Schemathesis Property-Based API Testing: The 2026 Guide
Learn Schemathesis property-based API testing with Python and pytest. Generate thousands of test cases from your OpenAPI schema, catch edge cases, and find real bugs.
Schemathesis Property-Based API Testing: The Complete 2026 Guide
Most API test suites are a collection of hand-written examples. An engineer thinks of three or four inputs, writes assertions for the happy path, adds one or two error cases, and calls it covered. The problem is that real production traffic does not look like the inputs you imagined. It contains empty strings where you expected names, integers at the edge of 64-bit range, deeply nested JSON, Unicode that breaks your encoder, and combinations of optional fields you never thought to try. Those are exactly the inputs that crash services at 3 a.m.
Schemathesis flips the model. Instead of you writing example inputs, it reads your OpenAPI (formerly Swagger) or GraphQL schema and generates test cases automatically using property-based testing powered by the Hypothesis library. It does not just throw random bytes at your API. It understands your schema constraints (types, formats, required fields, enums, min and max values) and produces valid and intentionally invalid inputs that exercise the boundaries. Then it checks universal properties that every well-behaved API should satisfy: the server should never return a 500, every response should match the documented schema, and the API should not violate its own contract.
This guide is a hands-on tutorial. You will install Schemathesis, run it against a live API from the command line, integrate it into pytest so it lives alongside your other tests, write custom property checks, handle authentication, and wire the whole thing into CI. By the end you will understand why property-based API testing finds bugs that example-based testing structurally cannot, and you will have runnable Python you can drop into your own project today. If you are coming from a contract-testing background, you may also want to read our contract testing with Pact and Python guide afterward, because the two approaches are complementary rather than competing.
What Property-Based Testing Actually Means
In example-based testing you assert: "given input X, the output is Y." In property-based testing you assert a property: "for all valid inputs, this statement holds." The testing tool then generates many inputs and tries to falsify your statement. If it finds a counterexample, it shrinks it to the smallest, simplest input that still triggers the failure, so you debug {"age": 0} instead of {"age": -2147483648, "name": "x9$@...", ...}.
Schemathesis applies this idea to HTTP APIs. The "property" is usually one of the built-in checks, and the "inputs" are full HTTP requests generated from your schema. Consider this contrast:
| Aspect | Example-based testing | Property-based testing (Schemathesis) |
|---|---|---|
| Input source | Hand-written by engineer | Generated from OpenAPI/GraphQL schema |
| Coverage | Only cases you imagined | Boundary, edge, and random cases automatically |
| Maintenance | Update tests when API changes | Re-reads schema, tests adapt automatically |
| Failure output | Single failing assertion | Minimized, shrunk reproducer |
| Bugs found | Logic bugs in known paths | Crashes, schema drift, unhandled input |
| Setup effort | High (write every case) | Low (point at a schema URL) |
The big idea: your OpenAPI schema is already a machine-readable specification of what inputs are legal and what outputs are promised. Schemathesis treats that document as a test oracle.
Installing Schemathesis
Schemathesis is a Python package. It works as both a standalone CLI and a pytest plugin. Create a virtual environment first so you do not pollute your system Python.
python -m venv .venv
source .venv/bin/activate # on Windows: .venv\Scripts\activate
pip install schemathesis
Verify the install and check the version. As of 2026 the 4.x line is current and ships a fast Rust-based core for schema parsing and generation.
schemathesis --version
# Schemathesis 4.x.x
If you intend to use the pytest integration (covered later) you already have everything, because the schemathesis package bundles the pytest plugin. For GraphQL targets the same package works; you just point it at a GraphQL endpoint instead of an OpenAPI document.
Your First CLI Run
The fastest way to feel the value is to run Schemathesis against a live API from the command line. The run subcommand takes the location of your schema. It can be a URL or a local file path.
schemathesis run https://example.com/openapi.json
If your API serves the schema and the endpoints from the same host, that single command will discover every operation in the document, generate inputs for each, send real requests, and report failures. When the schema lives at a path that differs from the base URL of the running service, pass the base URL explicitly with --url:
schemathesis run ./openapi.yaml --url http://localhost:8000
A typical run prints one line per API operation with a pass/fail summary, followed by detailed failure reproductions. Here is a representative slice of output:
GET /users/{user_id} . [ 25%]
POST /users . [ 50%]
GET /orders F [ 75%]
POST /orders/{order_id}/cancel . [100%]
=================================== FAILURES ===================================
_________________________________ GET /orders _________________________________
1. Test Case ID: a1B2c3
- Server error
[500] Internal Server Error
Reproduce with:
curl -X GET 'http://localhost:8000/orders?limit=0'
The crucial part is the reproducer. Schemathesis discovered that limit=0 crashes the orders endpoint and hands you a curl command to reproduce it instantly. That is a real bug found with zero hand-written test cases.
Understanding the Built-In Checks
Each generated request is validated against a set of checks. You do not have to write these; they are the "properties" that hold for any correct API. The most important ones:
| Check | What it verifies | Why it matters |
|---|---|---|
not_a_server_error | Response status is not 5xx | Unhandled inputs crashing the server |
status_code_conformance | Status code is one the schema documents | Undocumented error paths |
content_type_conformance | Content-Type matches the schema | Clients parsing wrong format |
response_schema_conformance | Body matches the documented schema | Schema drift, missing/extra fields |
response_headers_conformance | Required headers are present | Broken pagination/caching contracts |
positive_data_acceptance | Valid data is accepted (not wrongly rejected) | Over-strict validation |
negative_data_rejection | Invalid data is rejected (not silently accepted) | Missing input validation |
You can select a subset with --checks (3.x style) or the equivalent include flag in 4.x. To run only the server-error and schema-conformance checks:
schemathesis run https://example.com/openapi.json \
--checks not_a_server_error,response_schema_conformance
The response_schema_conformance check is the one teams underestimate. It catches the slow drift where the code returns a field the schema forgot to document, or returns null where the schema promised a string. Those mismatches break generated clients and SDKs long before anyone files a bug.
Controlling Generation Intensity
By default Schemathesis generates a moderate number of examples per operation. You can crank that up for deeper coverage or down for faster feedback. The example count maps to Hypothesis's max_examples setting.
# More thorough: 200 generated cases per operation
schemathesis run https://example.com/openapi.json --max-examples 200
# Faster smoke run for local development
schemathesis run https://example.com/openapi.json --max-examples 20
You can also restrict which operations run, which is useful when you only want to test the endpoints you just changed. Filtering by path and method keeps CI fast on large schemas:
schemathesis run https://example.com/openapi.json \
--include-path '/orders' \
--include-method POST
A practical pattern: run a small --max-examples on every pull request for quick feedback, and a large --max-examples on a nightly schedule for deep fuzzing. The same approach scales well with broader API suites, which we cover in our complete API testing guide.
Handling Authentication
Real APIs require auth. Schemathesis supports static headers, basic auth, and more advanced flows. For a bearer token, pass it as a header:
schemathesis run https://api.example.com/openapi.json \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1Niated.token.here'
For HTTP basic auth there is a dedicated flag:
schemathesis run https://api.example.com/openapi.json \
--auth 'username:password'
When tokens are short-lived you do not want to paste them by hand. The cleanest approach is to move into pytest and obtain the token programmatically, which the next sections cover. That also lets you share the auth logic with the rest of your test suite.
Integrating Schemathesis With pytest
The CLI is excellent for ad-hoc and CI fuzzing, but most teams want Schemathesis tests to live next to their other tests, share fixtures, and report through the same pytest infrastructure. The pytest integration makes each API operation a parametrized test.
Create test_api_properties.py:
import schemathesis
# Load the schema once at import time. Point it at a URL or a local file.
schema = schemathesis.openapi.from_url("http://localhost:8000/openapi.json")
@schema.parametrize()
def test_api(case):
# 'case' is one generated request for one operation.
# Hypothesis will call this function many times with different cases.
case.call_and_validate()
That is a complete property-based suite. The @schema.parametrize() decorator turns every operation in the schema into a test, and Hypothesis generates many case objects for each. The case.call_and_validate() call sends the request and runs every built-in check, raising an assertion error with a shrunk reproducer on failure.
Run it like any pytest file:
pytest test_api_properties.py -v
If you prefer to point at a local schema file instead of a running URL during unit-style runs, load it from a path:
import schemathesis
schema = schemathesis.openapi.from_path("./openapi.yaml")
@schema.parametrize()
def test_api(case):
case.call_and_validate()
If you are new to pytest fixtures, parametrization, and markers, our pytest complete guide pairs well with this section.
Adding Custom Property Checks
The built-in checks cover universal correctness, but you often have domain-specific invariants. For example: "a 200 response from /orders must always include a non-empty order_id," or "the response time must stay under one second." You can register custom checks that run on every generated case.
import schemathesis
from schemathesis import Case
from schemathesis.checks import CheckContext
schema = schemathesis.openapi.from_url("http://localhost:8000/openapi.json")
@schemathesis.check
def order_id_present(ctx: CheckContext, response, case: Case) -> None:
# Only assert on successful order reads.
if case.path == "/orders" and response.status_code == 200:
body = response.json()
assert "order_id" in body, "200 response missing order_id"
assert body["order_id"], "order_id must not be empty"
@schema.parametrize()
def test_api(case):
case.call_and_validate()
Custom checks compose with the built-ins. Every generated request now runs the standard correctness checks and your domain rule, and any violation is shrunk to a minimal reproducer just like the built-in failures.
Stateful Testing: Linking Operations Together
Single-operation testing is powerful, but many bugs only appear in sequences: create a resource, then fetch it, then delete it, then fetch it again. Schemathesis supports stateful testing that uses OpenAPI links to chain operations, feeding outputs of one call into the inputs of the next.
import schemathesis
schema = schemathesis.openapi.from_url("http://localhost:8000/openapi.json")
# Generates valid call sequences based on schema links.
TestAPIWorkflow = schema.as_state_machine().TestCase
Run it the same way as any pytest case. The state machine explores sequences such as POST then GET then DELETE, surfacing bugs like "deleting a resource returns 200 but a subsequent GET still returns the resource." These are the integration-level defects that example tests almost never catch because nobody scripts the exact unlucky order.
Reproducing and Debugging Failures
When a failure occurs, the reproducibility story is what makes property-based testing practical. Hypothesis records a seed and Schemathesis prints a ready-to-paste curl command. To re-run a flaky-looking failure deterministically, pass the same seed:
schemathesis run https://example.com/openapi.json --seed 12345
For pytest, Hypothesis stores its example database on disk between runs, so a failing example is automatically replayed first on the next run until it passes. You can also drop into a debugger inside the test function and inspect case.path, case.query, case.body, and case.headers to see exactly what was generated. The combination of shrinking plus a copy-paste curl reproducer is the single biggest day-to-day productivity win over naive fuzzing.
Running Schemathesis in CI
The whole point is to run this automatically. Here is a GitHub Actions workflow that boots the service, waits for it, and fuzzes it on every push. It assumes your app is a Python service started with uvicorn, but the shape is the same for any stack.
name: api-fuzz
on: [push, pull_request]
jobs:
schemathesis:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Install deps
run: pip install -r requirements.txt schemathesis
- name: Start API
run: uvicorn app.main:app --port 8000 &
- name: Wait for API
run: |
for i in $(seq 1 30); do
curl -sf http://localhost:8000/openapi.json && break
sleep 1
done
- name: Run Schemathesis
run: |
schemathesis run http://localhost:8000/openapi.json \
--max-examples 50 \
--checks all \
--report junit
The --report junit flag emits a JUnit XML file your CI can ingest for test reporting. For a deeper treatment of wiring testing into pipelines, see our CI/CD testing pipeline with GitHub Actions guide. Keep the per-PR --max-examples modest so the gate stays fast, and schedule a heavier nightly run with a much larger value for deep coverage.
Common Pitfalls and How to Avoid Them
A few issues trip up first-time users. First, an inaccurate schema produces inaccurate tests: if your OpenAPI document lies about types or required fields, Schemathesis will generate inputs your real API rejects, creating noisy false positives. The fix is to treat the schema as a first-class artifact and keep it honest. Second, side effects matter: fuzzing a POST endpoint against a shared database will create junk data, so run against an ephemeral or transactional test environment. Third, rate limits will throttle a fuzzer; either disable them in test environments or use Schemathesis's request-rate controls. Fourth, generation can hang on overly permissive schemas with no constraints, so add format, minLength, maximum, and enum where they belong. Each of these is really a nudge toward a better schema, which is a side benefit of adopting the tool.
When to Use Schemathesis Versus Other Approaches
Schemathesis is not a replacement for everything. It excels at correctness and robustness: does the API ever crash, does it ever break its own contract. It is weaker at business-logic assertions that depend on specific data states, where example-based tests in Postman or Playwright remain valuable. A mature suite layers them: Schemathesis for broad property coverage, Postman or Playwright for targeted scenarios, and contract tests for consumer-provider agreements. If you are weighing tools for the example-based layer, our comparison of Postman vs Playwright for API testing breaks down the trade-offs.
Think of it as a defense-in-depth strategy rather than a single tool decision. Property-based testing answers the question "is my API robust against the inputs I never imagined," which is precisely the class of failure that escapes manual review. Example-based and scenario tests answer "does my API do the specific right thing for this specific business case," which property-based testing cannot know because it has no notion of your domain rules beyond what you encode in custom checks. Contract tests answer "do my consumers and providers still agree on the shape of the data they exchange." When all three layers run in the same pipeline, a regression has to slip past generated edge cases, hand-written scenarios, and a contract gate before it reaches production, and very few do.
A Realistic Adoption Roadmap
Teams that succeed with Schemathesis tend to follow the same incremental path rather than trying to fuzz everything on day one. Week one is a single ad-hoc CLI run against staging with the default settings, just to see what falls out; almost every first run finds at least one undocumented status code or a 500 on an empty collection parameter. Week two is moving that run into the pytest suite with @schema.parametrize() so the property tests share fixtures and reporting with everything else. Week three is adding two or three domain-specific custom checks that encode your real invariants, the rules that matter to your business and that the built-ins cannot know. Week four is gating it in CI with a modest per-PR example count and scheduling a heavier nightly run. By the end of a month the tool has gone from a curiosity to an automatic guardrail, and the schema it depends on has measurably improved because every inaccuracy it surfaced got fixed along the way.
Frequently Asked Questions
What is Schemathesis used for?
Schemathesis is a Python tool for property-based and fuzz testing of web APIs. It reads your OpenAPI or GraphQL schema, automatically generates thousands of valid and invalid requests, and verifies that the API never crashes and always conforms to its documented contract. It finds edge-case bugs that hand-written example tests miss.
How is property-based testing different from regular API testing?
Regular API testing checks specific inputs you write by hand. Property-based testing asserts a general property ("the server never returns a 500") and lets the tool generate many inputs trying to break it. When it finds a failure, it shrinks the input to the smallest reproducer, so coverage is far broader with less hand-written code.
Does Schemathesis work with both REST and GraphQL?
Yes. Schemathesis supports OpenAPI 2.0, 3.0, and 3.1 for REST APIs, and it also supports GraphQL endpoints. For REST you point it at the OpenAPI document; for GraphQL you point it at the GraphQL endpoint and it introspects the schema to generate queries and mutations automatically.
Can I run Schemathesis inside pytest?
Yes. The schemathesis package ships a pytest plugin. You load the schema, decorate a test function with @schema.parametrize(), and call case.call_and_validate(). Each API operation becomes a parametrized test driven by Hypothesis, so your property-based tests run alongside the rest of your pytest suite and share fixtures.
How does Schemathesis handle authentication?
For the CLI you can pass headers with --header 'Authorization: Bearer ...' or basic credentials with --auth user:pass. For short-lived tokens, use the pytest integration to fetch a token programmatically in a fixture and attach it to each generated case, so auth logic is shared with the rest of your tests and tokens stay fresh.
Will Schemathesis create junk data in my database?
It can, because it sends real requests including POST, PUT, PATCH, and DELETE. Always run it against an ephemeral, seeded, or transaction-rolled-back test environment rather than production or a shared dev database. Wrapping each request in a transaction that rolls back, or resetting the database between runs, keeps generated data from accumulating.
How many test cases should I generate per endpoint?
Use a small --max-examples (around 20 to 50) for fast pull-request feedback and a large value (200 or more) for scheduled nightly deep runs. More examples mean broader coverage but longer runtime. Splitting fast PR gates from deep nightly fuzzing gives you both quick feedback and thorough bug hunting.
Is Schemathesis only for Python APIs?
No. Schemathesis itself is written in Python, but it tests any HTTP API regardless of the language it is built in, because it works over the network against your schema. You can fuzz a Go, Java, Node, or Rust service as long as it exposes a valid OpenAPI or GraphQL schema and is reachable over HTTP.
Conclusion and Next Steps
Schemathesis closes the gap between the API you documented and the API you actually shipped. By generating inputs from your schema and checking universal properties on every response, it surfaces crashes, schema drift, and unhandled edge cases that example-based tests structurally cannot reach. The adoption path is gentle: start with a single CLI command against a running service, graduate to a one-line pytest integration, add domain-specific custom checks, layer in stateful testing for sequence bugs, and finally gate it in CI with modest per-PR runs plus deep nightly fuzzing.
The compounding benefit is that it pressures your OpenAPI schema toward accuracy, and an accurate schema pays dividends everywhere: better client generation, clearer documentation, and stronger contracts. Install it today, point it at your staging API, and watch how quickly it finds the bug you did not know you had.
Ready to go deeper into QA tooling for AI-era engineering teams? Browse the full catalog of testing skills at qaskills.sh/skills to find ready-to-use property-based testing, contract testing, and API fuzzing skills you can drop straight into your agent workflow.