Status Codes, Headers and Payload Validation

πŸ“š QA Engineering πŸ“‚ Chapter 17: REST API Testing Fundamentals πŸ“„ Lesson 17030 Intermediate πŸ•’ March 17, 2026
πŸ“‹ Table of Contents β–Ύ
  1. Validating Status Codes and Error Responses
  2. Payload and Schema Validation
  3. Common Mistakes

HTTP status codes, headers, and response payloads are the primary signals APIs use to communicate success, failure, and additional context. If you only check that the status code is 200, you may miss incorrect error handling, missing headers, or malformed JSON. Thorough validation looks at all three layers.

Validating Status Codes and Error Responses

Status codes indicate the high-level outcome of a request: 2xx for success, 4xx for client errors, and 5xx for server errors. Within these ranges, specific codes such as 200, 201, 400, 401, 404, and 500 carry distinct meanings. Testers should verify that the API returns appropriate codes for each scenario and that error responses include useful messages or error structures.

# Example: check status and body with curl and jq

curl -s -w "Status: %{http_code}
"   -X POST "https://api.example.com/v1/customers"   -H "Content-Type: application/json"   -d '{"name": "", "email": "bad"}'   | tee /tmp/resp.json

jq '.error.code, .error.message' /tmp/resp.json
Note: Consistent error structures make APIs easier to consume and test. If all errors follow the same JSON shape, your tests can validate them systematically.
Tip: Create reusable checks in your automation framework for common expectations, such as β€œunauthenticated requests return 401 with error code AUTH_REQUIRED”.
Warning: Returning 200 for failed operations and hiding errors only in the body confuses both clients and testers. Status codes should accurately reflect success or failure.

Headers convey important metadata such as content type, caching directives, correlation IDs, and rate limiting information. Testing should confirm that required headers are present and correctly formatted, especially for security and observability.

Payload and Schema Validation

Beyond basic field checks, schema validation verifies that responses follow the structure defined in API documentation or contracts. Tools can validate JSON against a schema, ensuring that required fields exist, types are correct, and unknown fields are flagged. This helps catch breaking changes early when services evolve.

Common Mistakes

Mistake 1 β€” Checking only the HTTP status code

This misses incorrect error payloads or missing fields.

❌ Wrong: Asserting only that the status is 200 for success cases.

βœ… Correct: Validate status, headers, and key response fields together.

Mistake 2 β€” Ignoring response headers in tests

Headers often carry security and caching information.

❌ Wrong: Never checking headers like Content-Type or Authorization-related values.

βœ… Correct: Include header checks where they are significant to behaviour or compliance.

🧠 Test Yourself

What should comprehensive REST API validation include?





πŸ“š More in this Tutorial Series

What Is Software Testing? Purpose, Goals and Why It Matters
The Seven Principles of Software Testing β€” ISTQB Foundation
Testing Mindset and Psychology β€” Thinking Like a Tester
Essential Testing Terminology β€” A Practical Glossary for QA Engineers
Testing in Practice β€” Putting Fundamentals to Work on a Real Project
What Is the Software Development Life Cycle (SDLC)? Phases and Purpose