of introspection.types) { if (type.kind === 'OBJECT') { // AI generates queries of varying complexity const complexityLevels = ['simple', 'nested', 'deep', 'circular'];
for (const complexity of complexityLevels) { const query = ai.generateGraphQLQuery({ type, complexity, includeFragments: true, includeVariables: true, includeDirectives: true });
queries.push({ name: `Test ${type.name} - ${complexity}`, query, variables: ai.generateVariables(query), expectedShape: ai.predictResponseShape(query), assertions: ai.generateAssertions(type, complexity) }); } } }
return queries; }
async testGraphQLSecurity(endpoint: string) { const securityTests = [];
// Test for query depth attacks const depthAttack = ai.generateDeepQuery({ depth: 20, breadth: 5 });
securityTests.push({ name: 'Query Depth Attack', test: async () => { const response = await graphql(endpoint, depthAttack); expect(response.errors).toContainError('Query depth limit exceeded'); } });
// Test for resource exhaustion const complexityAttack = ai.generateComplexQuery({ aliases: 100, fragments: 50 });
securityTests.push({ name: 'Complexity Attack', test: async () => { const response = await graphql(endpoint, complexityAttack); expect(response.errors).toContainError('Query complexity limit exceeded'); } });
return securityTests; }}CI/CD Integration
Section titled “CI/CD Integration”Continuous API Testing
Section titled “Continuous API Testing”name: AI-Powered API Testing
on: push: paths: - 'api/**' - 'openapi.yaml' pull_request: types: [opened, synchronize]
jobs: contract-testing: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3
- name: Generate Contract Tests run: | npx ai-contract-test generate \ --spec ./openapi.yaml \ --consumers ./consumers.json \ --output ./tests/contracts
- name: Run Contract Tests run: | npx ai-contract-test run \ --parallel \ --fail-fast \ --report ./reports/contracts
- name: Analyze Breaking Changes if: github.event_name == 'pull_request' run: | npx ai-api-analyzer \ --base ${{ github.base_ref }} \ --head ${{ github.head_ref }} \ --check breaking-changes \ --suggest-migration
security-testing: runs-on: ubuntu-latest steps: - name: Run Security Scan run: | npx ai-security-test \ --api-url ${{ secrets.API_URL }} \ --auth-token ${{ secrets.API_TOKEN }} \ --owasp-top-10 \ --custom-payloads ./security/payloads.json
- name: Upload Security Report uses: actions/upload-artifact@v3 with: name: security-report path: reports/security/
performance-testing: runs-on: ubuntu-latest steps: - name: Run AI Load Test run: | npx ai-load-test \ --analyze-traffic \ --generate-scenarios \ --duration 10m \ --target-rps auto \ --fail-on-degradation 20%
- name: Performance Analysis run: | --contract-failures 0Sample Package.json Scripts
Section titled “Sample Package.json Scripts”{ "scripts": { "test:api:unit": "jest tests/api/unit --coverage", "test:api:contract": "pact-broker can-i-deploy --pacticipant api-service", "test:api:security": "newman run security-tests.postman_collection.json", "test:api:performance": "k6 run performance-tests.js", "test:api:all": "npm run test:api:unit && npm run test:api:contract && npm run test:api:security && npm run test:api:performance" }}Best Practices for AI-Powered API Testing
Section titled “Best Practices for AI-Powered API Testing”Start with OpenAPI Specs
Define your API contracts first. AI can generate 80% of your test suite automatically from well-documented specifications.
Layer Your Testing Strategy
Use the testing pyramid: Unit tests for business logic, contract tests for API boundaries, E2E tests for critical flows.
Embrace Test Data Generation
Let AI generate realistic test data that matches production patterns while maintaining privacy compliance.
Automate Security Testing
Integrate OWASP API Security Top 10 testing into your CI/CD pipeline. Security should be tested continuously.
Common Pitfalls to Avoid
Section titled “Common Pitfalls to Avoid”Essential Tools and MCP Servers
Section titled “Essential Tools and MCP Servers” REST API Tester MCP Model Context Protocol server for comprehensive API testing integration
Locust MCP Server AI-driven performance testing with Locust integration
Playwright MCP Browser automation MCP for comprehensive E2E API testing
Pact Broker Contract testing framework with CI/CD integration
Your API Testing Journey
Section titled “Your API Testing Journey”-
Start with Documentation - Ensure your APIs have comprehensive OpenAPI specifications
-
Generate Basic Tests - Use AI to create unit and contract tests from your specifications
-
Add Security Testing - Implement OWASP API Security Top 10 validation
-
Create Performance Baselines - Set up load testing with realistic user scenarios
-
Integrate with CI/CD - Automate all tests in your deployment pipeline
-
Monitor and Iterate - Use production insights to improve your test coverage
Sample Prompts to Get Started
Section titled “Sample Prompts to Get Started”For Cursor IDE:
Section titled “For Cursor IDE:”Agent: "Generate comprehensive API tests for our user management service:- Create tests from OpenAPI spec- Include authentication and authorization testing- Add input validation and error handling tests- Generate realistic test data- Include performance benchmarks"For Claude Code:
Section titled “For Claude Code:”claude "Set up complete API testing pipeline:
Todo:- [ ] Generate tests from OpenAPI specifications- [ ] Set up contract testing between services- [ ] Add OWASP API Security Top 10 validation- [ ] Create performance testing with k6- [ ] Configure CI/CD integration- [ ] Set up test data management
Focus on critical endpoints: auth, payments, user data"