Testing Interfaces, APIs, and Business Logic
Interface testing checks what users can see and do. API testing checks how systems exchange requests and responses. Business-logic testing checks whether the product enforces its rules, limits, permissions, and valid states.
What You Will Be Able to Decide
- Separate interface, API, business-logic, and workflow testing.
- Identify responsive failures and inaccessible interaction patterns.
- Test valid, invalid, unauthorised, and duplicate API requests.
- Challenge impossible product states and weak validation.
A product can look correct while behaving incorrectly.
A volume control may display 130%.
A booking may end before it begins.
A user may edit another company’s records by changing an identifier in the URL.
An API may return a successful status while saving incomplete data.
Testing should inspect several layers of the product rather than treating a working screen as proof that the system works.
Interface Testing
Interface testing checks how the product behaves from the user’s perspective.
Test:
- navigation
- buttons
- forms
- validation
- loading states
- empty states
- error states
- success feedback
- keyboard access
- responsive layout
- different browsers
Technical term
Responsive design
Responsive design means that the interface adapts to different screen sizes and input methods.
Do not test only one narrow desktop browser window.
At minimum, inspect:
- a small mobile width
- a larger mobile width
- tablet width
- laptop width
- wide desktop width
Check for:
- clipped text
- horizontal scrolling
- buttons outside the viewport
- overlapping controls
- unreadable tables
- hover-only actions
- modals larger than the screen
- navigation that cannot be closed
- touch targets that are difficult to select
Technical term
API
API means application programming interface. An API allows one part of a system to communicate with another through defined requests and responses.
Technical term
Endpoint
An endpoint is a specific API address used for a particular operation.
API Testing
Examples:
GET /api/projects
POST /api/projects
PATCH /api/projects/123
DELETE /api/projects/123Postman can send requests directly to an endpoint without requiring the normal application interface.
This allows the tester to inspect:
- request method
- URL
- headers
- authentication token
- request payload
- response status
- response data
- error messages
Technical term
Payload
A payload is the data sent with a request or returned in a response.
For a project-creation endpoint, test:
- valid data
- missing project name
- extremely long project name
- invalid customer identifier
- unauthenticated request
- user without permission
- duplicate request
- unexpected extra fields
Do not test only the successful request.
Technical term
Business logic
Business logic is the set of rules defining what the product permits and how it behaves.
Examples:
- volume must remain between 0 and 100
- inventory cannot fall below zero
- a booking end time must occur after its start time
- a refunded payment cannot remain marked as pending
- only an administrator can delete a workspace
- one company cannot access another company’s records
Technical term
Validation
Validation means checking whether data meets the product’s required rules.
Technical term
Data integrity
Data integrity means that stored data remains accurate, valid, and internally consistent.
Testing Workflows
A workflow test follows a complete user goal across multiple screens and systems.
For a booking application:
- find an available time
- select the time
- enter details
- confirm the booking
- store the booking
- send confirmation
- display the booking to the business
Each individual page may work while the full workflow fails.
Examples:
- the booking is stored but no confirmation is sent
- confirmation is sent but the booking is missing
- two users reserve the same slot
- refreshing the page submits the booking twice
- a failed payment still creates a confirmed order
Technical term
Idempotency
Idempotency means repeating the same request does not repeat its effect. Submitting the same payment request twice should not charge the customer twice.
Questions to Ask a Consultant
- Which user workflows have been tested end to end?
- Which invalid values have been tested?
- Are permissions tested through direct API requests?
- What happens when an external service fails?
- Can an action be submitted twice?
- Which rules are enforced by the frontend, backend, and database?
- How are failed tests recorded and prioritised?
- Which tests run automatically before deployment?
Key takeaway
Key Takeaway
Test the visible interface, the system communication beneath it, and the business rules that must remain true regardless of how a request reaches the application.