# **Chapter 21: REST API Testing**

---

## **21.1 Introduction to REST API Testing**

### **What is REST API Testing?**

**REST API Testing** is the process of validating RESTful web services to ensure they function correctly, meet requirements, and adhere to their specifications. Unlike UI testing which validates the presentation layer, API testing validates the **business logic layer** directlyâ€”making it faster, more stable, and earlier in the development pipeline.

**Why REST API Testing is Critical:**

1. **Speed:** API tests execute 10-100x faster than UI tests (milliseconds vs seconds)
2. **Stability:** No DOM changes, CSS issues, or JavaScript flakiness
3. **Early Testing:** Test APIs before UI is built (shift-left)
4. **System Integration:** Verify microservices communicate correctly
5. **Security:** Test authentication and authorization directly
6. **Load Testing:** APIs are the entry point for performance testing

**The REST API Testing Process:**
```
1. Understand API Specification (OpenAPI/Swagger)
2. Design Test Cases (Happy path, edge cases, error scenarios)
3. Set Up Test Environment and Data
4. Execute Requests (Automated)
5. Validate Responses (Status, headers, body, schema)
6. Report and Analyze Results
```

---

## **21.2 REST Architecture Deep Dive**

### **REST Constraints and Principles**

**REST (Representational State Transfer)** is an architectural style defined by Roy Fielding in 2000. True RESTful APIs adhere to six constraints:

#### **1. Client-Server Architecture**
Separation of concerns: UI concerns (client) are separated from data storage concerns (server).

```python
# Client (Test) doesn't care about server implementation
# Only cares about the interface contract

def test_client_server_separation():
    """Client only knows the API contract, not implementation"""
    response = requests.get("https://api.example.com/users/123")
    
    # Client validates contract:
    # - Status code 200
    # - JSON format
    # - Required fields present
    
    assert response.status_code == 200
    data = response.json()
    assert "id" in data
    assert "name" in data
    
    # Client doesn't know if server uses:
    # - SQL database or NoSQL
    # - Python/Java/Node.js
    # - AWS or Azure
```

#### **2. Statelessness**
Each request from client to server must contain all information necessary to understand and process the request. The server does not store any client context between requests.

```python
def test_statelessness():
    """Each request is independent"""
    # Request 1: Get user
    response1 = requests.get(
        "https://api.example.com/users/123",
        headers={"Authorization": "Bearer token123"}
    )
    assert response1.status_code == 200
    
    # Request 2: Update user (must include auth again)
    response2 = requests.patch(
        "https://api.example.com/users/123",
        headers={"Authorization": "Bearer token123"},  # Required again!
        json={"name": "New Name"}
    )
    assert response2.status_code == 200
    
    # Server doesn't "remember" previous auth
    # Each request is self-contained
```

#### **3. Cacheability**
Responses must implicitly or explicitly define themselves as cacheable or non-cacheable.

```python
def test_cache_headers():
    """Verify caching directives"""
    response = requests.get("https://api.example.com/users/123")
    
    # Check cache headers
    cache_control = response.headers.get("Cache-Control", "")
    
    if "no-cache" in cache_control or "no-store" in cache_control:
        print("Response explicitly non-cacheable")
    elif "max-age" in cache_control:
        max_age = int(cache_control.split("max-age=")[1].split(",")[0])
        print(f"Cacheable for {max_age} seconds")
    
    # ETag for conditional requests
    etag = response.headers.get("ETag")
    if etag:
        # Subsequent request with If-None-Match should return 304
        cached_response = requests.get(
            "https://api.example.com/users/123",
            headers={"If-None-Match": etag}
        )
        assert cached_response.status_code == 304  # Not Modified
```

#### **4. Uniform Interface**

**Four sub-constraints:**

**a) Resource Identification:** Resources are identified in requests using URIs.

```python
# Good REST - Resource identified in URI
GET /users/123          # Get user 123
GET /users/123/orders   # Get orders for user 123
GET /orders/456         # Get order 456 (independent resource)

# Not RESTful - Using query params for resource ID
GET /getUser?id=123     # RPC style, not REST
```

**b) Resource Manipulation through Representations:** Clients manipulate resources through representations (JSON, XML) they receive.

```python
# Client receives representation
response = requests.get("https://api.example.com/users/123")
user = response.json()  # Representation

# Client manipulates representation
user["name"] = "New Name"

# Client sends back representation
requests.put(
    "https://api.example.com/users/123",
    json=user  # Updated representation
)
```

**c) Self-Descriptive Messages:** Each message includes enough information to describe how to process it.

```python
# Self-descriptive: Content-Type tells how to parse
headers = {
    "Content-Type": "application/json",  # Parse as JSON
    "Accept": "application/json",         # Expect JSON back
    "Authorization": "Bearer token",      # How to authenticate
    "Accept-Language": "en-US"            # Preferred language
}
```

**d) Hypermedia as the Engine of Application State (HATEOAS):** Responses include links to related resources and possible actions.

```python
def test_hateoas_links(self):
    """Verify API returns navigation links"""
    response = requests.get("https://api.example.com/users/123")
    data = response.json()
    
    # HATEOAS: Links to related actions
    assert "_links" in data or "links" in data
    links = data.get("_links", data.get("links", {}))
    
    # Self link
    assert "self" in links
    assert links["self"]["href"] == "/users/123"
    
    # Related links
    assert "edit" in links  # How to edit
    assert "delete" in links  # How to delete
    assert "orders" in links  # Related resource
    
    # Client can navigate without hardcoding URLs
    orders_url = links["orders"]["href"]
    orders_response = requests.get(f"https://api.example.com{orders_url}")
    assert orders_response.status_code == 200
```

---

## **21.3 Authentication Mechanisms**

### **Basic Authentication**

```python
import requests
from requests.auth import HTTPBasicAuth

class TestBasicAuth:
    """HTTP Basic Authentication (Base64 encoded username:password)"""
    
    def test_basic_auth_success(self):
        """Successful authentication"""
        response = requests.get(
            "https://api.example.com/protected",
            auth=HTTPBasicAuth("username", "password")
            # Or shorthand: auth=("username", "password")
        )
        
        assert response.status_code == 200
        
        # Verify we got protected data
        data = response.json()
        assert "sensitive_data" in data
    
    def test_basic_auth_failure(self):
        """Invalid credentials rejected"""
        response = requests.get(
            "https://api.example.com/protected",
            auth=("wrong", "wrong")
        )
        
        assert response.status_code == 401
        
        # Verify WWW-Authenticate header present
        assert "WWW-Authenticate" in response.headers
    
    def test_basic_auth_header_format(self):
        """Verify Authorization header format"""
        import base64
        
        username = "testuser"
        password = "testpass"
        
        # Expected format: Basic base64(username:password)
        credentials = f"{username}:{password}"
        encoded = base64.b64encode(credentials.encode()).decode()
        
        expected_header = f"Basic {encoded}"
        
        # Verify by making request and checking actual header sent
        # (Would need request interception or proxy to verify)
        
        # Or test decoding
        decoded = base64.b64decode(encoded).decode()
        assert decoded == credentials
```

### **Bearer Token Authentication (JWT)**

```python
import jwt
import datetime

class TestBearerTokenAuth:
    """OAuth 2.0 / JWT Bearer Token authentication"""
    
    def test_bearer_token_success(self):
        """Authenticate with Bearer token"""
        # First, obtain token (login endpoint)
        login_response = requests.post(
            "https://api.example.com/auth/login",
            json={"username": "test", "password": "test"}
        )
        
        assert login_response.status_code == 200
        token = login_response.json()["access_token"]
        
        # Use token for authenticated request
        response = requests.get(
            "https://api.example.com/protected",
            headers={"Authorization": f"Bearer {token}"}
        )
        
        assert response.status_code == 200
    
    def test_jwt_token_structure(self):
        """Verify JWT token structure"""
        # Sample JWT: header.payload.signature
        token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
        
        # Decode without verification (for inspection)
        try:
            decoded = jwt.decode(token, options={"verify_signature": False})
            
            assert "sub" in decoded  # Subject
            assert "iat" in decoded  # Issued at
            assert "exp" in decoded or True  # Expiration (optional in this token)
            
        except jwt.DecodeError:
            pass  # Invalid token format
    
    def test_token_expiration(self):
        """Handle expired tokens"""
        # Use expired token
        expired_token = "eyJhbGciOiJIUzI1NiIs..."  # Expired
        
        response = requests.get(
            "https://api.example.com/protected",
            headers={"Authorization": f"Bearer {expired_token}"}
        )
        
        # Should return 401 Unauthorized
        assert response.status_code == 401
        
        data = response.json()
        assert "expired" in data.get("message", "").lower() or \
               "invalid" in data.get("message", "").lower()
    
    def test_refresh_token_flow(self):
        """Test token refresh mechanism"""
        # Initial login
        login_resp = requests.post(
            "https://api.example.com/auth/login",
            json={"username": "test", "password": "test"}
        )
        
        access_token = login_resp.json()["access_token"]
        refresh_token = login_resp.json()["refresh_token"]
        
        # Use access token
        resp1 = requests.get(
            "https://api.example.com/data",
            headers={"Authorization": f"Bearer {access_token}"}
        )
        assert resp1.status_code == 200
        
        # Simulate token expiration (wait or use expired token)
        # Then refresh
        refresh_resp = requests.post(
            "https://api.example.com/auth/refresh",
            json={"refresh_token": refresh_token}
        )
        
        assert refresh_resp.status_code == 200
        new_access_token = refresh_resp.json()["access_token"]
        
        # New token works
        resp2 = requests.get(
            "https://api.example.com/data",
            headers={"Authorization": f"Bearer {new_access_token}"}
        )
        assert resp2.status_code == 200
```

### **API Key Authentication**

```python
class TestAPIKeyAuth:
    """API Key authentication patterns"""
    
    def test_header_api_key(self):
        """API key in header (most common)"""
        response = requests.get(
            "https://api.example.com/data",
            headers={"X-API-Key": "your-api-key-here"}
        )
        
        assert response.status_code == 200
    
    def test_query_param_api_key(self):
        """API key in URL (less secure, but common)"""
        response = requests.get(
            "https://api.example.com/data",
            params={"api_key": "your-api-key-here"}
        )
        
        assert response.status_code == 200
    
    def test_api_key_missing(self):
        """Request without API key rejected"""
        response = requests.get("https://api.example.com/data")
        
        assert response.status_code == 401
        assert "api key" in response.json().get("message", "").lower()
    
    def test_api_key_invalid(self):
        """Invalid API key rejected"""
        response = requests.get(
            "https://api.example.com/data",
            headers={"X-API-Key": "invalid-key"}
        )
        
        assert response.status_code == 401
```

---

## **21.4 Response Validation and Schema Testing**

### **JSON Schema Validation**

```python
import jsonschema
from jsonschema import validate, ValidationError

class TestSchemaValidation:
    """Validating API responses against schemas"""
    
    def test_user_schema_validation(self):
        """Validate user object structure"""
        # Define JSON Schema
        user_schema = {
            "type": "object",
            "required": ["id", "name", "email"],
            "properties": {
                "id": {
                    "type": "integer",
                    "minimum": 1
                },
                "name": {
                    "type": "string",
                    "minLength": 1,
                    "maxLength": 100
                },
                "email": {
                    "type": "string",
                    "format": "email"
                },
                "age": {
                    "type": "integer",
                    "minimum": 0,
                    "maximum": 150
                },
                "role": {
                    "type": "string",
                    "enum": ["admin", "user", "guest"]
                },
                "created_at": {
                    "type": "string",
                    "format": "date-time"
                },
                "is_active": {
                    "type": "boolean"
                },
                "address": {
                    "type": "object",
                    "properties": {
                        "street": {"type": "string"},
                        "city": {"type": "string"},
                        "zip": {"type": "string", "pattern": "^[0-9]{5}$"}
                    }
                }
            },
            "additionalProperties": False  # Reject unknown fields
        }
        
        # Get actual response
        response = requests.get("https://api.example.com/users/123")
        data = response.json()
        
        # Validate
        try:
            validate(instance=data, schema=user_schema)
            print("âœ“ Schema validation passed")
        except ValidationError as e:
            print(f"âœ— Schema validation failed: {e.message}")
            print(f"Path: {list(e.path)}")
            raise
    
    def test_array_schema_validation(self):
        """Validate list responses"""
        list_schema = {
            "type": "array",
            "items": {
                "type": "object",
                "required": ["id", "name"],
                "properties": {
                    "id": {"type": "integer"},
                    "name": {"type": "string"}
                }
            },
            "minItems": 0,
            "maxItems": 100
        }
        
        response = requests.get("https://api.example.com/users")
        data = response.json()
        
        validate(instance=data, schema=list_schema)
    
    def test_dynamic_schema_validation(self):
        """Schema validation with dynamic data types"""
        # Sometimes fields can be multiple types (string or null)
        flexible_schema = {
            "type": "object",
            "properties": {
                "nickname": {
                    "oneOf": [
                        {"type": "string"},
                        {"type": "null"}
                    ]
                },
                "age": {
                    "anyOf": [
                        {"type": "integer"},
                        {"type": "string", "pattern": "^[0-9]+$"}
                    ]
                }
            }
        }
        
        response = requests.get("https://api.example.com/users/123")
        validate(instance=response.json(), schema=flexible_schema)
```

### **Response Data Extraction and Assertions**

```python
class TestResponseValidation:
    """Comprehensive response validation techniques"""
    
    def test_json_path_extraction(self):
        """Extract nested data using JSONPath-like queries"""
        import json
        
        response = requests.get("https://api.example.com/orders/123")
        data = response.json()
        
        # Manual nested access
        customer_name = data["customer"]["profile"]["name"]
        assert customer_name == "John Doe"
        
        # Safe nested access (handles missing keys)
        def safe_get(obj, path, default=None):
            keys = path.split(".")
            for key in keys:
                if isinstance(obj, dict) and key in obj:
                    obj = obj[key]
                else:
                    return default
            return obj
        
        # Usage
        phone = safe_get(data, "customer.profile.phone", "N/A")
        assert phone is not None
        
        # List extraction
        items = data["order"]["items"]
        assert len(items) > 0
        
        # Find specific item in list
        expensive_item = next(
            (item for item in items if item["price"] > 100),
            None
        )
        assert expensive_item is not None
    
    def test_response_time_assertions(self):
        """Validate API performance"""
        import time
        
        # Measure response time
        start = time.time()
        response = requests.get("https://api.example.com/users")
        duration = time.time() - start
        
        print(f"Response time: {duration:.3f}s")
        
        # Assert performance SLA
        assert duration < 1.0, f"API too slow: {duration}s"
        
        # Check server-side timing header (if present)
        server_time = response.headers.get("X-Response-Time")
        if server_time:
            print(f"Server processing: {server_time}")
    
    def test_response_header_validation(self):
        """Comprehensive header checks"""
        response = requests.get("https://api.example.com/users/123")
        
        # Content negotiation
        assert response.headers["Content-Type"] == "application/json; charset=utf-8"
        
        # Security headers
        security_headers = {
            "X-Content-Type-Options": "nosniff",
            "X-Frame-Options": "DENY",
            "X-XSS-Protection": "1; mode=block",
            "Strict-Transport-Security": "max-age=31536000"
        }
        
        for header, expected in security_headers.items():
            if header in response.headers:
                assert expected in response.headers[header]
        
        # Caching headers
        if "Cache-Control" in response.headers:
            cache = response.headers["Cache-Control"]
            assert any(directive in cache for directive in 
                      ["no-cache", "no-store", "max-age", "private", "public"])
        
        # Rate limiting headers (common in APIs)
        if "X-RateLimit-Limit" in response.headers:
            limit = int(response.headers["X-RateLimit-Limit"])
            remaining = int(response.headers["X-RateLimit-Remaining"])
            assert remaining <= limit
    
    def test_content_negotiation(self):
        """Test API serves correct format based on Accept header"""
        # Request JSON
        json_response = requests.get(
            "https://api.example.com/users/123",
            headers={"Accept": "application/json"}
        )
        assert json_response.headers["Content-Type"] == "application/json"
        
        # Request XML (if supported)
        xml_response = requests.get(
            "https://api.example.com/users/123",
            headers={"Accept": "application/xml"}
        )
        if xml_response.status_code == 200:
            assert "xml" in xml_response.headers["Content-Type"]
            
            # Parse XML
            import xml.etree.ElementTree as ET
            root = ET.fromstring(xml_response.content)
            assert root.find("name") is not None
        
        # Unsupported format
        html_response = requests.get(
            "https://api.example.com/users/123",
            headers={"Accept": "text/html"}
        )
        # Should return 406 Not Acceptable or default to JSON
        assert html_response.status_code in [200, 406]
```

---

## **21.5 Testing Tools and Frameworks**

### **Python: requests + pytest**

```python
# conftest.py - Shared fixtures
import pytest
import requests

@pytest.fixture(scope="session")
def api_client():
    """Session-scoped API client"""
    session = requests.Session()
    session.headers.update({
        "Content-Type": "application/json",
        "Accept": "application/json"
    })
    yield session
    session.close()

@pytest.fixture(scope="session")
def base_url():
    return "https://api.example.com/v1"

@pytest.fixture
def auth_token(api_client, base_url):
    """Get authentication token"""
    response = api_client.post(f"{base_url}/auth/login", json={
        "username": "test",
        "password": "test"
    })
    assert response.status_code == 200
    return response.json()["access_token"]

# test_users.py
class TestUserAPI:
    """User API test suite"""
    
    def test_list_users(self, api_client, base_url):
        """GET /users"""
        response = api_client.get(f"{base_url}/users")
        
        assert response.status_code == 200
        data = response.json()
        
        assert isinstance(data, list)
        assert len(data) > 0
        
        # Schema validation
        user = data[0]
        assert "id" in user
        assert "name" in user
        assert isinstance(user["id"], int)
    
    def test_create_user(self, api_client, base_url, auth_token):
        """POST /users"""
        payload = {
            "name": "Test User",
            "email": "test@example.com",
            "role": "user"
        }
        
        response = api_client.post(
            f"{base_url}/users",
            json=payload,
            headers={"Authorization": f"Bearer {auth_token}"}
        )
        
        assert response.status_code == 201
        
        # Verify response contains created resource
        data = response.json()
        assert data["id"] is not None
        assert data["name"] == payload["name"]
        
        # Verify Location header
        assert "Location" in response.headers
        assert str(data["id"]) in response.headers["Location"]
        
        # Cleanup
        user_id = data["id"]
        api_client.delete(
            f"{base_url}/users/{user_id}",
            headers={"Authorization": f"Bearer {auth_token}"}
        )
    
    def test_user_not_found(self, api_client, base_url):
        """GET /users/{id} - 404 case"""
        response = api_client.get(f"{base_url}/users/999999")
        
        assert response.status_code == 404
        
        data = response.json()
        assert "error" in data or "message" in data
    
    def test_update_user(self, api_client, base_url, auth_token):
        """PUT /users/{id}"""
        # Create user first
        create_resp = api_client.post(
            f"{base_url}/users",
            json={"name": "Original", "email": "orig@example.com"},
            headers={"Authorization": f"Bearer {auth_token}"}
        )
        user_id = create_resp.json()["id"]
        
        try:
            # Full update
            update_payload = {
                "id": user_id,
                "name": "Updated Name",
                "email": "updated@example.com",
                "role": "admin"
            }
            
            response = api_client.put(
                f"{base_url}/users/{user_id}",
                json=update_payload,
                headers={"Authorization": f"Bearer {auth_token}"}
            )
            
            assert response.status_code == 200
            
            # Verify update
            get_resp = api_client.get(f"{base_url}/users/{user_id}")
            data = get_resp.json()
            assert data["name"] == "Updated Name"
            assert data["email"] == "updated@example.com"
            
        finally:
            # Cleanup
            api_client.delete(
                f"{base_url}/users/{user_id}",
                headers={"Authorization": f"Bearer {auth_token}"}
            )
```

### **Java: REST Assured**

```java
// pom.xml dependencies
/*
<dependency>
    <groupId>io.rest-assured</groupId>
    <artifactId>rest-assured</artifactId>
    <version>5.3.2</version>
    <scope>test</scope>
</dependency>
<dependency>
    <groupId>org.hamcrest</groupId>
    <artifactId>hamcrest</artifactId>
    <version>2.2</version>
    <scope>test</scope>
</dependency>
*/

import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import io.restassured.response.Response;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import static io.restassured.RestAssured.*;
import static org.hamcrest.Matchers.*;

public class UserAPITest {
    
    @BeforeAll
    public static void setup() {
        RestAssured.baseURI = "https://api.example.com";
        RestAssured.basePath = "/v1";
    }
    
    @Test
    public void testGetUser() {
        given()
            .pathParam("id", 123)
        .when()
            .get("/users/{id}")
        .then()
            .statusCode(200)
            .contentType(ContentType.JSON)
            .body("id", equalTo(123))
            .body("name", notNullValue())
            .body("email", containsString("@"));
    }
    
    @Test
    public void testCreateUser() {
        String requestBody = """
            {
                "name": "Test User",
                "email": "test@example.com",
                "role": "user"
            }
            """;
        
        given()
            .contentType(ContentType.JSON)
            .body(requestBody)
            .header("Authorization", "Bearer " + getAuthToken())
        .when()
            .post("/users")
        .then()
            .statusCode(201)
            .header("Location", containsString("/users/"))
            .body("id", notNullValue())
            .body("created_at", notNullValue());
    }
    
    @Test
    public void testUpdateUser() {
        given()
            .pathParam("id", 123)
            .contentType(ContentType.JSON)
            .body("{\"name\": \"Updated Name\"}")
            .header("Authorization", "Bearer token")
        .when()
            .put("/users/{id}")
        .then()
            .statusCode(200)
            .body("name", equalTo("Updated Name"))
            .body("id", equalTo(123));  // ID unchanged
    
    @Test
    public void testDeleteUser() {
        given()
            .pathParam("id", 123)
            .header("Authorization", "Bearer token")
        .when()
            .delete("/users/{id}")
        .then()
            .statusCode(204)
            .body(emptyOrNullString());  // No body for 204
    
    @Test
    public void testAuthenticationFailure() {
        given()
            .header("Authorization", "Bearer invalid_token")
        .when()
            .get("/protected")
        .then()
            .statusCode(401)
            .body("error", equalTo("Unauthorized"))
            .body("message", containsString("token"));
    }
    
    private String getAuthToken() {
        // Helper to get auth token
        return given()
            .contentType(ContentType.JSON)
            .body("{\"username\":\"test\",\"password\":\"test\"}")
            .post("/auth/login")
            .jsonPath()
            .getString("access_token");
    }
}
```

---

## **21.4 Advanced API Testing Patterns**

### **Data-Driven API Testing**

```python
import pytest
import csv
import json

class TestDataDrivenAPI:
    """Data-driven API testing"""
    
    @pytest.mark.parametrize("user_data", [
        {"name": "Alice", "email": "alice@example.com", "expected_status": 201},
        {"name": "Bob", "email": "bob@example.com", "expected_status": 201},
        {"name": "", "email": "invalid", "expected_status": 422},  # Invalid
        {"name": "Charlie", "email": "duplicate@example.com", "expected_status": 409},  # Duplicate
    ])
    def test_create_user_scenarios(self, user_data):
        """Test multiple scenarios with different data"""
        payload = {
            "name": user_data["name"],
            "email": user_data["email"]
        }
        
        response = requests.post(
            "https://api.example.com/users",
            json=payload
        )
        
        assert response.status_code == user_data["expected_status"]
        
        if user_data["expected_status"] == 201:
            assert "id" in response.json()
        elif user_data["expected_status"] == 422:
            assert "errors" in response.json() or "message" in response.json()
    
    def test_from_csv_file(self):
        """Load test data from CSV"""
        with open("test_data/api_tests.csv") as f:
            reader = csv.DictReader(f)
            for row in reader:
                # CSV columns: method, endpoint, payload, expected_status
                method = row["method"]
                endpoint = row["endpoint"]
                payload = json.loads(row["payload"]) if row["payload"] else None
                expected = int(row["expected_status"])
                
                # Execute request
                func = getattr(requests, method.lower())
                kwargs = {"url": f"https://api.example.com{endpoint}"}
                if payload:
                    kwargs["json"] = payload
                
                response = func(**kwargs)
                assert response.status_code == expected, \
                    f"Failed for {method} {endpoint}: expected {expected}, got {response.status_code}"
```

### **Handling Pagination**

```python
class TestPagination:
    """Testing paginated API responses"""
    
    def test_offset_pagination(self):
        """Test offset/limit pagination"""
        all_items = []
        page = 1
        limit = 10
        
        while True:
            response = requests.get(
                "https://api.example.com/items",
                params={"page": page, "limit": limit}
            )
            
            data = response.json()
            items = data["items"]
            
            if not items:
                break
            
            all_items.extend(items)
            
            # Verify pagination metadata
            assert data["page"] == page
            assert data["limit"] == limit
            assert "total" in data or "total_pages" in data
            
            page += 1
            
            # Safety limit
            if page > 100:
                break
        
        # Verify all items retrieved
        assert len(all_items) > 0
    
    def test_cursor_pagination(self):
        """Test cursor-based pagination (more efficient for large datasets)"""
        all_items = []
        cursor = None
        
        for _ in range(10):  # Limit iterations for test
            params = {"limit": 10}
            if cursor:
                params["cursor"] = cursor
            
            response = requests.get(
                "https://api.example.com/items",
                params=params
            )
            
            data = response.json()
            items = data["data"]
            
            if not items:
                break
            
            all_items.extend(items)
            
            # Get next cursor
            cursor = data.get("next_cursor")
            if not cursor:
                break
        
        assert len(all_items) > 0
    
    def test_pagination_consistency(self):
        """Verify pagination doesn't skip or duplicate items"""
        # Get page 1
        page1 = requests.get(
            "https://api.example.com/items",
            params={"page": 1, "limit": 5}
        ).json()["items"]
        
        # Get page 2
        page2 = requests.get(
            "https://api.example.com/items",
            params={"page": 2, "limit": 5}
        ).json()["items"]
        
        # Verify no overlap (assuming unique IDs)
        page1_ids = {item["id"] for item in page1}
        page2_ids = {item["id"] for item in page2}
        
        assert len(page1_ids.intersection(page2_ids)) == 0, \
            "Pagination overlap detected"
```

---

## **Chapter Summary**

### **Key Takeaways:**

1. **REST Principles:** Stateless, client-server, cacheable, uniform interface. Resources identified by URIs, manipulated through representations.

2. **HTTP Methods:** GET (retrieve), POST (create), PUT (full update), PATCH (partial update), DELETE (remove). Understand idempotency and safety.

3. **Status Codes:** 2xx (success), 3xx (redirect), 4xx (client error), 5xx (server error). Each code has specific semantics.

4. **Authentication:** Basic Auth (Base64), Bearer tokens (JWT), API Keys (header/query), OAuth 2.0 (authorization framework). Test token expiration and refresh flows.

5. **Request Construction:** Headers (Content-Type, Accept, Authorization), query parameters, path variables, body (JSON, form-data, multipart).

6. **Response Validation:** Status codes, headers, body content, JSON schema validation. Use libraries like `jsonschema` (Python) or `json-schema-validator` (Java).

7. **Data-Driven Testing:** Parameterize tests with multiple data sets. Use CSV, JSON, or databases for test data.

8. **Pagination:** Test offset/limit and cursor-based pagination. Verify no duplicates or skipped items across pages.

9. **Error Handling:** Verify 4xx/5xx responses have proper error structures. Test validation errors, authentication failures, and not-found scenarios.

10. **Contract Testing:** Verify API adheres to its specification (OpenAPI). Check backward compatibility when versions change.

### **Tools Summary:**

| **Language** | **Library** | **Best For** |
|--------------|-------------|--------------|
| **Python** | `requests` + `pytest` | Simplicity, readability |
| **Python** | `httpx` | Async support, HTTP/2 |
| **Java** | REST Assured | Fluent DSL, powerful matchers |
| **JavaScript** | `axios` + `jest` | Node.js environments |
| **JavaScript** | `supertest` | Express app testing |
| **C#** | RestSharp | .NET ecosystem |
| **Ruby** | HTTParty | Ruby simplicity |

---

## **ðŸ“– Next Chapter: Chapter 22 - API Testing Tools**

Now that you understand REST API testing fundamentals, **Chapter 22** explores the **specialized tools and frameworks** that make API testing more efficient and powerful.

In **Chapter 22**, you'll explore:

- **Postman:** The industry-standard API client for manual and automated testing
- **REST Assured:** Java DSL for powerful API testing with fluent syntax
- **Karate:** BDD-style API testing framework with built-in assertions
- **Insomnia:** Modern alternative to Postman with GraphQL support
- **Swagger/OpenAPI Tools:** Code generation and validation from API specs
- **Contract Testing Tools:** Pact for consumer-driven contract testing
- **Performance Testing:** k6 and JMeter for API load testing
- **Security Testing:** OWASP ZAP for API security scanning

**Why Chapter 22 is Critical:** While you can test APIs with basic HTTP libraries, specialized tools provide features like test organization, environment management, automated reporting, and CI/CD integration that are essential for professional API testing at scale.

**Continue to Chapter 22 to master the tools that professional API testers use every day!**