GUIDE / performance
API Performance Testing Guide: From Baseline to CI
Learn API performance testing with scenarios, load models, tools, metrics, thresholds, CI gates, baselines, reports, and common mistakes in QA.
API performance testing helps teams understand whether services are fast, stable, and scalable under realistic traffic. A functional API test can prove that GET /orders/123 returns the correct data. An API performance test asks a different question: what happens when thousands of users, jobs, or integrations call that endpoint repeatedly under production like conditions?
This guide covers the practical workflow: choosing API scenarios, defining load models, preparing data, selecting tools, measuring response time percentiles, setting thresholds, connecting results to server metrics, adding CI gates, and avoiding mistakes that make API performance results misleading.
API Performance Testing: What You Are Measuring
API performance testing measures how an API behaves under traffic. The main signals are:
- Response time.
- Throughput.
- Error rate.
- Concurrency.
- Saturation.
- Resource usage.
- Scalability.
- Recovery.
Response time is not only an average. Percentiles matter. If p95 is 800 ms, 95 percent of requests completed at or below 800 ms and 5 percent were slower. Users often feel tail latency more than averages.
Throughput measures how much work the API completes, such as requests per second, orders per minute, or messages processed per minute. Error rate shows the percentage of failed responses. Saturation tells you whether CPU, memory, database connections, queues, thread pools, or external dependencies are reaching limits.
API Performance Testing vs API Functional Testing
Functional API testing and performance testing complement each other.
| Dimension | Functional API Testing | API Performance Testing |
|---|---|---|
| Main question | Is the response correct? | Is the response fast and stable under load? |
| Typical load | One request or small set | Many concurrent users or requests |
| Metrics | Status, schema, body, business rules | p95, p99, throughput, errors, saturation |
| Environment | Dev, test, CI | Performance, staging, controlled production |
| Failure example | Wrong status code | Timeout at 500 concurrent users |
| Tool examples | Postman, REST Assured, Playwright API | k6, JMeter, Gatling, Locust |
Start with functional correctness. A load test against a broken API is noise. If you need fundamentals first, read API testing tutorial.
Step 1: Pick the Right API Scenarios
Do not performance test every endpoint with the same intensity. Choose based on risk and usage.
Good candidates:
- Login and token refresh.
- Product search.
- Checkout and order creation.
- Payment authorization.
- User profile retrieval.
- Report generation.
- File upload metadata.
- Webhook ingestion.
- Inventory updates.
- High traffic public APIs.
Weak first candidates:
- Rare admin endpoints.
- Debug endpoints.
- Health checks only.
- Endpoints without clear user or system value.
- Scenarios that cannot be monitored.
A useful scenario represents business behavior. For example, "browse catalog" may include search, product details, recommendations, and pricing. "Submit order" may include cart validation, coupon calculation, payment, inventory reservation, and order creation.
Step 2: Define the Performance Goal
A test without a target is just traffic. Define the goal in measurable terms.
Examples:
- Product search p95 under 500 ms at 200 requests per second.
- Login error rate below 0.5 percent at expected morning peak.
- Order creation supports 1,000 orders per minute for 15 minutes.
- Report API completes p95 under 5 seconds for common date ranges.
- Webhook ingestion accepts 10,000 events in 5 minutes without queue loss.
The target should come from business needs, service objectives, historical baselines, or user experience expectations. For guidance on timing expectations, see what is a good API response time.
Step 3: Prepare Test Data
API performance tests are extremely sensitive to data. A query that returns ten records may behave differently from one that scans ten million. A cached product may be faster than a cold product. A repeated login using the same user may trigger security controls.
Data checklist:
- Use enough unique users or tokens.
- Vary IDs, search terms, filters, regions, and date ranges.
- Include realistic data volume.
- Avoid shared mutable records across virtual users.
- Use sandbox payment and email systems.
- Create data through setup APIs where possible.
- Clean up records safely after runs.
For read heavy APIs, include both popular and less common values if that reflects production. For write heavy APIs, plan how to avoid duplicate keys and data collisions.
Step 3A: Understand API Dependencies
An API endpoint is often a thin layer over several dependencies. A single request may call a database, cache, search index, identity provider, payment sandbox, queue, object storage system, and another internal service. API performance testing should make those dependencies visible.
Dependency mapping questions:
- Which downstream systems does the endpoint call?
- Are calls sequential or parallel?
- Are there retries?
- What are the timeout values?
- Is there caching?
- Does the endpoint write to a queue?
- Is the response eventually consistent?
- Are there rate limits or quotas?
This map helps you interpret results. If response time jumps only when cache hit rate drops, the cache may be protecting a slow query. If errors rise when an external dependency slows, the API may need better timeout and circuit breaker behavior.
Include dependency owners in important performance reviews. API performance is rarely owned by one class or controller.
Step 4: Choose Load Models
Different load models answer different questions.
| Model | Use It To Answer | Example |
|---|---|---|
| Baseline | What is normal behavior? | 50 RPS for 15 minutes |
| Load | Can we handle expected traffic? | Peak forecast traffic for 30 minutes |
| Stress | Where do we break? | Increase RPS until p95 or errors fail |
| Spike | Can we absorb bursts? | Jump from 50 to 500 RPS in 1 minute |
| Soak | Do we degrade over time? | 100 RPS for 6 hours |
Do not start with the biggest test. Run a smoke test first to validate scripts and data. Then run a baseline. Then increase load based on the question.
Step 5: Select a Tool
For API performance testing, k6, JMeter, Gatling, and Locust are common choices.
k6 is strong when teams want JavaScript scripts, clean thresholds, and CI friendly execution. JMeter is useful when testers want a GUI and broad protocol support. Gatling is strong for code based scenario modeling and detailed reports. Locust is useful for Python based user behavior modeling.
Example k6 API performance test:
import http from "k6/http";
import { check, sleep } from "k6";
export const options = {
stages: [
{ duration: "5m", target: 50 },
{ duration: "10m", target: 100 },
{ duration: "5m", target: 0 },
],
thresholds: {
http_req_failed: ["rate<0.01"],
"http_req_duration{endpoint:search}": ["p(95)<500"],
},
};
export default function () {
const response = http.get("https://api.example.com/search?q=shoes", {
tags: { endpoint: "search" },
});
check(response, { "search status is 200": (r) => r.status === 200 });
sleep(1);
}
The important parts are scenario, load shape, checks, and thresholds. Tool syntax is secondary.
Authentication and Token Strategy
Authentication can dominate API performance if it is modeled poorly. Decide whether authentication is part of the scenario or setup.
Two valid approaches:
| Approach | Use When | Risk |
|---|---|---|
| Token as setup | You want to test business endpoints under load | May hide auth bottlenecks |
| Login in scenario | Login or token refresh is part of the risk | Can overload identity systems |
For many tests, create or fetch tokens during setup, then reuse them safely during the run. For authentication specific tests, include login, token validation, refresh, logout, and invalid token behavior.
Avoid one shared token for every virtual user if the product behavior depends on user identity, permissions, quotas, or personalization. Use a pool of tokens or generate them per user. Keep secrets out of scripts and inject them through environment variables or secret managers.
Step 6: Add Checks and Assertions
A performance test must validate correctness. Otherwise the API could return fast errors and still look good.
Useful checks:
- Status code is expected.
- Response schema is valid enough for the scenario.
- Required field exists.
- Business status is correct.
- No error message appears.
- Response body is not empty when data should exist.
Assertions or thresholds should define run success:
- Error rate below 1 percent.
- p95 below target.
- p99 below tolerance.
- Throughput reaches expected level.
- No critical endpoint exceeds budget.
Avoid setting thresholds after seeing the result just to make the test pass. Thresholds are release criteria, not decoration.
Choosing Good Thresholds
Thresholds should be strict enough to catch meaningful regressions and realistic enough for the endpoint's purpose.
Example threshold set:
| Endpoint | Target |
|---|---|
GET /products | p95 under 400 ms, error rate under 0.5 percent |
GET /products/{id} | p95 under 300 ms, error rate under 0.5 percent |
POST /orders | p95 under 900 ms, error rate under 1 percent |
GET /reports/monthly | p95 under 5 seconds, error rate under 1 percent |
Not every endpoint needs the same target. A lightweight lookup and a complex report should not share one arbitrary response time budget. Tie thresholds to user experience, business impact, and baseline behavior.
Also decide what happens when thresholds fail. A failed threshold should create a clear action: investigate before release, compare with previous baseline, fix a bottleneck, or explicitly accept risk.
Step 7: Monitor Server Side Metrics
API performance testing without server monitoring is incomplete. The load tool tells you what clients experienced. Server metrics explain why.
Monitor:
- Application CPU and memory.
- Database CPU, connections, locks, slow queries.
- Cache hit rate and eviction.
- Thread pools and connection pools.
- Queue depth and processing latency.
- External service latency.
- Error logs by endpoint.
- Container throttling.
- Network saturation.
If p95 rises at the same time database slow queries increase, the bottleneck may be query performance or missing indexes. If errors begin when connection pool usage reaches maximum, pool sizing or downstream latency may be the issue.
API Gateway and Network Considerations
Many APIs sit behind gateways, load balancers, service meshes, or CDN layers. Those layers can affect performance results.
Watch for:
- Gateway rate limits.
- TLS handshake overhead.
- Request body size limits.
- Header size limits.
- Connection reuse behavior.
- Load balancer distribution.
- Regional routing.
- WAF or bot protection rules.
- Service mesh retries and timeouts.
If your load test runs from one network location, results may not represent global users. For user facing APIs, consider regional testing or at least document the load generator location. For internal service APIs, run load from a network path similar to production callers.
Step 8: Run in CI/CD Carefully
API performance tests can run in CI, but choose the right size.
Good CI pattern:
Pull request:
functional API tests, contract tests
Merge:
small API performance smoke test
Nightly:
expected load test for critical APIs
Release:
stress or spike test for high risk changes
Small tests can catch obvious performance regressions. Heavy tests should run in controlled environments because they can distort shared systems.
Publish reports as artifacts. Fail builds only on meaningful thresholds. A performance gate that fails randomly because the environment is shared or noisy will lose credibility.
Baselines and Regression Detection
API performance testing becomes stronger when each run is compared to a baseline. A single result tells you whether a target was met. A trend tells you whether performance is getting better or worse.
Track:
- p50, p95, and p99 over time.
- Throughput over time.
- Error rate over time.
- Slowest endpoints by release.
- Resource usage for the same workload.
- Test duration and environment notes.
If p95 for POST /orders moves from 450 ms to 700 ms over three releases, that trend matters even if the formal threshold is 900 ms. Performance regressions are easier to fix when caught early.
Baselines should include context. A baseline from a quiet dedicated environment should not be compared blindly with a run from a noisy shared environment.
Reading API Performance Results
Start with the goal. If the goal was p95 under 500 ms at 100 RPS, check that first. Then inspect supporting metrics.
Questions to ask:
- Did the API reach the requested throughput?
- Did error rate stay below threshold?
- Did p95 and p99 remain stable?
- Which endpoint was slowest?
- Did response time increase as load increased?
- Did server resources saturate?
- Did external dependencies slow down?
- Did the system recover after load dropped?
Do not celebrate low average response time if p99 is terrible. Do not ignore a small error rate if every error is a failed payment or lost order.
Example API Performance Report Summary
Objective:
Validate catalog and checkout APIs for expected campaign load.
Load profile:
Ramp to 250 requests per second over 10 minutes, hold for 20 minutes.
Result:
Catalog endpoints met targets. Checkout p95 increased from 620 ms baseline to 1.1 seconds.
Error rate stayed below 1 percent, but order creation showed connection pool waits.
Bottleneck:
Database connection pool reached maximum during checkout bursts.
Decision:
Do not block release for catalog changes. Investigate checkout pool waits before campaign launch.
This style is short, but it connects results to a release decision. That is what stakeholders need.
Common Mistakes in API Performance Testing
Mistake 1: Testing Only One Endpoint in Isolation
Endpoint tests are useful, but real workflows often chain multiple APIs. Include scenario based tests for critical flows.
Mistake 2: Ignoring Authentication Cost
Token generation, validation, and refresh can become bottlenecks. Decide whether the test includes auth as part of the scenario.
Mistake 3: Reusing One Data Record
Repeated use of one ID can create unrealistic caching or collisions. Vary data.
Mistake 4: Looking Only at Averages
Use percentiles. Tail latency matters.
Mistake 5: Running Heavy Tests in Shared CI
Heavy tests can overload shared environments and produce noisy failures. Schedule them intentionally.
Mistake 6: Missing Server Metrics
Without server metrics, you may know that the API slowed down but not why.
Mistake 7: Using Functional Assertions Only
Functional checks say the response is correct. Performance thresholds say whether it is acceptable under load. You need both.
API Performance Test Plan Template
Use this compact template:
| Field | Example |
|---|---|
| Objective | Verify product search p95 under 500 ms at 200 RPS |
| Environment | Performance staging, build 2026.07.10 |
| Scope | Search, product details, price lookup |
| Out of scope | Checkout, payment, admin reports |
| Tool | k6 |
| Data | 10,000 product IDs, 500 search terms |
| Load profile | Ramp to 200 RPS over 10 minutes, hold 20 minutes |
| Thresholds | Error rate below 1 percent, p95 under 500 ms |
| Monitoring | App, database, cache, gateway, load generator |
| Artifacts | Script, raw results, summary report, dashboards |
This template makes the test reviewable before execution.
Final Workflow
Follow this workflow for API performance testing:
- Choose the critical API scenario.
- Define measurable goals.
- Prepare realistic data.
- Select a load model.
- Write scripts with checks.
- Add thresholds.
- Run a smoke test.
- Run baseline and load tests.
- Monitor the full stack.
- Report bottlenecks and decisions.
API performance testing works best when it becomes part of normal engineering evidence. Use small tests for fast feedback, larger tests for release risk, and stress tests when you need to understand limits. For hands on practice, use QABattle to turn an API scenario into a measurable performance test plan before writing the first script.
One final habit helps: save the exact script, data version, environment, build number, dashboard links, threshold configuration, and owner notes with every result. Performance findings age quickly when context is missing. A reproducible result is far easier to defend, compare, and improve in the next release with the same evidence.
FAQ
Questions testers ask
What is API performance testing?
API performance testing measures how an API behaves under expected, increased, or sustained traffic. It focuses on response time, throughput, error rate, resource usage, scalability, and whether the API continues to meet service expectations under realistic workloads.
How do you test API response time?
Test API response time by choosing representative endpoints, preparing realistic data, running controlled load, measuring percentiles such as p95 and p99, monitoring server resources, and comparing results against agreed thresholds instead of relying only on averages.
Which tools are best for API performance testing?
Common tools include k6, JMeter, Gatling, Locust, and commercial platforms. k6 is popular for developer friendly API checks, JMeter is broad and familiar, and Gatling is strong for code based high volume simulations.
What is a good API response time?
A good API response time depends on the product and endpoint. Many interactive APIs target p95 under a few hundred milliseconds, while complex reports may have higher budgets. Define targets by user experience, business need, and baseline measurements.
Can API performance tests run in CI/CD?
Yes. Run small API performance smoke tests in CI and heavier load or stress tests on schedules or release gates. Use thresholds, publish reports, and avoid running heavy tests against shared environments without coordination.
RELATED GUIDES
Continue the route
API Testing Tutorial: A Beginner's Complete Guide
API testing tutorial for beginners: learn REST API checks, CRUD test cases, tools, status codes, and a practical checklist for reliable API quality.
What Is a Good API Response Time?
What is a good API response time? Learn p95 vs average targets, SLA vs SLO, industry benchmarks, and how to set latency goals your API can actually meet.
JMeter vs k6 vs Gatling: Performance Testing Guide
Compare JMeter vs k6 vs Gatling for performance testing, scripting, protocols, CI/CD, reports, scaling, maintainability, and team fit for QA.
How to Do Stress Testing: Complete QA Guide
Learn how to do stress testing with goals, workload models, tools, monitoring, stop conditions, failure analysis, reports, and QA examples safely.