Many APIs still rely on simpler authentication mechanisms like API keys, Basic Auth, or custom header tokens. These schemes are easier to implement but also easy to misuse. Proper testing ensures that keys and credentials are handled safely and consistently across endpoints.
Testing API Keys and Basic Auth
API keys are usually sent in a request header, and sometimes as a query parameter; prefer the header, because query strings end up in server logs, proxy logs and browser history. Basic Auth sends username:password base64-encoded in the Authorization header, which is encoding rather than encryption, so it is only acceptable over TLS. Tests should verify that requests with no credentials or with invalid credentials are rejected with 401, that valid credentials lacking permission for a resource get 403 rather than a success, and that valid credentials are accepted consistently on every protected endpoint, not only the one the test author happened to try.
# Example: API key in header
curl -i -X GET "https://api.example.com/v1/customers" -H "X-Api-Key: <api_key>"
Custom token headers such as X-Auth-Token behave the same way from a testing standpoint. Make sure the error response for an invalid token is generic: it should not echo the presented token, should not reveal whether a key exists but was revoked versus never existed, and should not include stack traces or internal identifiers. Also check how quickly tokens can be revoked or rotated, and how long a revoked token keeps working while caches on intermediate nodes expire.
Revocation and Rotation Tests
Tests should include revoking or regenerating keys and verifying that old keys stop working promptly, on every endpoint and on every node behind a load balancer, since a cached key lookup can outlive its revocation. This is critical for incident response, where a leaked key has to be cut off within minutes. Automated tests can simulate rotation by creating a new key, updating the client configuration, confirming that calls with the new key succeed, and confirming that calls with the old key fail with 401. Expiry deserves the same treatment: issue a short-lived key, wait for or advance the clock past its expiry, and check that it is rejected.
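The following harness is an added example written for this page, not code from the original article or any particular API product. It stands up a small in-process HTTP API (standard library only) that accepts API keys in X-Api-Key and Basic Auth credentials, and then runs the checks described in the two sections above: the no-credentials / bad-credentials / good-credentials matrix over every protected endpoint, a check that the 401 body never echoes the presented token, and a rotation test in which the old key must die once the replacement is issued. It also includes a read-scoped key that must get 403 on an admin path, which is the scoped-key point raised under Common Mistakes. All endpoint paths, header names, scopes, the user "alice" and every key value are constructed for the demo.

```python
"""Added example, not code from the original page: an in-process HTTP API that
accepts API keys and Basic Auth, plus the tests the text describes. Endpoint
names, header names, scopes, users and keys are all constructed for the demo."""
import base64, hmac, json, secrets, threading
import urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

KEYS = {}                                            # api key secret -> scope
USERS = {"alice": "correct horse battery staple"}    # Basic Auth users (constructed)
PROTECTED = ["/v1/customers", "/v1/admin/keys"]      # /v1/admin/keys needs "admin" scope

def issue_key(scope="read"):                         # the "regenerate" step of a rotation
    secret = secrets.token_urlsafe(24)
    KEYS[secret] = scope
    return secret

def revoke_key(secret):
    KEYS.pop(secret, None)

def _scope_for_api_key(presented):
    # Constant-time compare against every stored key: no timing oracle on key prefixes.
    for stored, scope in KEYS.items():
        if hmac.compare_digest(stored.encode(), presented.encode()):
            return scope
    return None

def _scope_for_basic(header):
    try:
        user, _, pw = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    except Exception:                                # malformed base64 or non-UTF-8
        return None
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(expected.encode(), pw.encode()):
        return "read"
    return None

class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):                    # keep the demo quiet
        pass

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="api"')
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        scope = None
        if "X-Api-Key" in self.headers:
            scope = _scope_for_api_key(self.headers["X-Api-Key"])
        elif self.headers.get("Authorization", "").startswith("Basic "):
            scope = _scope_for_basic(self.headers["Authorization"])
        if scope is None:                            # missing, unknown or revoked: one generic 401
            return self._send(401, {"error": "authentication required"})
        if self.path == "/v1/admin/keys" and scope != "admin":
            return self._send(403, {"error": "insufficient scope"})
        return self._send(200, {"path": self.path, "scope": scope})

def start_server():
    """Serve on an ephemeral loopback port in a daemon thread; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]

def call(base, path, headers=None):
    """GET base+path; returns (status, json_body) for success and error responses alike."""
    req = urllib.request.Request(base + path, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())

def basic_auth_header(user, pw):
    return {"Authorization": "Basic " + base64.b64encode(("%s:%s" % (user, pw)).encode()).decode()}

def run_auth_matrix(base, key):
    """Status per (endpoint, credential kind); the same matrix over every protected path."""
    results = {}
    for path in PROTECTED:
        results[(path, "none")] = call(base, path)[0]
        results[(path, "bad_key")] = call(base, path, {"X-Api-Key": "not-a-real-key"})[0]
        results[(path, "good_key")] = call(base, path, {"X-Api-Key": key})[0]
    return results

def error_body_echoes_token(base):
    # True if the 401 body leaks the presented (bogus) token back to the caller.
    canary = "canary-" + secrets.token_hex(8)
    status, body = call(base, "/v1/customers", {"X-Api-Key": canary})
    return status == 401 and canary in json.dumps(body)

def rotation_test(base):
    """Old key works, rotate, old key is dead, new key works: expect (200, 401, 200)."""
    old = issue_key("read")
    before = call(base, "/v1/customers", {"X-Api-Key": old})[0]
    new = issue_key("read")                          # issue the replacement first...
    revoke_key(old)                                  # ...then retire the compromised key
    after_old = call(base, "/v1/customers", {"X-Api-Key": old})[0]
    after_new = call(base, "/v1/customers", {"X-Api-Key": new})[0]
    return before, after_old, after_new
```

Against a real API the server half disappears and only the client-side functions remain; the matrix should then be driven from a list of every protected route pulled from the API's route table or OpenAPI document, so that a newly added endpoint cannot silently skip the check. The rotation test deliberately issues the new key before revoking the old one, which is the order an incident responder wants so that legitimate clients can switch over without an outage.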
Common Mistakes
Mistake 1: Using the same high-privilege key for all tests
This hides authorization bugs: when the test key can do everything, an endpoint with a missing permission check still returns 200 and the suite passes. It also turns a leaked test key into a high-value credential.
Wrong: One powerful key that can do everything in all environments.
Correct: Use several keys with scoped privileges (for example read-only, write, admin) and assert that each one is rejected with 403 where it should be, so the tests exercise authorization the way real clients would.
Mistake 2: Not testing key revocation and expiry
Ignoring lifecycle events leaves gaps in security coverage: the suite proves that keys can be accepted but never proves that they can be retired.
Wrong: Assuming keys work forever and revocation will be handled later.
Correct: Design tests that cover key rotation, expiration, and invalidation, including the case where an old key is presented after rotation and the case where an expired key is presented after its lifetime ends.