Start with a reproducible request

API bugs become easier to understand when you can repeat the same request and compare the same response. Capture the method, URL path, query string, request headers, request body, response status, response headers, and response body before changing code.

Avoid beginning with a theory such as authentication, caching, or a backend regression. First make the behavior observable. A short reproducible request gives frontend, backend, QA, and support teams a shared artifact to inspect.

  • Record the HTTP method, endpoint, status code, and exact error message.
  • Reduce the request body to the smallest safe sample that still reproduces the issue.
  • Replace private values with placeholders while keeping the same data shape.

Format the response before reading it

Minified JSON can hide the actual problem. Format the response body before scanning it so missing fields, null values, unexpected arrays, and nested error objects are visible.

If JSON parsing fails, check for common syntax problems first: trailing commas, comments, unquoted keys, broken escaping, or a response that is actually HTML from an error page or proxy.

  • Use JSON Formatter for API payloads, config snippets, and copied log values.
  • Use HTML Entity Encoder if a response contains escaped markup.
  • Keep the original response text until you know formatting did not change the sample.

Check authentication without trusting decoded tokens

Authentication issues often look like ordinary API failures. Decode the JWT or session token enough to inspect issuer, audience, subject, scope, issued-at, not-before, and expiration claims.

Decoding a token is not verification. A decoded JWT only shows what the token says; it does not prove that the signature is valid or that the server should accept it. Use server-side verification and application logs for the final trust decision.

  • Compare token audience and issuer with the API configuration.
  • Check whether scopes or roles match the endpoint being called.
  • Never paste production tokens into bug reports or public issue trackers.

Normalize time and encoding assumptions

Many API issues come from representation mismatches rather than business logic. Unix seconds can be confused with Unix milliseconds, local time can be confused with UTC, and a query value may fail because it was not URL encoded correctly.

Convert timestamps into both UTC and local time before deciding they are wrong. Decode URL components, Base64 values, and HTML entities only in the context where that encoding belongs.

  • A 10-digit Unix timestamp is usually seconds; a 13-digit value is usually milliseconds.
  • URL encoding is for query values and path segments, not complete arbitrary payloads.
  • Base64 is encoding, not encryption, so decoded values may still be sensitive.

Separate client, network, and server causes

Once the payload is readable, compare the failing request with a known-good request. Look for differences in headers, content type, request body shape, authorization, cookies, CORS behavior, and cache state.

If the same request succeeds in one environment and fails in another, inspect environment-specific configuration: base URLs, feature flags, secrets, clock settings, deploy versions, and proxy rules.

  • Client causes often include stale state, wrong payload shape, or missing headers.
  • Network causes often include CORS, redirects, proxies, DNS, or blocked requests.
  • Server causes often include validation, authorization, migrations, or dependency failures.

Write the final bug note

A good API debugging note is short, safe, and repeatable. Include the observed behavior, expected behavior, reduced request, reduced response, environment, timestamp, and what you already ruled out.

The goal is not to prove who caused the bug. The goal is to make the next debugging step obvious for the person who owns the failing layer.

  • Use synthetic IDs, emails, and tokens in shared examples.
  • Include formatted JSON and decoded timestamps when they help explain the issue.
  • Link related logs, deploys, or tickets instead of copying sensitive operational data.

FAQ

What should I inspect first when an API response looks wrong?

Start with the response status, content type, and formatted body. Then inspect auth, timestamps, encoding, and request differences.

Can a local formatter replace API contract tests?

No. Local tools help you inspect examples, but contract tests and server-side validation should enforce production behavior.

How do I share an API bug safely?

Remove secrets and personal data, keep the same request shape, include a reduced response, and explain the exact expected behavior.

Use the related tool