The different layers of API testing
API testing is not a single activity; it spans multiple layers. The hierarchy we apply on AIOR projects: contract tests (the bottom layer), integration tests, end-to-end tests, performance tests, security tests. Each layer has a different purpose and cost.
Contract testing — with Pact
In a microservice architecture, consumer and provider agreeing on a contract is critical. The consumer-driven contract testing pattern: consumers write the contract describing what they expect from the provider, and the provider stays compliant with it. Pact is the standard tool on AIOR projects.
Advantage: avoiding the high cost of integration tests and catching breaking changes early.
Integration test — with real dependencies
Unlike unit tests, these run against a real database, a real API and a real queue. At AIOR we use testcontainers (Java/Kotlin, JS, Python) to start real PostgreSQL, Redis and RabbitMQ instances. Each test suite runs in its own isolated environment.
Postman and Newman — manual and automated
Postman is indispensable for API developers: the Postman UI for manual exploration, Newman (the CLI Postman runner) in CI. On AIOR projects we keep a Postman collection for every API endpoint; it also serves as user documentation.
Schema testing — OpenAPI validation
Conformance of API responses to the OpenAPI spec can be tested. Tools such as Dredd and Schemathesis read the OpenAPI spec and generate tests from it automatically. On AIOR projects we run Schemathesis in CI for every PR, so backward-compatibility breaks are caught.
Authentication and authorisation tests
If API security is not tested, surprises in production are inevitable. AIOR's security test routine:
- Authenticated endpoints must return 401 when accessed without a token.
- Access with the wrong role must return 403.
- An expired token must return 401.
- SQL injection inputs must be rejected.
- Mass-assignment protection must be tested.
- The rate limit must work correctly.
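The routine above written as an executable check suite, as an added example that is not AIOR's code: the checks take any `(method, path, token, body) -> (status, payload)` client, so the same suite can be pointed at a real service; the in-memory `stub_api`, its token table and the `PATCHABLE_FIELDS` allow-list are constructed here so the suite runs offline.

```python
import time

# Constructed in-memory stand-in for the API under test (not a real service);
# it exists so the checks below run offline. Tokens map to (role, expiry).
TOKENS = {
    "alice-token": ("user", time.time() + 3600),
    "root-token": ("admin", time.time() + 3600),
    "stale-token": ("admin", time.time() - 60),
}
PATCHABLE_FIELDS = {"display_name", "email"}   # allow-list for PATCH /me
RATE_LIMIT = 5                                 # accepted requests per token
_request_count = {}

def stub_api(method, path, token=None, body=None):
    """Returns (status, payload) the way a hardened endpoint should."""
    if token not in TOKENS:
        return 401, {"error": "missing or invalid token"}
    role, expires_at = TOKENS[token]
    if expires_at < time.time():
        return 401, {"error": "token expired"}
    _request_count[token] = _request_count.get(token, 0) + 1
    if _request_count[token] > RATE_LIMIT:
        return 429, {"error": "rate limited"}
    if path.startswith("/admin") and role != "admin":
        return 403, {"error": "forbidden"}
    if method == "PATCH" and path == "/me":
        unknown = set(body or {}) - PATCHABLE_FIELDS   # mass-assignment guard
        if unknown:
            return 400, {"error": f"unknown fields: {sorted(unknown)}"}
        return 200, {"updated": sorted(body or {})}
    return 200, {"ok": True}

def run_security_checks(api):
    """The routine as executable checks; returns the names of the checks that failed."""
    results = {
        "no_token_401": api("GET", "/me")[0] == 401,
        "expired_token_401": api("GET", "/me", "stale-token")[0] == 401,
        "wrong_role_403": api("GET", "/admin/users", "alice-token")[0] == 403,
        "mass_assignment_rejected": api("PATCH", "/me", "alice-token",
                                        {"display_name": "A", "role": "admin"})[0] == 400,
        "allowed_patch_200": api("PATCH", "/me", "alice-token",
                                 {"display_name": "A"})[0] == 200,
    }
    # Rate limit: after RATE_LIMIT accepted requests the next one must be 429.
    statuses = [api("GET", "/me", "root-token")[0] for _ in range(RATE_LIMIT + 1)]
    results["rate_limit_429"] = statuses[-1] == 429 and 429 not in statuses[:RATE_LIMIT]
    return [name for name, passed in results.items() if not passed]
```

A permissive API (one that answers 200 to everything) makes every check name show up in the returned list, which is what the CI job should fail on.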
Performance test — load and stress
How do the APIs behave under production load? On AIOR projects we use k6 or Locust. Standard load test before every release: p95 latency and error rate are measured at the target RPS. Specific endpoints get a stress test — the breakdown point is found.
Test data management
Creating realistic test data is a big problem. The AIOR approach: random but realistic data with the Faker library, composable test data with the factory pattern, a shared baseline with fixtures. Production data can be sanitised and brought into the test environment (anonymisation is mandatory for GDPR compliance).
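One way to do the sanitisation step, as an added example rather than AIOR's own tooling: direct identifiers are replaced with keyed HMAC pseudonyms (so the same person maps to the same value and joins still work), the phone is dropped, the birth date is generalised to the year, and a leak check refuses output that still contains any original identifier. The rows, field names and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample of "production" rows (fictional people, not real data).
PROD_ROWS = [
    {"id": 17, "email": "ayse@example.com", "full_name": "Ayşe Yılmaz",
     "phone": "+90 532 000 11 22", "birth_date": "1988-04-12", "plan": "pro"},
    {"id": 18, "email": "mehmet@example.com", "full_name": "Mehmet Kaya",
     "phone": "+90 533 000 33 44", "birth_date": "1975-11-30", "plan": "free"},
    {"id": 19, "email": "Ayse@Example.com", "full_name": "Ayşe Yılmaz",
     "phone": "+90 532 000 11 22", "birth_date": "1988-04-12", "plan": "pro"},
]
DIRECT_IDENTIFIERS = ("email", "full_name", "phone")
# Assumption: the key lives only in the sanitisation job, never in the test
# environment, so pseudonyms cannot be reversed from the test database.
PSEUDONYM_KEY = b"example-key-rotate-per-run"

def pseudonym(value, length=12):
    """Keyed, deterministic pseudonym: same input -> same output, not reversible."""
    digest = hmac.new(PSEUDONYM_KEY, value.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:length]

def anonymise_row(row):
    out = dict(row)
    out["email"] = f"user-{pseudonym(row['email'])}@test.invalid"  # keeps joins
    out["full_name"] = f"User {pseudonym(row['full_name'], 6)}"
    out["phone"] = None                                    # no test needs it: drop
    out["birth_date"] = row["birth_date"][:4] + "-01-01"   # generalise to year
    return out

def sanitise(rows):
    anon = [anonymise_row(r) for r in rows]
    # Leak check: no original direct identifier may survive anywhere in the
    # output, including in columns the field mapping above does not know about.
    blob = repr(anon).lower()
    for r in rows:
        for field in DIRECT_IDENTIFIERS:
            if r[field].lower() in blob:
                raise ValueError(f"direct identifier leaked from row {r['id']}: {field}")
    return anon
```

A free-text column that carries an e-mail address (a support note, for instance) is exactly what the leak check is for: the job fails instead of shipping the column into the test environment.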
API mocking — for the development flow
A mock API is needed while frontend and backend are developed in parallel. WireMock (Java), Mock Service Worker (JS), Mountebank (cross-platform). On AIOR projects we generate a mock server from the OpenAPI spec so the frontend team does not have to wait for the backend to be finished.
CI integration
API tests must run automatically in CI:
- Unit tests on every commit.
- Integration tests on every PR.
- Contract tests on every merge.
- Smoke tests on every deploy, against production.
- Full load test on a schedule (weekly).
At AIOR this pipeline is standard on GitHub Actions.
Conclusion
API testing is a multi-layered discipline — contract, integration, security and performance are each tested separately. At AIOR we deliver every customer API tested at all of these layers. What do you struggle with most in your API test strategy: flaky integration tests, test data management, or establishing a performance baseline?