A robust, Go-based API testing tool designed to verify connectivity, authentication, and successful API responses for Azure-protected endpoints using Microsoft Entra ID (formerly Azure Active Directory) authentication.
- ✅ Entra ID Authentication: Client credentials flow using Azure Identity SDK
- ✅ Multi-Endpoint Testing: Test multiple APIs with different configurations
- ✅ All HTTP Methods: Support for GET, POST, PUT, PATCH, DELETE
- ✅ Comprehensive Testing: Checks connectivity, authentication, and response status
- ✅ Detailed Reporting: Console output with pass/fail status and error details
- ✅ Configuration-Based: JSON configuration file for endpoints and credentials
- ✅ Well-Tested: Comprehensive unit tests for all components
- ✅ Best Practices: Built following Go and Azure SDK best practices
- Go 1.25 or higher
- Azure service principal credentials (Client ID, Client Secret, Tenant ID)
- Access to the APIs you want to test
Download the latest release for your platform from the Releases page.
Available for:
- Linux: amd64, arm64, armv6, armv7
- macOS: amd64 (Intel), arm64 (Apple Silicon)
- Windows: amd64
Quick install:
# macOS/Linux - download and install
curl -L https://github.com/hutstep/entra-id-api-tester/releases/latest/download/entra-id-api-tester_$(uname -s)_$(uname -m).tar.gz | tar xz
sudo mv api-tester /usr/local/bin/go install github.com/hutstep/entra-id-api-tester/cmd/api-tester@latest- Clone or download this repository
- Navigate to the project directory
- Install dependencies:
go mod download- Build:
go build -o api-tester ./cmd/api-testerCreate a config.json file in the project root with your API endpoints.
Quick Start: Copy the example configuration:
cp config.example.json config.jsonThen edit config.json with your actual credentials and endpoints:
{
"endpoints": [
{
"name": "My API - Production",
"url": "https://api.example.com/endpoint",
"method": "GET",
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
"tenantId": "your-tenant-id",
"scope": "api://your-app-id/.default",
"requestBody": null
},
{
"name": "My API - POST Example",
"url": "https://api.example.com/resource",
"method": "POST",
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
"tenantId": "your-tenant-id",
"scope": "api://your-app-id/.default",
"requestBody": {
"key": "value",
"foo": "bar"
}
}
]
}| Field | Required | Description |
|---|---|---|
name |
Yes | Descriptive name for the endpoint |
url |
Yes | Full URL of the API endpoint to test |
method |
Yes | HTTP method (GET, POST, PUT, PATCH, DELETE) |
clientId |
Yes | Azure AD application (client) ID |
clientSecret |
Yes | Azure AD client secret |
tenantId |
Yes | Azure AD tenant ID |
scope |
Yes | OAuth scope (typically api://<app-id>/.default) |
requestBody |
No | JSON object for POST/PUT/PATCH requests |
go build -o api-tester ./cmd/api-tester# Using default config.json
./api-tester
# Using custom config file
./api-tester -config path/to/config.json
# Verbose output
./api-tester -verbose-config: Path to configuration file (default:config.json)-verbose: Enable verbose output showing detailed test steps-version: Print version information and exit
Loaded configuration with 2 endpoint(s)
================================================================================
[1/2] Testing: My API - Production
URL: https://api.example.com/endpoint
Method: GET
✓ PASS - All checks passed (Duration: 1.234s)
[2/2] Testing: My API - POST Example
URL: https://api.example.com/resource
Method: POST
✗ FAIL - Unexpected status code: 401 (Duration: 567ms)
• Authentication: PASSED
• Connectivity: PASSED
• Response Status: FAILED (Status Code: 401)
================================================================================
SUMMARY
--------------------------------------------------------------------------------
Total Endpoints: 2
Passed: 1 (50.0%)
Failed: 1 (50.0%)
• Authentication Failures: 0
• Connectivity Failures: 0
• Response Failures: 1
================================================================================
Run the unit tests:
# Run all tests
go test ./...
# Run tests with coverage
go test -cover ./...
# Run tests with verbose output
go test -v ./...
# Run tests for a specific package
go test ./internal/auth
go test ./internal/client
go test ./internal/config.
├── cmd/
│ └── api-tester/
│ └── main.go # Main application entry point
├── internal/
│ ├── auth/
│ │ ├── auth.go # Authentication logic
│ │ └── auth_test.go # Authentication tests
│ ├── client/
│ │ ├── client.go # HTTP client logic
│ │ └── client_test.go # HTTP client tests
│ └── config/
│ ├── config.go # Configuration handling
│ └── config_test.go # Configuration tests
├── config.example.json # Example configuration file
├── go.mod # Go module definition
├── go.sum # Go module checksums
└── README.md # This file
- Configuration Loading: Reads and validates the JSON configuration file
- Authentication: For each endpoint, acquires an access token from Microsoft Entra ID using client credentials flow
- API Request: Makes an HTTP request to the endpoint with the Bearer token
- Response Validation: Checks if the response status code indicates success (2xx)
- Reporting: Outputs detailed results for each endpoint and a summary
- ✅ Never commit
config.jsonwith real credentials to version control - ✅ Use environment-specific configuration files
- ✅ Rotate client secrets regularly
- ✅ Use Azure Key Vault for production deployments
- ✅ Follow the principle of least privilege when assigning API permissions
- Verify your Client ID, Client Secret, and Tenant ID are correct
- Ensure the service principal has the necessary permissions
- Check that the scope matches your API's application ID
- Verify the URL is correct and accessible
- Check network connectivity and firewall rules
- Ensure DNS resolution is working
- Check if the API requires specific headers or query parameters
- Verify the HTTP method is correct
- Review the API's documentation for required request format
Contributions are welcome! Here are some ways you can contribute:
- Use GitHub Issues to report bugs or request features
- Include clear reproduction steps for bugs
- Provide sample configurations (without secrets!) when relevant
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Make your changes
- Add tests for new functionality
- Ensure all tests pass (
make test) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
- Follow Go best practices and idiomatic code style
- Maintain or improve test coverage
- Update documentation for new features
- Run
make lintbefore committing
- Support for custom headers
- Certificate-based authentication
- Response body validation (JSON schema)
- Export results to JSON/CSV formats
- Parallel endpoint testing
- Retry logic with exponential backoff
- Docker container support
- CI/CD pipeline examples
This project uses GitHub Actions for continuous integration and automated releases:
- Lint: Code formatting (gofmt), go vet, golangci-lint
- Test: Unit tests with race detector on Go 1.25
- Build: Cross-platform builds (Linux, macOS, Windows)
- Security: Gosec security scanner and govulncheck vulnerability checks
- Dependency Review: Checks for vulnerable dependencies
All checks must pass before PRs can be merged.
Releases are automated using GoReleaser and Conventional Commits:
- On merge to main: Version is calculated from commit messages
- Semantic versioning: Based on commit types (feat, fix, etc.)
- Multi-platform builds: Automatic binaries for all platforms
- GitHub Releases: Changelog and assets auto-generated
For contributors: See RELEASE.md for commit message guidelines and release process details.
MIT License - see LICENSE file for details.
Contributions are welcome! Please feel free to submit a Pull Request.
- Follow Go best practices and idioms
- Write tests for new features
- Ensure all tests pass before submitting PR
- Update documentation as needed
- Run
go fmt ./...andgo vet ./...before committing
# Format code
go fmt ./...
# Lint
go vet ./...
# Run tests with coverage
go test -v -race -coverprofile=coverage.out ./...
# Build
go build -o api-tester ./cmd/api-testerThis project uses Dependabot to automatically keep dependencies up to date:
- Go modules: Weekly updates for Azure SDK and other dependencies
- GitHub Actions: Weekly updates for CI/CD workflows
- Security alerts: Immediate notifications for vulnerable dependencies
Dependabot creates PRs automatically which are validated by CI before merging.
For issues, questions, or contributions, please open an issue on GitHub.