// AUTONOMOUS API TESTING

Find the bugs hiding
between your API calls.

VenomQA explores every sequence of API calls automatically — the stateful bugs that pytest, Schemathesis, and Postman never see.

pip install venomqa View on GitHub

20+ STATES EXPLORED

∞ SEQUENCES TESTED

0 TEST SCRIPTS WRITTEN

// LIVE DEMO OUTPUT

bash

$ venomqa demo Unit Tests: 3/3 PASS ✓ VenomQA Exploration ──────────────────────── States visited: 8 Transitions: 20 Invariants checked: 40 ╭─ CRITICAL VIOLATION ──────────────────────────╮ │ Sequence: create_order → refund → refund │ │ Bug: refunded $200 on a $100 order │ ╰───────────────────────────────────────────────╯ Summary: 3 tests passed. 1 sequence bug found. Your tests passed. VenomQA found the bug.

// 01 THE PROBLEM

Your tests pass.
The bug ships.

POST /refund → 200 · POST /refund → 200 → over-refund: refunded more than original amount
DELETE /user → 204 · GET /user → 200 → stale state: deleted user still accessible
POST /order → 201 · POST /order → 201 → duplicate creation: idempotency not enforced

// WHY SEQUENCES MATTER

Why sequences
matter.

Unit tests are stateless. Each request runs in isolation, against a clean fixture, with a predetermined response. That's not how production works.

In production, your API has state. When a user creates an order, then requests a refund, then requests another refund — each individual HTTP call looks valid. The bug only appears in the sequence.

VenomQA explores the state graph your application creates. It tries every combination: create→refund→refund, create→cancel→refund. With DB rollback between branches, it covers paths no human would think to write.

// 02 HOW IT WORKS

Three concepts.
No test scripts.

01

Define Actions

Write the API calls your users actually make. create_order, refund, cancel. That's it. Each action is a Python function: (api, context) → response.

02

Define Invariants

Rules that must always hold. refunded ≤ original_amount. VenomQA checks them after every single step — not just at test boundaries.

03

Explore

VenomQA tries every sequence: create→refund→refund, create→cancel→refund. The DB rolls back between branches. Violations surface automatically.

// 03 MINIMAL EXAMPLE

Twenty lines.
One bug found.

qa/test_orders.py PYTHON

from venomqa import Action, Agent, BFS, Invariant, Severity, World
from venomqa.adapters.http import HttpClient

api   = HttpClient("http://localhost:8000")
world = World(api=api, state_from_context=["order_id"])

def create_order(api, context):
    resp = api.post("/orders", json={"amount": 100})
    context.set("order_id", resp.json()["id"])
    return resp

def refund_order(api, context):
    order_id = context.get("order_id")
    return api.post(f"/orders/{order_id}/refund")

no_over_refund = Invariant(
    "no_over_refund",
    lambda world: world.api.get("/orders").json()[0]["refunded"] <= 100,
    Severity.CRITICAL,
)

result = Agent(
    world=world,
    actions=[Action("create_order", create_order), Action("refund_order", refund_order)],
    invariants=[no_over_refund],
    strategy=BFS(), max_steps=50,
).explore()

print(f"States: {result.states_visited}, Violations: {result.violations}")

// 04 WHERE IT FITS

The only tool that
tests sequences.

Others test endpoints in isolation. VenomQA tests what happens between them.

Capability	VenomQA	Schemathesis	pytest	Postman	Hypothesis	Dredd
Sequence / ordering bugs	✓ Only tool	✗	✗	✗	✗	✗
DB rollback & branching	✓ Only tool	✗	✗	✗	✗	✗
Autonomous exploration	✓ Sequences	~ Per endpoint	✗ Manual	✗ Manual	~ Per function	✗
OpenAPI integration	✓	✓	✗	✓	✗	✓
Fuzz / random inputs	✗	✓ Best	✗	✗	✓ Best	✗
Python native	✓	✓	✓	✗ JS	✓	✗ JS

// Recommended: run Schemathesis + VenomQA together. They catch entirely different bugs.

// 05 CAPABILITIES

Everything you need
to test sequences.

State Graph Exploration

BFS, DFS, and Coverage-Guided strategies across all reachable sequences. Configurable depth and step budget.

Invariant Checking

Rules checked after every single action — not just at test boundaries. CRITICAL, HIGH, MEDIUM severity levels.

DB Checkpoint & Rollback

PostgreSQL SAVEPOINTs, SQLite file copy, Redis DUMP/RESTORE, and in-memory mocks. True branching exploration.

OpenAPI Generation

venomqa scaffold openapi spec.json generates all action stubs automatically from your API spec.

HTML Trace Reporter

D3 force graph of the full state space explored. See every path taken, every invariant checked, every violation found.

CLI Zero-Config

venomqa demo finds a bug in 30 seconds, no setup needed. venomqa doctor diagnoses your environment.

// 06 USE CASES

Built for stateful
APIs everywhere.

🛒

E-commerce Platforms

Order lifecycles, payment flows, inventory management. Catch double-refunds, race conditions in cart updates, and inventory synchronization bugs.

💳

Fintech Applications

Transaction sequences, account state transitions, compliance workflows. Ensure money never appears or disappears unexpectedly across operation chains.

⚡

SaaS Products

Subscription management, user permissions, feature flags. Test upgrade→downgrade→cancel sequences and permission inheritance across state changes.

🔧

Internal APIs

Microservice communication, event-driven workflows, async job queues. Validate state consistency across service boundaries and message ordering.

// 08 FAQ

Common questions
about stateful testing.

How is VenomQA different from pytest or Schemathesis?

pytest tests functions in isolation. Schemathesis fuzzes individual endpoints with random inputs. VenomQA tests sequences: what happens when you call create→refund→refund? It explores the state graph, finding bugs that only appear in specific orderings.

Do I need to write test scripts?

You define Actions (what can be done) and Invariants (what must always be true). VenomQA autonomously explores all sequences. No linear test scripts needed—it's model-based testing, not script-based testing.

What databases does VenomQA support?

PostgreSQL (via SAVEPOINT/ROLLBACK), SQLite (file copy), Redis (DUMP/RESTORE), and in-memory mocks. The rollback mechanism lets VenomQA branch and reset state between exploration paths.

Can I use VenomQA with my existing test suite?

Yes. VenomQA complements pytest, not replaces it. Run your unit tests for coverage, Schemathesis for input fuzzing, and VenomQA for sequence bugs. They catch entirely different classes of issues.

// 09 GET STARTED

Start in
30 seconds.

$ pip install venomqa

$ venomqa demo

Documentation GitHub

Stateful API Testing for Python Developers

VenomQA is the leading Python library for autonomous stateful API testing and integration testing. Unlike traditional testing tools, VenomQA specializes in finding sequence-dependent bugs—the kind that only appear when API calls are made in specific orders.

Automated API Quality Assurance

Automate your E2E testing and API quality workflows with VenomQA's intelligent exploration engine. It automatically discovers and tests API sequences like create→refund→refund, catching double-refund bugs, stale state issues, and idempotency failures that pytest, Schemathesis, and Postman miss.

Integration Testing for Modern APIs

Perfect for teams building REST APIs, GraphQL endpoints, and microservices. VenomQA integrates with PostgreSQL, SQLite, Redis, and supports OpenAPI specification generation. Zero-config CLI gets you started in 30 seconds with pip install venomqa.

Keywords

API testing, Python testing, stateful testing, integration testing, E2E testing, automated testing, sequence testing, API quality, REST API testing, microservices testing, pytest alternative, Schemathesis complement, OpenAPI testing, Python 3.10, MIT license, open source.

Find the bugs hidingbetween your API calls.

Your tests pass.The bug ships.

Why sequencesmatter.

Three concepts.No test scripts.