Learn API testing.
Run real code, right here.
32+ hands-on lessons covering REST, GraphQL, SOAP, authentication, and AI — each with runnable code hitting a live sandbox. No signup. No setup. Just learn.
- Lessons
- 32+
- Protocols
- 4
- Signup
- None
Fundamentals
The first 10 minutes of learning APIs — protocol-agnostic basics.
What is an API? A Plain-English Guide for Testers
An API is how two pieces of software talk to each other. Here's what that actually means — with runnable examples.
HTTP Methods Explained: GET, POST, PUT, PATCH, DELETE
GET, POST, PUT, PATCH, DELETE — the five verbs that carry 99% of API traffic. Here's what each one means, with runnable examples.
HTTP Status Codes: The Complete Tester's Reference
2xx means success, 4xx means you messed up, 5xx means they messed up — but the details matter. Here's the list every tester should know by heart.
Request & Response Anatomy: Headers, Bodies, and Everything In Between
Every HTTP request has the same parts. Once you know them, every API you'll ever test becomes readable.
Query Parameters, Pagination, Sorting & Filtering
Every useful API returns lists of things. Here's how to page through, sort, and filter them — with runnable examples.
Protocols
REST, GraphQL, SOAP, WebSockets — when to pick what, how to test each.
What is a REST API? The 2026 Definitive Guide
REST is the default API style on the web. Here's what it actually means — stripped of jargon and with runnable examples.
REST CRUD Explained: Create, Read, Update, Delete Walkthrough
CRUD is the heartbeat of REST. Create, Read, Update, Delete — walked through end to end.
PATCH vs PUT: The Difference That Trips Everyone
PUT replaces. PATCH modifies. Here's the subtle but critical difference — and why it matters for testing.
RESTful Best Practices: Conventions That Make APIs Predictable
Fifteen conventions that make REST APIs a joy to use — and the absence of any one is a smell.
What is GraphQL? A Practical Introduction for Testers
GraphQL lets the client decide what data to fetch. Here's how it works and when it beats REST.
GraphQL Queries vs Mutations: When and How to Use Each
Queries read. Mutations change state. Here's the divide — and how to write both correctly.
Authentication
API keys, JWT, OAuth2, token refresh — auth flows explained with runnable code.
API Keys: The Simplest Authentication That Still Trips People Up
Simple, common, and surprisingly easy to get wrong. Here's the API key playbook.
JWT Authentication: What's Inside the Token and How to Test It
JWTs pack auth and user context into a signed string. Simple on the surface, full of traps underneath.
OAuth 2.0 Client Credentials: Machine-to-Machine Auth Done Right
OAuth 2.0's machine-to-machine flow. Clean, standard, and easy to test once you see the shape.
Token Refresh Patterns: Rotating, Sliding, and Reactive Refresh
Short-lived access tokens need graceful refresh. Three common patterns, one big pitfall.
Testing
Negative testing, retries, contract testing — ship APIs that survive production.
Testing Validation Errors: The Most Neglected Test Category
Most API bugs live in input validation. Here's how to test it systematically.
Retries and Timeouts: Testing APIs That Live on Unreliable Networks
The network is unreliable. Here's how clients should retry, how servers should behave, and how to test both.
Negative Testing: Breaking Your API Before Attackers Do
Happy paths prove your API works. Negative paths prove it doesn't break. Both matter.
Contract Testing: Catching Breakage Before Clients See It
A contract is a promise. Contract testing keeps you honest. Here's how to do it right.
AI
Generate, maintain, and expand API tests using AI — the next decade of testing.
Generating API Tests from OpenAPI with AI: What's Actually Possible
Turn an OpenAPI spec into hundreds of tests in minutes. Here's what the AI actually does well — and where it still needs you.
AI-Assisted Negative Testing: Finding Edge Cases Humans Miss
AI is remarkably good at generating weird, hostile, and boundary inputs. Here's how to use it.
AI Test Maintenance: Keeping Suites Alive as APIs Evolve
Every test suite decays. AI is finally good enough to slow the decay — if you let it.
Tool Comparisons
Postman, ReadyAPI, Apidog — deep comparisons vs ShiftLeft.
Postman Alternatives: Honest 2026 Comparison for API Testing
Postman is the default — but not always the right fit. Here are the alternatives that actually matter in 2026.
ReadyAPI vs ShiftLeft: Enterprise SOAP Testing in 2026
ReadyAPI rules SOAP testing. ShiftLeft rebuilds the workflow with AI. Here's the honest comparison.
Apidog vs ShiftLeft: Mid-Market API Testing in 2026
Apidog bundles everything for small teams. ShiftLeft focuses on AI generation and maintenance. Here's how they compare.
Best AI API Testing Tools of 2026: The Honest Landscape
Every tool now claims AI. Here's what actually works — and how to tell the genuine from the marketing.
Take what you've learned into Shift-Left Studio.
Download the Citizen Developer Edition — a forever-free, single-user license. Generate tests with AI, mock APIs, run workflows, and ship faster — using the same techniques you just practiced. No credit card, no expiry.
Free edition includes 50 endpoints, 50 mocks, 50 workflows, AI test & mock generation (BYO key), and the local desktop runner.