-
Notifications
You must be signed in to change notification settings - Fork 0
API Tests
Alongside browser-based visual tests, Lastest supports headless API tests — a first-class test type (testType: 'api') for exercising backend HTTP endpoints. API tests run in-process on the server with no browser and no Embedded Browser dispatch, then feed the same step-comparison and verdict pipeline as browser tests, so results, statuses, and shares work identically.
Each API test stores an ApiTestDefinition:
| Field | Description |
|---|---|
method |
GET / POST / PUT / PATCH / DELETE
|
url |
Absolute, or relative to the repository's base URL |
headers |
Request headers |
query |
Query-string parameters |
body |
Request body (JSON or raw) |
auth |
none, bearer (token), basic (username/password), or custom (arbitrary headers) |
assertions |
One or more checks against the response (see below) |
timeoutMs |
Optional per-request timeout |
| Kind | Checks |
|---|---|
status |
Exact status code (equals) or one of a set (in) |
header |
A response header's value |
jsonPath |
A dot-path into the JSON response body |
jsonSchema |
The response body validates against a JSON schema |
bodyContains |
The raw body contains a substring |
latencyMs |
Response latency is under a threshold |
Each run persists a result with passed, statusCode, latencyMs, per-assertion outcomes (expected vs actual), an optional responseSnippet, and any error — surfaced on the test's Success Criteria tab just like expect() assertions in browser tests.
- From captured network calls — Lastest can turn a real request observed during a browser run into a reproducible API test (method, URL, headers, payload), so you can assert on the backend behind a UI flow.
- By hand — define the request and assertions directly.
API endpoints can be fired as a burst of concurrent requests (a lightweight load check). SSRF validation runs once up front for the burst, and every connection is still re-validated at connect time.
API tests can target arbitrary URLs from the server, so every request is SSRF-guarded: hostnames are resolved and validated, and metadata / link-local / private ranges are blocked (matching the Embedded Browser egress policy).
Lastest Wiki
Getting Started
Core Features
- Visual Diffing
- AI Configuration
- Fix-the-App Advisor
- Agent Monitoring
- Public Shares
- Gamification
- Scheduled Runs
- Bug Reports
- Settings Reference
Integrations
- GitHub Integration
- GitLab Integration
- Google Sheets Integration
- Custom Webhooks
- VSCode Extension API
- MCP Server
Deployment & CI
Administration
Reference