Skip to content

API Tests

ewyct edited this page Jul 4, 2026 · 1 revision

API Tests

Alongside browser-based visual tests, Lastest supports headless API tests — a first-class test type (testType: 'api') for exercising backend HTTP endpoints. API tests run in-process on the server with no browser and no Embedded Browser dispatch, then feed the same step-comparison and verdict pipeline as browser tests, so results, statuses, and shares work identically.


What an API test defines

Each API test stores an ApiTestDefinition:

Field Description
method GET / POST / PUT / PATCH / DELETE
url Absolute, or relative to the repository's base URL
headers Request headers
query Query-string parameters
body Request body (JSON or raw)
auth none, bearer (token), basic (username/password), or custom (arbitrary headers)
assertions One or more checks against the response (see below)
timeoutMs Optional per-request timeout

Assertions

Kind Checks
status Exact status code (equals) or one of a set (in)
header A response header's value
jsonPath A dot-path into the JSON response body
jsonSchema The response body validates against a JSON schema
bodyContains The raw body contains a substring
latencyMs Response latency is under a threshold

Result

Each run persists a result with passed, statusCode, latencyMs, per-assertion outcomes (expected vs actual), an optional responseSnippet, and any error — surfaced on the test's Success Criteria tab just like expect() assertions in browser tests.


Creating API tests

  • From captured network calls — Lastest can turn a real request observed during a browser run into a reproducible API test (method, URL, headers, payload), so you can assert on the backend behind a UI flow.
  • By hand — define the request and assertions directly.

Load / burst runner

API endpoints can be fired as a burst of concurrent requests (a lightweight load check). SSRF validation runs once up front for the burst, and every connection is still re-validated at connect time.


Security

API tests can target arbitrary URLs from the server, so every request is SSRF-guarded: hostnames are resolved and validated, and metadata / link-local / private ranges are blocked (matching the Embedded Browser egress policy).


See also

Clone this wiki locally