Smoke Test Authenticated API Routes
Purpose
Provide a repeatable approach to quickly validate that protected API endpoints work end-to-end: authentication, request handling, and persistence side effects.
When to use
Use this skill when you are:
- •Testing a newly added endpoint
- •Verifying endpoint behavior after refactors
- •Debugging auth-related failures (
401,403) - •Confirming that POST/PUT/PATCH/DELETE endpoints create or update the right records
Avoid using this skill when:
- •You need a full end-to-end test execution record across many endpoints, or you need to produce evidence for a release gate.
- •You primarily need a code/implementation review rather than a smoke test plan and quick validation run.
Inputs
- •Endpoint(s): method + URL path
- •Authentication method:
- •cookie-based session
- •bearer token
- •API key
- •mock/dev bypass (development only)
- •Required request body/query/params
- •Expected response shape and status code
- •Expected persistence side effects (tables/collections/records)
Outputs
- •A minimal smoke test plan per endpoint:
- •valid request
- •invalid request (one representative)
- •expected status codes and response shapes
- •Verification notes for persistence side effects
- •A short debug report if a test fails (observations + likely causes)
Core rules
- •Smoke tests SHOULD prioritize the happy path and core behavior.
- •Tests MUST NOT use real production credentials.
- •Any “mock auth” bypass MUST be limited to non-production environments.
- •Persisted side effects MUST be verified for write endpoints.
Steps
- •
Locate the endpoint contract
- •method + path
- •request fields (required/optional)
- •response shape
- •
Prepare authentication
- •Obtain a valid session/token for a test user, or use a non-production auth bypass if available.
- •Record the user/role used for the test.
- •
Run a valid request
- •Use an HTTP client (curl, Postman, a test harness, or automated integration test).
- •Record status code and response body.
- •
Verify side effects (write endpoints)
- •Query the database or inspect logs to confirm expected changes.
- •Verify idempotency expectations if the endpoint is retried.
- •
Run one invalid request
- •Example: missing required field, invalid enum, or invalid identifier.
- •Verify validation status code and error shape.
- •
If the request fails, triage by class
- •
401unauthorized: missing/invalid auth - •
403forbidden: user lacks permission - •
404not found: wrong URL/prefix/route registration - •
5xxserver error: unhandled exception or downstream dependency
- •
Verification
- • Status codes match the contract
- • Success response contains required fields
- • Validation errors return stable error codes and details
- • Persistence side effects match expectations
- • No secrets or tokens were logged or committed to docs
- • At least one valid and one invalid request were tested
Boundaries
- •MUST NOT use real production credentials in tests
- •MUST NOT enable mock auth bypasses in production environments
- •MUST NOT skip persistence verification for write endpoints
- •MUST NOT log or commit secrets/tokens to documentation
- •SHOULD NOT test only happy paths (include at least one negative case)
- •SHOULD NOT assume auth context without verifying it is attached
Included assets
- •Templates:
./templates/includes a route test matrix and a JSON test spec schema. - •Examples:
./examples/includes curl patterns for cookie and bearer auth (placeholders only).