GUIDE / manual
Test Cases for a Registration Form
Practical test cases for a registration form: validation, duplicates, email verify, password rules, security checks, examples, and a reusable QA suite.
Strong test cases for a registration form coverage protect the start of the user lifecycle. Registration is where accounts are created, credentials are set, consent is captured, and verification begins. Defects here cause support tickets, duplicate identities, weak passwords in production, blocked onboarding, and sometimes security exposure. A good registration suite checks not only whether the form submits, but whether the system creates the right account state and rejects unsafe or invalid input.
This guide gives you a practical scenario map, field-level cases, password and email examples, verification flow checks, security and accessibility coverage, prioritization guidance, and common mistakes. It follows the same depth and structure as a full test design exercise you can drop into Jira, TestRail, or a spreadsheet.
What a Registration Form Really Includes
A registration form is more than name, email, and password fields. End to end, the feature usually includes:
- Input collection and validation.
- Password policy enforcement.
- Unique identifier checks.
- Consent and legal acceptance.
- Bot resistance.
- Account creation transaction.
- Verification email or SMS.
- Initial profile defaults and role assignment.
- First login or onboarding redirect.
If your cases stop at "submit button works," you are only testing the shell.
Gather Rules Before Writing Cases
Read the story, UX copy, API contract, and password policy. Capture answers to these questions.
Identity rules
- Is the unique key email, phone, username, or a combination?
- Are emails case insensitive?
- Are
name+tag@gmail.comaddresses allowed? - Can one phone map to multiple accounts?
Password rules
- Minimum and maximum length.
- Character class requirements.
- Whether spaces are allowed.
- Whether breached or common passwords are blocked.
- Whether confirm password is required.
Verification rules
- Must users verify before login?
- Token expiry duration.
- Resend limits.
- What happens to unverified accounts after N days?
Legal and product rules
- Which checkboxes are mandatory?
- Age gate or country restrictions?
- Marketing opt-in default state?
- Username character set and reserved words?
Security rules
- Rate limits on sign up.
- Captcha triggers.
- Anti-enumeration messaging style.
- HTTPS only.
Write these as a one-page rules list. Every test case should trace to a rule, risk, or acceptance criterion. For general case quality standards, see how to write test cases.
Scenario Map for Registration
Happy path scenarios
- Register with all valid required fields.
- Register with valid required plus optional fields.
- Register and land on verification prompt.
- Register and auto login if product allows unverified sessions.
- Register via invite token if invite-only mode exists.
Field validation scenarios
- Each required field blank.
- Invalid email formats.
- Invalid phone formats.
- Username too short, too long, invalid characters.
- Password policy violations.
- Confirm password mismatch.
- Optional fields with extreme lengths.
Uniqueness and state scenarios
- Duplicate email exact match.
- Duplicate email different case.
- Duplicate phone.
- Re-registration after abandoned unverified signup.
- Registration with deleted account identifier if reuse is allowed later.
Consent and policy scenarios
- Submit without accepting terms.
- Marketing opt-in selected or cleared.
- Age below minimum.
- Restricted country or region if geo rules exist.
Post-submit scenarios
- Verification email content and link.
- Valid verification.
- Expired verification.
- Resend verification.
- First login after verification.
- Welcome email side effects if in scope.
Abuse and reliability scenarios
- Double click submit.
- API timeout on create.
- Script injection in name fields.
- Disposable email blocked if configured.
- High frequency signups from one client.
Reusable Registration Test Case Template
Test Case ID:
Title:
Requirement Reference:
Priority:
Type: Positive | Negative | Boundary | Security | Regression
Preconditions:
Test Data:
Steps:
Expected Result:
Actual Result:
Status:
Notes:
For suite planning, keep a compact matrix:
| ID | Area | Title | Priority |
|---|---|---|---|
| TC-REG-001 | Happy path | Valid registration with required fields | High |
| TC-REG-010 | Validation | Blank email rejected | High |
| TC-REG-020 | Password | Below minimum length rejected | High |
| TC-REG-030 | Uniqueness | Duplicate email rejected | High |
| TC-REG-040 | Verify | Valid email token activates account | High |
Test Cases for a Registration Form: Positive Coverage
| ID | Title | Preconditions | Test data highlights | Expected result |
|---|---|---|---|---|
| TC-REG-001 | Successful registration with required fields only | Email not registered, terms version current | Valid name, unique email, strong password, terms accepted | Account created in expected state, success UX shown |
| TC-REG-002 | Successful registration with optional fields | Same as above | Optional phone/company filled with valid values | Optional data stored, required path still succeeds |
| TC-REG-003 | Registration trims harmless surrounding spaces if policy says so | Unique email with spaces around it | user@example.com | Accepted as normalized email or explicit validation per rule |
| TC-REG-004 | Invite-based registration | Valid invite token | Invite URL + valid fields | Account linked to invite, token consumed if single use |
| TC-REG-005 | Marketing opt-in stored correctly | Valid registration | Opt-in checked | Preference saved as true |
| TC-REG-006 | Marketing opt-out stored correctly | Valid registration | Opt-in unchecked | Preference saved as false, registration still succeeds |
Detailed happy path example
Test Case ID: TC-REG-001
Title: Verify new user can register with valid required data
Requirement Reference: US-REG-01
Priority: High
Type: Positive
Preconditions:
- Registration page is reachable
- Email new.user.2026@example.com is not registered
- Email delivery is enabled in test environment
Test Data:
- Full name: Alex Buyer
- Email: new.user.2026@example.com
- Password: ValidPass#2026
- Confirm password: ValidPass#2026
- Terms: accepted
Steps:
1. Open the registration page.
2. Enter full name.
3. Enter email.
4. Enter password and confirm password.
5. Accept terms.
6. Submit the form.
Expected Result:
- Submission succeeds without server error.
- User sees success or verify-email guidance per design.
- Account exists in system with unverified or verified state as required.
- Password is stored hashed, not displayed later in UI.
- Verification email is sent if required.
- No duplicate account is created on single submit.
Field-Level Validation Cases
Required fields
For each required field, write at least:
- Field empty, others valid.
- Field whitespace only if relevant.
- Field removed from request in API-level testing if you test APIs too.
| ID | Title | Expected |
|---|---|---|
| TC-REG-010 | Blank full name | Name required message, no account |
| TC-REG-011 | Blank email | Email required message, no account |
| TC-REG-012 | Blank password | Password required message, no account |
| TC-REG-013 | Terms not accepted | Terms acceptance required, no account |
| TC-REG-014 | All required blank | All required errors shown usefully |
Email format cases
| ID | Input example | Expected |
|---|---|---|
| TC-REG-015 | user@ | Invalid email |
| TC-REG-016 | user@domain | Invalid or rejected if FQDN required |
| TC-REG-017 | user@@domain.com | Invalid email |
| TC-REG-018 | user domain@example.com | Invalid email |
| TC-REG-019 | user@example.com | Valid format |
| TC-REG-020 | USER@Example.com | Accepted and normalized if policy ignores case |
| TC-REG-021 | user+tag@example.com | Accepted if plus addressing allowed |
| TC-REG-022 | very-long-local-part...@example.com | Rejected at max length boundary |
Confirm whether validation is client only or also server side. Client-only validation is a defect if API accepts junk.
Username cases if present
- Minimum length minus one.
- Minimum length.
- Maximum length.
- Maximum length plus one.
- Allowed characters only.
- Unicode handling.
- Reserved names such as
admin,support,rootif blocked. - Profanity filter if product uses one.
Phone cases if present
- Missing country code if required.
- Too short and too long numbers.
- Letters in phone field.
- Valid E.164 format if that is the standard.
- Duplicate phone if unique.
Password Policy Test Cases
Password rules are a frequent source of incomplete testing. Build a matrix from the actual policy.
Example policy:
Password must be 8-64 characters, include upper, lower, number, and special character. Confirm password must match. Common passwords are blocked.
| ID | Title | Password data | Expected |
|---|---|---|---|
| TC-REG-030 | Below minimum length | Ab1!a (too short) | Rejected with clear rule guidance |
| TC-REG-031 | Exact minimum length valid composition | 8 char valid password | Accepted |
| TC-REG-032 | Exact maximum length | 64 char valid password | Accepted |
| TC-REG-033 | Over maximum length | 65 chars | Rejected |
| TC-REG-034 | Missing uppercase | all lower + number + special | Rejected |
| TC-REG-035 | Missing number | Upper lower special only | Rejected |
| TC-REG-036 | Missing special | Upper lower number only | Rejected |
| TC-REG-037 | Confirm password mismatch | Pass A / Pass B | Rejected, no account |
| TC-REG-038 | Common password blocked | Password1! if in blocklist | Rejected as too common |
| TC-REG-039 | Leading/trailing spaces in password | Policy-specific | Exactly matches whether spaces count |
Also test that error text helps the user without revealing confusing internals. After a valid registration, pair with test cases for login page to prove the new credential works.
Duplicate Account and Enumeration Cases
Functional uniqueness
| ID | Title | Setup | Expected |
|---|---|---|---|
| TC-REG-040 | Exact duplicate email | Email already registered | Registration rejected |
| TC-REG-041 | Duplicate email different case | User@example.com vs user@example.com | Rejected if case-insensitive identity |
| TC-REG-042 | Duplicate phone | Phone already used | Rejected if unique |
| TC-REG-043 | Same email after unfinished verify | Unverified account exists | Policy: block, replace, or resend |
Security messaging
Product security may require not saying "email already registered" on public forms. Your expected result must match the approved policy.
Examples of policy variants:
- Explicit: "An account with this email already exists."
- Generic: "If this email can be used, you will receive next steps."
- Hybrid: success-looking response without creating a second account.
Write cases for the chosen policy. Do not invent a friendlier message that weakens security.
Terms, Consent, Age, and Locale Cases
| ID | Title | Expected |
|---|---|---|
| TC-REG-050 | Submit without required terms | Blocked |
| TC-REG-051 | Terms link opens correct version | Correct legal document |
| TC-REG-052 | Marketing default state | Matches design (checked/unchecked) |
| TC-REG-053 | Under minimum age | Blocked with age policy message |
| TC-REG-054 | Supported locale labels render | Required local language strings correct |
| TC-REG-055 | RTL layout if supported | Form usable, errors visible |
Consent defects can be legal issues, not only UX bugs. Keep evidence of checkbox state and stored preference when testing.
Email or SMS Verification Flow Cases
Registration is unfinished if verification is required and untested.
| ID | Title | Expected |
|---|---|---|
| TC-REG-060 | Verification message sent on success | Message delivered to registered identifier |
| TC-REG-061 | Valid token verifies account | Account becomes verified, user can proceed |
| TC-REG-062 | Expired token | Clear expiry error, no verification |
| TC-REG-063 | Already used token | Rejected if single use |
| TC-REG-064 | Tampered token | Rejected safely |
| TC-REG-065 | Resend verification | New token works, old token behavior per policy |
| TC-REG-066 | Resend rate limit | Excess resends blocked |
| TC-REG-067 | Unverified login policy | Login blocked or limited exactly as specified |
Detailed example:
Title: Verify expired registration token cannot activate account
Preconditions:
- User registered and token generated
- System clock or token fixture can represent expiry
Steps:
1. Complete registration for unique email.
2. Obtain verification link.
3. Wait for token expiry or use expired fixture token.
4. Open the verification link.
Expected Result:
- Account is not verified.
- User sees expired link guidance.
- Resend verification is offered if in product scope.
- Login remains blocked if verification is mandatory.
Boundary and Equivalence Ideas for Registration Inputs
Use partitioning so you do not write infinite cases. Techniques from boundary value analysis and equivalence partitioning apply cleanly to names, passwords, and phones.
Example partitions for full name:
- Empty.
- Valid short name.
- Valid typical name.
- Valid max length.
- Over max length.
- Name with hyphen/apostrophe if allowed.
- Name with digits if disallowed.
- Name with script tags.
Example partitions for email:
- Valid standard.
- Valid plus tag.
- Invalid format class.
- Existing account class.
- Blocked domain class.
One case per meaningful partition is usually enough unless risk is extreme.
Security Test Cases for Registration
| ID | Title | Expected |
|---|---|---|
| TC-REG-070 | SQL-like payload in email/name | No bypass, no 500 crash, safe rejection |
| TC-REG-071 | XSS payload in name | Stored/reflected safely, no script execution |
| TC-REG-072 | Rapid-fire registrations | Rate limited or captcha challenged |
| TC-REG-073 | Password returned in response body | Password never returned |
| TC-REG-074 | Account created over HTTP if HTTPS required | Redirect or block |
| TC-REG-075 | Mass assignment of role=admin in API | Role ignored, default user role only |
Sample payloads for name field:
<script>alert('x')</script>
{{7*7}}
' OR '1'='1
../../etc/passwd
Expected: rejected or safely stored as inert text. Admin screens that later render the name should still be safe.
UX, Accessibility, and Reliability Cases
UX
- Password strength meter updates correctly if present.
- Inline validation timing matches design (on blur vs on submit).
- Errors clear when the user fixes the field.
- Submit button disabled or protected during in-flight request.
- Success page explains next step clearly.
Accessibility
- Labels are programmatically associated.
- Required fields are announced.
- Error summary is keyboard reachable.
- Focus management after errors is sane.
- Color contrast of errors meets target standard.
Reliability
- Network failure shows recovery guidance.
- Retry does not create duplicate accounts unexpectedly.
- Browser refresh after success does not re-POST duplicates.
- Back navigation does not create confusing half states.
API-Level Cases Complement UI Cases
If you can access registration APIs in test environments, add:
- Missing required JSON fields.
- Extra unexpected fields.
- Invalid content types.
- Unsupported Accept headers if relevant.
- Idempotency behavior for retries.
UI tests catch what users see. API tests catch what attackers and buggy clients can still do.
Prioritization for Registration Suites
| Suite | Cases to include |
|---|---|
| Smoke | One valid registration, one required field failure, one duplicate email |
| Release regression | Password policy sample, verification valid/expired, terms required, normalization |
| Security pack | XSS/SQL samples, rate limit, role tampering, password leakage checks |
| Localization pack | Key locales for labels and legal links |
Automate smoke and stable validation. Keep email token tests deterministic with mail catchers or test doubles.
Test Data Strategy
- Generate unique emails every run:
reg+<timestamp>@example.comif plus addressing works. - Clean up or isolate accounts by environment.
- Seed one existing user for duplicate tests.
- Keep a known weak password list aligned with product blocklist samples.
- Never use real customer emails in shared screenshots.
Common Mistakes When Testing Registration Forms
Mistake 1: Testing only client-side validation
If the API accepts invalid payloads, the product is still broken. Include at least a few server-side checks.
Mistake 2: Forgetting confirm password and terms
These are easy fields to skip in haste and easy defects to ship.
Mistake 3: No verification lifecycle coverage
"Email sent" is not enough. Token success, expiry, reuse, and resend matter.
Mistake 4: Weak expected results
"Error shown" is incomplete. State whether an account was created, whether email was sent, and whether the user can log in.
Mistake 5: Ignoring case normalization
Alex@Example.com and alex@example.com often should be the same identity. Missing this creates duplicate chaos.
Mistake 6: Not checking stored preferences
Marketing opt-in defaults can be legally sensitive. Verify stored values, not only UI clicks.
Mistake 7: One giant end-to-end case only
A 40-step mega case is hard to diagnose. Split validation, uniqueness, verification, and first login.
Mistake 8: Leaving temporary debug messages as expected text
Anchor expected results to stable meaning, and update when product copy changes intentionally.
Sample Starter Suite (Copy and Extend)
- TC-REG-001 Valid registration.
- TC-REG-010 Blank name.
- TC-REG-011 Blank email.
- TC-REG-012 Blank password.
- TC-REG-015 Invalid email format.
- TC-REG-030 Password below minimum.
- TC-REG-037 Confirm password mismatch.
- TC-REG-013 Terms not accepted.
- TC-REG-040 Duplicate email.
- TC-REG-041 Duplicate email different case.
- TC-REG-060 Verification email sent.
- TC-REG-061 Valid token verifies.
- TC-REG-062 Expired token fails.
- TC-REG-071 XSS name payload safe.
- TC-REG-072 Rate limit on rapid signups.
Fifteen well written cases already form a credible registration pack for many SaaS apps.
From Failure to Defect Report
When registration fails unexpectedly, capture:
- Exact payload or form values.
- Whether account row was created.
- Email delivery evidence.
- Timestamps for token tests.
- Browser and environment.
Use a clear defect structure from how to write a bug report. Auth onboarding bugs need reproducible identity data more than most UI bugs.
Automation Guidance
Automate:
- Valid registration against disposable mail inbox.
- Required field validations that are stable.
- Duplicate identifier rejection.
- Password policy samples.
- Verification confirm with test hooks.
Be careful with:
- Real SMS costs and provider flakiness.
- Third-party captcha.
- Legal copy assertions that change often.
Prefer asserting account state via test APIs after UI submit when available.
Practice Assignment
Take any public demo sign-up page or a practice arena app and do this in one hour:
- List every field and rule you can observe.
- Write 20 scenarios.
- Fully detail 8 test cases with data and expected results.
- Mark any anti-enumeration uncertainty as an open question.
- Identify 5 automation candidates.
If you want competitive reps writing cases under constraints, create an account via QABattle sign-up and use manual battles to practice turning a form into a prioritised suite.
Registration Review Checklist
- Happy path creates the correct account state.
- All required fields validated.
- Email/phone/username rules covered.
- Password policy covered at boundaries.
- Confirm password covered if present.
- Duplicate identity handling covered.
- Consent and age rules covered.
- Verification lifecycle covered when required.
- Security samples included.
- Accessibility smoke included.
- Messaging matches security policy.
- Test data strategy is repeatable.
- Cases are traceable to requirements.
Conclusion
Effective test cases for a registration form features verify creation, rejection, consent, verification, and safe failure, not just a green success toast. Build from product rules, partition inputs, force uniqueness and password boundaries, and follow the account through verification and first login. When registration quality is high, login testing becomes easier, support volume drops, and users start their journey in a trustworthy account state.
Treat registration as identity infrastructure. Your test suite should be good enough that a new teammate can execute it and decide, without guesswork, whether the product is safe to open for new users.
FAQ
Questions testers ask
What are the most important test cases for a registration form?
Prioritize successful registration with valid data, required field validation, email or phone format checks, password policy enforcement, duplicate account handling, terms acceptance, and post-submit verification flow. Add security cases for injection, enumeration, and rate limiting when accounts are public-facing.
How do you test email validation on sign up?
Test valid standard emails, missing @, missing domain, spaces, plus-addressing if allowed, uppercase normalization, disposable domains if blocked, and maximum length. Confirm both client-side hints and server-side enforcement. Verify the verification email is sent only when registration is accepted.
Should registration allow duplicate emails?
Almost never for primary login identifiers. The system should reject or merge according to product policy. Test exact duplicates, case variants, and leading/trailing spaces. Check that error messaging does not leak whether an email exists if security policy requires anti-enumeration.
What password test cases are needed for registration?
Cover minimum and maximum length, required character classes, common weak passwords if blocked, password and confirm password mismatch, paste behavior, and rejected passwords with clear guidance. After success, confirm the user can log in with the new password and not with a previous temporary value.
How do you test email verification after registration?
Verify email send on accepted sign up, valid token activates account, expired token fails, reused token fails if single use, wrong token fails, and unverified login policy is enforced. Also test resend verification limits and that verified users are not prompted again incorrectly.
What negative test cases apply to registration forms?
Blank required fields, invalid formats, weak passwords, mismatched confirm password, existing account identifiers, unchecked required terms, unsupported characters where restricted, script/SQL payloads, and rapid repeated submissions. Negative cases should assert no account creation when rejection is expected.
RELATED GUIDES
Continue the route
How to Write Test Cases for a Login Page (with Examples)
Write test cases for a login page with positive, negative, security, and lockout examples, plus a reusable template and practical QA checklist.
How to Write Test Cases: Complete Guide with Examples
Learn how to write test cases with practical steps, examples, a QA template, common mistakes, and review tips for reliable software coverage.
Boundary Value Analysis and Equivalence Partitioning Explained
Learn boundary value analysis and equivalence partitioning with examples, robust BVA rules, interview tips, and how to design sharper test cases.
Bug Report Template: How to Write a Great Defect Report
Learn how to write a bug report with a clear template, steps to reproduce, severity vs priority, expected vs actual results, and examples developers trust.