Let’s build ideas! Reach out via the links below.

REST API Quality Gates

REST API Quality Gates

If you’re building AI-powered applications, a solid understanding of REST is not optional, it’s foundational. The same principles that made REST the backbone of traditional web systems have made it a perfect fit for AI services: clear resource modeling, stateless interactions, and standard HTTP semantics.

Most AI models don’t manage state. Every request must carry its own context. That’s not a limitation, it’s exactly where REST shines. While refreshing my own skills and preparing for an upcoming APIOps talk, I built my own REST API and defining quality gates around it.

Reframing, while remembering Testing Automation Pyramid by M.Cohn: API testing is not just another layer, it’s the layer where quality gate actually takes shape. Think about it: If you’re working with AI, it’s worth asking: are you validating your system where it matters or only where it’s visible?

Testing Automation Pyramid by M.Cohn

So how and why API testing adds the layer of quality?

REST API Quality gates

Pyramid

Travel Expense Tracker (AI Features in Progress)

Before AI new feature change is merged into the Travel Expense Tracker, I expect a certain level of confidence in overall quality. Not assumed, not implied, but verified. And yet, without the structure, these checks are drifting. This is why I started to draft quality gates.

Quality gates are automated checks that must pass before a change is considered ready. They are not just a checklist, but a structure for thinking about where and how we validate behavior. And as with test automation in general, the effectiveness of these gates depends on how well they are distributed.

They follow the same principle as the test automation pyramid: many fast, focused checks at the bottom, and only a few broader, slower checks at the top.

At the foundation are unit-level gates. Fast, precise, and close to the code. When they fail, they point directly to the problem area. This is where most validation should happen, because it is the cheapest place to detect issues and the easiest place to fix them.

Above that sits the API layer 1, first in-process. REST rules, validation logic, authentication resolution. This layer ensures that the application behaves correctly as a service.

Moving further up, the API layer 2 is exercised again, but this time over real HTTP. This layer acts as a contract, ensuring that what is exposed externally matches expectations.

At the top are end-to-end gates. These cover critical user journeys: registering, adding an expense, logging out and back in, handling authentication redirects. They are the most visible tests, but also the most expensive. For that reason, they are kept intentionally small in number. Their purpose is not to validate every detail, but to confirm that the system works as a whole.

In practice what often goes wrong is not the absence of tests, but imbalance. Too many checks at the top, too few at the bottom. Too much reliance on slow, brittle validation, and not enough confidence built early. Thinking in Quality gates is meant to correct that imbalance. This ensures that most issues are caught where they are cheapest to fix, while still preserving a thin layer of high-level validation where it matters most.

Journey to be continued ..

More Posts

  1. Snuffling Cards JavaScript
  2. Travel Expense Tracker
  3. When QA meets AI or Everything Everywhere All at Once
  4. Testing Assembly
  5. Finnish Testing Meetup
  6. Agentic Copilot
  7. API Days Conference
  8. Building Website with AI