How to Test Any API Without Documentation with Liudas Jankauskas
Categories: Podcasts, Test Guild
Challenges in API testing include neglecting edge cases, undocumented endpoints, and security headers, leading to vulnerabilities and system failures. The podcast introduces RentGen, an open-source tool for automating hard-to-reach API tests, emphasizing its role in improving coverage and complementing tools like Postman for thorough, reliable testing.
Test Guild
Test Guild, hosted by Joe Colantonio, focuses on testing and automation. Each episode has a different guest. Show notes include comprehensive links and usually a full transcript. Released as audio and video.
- https://testguild.com/
- https://testguild.com/podcasts/automation/
- https://www.youtube.com/playlist?list=PL9AgRtJkydU1jqvx46esyr56BXtm1QEds
- https://www.youtube.com/@JoeColantonio
Episode Details
- Show Notes: https://testtalks.libsyn.com/how-to-test-any-api-without-documentation-with-liudas-jankauskas
- Published: 2026-06-30T11:15:00Z
- Duration: 23:22
- Author: Unknown
Overview
The podcast explores critical challenges in API testing, emphasizing that many testers focus on “happy path” scenarios while neglecting areas prone to production issues, such as undocumented APIs, edge cases, and security headers. These often-overlooked elements can introduce vulnerabilities and system failures, particularly when testing tools lack functionality for non-standard requests. The discussion highlights the gap between documented and actual API behaviors, stressing the need for systematic testing of both valid and invalid inputs, error handling, and server-side logic. Techniques like using browser DevTools to inspect network requests and AI-driven inference of undocumented APIs are proposed as solutions to identify and test endpoints effectively.
A key solution presented is RentGen, an open-source tool developed to automate testing of hard-to-reach API features, such as edge cases and undocumented endpoints. It streamlines repetitive tasks like security checks and error code validation, reducing manual effort and improving test coverage. The podcast compares RentGen to tools like Postman, noting that while it enhances initial “sanity” testing and regression checks, it lacks scripting capabilities for advanced automation. The tool emphasizes local execution for data security; CI/CD pipeline integration is planned but not yet implemented. Discussions also cover best practices, including balancing test coverage with system complexity, prioritizing critical systems like defense or finance, and ensuring data type validation, performance checks, and efficient error reporting.
The podcast underscores the importance of distinguishing between mainflow and error validation test cases, advocating for pre-automation checks to ensure API stability. It highlights the value of data-driven testing for edge scenarios and the role of automated tools in reducing manual effort compared to UI testing. Challenges include interpreting ambiguous APIs without documentation and ensuring robust error handling (e.g., 400 responses). RentGen's primary role is as a preparatory tool for automation workflows, complementing existing tools like Postman rather than replacing them. Overall, the content stresses the need for thorough, automated testing of APIs to uncover vulnerabilities and ensure reliability, particularly in high-stakes environments.
What If
- What if you used RentGen to automate testing of undocumented API endpoints in your current project?
  - Move: Run RentGen on your internal APIs to scan for undocumented or poorly documented endpoints, focusing on edge cases like invalid headers or malformed payloads.
  - Why Now?: The text highlights that undocumented APIs are a hidden risk and that RentGen is designed to automate testing of these often-overlooked areas.
  - Expected Upside: Identify critical vulnerabilities (e.g., unhandled error codes, security loopholes) before production deployment, reducing the risk of system failures.
- What if you integrated AI-driven documentation analysis into your API testing workflow using RentGen?
  - Move: Use AI tools to reverse-engineer API structures from code or data, then feed the inferred endpoints into RentGen to generate test cases for edge scenarios.
  - Why Now?: The text notes that AI can infer API functionality from code, which is critical for systems lacking documentation, and RentGen can automate testing of these inferred endpoints.
  - Expected Upside: Reduce manual effort in identifying undocumented APIs and ensure comprehensive test coverage, including inputs like whitespace in numeric fields or invalid headers.
- What if you prioritized generating security-specific test cases with RentGen for your API?
  - Move: Run RentGen in “security mode” to generate test cases for header validation, large payload handling (e.g., 10MB requests), and error response validation (e.g., 400 responses).
  - Why Now?: The text emphasizes the importance of security testing, including header validation and payloads, and RentGen's ability to automate these steps without server dependency.
  - Expected Upside: Quickly identify security flaws (e.g., missing authentication checks, buffer overflow risks) and ensure compliance with industry standards (e.g., banking, healthcare) by keeping data local.
Takeaway
- Leverage RentGen for automating tests on undocumented APIs and edge cases by integrating it into your workflow to address security headers, non-standard requests, and error code validation, as it reduces manual effort and ensures critical areas are covered.
- Use browser DevTools to inspect and replicate network requests for identifying APIs in internal systems, then use tools like Postman to test these endpoints systematically, especially when documentation is lacking.
- Prioritize testing edge cases and error handling (e.g., invalid inputs, 400 responses) by designing test cases for scenarios like division by zero or non-existent operators, ensuring robust validation is enforced.
- Automate error detection and bug reporting using RentGen's “bug reaper” feature to document issues with headers, severity, and reproduction steps directly into Jira, improving traceability and resolution speed.
- Validate data types and input boundaries (e.g., min/max values, integer/decimal formats) through local tools or scripts to prevent invalid payloads, ensuring mandatory fields are non-null and responses stay efficient (<150KB).
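As an added example (not code from the episode or from RentGen), the data-driven edge-case table the takeaways describe, run against a constructed in-process calculator handler: the mainflow row sits beside error-validation rows for the inputs the episode calls out (division by zero, a non-existent operator, whitespace in a numeric field, a null mandatory field, a wrong data type, a bad header), each paired with the status the server must return instead of a 500. The handler, its field names and the chosen status codes are assumptions.

```python
import json
import re
from decimal import Decimal

OPERATORS = {"add": lambda a, b: a + b, "sub": lambda a, b: a - b,
             "mul": lambda a, b: a * b, "div": lambda a, b: a / b}

def _number(raw):
    """Decimal for a plain numeric value; None for bools, containers, padded strings, exponents, NaN."""
    ok = not isinstance(raw, bool) and isinstance(raw, (int, float, str))
    return Decimal(str(raw)) if ok and re.fullmatch(r"-?\d+(\.\d+)?", str(raw)) else None

def handle_calc(body: bytes, headers: dict) -> tuple:
    """Assumed toy calculator endpoint: (status, response). Every bad input maps to a 4xx, never a 500."""
    if headers.get("Content-Type") != "application/json":
        return 415, {"error": "unsupported media type"}
    try:
        req = json.loads(body)
    except ValueError:
        return 400, {"error": "malformed JSON"}
    if not isinstance(req, dict):
        return 400, {"error": "JSON object expected"}
    missing = [k for k in ("operator", "a", "b") if req.get(k) is None]
    if missing:
        return 400, {"error": "missing mandatory fields", "fields": missing}
    op = OPERATORS.get(req["operator"]) if isinstance(req["operator"], str) else None
    if op is None:
        return 400, {"error": "unknown operator"}
    a, b = _number(req["a"]), _number(req["b"])
    if a is None or b is None:
        return 400, {"error": "a and b must be plain numbers"}
    if req["operator"] == "div" and b == 0:
        return 400, {"error": "division by zero"}
    return 200, {"result": str(op(a, b))}

JSON = {"Content-Type": "application/json"}
def make_body(**fields): return json.dumps(fields).encode()
EDGE_CASES = [  # constructed table: (description, request body, headers, expected status)
    ("happy path", make_body(operator="add", a=1, b=2), JSON, 200),
    ("division by zero", make_body(operator="div", a=1, b=0), JSON, 400),
    ("non-existent operator", make_body(operator="pow", a=2, b=3), JSON, 400),
    ("whitespace in number", make_body(operator="add", a=" 1", b=2), JSON, 400),
    ("null mandatory field", make_body(operator="add", a=None, b=2), JSON, 400),
    ("wrong data type", make_body(operator="add", a=[1], b=2), JSON, 400),
    ("malformed JSON", b"{not json", JSON, 400),
    ("missing content type", make_body(operator="add", a=1, b=2), {}, 415),
]

def run_edge_cases(cases=EDGE_CASES):  # returns mismatches; [] means every error path validated
    return [f"{d}: expected {e}, got {s}" for d, b, h, e in cases
            if (s := handle_calc(b, h)[0]) != e]
```

Point `handle_calc` at a real endpoint (an HTTP call returning the status) and the same table becomes the pre-automation stability check the episode recommends before wiring tests into a pipeline.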
For a PDF of longer Software Testing Podcast Episode Summaries with Briefing Notes and more detailed summary notes, visit EvilTester Patreon Podcast Summaries.