Test the API, not just the UI
Most of what an app does happens below the buttons. Learning to test at the API layer makes you faster, sharper, and much harder to fool.
8 steps · 6 minThe UI is just the front door
When you tap 'Pay now', the app sends a request to a server — the API — which does the real work and sends back a response. The button is decoration; the API is the machine. Test only through the UI and you're testing the machine through a keyhole.
API testing means sending those requests yourself and inspecting exactly what comes back.
Requests and responses
Every API call is a small contract: you send a request (an action plus data, like 'create an order for 2 items'), and the server returns a response — a status code saying how it went, and a body with the result. Tools like Postman or plain curl let you do this without any UI at all.
The checkout total is wrong: the UI shows $40 for items worth $50. Where do you look first to isolate the bug?
Status codes in one minute
The status code is the server's one-line verdict. 2xx: it worked. 4xx: your request was the problem (400 malformed, 401 not logged in, 403 not allowed, 404 not found). 5xx: the server itself broke. That first digit tells you who owns the bug.
A 4xx for a valid request and a 5xx for any request are both bugs — but they point at different code.
You request an order that doesn't exist, and the API returns 500 Internal Server Error. What's your read?
A 200 can still be wrong
The status code says the request was handled — not that the answer is right. A 200 with the wrong total, a missing field, or somebody else's data is a worse bug than a crash, because nothing looks broken. Always check the body, not just the code.
An API test asserts only 'status == 200' and it's green. The response body is another user's profile. What's the verdict on the test?
Why testers love this layer
API tests skip rendering, clicking, and waiting — they run in milliseconds and rarely break when a button moves. Edge cases that are painful in a UI (weird characters, missing fields, wrong permissions) are one line in a request. Same instincts as before, sharper instrument.
Next: now that you can test more layers, which checks deserve to be automated?
Lesson complete.
You can now test below the surface: talk to the API directly, read status codes like a native, and know when a green 200 is lying to you.