Data Driven Testing

Data Driven Testing api testing rest api quality assurance
James Wellington
James Wellington

Lead QA Engineer & API Testing Specialist

 
January 26, 2026 8 min read

TL;DR

  • This article cover how to use external data sets for scaling your api tests across performance and security. We look at separating test logic from data to find more bugs with less code effort. You will learn about choosing the right tools and automation workflows for rest apis in modern software development.

What is anyway?

Ever spent a whole afternoon updating fifty different Postman requests just because a dev changed one single "status" field? Honestly, it’s the kind of soul-crushing work that makes you want to quit testing and go open a bakery.

(DDT) is basically just a fancy way of saying "stop hardcoding your stuff." Instead of writing one script for a user login, another for a blocked user, and a third for a typo, you write one script that's smart enough to read from a file.

  • Maintenance becomes a breeze: If the api endpoint changes, you fix it in one script, not twenty.
  • Better coverage: You can throw 500 rows of weird edge cases (like names with emojis or massive numbers) at your code without writing 500 tests.
  • Cleaner scripts: Your logic stays pretty and your data stays in a csv or json file where it belongs.

According to research by Kobiton, about 76% of teams are trying to automate more of their testing to keep up with fast releases, but hardcoded scripts usually just break and get abandoned.

Diagram 1

I remember working on a healthcare app where we had to test insurance claims. We had different rules for dental, vision, and ER visits. Instead of building a mountain of scripts, we just made a spreadsheet with the "Claim Type" and "Expected Response." The script just looped through it. It was beautiful.

Now that we know why we shouldn't be hardcoding everything like it's 1999, let's look at how to actually set up these data sources without losing our minds.

Setting up your data sources for rest apis

So, you've decided to stop hardcoding your api tests. Great choice, your future self (and your sanity) will thank you. But where do you actually put all that data?

Most people start with a simple spreadsheet, which is fine, but as your rest api gets more complex, those flat files can start feeling a bit cramped.

If you’re just swapping out a username or a product ID, a csv is your best friend. It’s basically just rows and columns that any testing tool can eat for breakfast. I’ve used these for retail sites where we needed to test 200 different SKU numbers against a search endpoint. It’s fast, and even your project manager can edit it in Excel without breaking anything.

But what happens when your api needs a massive, nested payload? Like a healthcare record with five levels of sub-objects? That’s where json files shine.

  • csv for flat stuff: Best for simple key-value pairs like "Email" and "Password" in a login test.
  • json for nesting: Perfect when your request body has arrays or objects inside objects.
  • Database connections: Sometimes, you don't want a file at all. You can hook your scripts directly to a SQL or NoSQL database to pull "live" staging data.

Diagram 2

Postman is usually the go-to here. You just click the "Select File" button in the collection runner, and it maps your variables automatically. If you're doing performance testing, JMeter handles datasets similarly, though it’s a bit more "old school" in how it configures the CSV Data Set Config.

I've also seen teams use apifiddler—which is a solid tool for getting quick insights into your rest api flows without the massive setup headache of a full framework. It helps you see how your data actually maps to the response in real-time.

A study by SmartBear in 2023 pointed out that "standardizing tools across teams" is a top priority for 52% of organizations. Picking a format like json usually helps with that because it's what the developers are already using, anyway.

One time, I tried to force a complex financial payload into a csv. It was a nightmare of commas and quotes. Don’t be like me; if the data looks like a tree, use a json.

Now that we've got our files ready, let's talk about actually hooking them up to your scripts so they run on autopilot.

Applying data driven methods to API Security and Performance

Security and performance testing usually feel like the "final bosses" of a project. You spend all this time making sure the login button works, then suddenly you're told to make sure 10,000 people can hit it at once without the database exploding.

The secret is that you can use the same data-driven tricks we used for functional tests to handle the scary stuff too.

Security testing isn't just for people in hoodies; it's mostly about sending things to an api that it doesn't expect. If your api expects a number for a "quantity" field, what happens if you send a drop-down list of SQL commands instead?

Instead of guessing, I like to use a massive csv file full of "nasty strings." This includes things like <script>alert('xss')</script> or ' OR 1=1--. You just loop your request through these rows and check if the api returns a 500 error (bad) or a 400/422 (better).

  • Injecting malicious payloads: Use a data file to swap out every single parameter in your request with known attack patterns.
  • Testing user roles: You can have a file with different auth tokens—one for an admin, one for a guest, and one for a deleted user—to see if the guest can somehow access the admin's data.
  • Validation logic: Check how your app handles "impossible" data, like a retail checkout api receiving a negative price or a date of birth in the year 2099.

Diagram 3

I once saw a finance app that passed all its functional tests, but when we ran a data-driven security sweep with different account IDs, we found a huge hole. A user could see someone else's balance just by changing a number in the URL. If we hadn't automated that with a data list, we never would've caught it by hand.

Performance testing is where hardcoding really goes to die. If you send the exact same "User_1" request 5,000 times, your server might just cache the response. You aren't actually testing the database; you're just testing how fast the cache is.

To get real results, you need unique data for every single virtual user. If you're testing a search api for a retail site, your data file should have thousands of different search terms. This forces the api to actually do the work every single time.

  • Varying parameters: Use a csv with 10,000 rows of unique IDs to ensure you're hitting different parts of the database.
  • Realistic traffic: Mix up your data so 80% are "normal" requests and 20% are complex, heavy queries that take longer to process.
  • Documentation accuracy: Watch if your api documentation (like Swagger) actually matches the performance limits you're hitting under load.

A 2023 report from BlazeMeter mentioned that teams are increasingly moving performance testing "left" into the development cycle. Using data-driven methods makes this easier because you can run a "mini" load test with 50 rows of data every time someone checks in code.

So, we've got our data and we're breaking things in the name of security and speed. Next, let's talk about how to actually plug all of this into a CI/CD pipeline so it runs while you're sleeping.

Best practices and common mistakes to avoid

Look, I’ve seen some absolute horror stories where a "perfectly automated" suite suddenly starts failing 100% of its tests on a Tuesday morning. Usually, it's not because the code is broken—it's because the data got stale, or someone checked a password into GitHub.

Data driven testing is like owning a car; if you don't change the oil, it's gonna explode eventually. Let's talk about how to keep your scripts running smooth and avoid those "oops, I just leaked the production database" moments.

One big mistake I see is teams using the same "User_ID_123" for three years. In a fast-moving ci/cd pipeline, that data eventually gets deleted or modified by another process.

  • Refresh your data: If you're testing an e-commerce checkout, don't just hardcode a credit card number that might expire. Use a script to generate a fresh "guest user" at the start of your run.
  • Scrub the sensitive stuff: Never, ever put real customer emails or tokens in a csv file. Use "faker" libraries or masked data so you don't end up on the news for a data breach.
  • Dynamic Assertions: If your input data says the price is $10 and tax is $1, your test shouldn't just check for "Total: 11". It should calculate input_price + input_tax so the test stays valid even if the numbers change.

As mentioned earlier, standardizing how we handle this stuff is a huge priority for most teams. If everyone on the team uses a different way to hide secrets, someone's gonna mess up.

You don't need a PhD to set this up. Here is a quick example using javascript (Node.js) to loop through a json file. This is basically what I do whenever I need to smoke test a new rest api quickly.

const fs = require('fs');
const axios = require('axios');


// Load our data file
const testData = JSON.parse(fs.readFileSync('users.json', 'utf8'));


async function runTests() {
    for (const user of testData) {
        try {
            const response = await axios.post('https://api.myapp.com/v1/login&#x27;, {
                username: user.email,
                password: user.pass
            });


        <span class="hljs-comment">// Check if the api response matches our expected code in the json</span>
        <span class="hljs-keyword">if</span> (response.<span class="hljs-property">status</span> === user.<span class="hljs-property">expectedStatus</span>) {
            <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(<span class="hljs-string">`PASS: <span class="hljs-subst">${user.email}</span>`</span>);
        }
    } <span class="hljs-keyword">catch</span> (error) {
        <span class="hljs-comment">// Log the specific row that failed so we can fix it</span>
        <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">error</span>(<span class="hljs-string">`FAIL: <span class="hljs-subst">${user.email}</span> - Reason: <span class="hljs-subst">${error.response?.status || error.message}</span>`</span>);
    }
}

}


runTests();

I've used a similar pattern for a retail client where we had to validate 50 different promo codes. Instead of 50 files, we had one array and a five-minute script.

DDT isn't just a buzzword; it’s basically survival for modern QA. If you stop hardcoding, keep your data clean, and use tools like postman or custom scripts to loop through your scenarios—you’re going to save hundreds of hours.

Just remember to keep your secrets out of your csv files and make sure your assertions are as smart as your inputs. Honestly, once you go data-driven, you'll wonder how you ever lived without it. Stay curious and keep breaking things (on purpose)!

James Wellington
James Wellington

Lead QA Engineer & API Testing Specialist

 

James Wellington is a Lead QA Engineer with 8 years of experience specializing in API testing and automation. He currently works at a rapidly growing SaaS startup where he built their entire API testing infrastructure from the ground up. James is certified in ISTQB and holds multiple testing tool certifications. He's an active contributor to the testing community, regularly sharing automation scripts on GitHub and hosting monthly API testing workshops. When not testing APIs, James enjoys rock climbing and photography

Related Articles

Data-Driven Testing | API Testing With ReadyAPI
Data-Driven Testing

Data-Driven Testing | API Testing With ReadyAPI

Learn how to master Data-Driven Testing | API Testing With ReadyAPI. Use Excel and CSV files to automate your functional and performance api tests easily.

By Dr. Priya Sharma February 13, 2026 5 min read
common.read_full_article
Documenting REST API test cases
REST API test cases

Documenting REST API test cases

Learn how to document REST API test cases effectively. We cover status codes, payload validation, security checks, and tools for better api testing.

By Dr. Priya Sharma February 11, 2026 5 min read
common.read_full_article
Crowd Testing Guide
crowd testing guide

Crowd Testing Guide

Learn how to scale your quality assurance with our Crowd Testing Guide. Discover benefits for API performance, security, and global localization testing.

By James Wellington February 9, 2026 7 min read
common.read_full_article
API Testing: A Developer's Tutorial and Complete Guide
api testing

API Testing: A Developer's Tutorial and Complete Guide

Master api testing with this developer-focused guide. Learn functional, performance, and security testing for REST APIs using modern tools and best practices.

By James Wellington February 6, 2026 9 min read
common.read_full_article