SoftwareTestPilot
API TestingPublished: 9 min read

GraphQL API Testing Guide: Complete 2026 Handbook

Complete 2026 GraphQL API testing guide. Schema validation, query testing, mutation testing, security testing, and tooling for Jest, Postman, and Karate.

Avinash Kamble
Avinash Kamble
Founder & QA Engineer at SoftwareTestPilot
Reviewed by Priyanka G.
Share:XLinkedInWhatsApp
GraphQL API Testing guide cover — hexagonal GraphQL schema graph with query, mutation, and security nodes on a dark navy background.
GraphQL API Testing guide cover — hexagonal GraphQL schema graph with query, mutation, and security nodes on a dark navy background.
In this article
  1. What is GraphQL?
  2. Why GraphQL Testing Is Different
  3. GraphQL Test Layers
  4. How to Test Queries
  5. How to Test Mutations
  6. Schema Validation
  7. Error Testing
  8. Security Testing
  9. Tools for GraphQL Testing
  10. Test Pyramid for GraphQL
  11. Common Mistakes and Fixes
  12. How to Start Testing GraphQL
  13. Keep Learning
  14. Frequently asked questions

This guide covers everything you need to test GraphQL APIs in 2026: schema validation, queries, mutations, security, and tooling. For the broader picture, see our API Testing Tutorial, Microservices Testing Strategy, and Postman API Testing Tutorial.

What is GraphQL?

GraphQL is a query language for APIs that lets clients request exactly the data they need. Developed by Facebook in 2012 and open-sourced in 2015, it's now the default choice for many product teams alongside REST.

Why GraphQL Testing Is Different

  • Single endpoint — every request goes to /graphql.
  • POST method — all queries are POSTs.
  • Query in body — GraphQL operations travel in the request body.
  • Schema-driven — tests can introspect the schema.
  • Variable support — operations accept typed variables.
  • Subscriptions — real-time data over WebSocket.

GraphQL Test Layers

LayerWhat to test
SchemaTypes, fields, arguments, enums
QueriesHappy path, edge cases, errors
MutationsCreate, update, delete operations
SubscriptionsReal-time event delivery
SecurityAuthentication, authorization, injection

How to Test Queries

Simple query

query GetUser($id: ID!) {
  user(id: $id) {
    id
    name
    email
  }
}
const query = `
  query GetUser($id: ID!) {
    user(id: $id) { id name email }
  }
`;
const variables = { id: '123' };

const response = await fetch('https://api.example.com/graphql', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ query, variables }),
});

const json = await response.json();
expect(json.data.user.id).toBe('123');

Query with variables

query SearchUsers($term: String!, $limit: Int = 10) {
  searchUsers(term: $term, limit: $limit) { id name }
}

How to Test Mutations

Create

mutation CreateUser($input: CreateUserInput!) {
  createUser(input: $input) { id name email }
}
const variables = {
  input: { name: 'Alice', email: 'alice@example.com', role: 'admin' }
};

Update

mutation UpdateUser($id: ID!, $input: UpdateUserInput!) {
  updateUser(id: $id, input: $input) { id name email }
}

Schema Validation

Validate with graphql-js

import { buildSchema, validate, parse } from 'graphql';

const schema = buildSchema(`
  type Query { user(id: ID!): User }
  type User { id: ID! name: String! email: String! }
`);

const query = `query { user(id: "123") { id name email } }`;
const errors = validate(schema, parse(query));
expect(errors).toHaveLength(0);

Detect breaking changes with graphql-inspector

const inspector = new GraphQLInspector();
const changes = inspector.diff(oldSchema, newSchema);
// breaking, dangerous, and safe changes

Error Testing

const query = `query { user(id: "invalid") { id } }`;
const response = await graphqlCall(query);
expect(response.errors).toBeDefined();
expect(response.errors[0].message).toContain('Invalid ID');
ErrorCause
Syntax ErrorInvalid query syntax
Validation ErrorQuery against invalid schema
Execution ErrorServer-side error
Authentication ErrorMissing/invalid auth
Authorization ErrorUser lacks permission

Security Testing

1. Introspection disabled in production

const query = `{ __schema { types { name } } }`;
const response = await graphqlCall(query);
expect(response.errors[0].message).toContain('not allowed');

2. Query depth limit

const deep = `query { user { friends { friends { friends { friends { name } } } } } }`;
// expect depth limit error

3. Query complexity limit

const expensive = `query { users(first: 10000) { id name posts { title } comments { text } } }`;
// expect complexity error

4. SQL injection in GraphQL

query { user(id: "1' OR '1'='1") { id name } }

Expected: validation error or sanitized response.

5. Auth required for sensitive fields

const response = await graphqlCall(`{ adminUsers { id email } }`);
expect(response.errors[0].message).toContain('Unauthorized');

Tools for GraphQL Testing

Postman

Native GraphQL support: POST to your endpoint, JSON body with query + variables, write assertions in the Tests tab. See the Postman API Testing Tutorial.

Jest + graphql-request

import { request } from 'graphql-request';

const endpoint = 'https://api.example.com/graphql';

test('returns user by id', async () => {
  const query = `query GetUser($id: ID!) { user(id: $id) { id name } }`;
  const data = await request(endpoint, query, { id: '123' });
  expect(data.user.id).toBe('123');
});

Karate DSL

Feature: User API

Scenario: Get user
  Given path '/graphql'
  And request { query: 'query { user(id: "123") { id name } }' }
  When method POST
  Then status 200
  And match $.data.user.id == '123'

Apollo Studio

Visual GraphQL explorer for running queries, browsing the schema, and generating tests. See official Apollo Studio docs and graphql.org learn.

Test Pyramid for GraphQL

Unit

  • Schema validation.
  • Single-field queries.
  • Edge cases (null, empty, max values).

Integration

  • Full query chains.
  • Mutations.
  • Authentication and authorization.

E2E

  • Full user journeys.
  • Subscription delivery.
  • Real backend, real database.

For the broader pyramid, see Test Pyramid Explained.

Common Mistakes and Fixes

  1. Testing only the happy path — add error, security, and edge cases.
  2. Leaving introspection enabled in production — disable it.
  3. No query depth/complexity limits — use graphql-depth-limit:
    const depthLimit = require('graphql-depth-limit');
    const server = new ApolloServer({ validationRules: [depthLimit(7)] });
  4. Not testing subscriptions — verify real-time events actually deliver.
  5. Ignoring N+1 query problems — assert query count, not just response.
  6. Not validating input data — use the type system and @constraint directives.
  7. No rate limiting — protect the single endpoint.
  8. Trusting client-side validation — always re-validate on the server.

How to Start Testing GraphQL

Step 1 — Install tools

npm install --save-dev graphql graphql-request jest

Step 2 — Write your first test

test('user query returns expected fields', async () => {
  const query = `{ user(id: "1") { id name email } }`;
  const response = await graphqlCall(query);
  expect(response.data.user.id).toBe('1');
});

Step 3 — Add error tests

test('invalid id returns error', async () => {
  const response = await graphqlCall(`{ user(id: "invalid") { id } }`);
  expect(response.errors).toBeDefined();
});

Step 4 — Add security tests

test('introspection is disabled in production', async () => {
  const response = await graphqlCall(`{ __schema { types { name } } }`);
  expect(response.errors[0].message).toContain('not allowed');
});

Step 5 — Wire into CI/CD

Run on every PR. See the GitHub Actions Automation Testing guide.

Frequently asked questions

What is GraphQL?

A query language for APIs that lets clients request exactly the data they need via a single POST endpoint.

How is GraphQL testing different from REST testing?

Single endpoint, all queries are POSTs, queries in body, schema-driven, with support for variables and subscriptions.

What tools should I use for GraphQL testing in 2026?

Postman for manual + CLI, graphql-request with Jest, Karate for BDD-style flows, and Apollo Studio for exploration.

How do I test GraphQL security?

Verify introspection is disabled in production, enforce depth/complexity limits, test authentication and authorization, and probe for injection attacks.

Can I use Postman for GraphQL testing?

Yes — Postman supports GraphQL natively. POST to your endpoint with a JSON body containing query and variables.

What's the #1 GraphQL testing mistake?

Testing only the happy path. Cover errors, security, and edge cases too.

Keep going

Practice these questions

Rehearse REST, Postman, REST Assured and contract-testing questions with worked examples.

Found this useful?
Share:XLinkedInWhatsApp

Was this article helpful?

Keep building your QA edge

Continue reading

Join the QA Community

Connect with fellow testers, share job leads, and get career advice.

Premium QA Resources

Stop Reinventing the Wheel. Upgrade Your QA Arsenal.

Take your testing skills from beginner to Lead Engineer. Supercharge your daily workflow with our premium digital resources.

  • ⚡ Ready-to-use testing strategy templates
  • 🔥 Advanced API & UI automation guides
  • ⏱️ Save 10+ hours a week on test planning
4.9/5 rating
Explore All Products

⭐⭐⭐⭐⭐ Trusted by 1,000+ Software Test Pilots • Instant Access