Simple API Key Testing

Basic API key authentication testing with header and query methods

LoadForge can record your browser, graphically build tests, scan your site with a wizard and more. Sign up now to run your first test.

Sign up now

This guide shows how to test APIs that use API key authentication. Perfect for testing different API key placement methods and validation.

Use Cases

  • Test header-based API key authentication
  • Test query parameter API key authentication
  • Test invalid API key error handling
  • Validate missing API key responses

Simple Implementation

from locust import task, HttpUser
import random

class APIKeyTestUser(HttpUser):
    def on_start(self):
        # API keys for testing (replace with your actual keys)
        self.valid_key = "sk-1234567890abcdef"
        self.invalid_key = "invalid-key-12345"
        
        # API endpoints that require authentication
        self.endpoints = ["/api/users", "/api/data", "/api/reports"]

    @task(4)
    def test_header_api_key(self):
        """Test API key in header (X-API-Key: your-key)"""
        endpoint = random.choice(self.endpoints)
        
        headers = {
            "X-API-Key": self.valid_key,
            "Content-Type": "application/json"
        }
        
        with self.client.get(
            endpoint,
            headers=headers,
            name="Header API Key"
        ) as response:
            if response.status_code == 200:
                print(f"Header API key success: {endpoint}")
            elif response.status_code == 401:
                response.failure("Valid API key rejected")
            else:
                response.failure(f"Unexpected response: {response.status_code}")

    @task(3)
    def test_bearer_token_api_key(self):
        """Test API key as Bearer token (Authorization: Bearer your-key)"""
        endpoint = random.choice(self.endpoints)
        
        headers = {
            "Authorization": f"Bearer {self.valid_key}",
            "Content-Type": "application/json"
        }
        
        with self.client.get(
            endpoint,
            headers=headers,
            name="Bearer Token API Key"
        ) as response:
            if response.status_code == 200:
                print(f"Bearer token success: {endpoint}")
            elif response.status_code == 401:
                response.failure("Valid bearer token rejected")
            else:
                response.failure(f"Unexpected response: {response.status_code}")

    @task(3)
    def test_query_parameter_api_key(self):
        """Test API key in query parameter (?api_key=your-key)"""
        endpoint = random.choice(self.endpoints)
        
        params = {"api_key": self.valid_key}
        
        with self.client.get(
            endpoint,
            params=params,
            name="Query Parameter API Key"
        ) as response:
            if response.status_code == 200:
                print(f"Query parameter success: {endpoint}")
            elif response.status_code == 401:
                response.failure("Valid API key in query rejected")
            else:
                response.failure(f"Unexpected response: {response.status_code}")

    @task(2)
    def test_invalid_api_key(self):
        """Test with invalid API key"""
        endpoint = random.choice(self.endpoints)
        
        headers = {
            "X-API-Key": self.invalid_key,
            "Content-Type": "application/json"
        }
        
        with self.client.get(
            endpoint,
            headers=headers,
            name="Invalid API Key"
        ) as response:
            if response.status_code == 401:
                print(f"Invalid API key correctly rejected: {endpoint}")
            elif response.status_code == 200:
                response.failure("Invalid API key was accepted")
            else:
                print(f"Invalid API key returned {response.status_code}")

    @task(1)
    def test_missing_api_key(self):
        """Test request without API key"""
        endpoint = random.choice(self.endpoints)
        
        with self.client.get(
            endpoint,
            name="Missing API Key"
        ) as response:
            if response.status_code == 401:
                print(f"Missing API key correctly rejected: {endpoint}")
            elif response.status_code == 200:
                response.failure("Request without API key was accepted")
            else:
                print(f"Missing API key returned {response.status_code}")

Setup Instructions

  1. Replace self.valid_key with your actual API key
  2. Replace self.invalid_key with a test invalid key
  3. Update self.endpoints with your actual API endpoints
  4. Adjust authentication method if your API uses different headers

What This Tests

  • Header Authentication: Tests X-API-Key header method
  • Bearer Token: Tests Authorization: Bearer token method
  • Query Parameter: Tests api_key query parameter method
  • Error Handling: Validates rejection of invalid/missing keys

Best Practices

  • Use realistic API keys that match your API's format
  • Test all authentication methods your API supports
  • Validate both success and failure scenarios
  • Monitor response times for different auth methods

Common Issues

  • API Key Format: Ensure test keys match your API's expected format
  • Rate Limiting: Some APIs rate limit by API key, adjust test frequency
  • Permissions: Different API keys may have different permissions
  • Expiration: Check if your test API keys expire
Previous Guide

OAuth 2.0 Authorization Code Flow with PKCE

Complete OAuth 2.0 authorization code flow with PKCE (Proof Key for Code Exchange) for secure authentication testing

oauth authentication
Next Guide

Simple JWT Authentication Testing

Basic JWT token authentication testing with login and protected API access

jwt authentication
View all Authentication & Security guides

Ready to run your test?
Launch your locust test at scale.

Run free test