Prompt (API level)
Prompt text
“Create API test cases for endpoint [METHOD /path]. List preconditions, request variations (valid/invalid/missing/edge), auth cases, rate limits, pagination, idempotency, and expected status codes/payloads.”
How to apply critical thinking
· Understand the API contract
  · Request/response schemas, required vs optional fields, business rules.
  · Authentication/authorization rules per role/tenant: which roles may call the endpoint, and whose data each caller may read or modify.
· Generate comprehensive test cases
  · Valid requests: minimal valid, full valid, typical real-world payloads.
  · Invalid/malformed: missing required fields, wrong types, extra/unknown fields, malformed JSON, oversized payloads.
  · Auth: no token, expired or malformed token, wrong role, valid token from a different tenant (the request must not touch another tenant's data).
  · Rate/pagination/idempotency: exceeding the rate limit (expect 429, plus any Retry-After header the contract promises), first/last/empty page boundaries, repeating the same request with the same idempotency key (one side effect, same response).
· Questions on ambiguities
  · What is considered a client error (4xx) vs a server error (5xx)?
  · How precisely does pagination behave when data changes between calls?
  · Are error codes and error payload formats standardized across APIs?
· What test ideas might be missed
  · Security aspects: injection through every input (body, query, headers), sensitive data leakage in responses, error message detail (stack traces, internal hostnames, database errors).
  · Backwards compatibility when fields are added/removed.
  · Localization of messages in error payloads (if applicable).
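The request-variation, auth, rate-limit and idempotency cases above, exercised as runnable code. This is an added example, not code from the original page: the POST /orders endpoint, the token fixtures, the 1024-byte and 5-request limits and the Bearer/Idempotency-Key header names are all assumptions, and the OrdersAPI class is a constructed in-memory stand-in for the service under test so the matrix runs offline.

```python
"""Test matrix for POST /orders against a constructed in-memory stub (added
example; endpoint, tokens, limits and header names are assumptions)."""
import json
import time

# Constructed fixtures: token -> claims. An exp of 0 models an expired token.
TOKENS = {
    "tok-alice":   {"tenant": "t1", "role": "buyer",  "exp": 10**10},
    "tok-bob":     {"tenant": "t2", "role": "buyer",  "exp": 10**10},
    "tok-viewer":  {"tenant": "t1", "role": "viewer", "exp": 10**10},
    "tok-expired": {"tenant": "t1", "role": "buyer",  "exp": 0},
}
MAX_BODY = 1024   # assumed request-size limit in bytes
RATE_LIMIT = 5    # assumed per-tenant request budget for the test window
VALID = b'{"sku":"A1","qty":1}'

class OrdersAPI:
    """Stand-in for the system under test: auth, role, rate limit, size,
    idempotency replay, JSON shape, in that order. Swap post_orders for a
    real HTTP call to run the same matrix against a live environment."""

    def __init__(self):
        self.orders = {}   # order_id -> record, inspected as the side effect
        self.replay = {}   # (tenant, idempotency key) -> cached response
        self.hits = {}     # tenant -> requests seen in the window

    def post_orders(self, body: bytes, headers: dict) -> tuple:
        auth = headers.get("Authorization", "")
        claims = TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None
        if claims is None or claims["exp"] < time.time():
            return 401, {"error": "unauthenticated"}
        if claims["role"] != "buyer":
            return 403, {"error": "forbidden"}
        tenant = claims["tenant"]
        self.hits[tenant] = self.hits.get(tenant, 0) + 1
        if self.hits[tenant] > RATE_LIMIT:
            return 429, {"error": "rate_limited"}
        if len(body) > MAX_BODY:
            return 413, {"error": "payload_too_large"}
        key = headers.get("Idempotency-Key")
        if key and (tenant, key) in self.replay:   # cache is scoped per tenant
            return self.replay[(tenant, key)]
        try:
            data = json.loads(body)
        except ValueError:
            return 400, {"error": "malformed_json"}
        if not isinstance(data, dict) or "sku" not in data or "qty" not in data:
            return 422, {"error": "missing_required_field"}
        if type(data["qty"]) is not int or data["qty"] < 1:   # also rejects bool
            return 422, {"error": "invalid_qty"}
        order_id = f"o{len(self.orders) + 1}"
        self.orders[order_id] = {"tenant": tenant, **data}
        resp = (201, {"id": order_id, "status": "created"})
        if key:
            self.replay[(tenant, key)] = resp
        return resp

def send(body, token=None, idem_key=None, api=None):
    """One request; a fresh stub per call unless the caller shares one."""
    api = api or OrdersAPI()
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    if idem_key:
        headers["Idempotency-Key"] = idem_key
    return api.post_orders(body, headers)

# (case id, body, token, expected status): one row per request variation.
CASES = [
    ("TC-API-001 minimal valid",  VALID,                                  "tok-alice",   201),
    ("TC-API-002 full valid",     b'{"sku":"A1","qty":2,"note":"gift"}', "tok-alice",   201),
    ("TC-API-003 missing field",  b'{"sku":"A1"}',                        "tok-alice",   422),
    ("TC-API-004 wrong type",     b'{"sku":"A1","qty":"two"}',            "tok-alice",   422),
    ("TC-API-005 malformed JSON", b'{"sku":',                             "tok-alice",   400),
    ("TC-API-006 oversized",      b'{"sku":"' + b"A" * MAX_BODY + b'"}',  "tok-alice",   413),
    ("TC-API-007 no token",       VALID,                                  None,          401),
    ("TC-API-008 expired token",  VALID,                                  "tok-expired", 401),
    ("TC-API-009 wrong role",     VALID,                                  "tok-viewer",  403),
]

def run_matrix():
    """Returns {case id: (actual status, expected status)} for the whole matrix."""
    return {cid: (send(body, token)[0], want) for cid, body, token, want in CASES}

def idempotency_check():
    """Replaying the same key: identical response and exactly one order created."""
    api = OrdersAPI()
    first = send(VALID, "tok-alice", "k-1", api)
    return first == send(VALID, "tok-alice", "k-1", api) and len(api.orders) == 1

def tenant_isolation_check():
    """Another tenant reusing the key must get its own order, not a cached reply."""
    api = OrdersAPI()
    alice = send(VALID, "tok-alice", "k-1", api)[1]
    bob = send(VALID, "tok-bob", "k-1", api)[1]
    return alice["id"] != bob["id"] and len(api.orders) == 2

def rate_limit_check():
    """RATE_LIMIT requests succeed, the next one is rejected with 429."""
    api = OrdersAPI()
    codes = [send(VALID, "tok-alice", api=api)[0] for _ in range(RATE_LIMIT + 1)]
    return codes[:RATE_LIMIT] == [201] * RATE_LIMIT and codes[-1] == 429
```

Each row of CASES corresponds to one entry under Variations in the output template below, with the expected status recorded beside it; the three dedicated checks cover the idempotency, rate-limit and multi-tenant items that a flat status-code matrix cannot express. The tenant isolation check is the one most often missed: an idempotency cache keyed only on the client-supplied key, rather than on (tenant, key), lets one tenant replay another tenant's cached response.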
Output template (API testing)
Context: [HTTP method, path, domain area (e.g., "POST /orders")]
Assumptions: [auth mechanism, versioning strategy, content type, rate limits]
Test Types: [API, security (as applicable)]
Test Cases:
ID: [TC-API-001]
Type: [API]
Title: [e.g., "Create order with minimal valid payload"]
Preconditions/Setup:
- [Existing users, auth token, seed data]
- [Feature flags on/off]
Steps:
1. [Send request with defined payload/headers/query params]
Variations:
- [Valid minimal]
- [Valid full]
- [Invalid type]
- [Missing required field]
- [Oversized payload]
- [Unauthenticated / unauthorized]
- [High-rate sequence to trigger rate limit]
Expected Results:
- [Status codes per variation]
- [Response payload, headers]
- [Side effects, e.g., DB records, events]
Cleanup:
- [Delete created entities, reset quotas if needed]
Coverage notes:
- [Covered status codes, auth paths, pagination, idempotency]
Non-functionals:
- [Latency SLAs, payload size constraints, security checks]
Data/fixtures:
- [Sample JWTs, user roles, example payloads]
Environments:
- [API test env with prod-like gateway, WAF rules if possible]
Ambiguity Questions:
- [Unclear edge behaviors on pagination, updates during reads, error code mapping]
Potential Missed Ideas:
- [Negative security tests, content-negotiation, multi-tenant isolation]