Skip to main content


CATS is a REST API fuzzer and negative testing tool for OpenAPI endpoints. It helps you run thousands of self-healing API tests within minutes with no coding effort!

Be careful!

Running CATS against production systems might produce unwanted behaviour like performance issues, consistency issues or crashes.


CATS is:

  • 🧐 Comprehensive: tests are generated automatically based on a large number of scenarios and cover every request field and header
  • 💡 Intelligent: tests are generated based on data types and structural constraints; each Fuzzer has specific expectations depending on the scenario under test
  • ⚙️ Highly Configurable: high amount of customizations: you can filter specific Fuzzers, HTTP response codes, HTTP methods, request paths, provide business context and a lot more
  • 🏥 Self-Healing: as tests are generated, any OpenAPI spec change is picked up automatically
  • 📖 Simple to Learn: flat learning curve, with intuitive configuration and syntax
  • ⚡️ Fast: automatic process for writing, running and reporting

By using a simple and minimal syntax, with a flat learning curve, CATS (Contract API Testing and Security) enables you to generate thousands of API tests within minutes with no coding effort. All tests are generated, run and reported automatically based on a pre-defined set of 130+ Fuzzers. The Fuzzers cover a wide range of boundary testing and negative scenarios from random large Unicode values to well crafted, context dependant values based on the request data types and constraints. Even more, you can leverage the fact that CATS generates request payloads dynamically and write simple end-to-end functional tests.

Fast Track ⏱️

Get started by running CATS in ◼️ --blackbox mode.

Make sure you have CATS installed following the instructions on the installation page.

What you'll need

  • 📝 the OpenAPI spec file for the API you want to test (openapi.yml)
  • 🌎 connectivity to the API (you should be able to access (
  • 🔐 credentials to access the API ($token)

You can now run CATS using the following command:

cats --contract=openapi.yml -H "Authorization=$token" --server= -b -k

When running in blackbox (-b) mode CATS will only report 500 http response codes as 🛑 errors (-k).

The 📊 report is available at cats-report/index.html.