Dokven is an AI-supercharged QA platform. You draw a user journey (signup, login, checkout) on a visual canvas, then run it in a real browser with video and self-healing AI selectors. Behind every step it also runs a full toolbox of audits: SEO, security headers, performance, accessibility, copy, API, responsive, and analytics tags, plus AI-generated test plans.

Is there a free website QA and testing tool?

Yes. Dokven has a free tier with all 10 tools and free tokens that never expire, with no credit card and no SDK required. You can also try any tool on any URL as a guest before you sign up.

How do I test a checkout or login flow without writing code?

In Journey Studio you drag the steps of the flow onto a canvas (open a page, fill a form, click, assert). A real Chromium browser runs it end to end and records video, so there are no selectors to hand-write. Self-healing AI locators keep the run going when the page changes.

Does Dokven check SEO, performance, accessibility, and security too?

Yes. Point one tool at any URL or run them all together. You get real-browser Core Web Vitals, WCAG 2.2 accessibility, TLS/CSP/header security, an SEO crawl with schema validation, copy and analytics-tag audits, and responsive snapshots, with an AI crosswalk that connects findings into one root cause.

Do I need to install anything?

No. Dokven runs entirely in the browser against any public, staging, or pre-launch URL. There is no SDK, agent, or browser extension to install. A REST API and CLI are included for wiring runs into CI.

Can Dokven monitor a site on a schedule?

Yes. Save a journey and put it on a daily or weekly schedule. Dokven re-runs it in a real browser and alerts Slack, Discord, or a webhook the moment a score regresses or a flow breaks.

Advanced 10 min read

API testing basics

What an API really is (a waiter analogy), REST and HTTP methods, the status codes you'll meet daily, the anatomy of a request and response, and exactly what to check when you test one.

Picture a restaurant. You sit at the table (you're the app the user sees) and you want food from the kitchen (the server, where the real work happens). You don't barge into the kitchen. You tell the waiter what you want; the waiter carries your order back, and returns with your dish. An API is that waiter. It's the agreed way one piece of software asks another for something and gets an answer, without either side needing to know how the other works inside.

Almost every app you use is quietly chatting through APIs: your weather app asks a weather API for today's forecast, your shopping app asks a payment API to charge your card. When testers talk about API testing, they mean checking these conversations directly: skipping the buttons and screens, and talking to the kitchen's waiter ourselves.

Why test the API and not just the screen?

API tests are faster and steadier than clicking through a UI, and they catch problems closer to the source. If the waiter brings back the wrong dish, you want to know it's the kitchen's fault, not waste an hour wondering if you read the menu wrong. Testing the API directly removes the screen as a place for confusion to hide.

REST and the four everyday verbs

Most web APIs today follow a style called REST. You don't need its full theory; you need its everyday grammar. In REST, you act on resources (a user, an order, a photo) using a small set of HTTP methods, the verbs that say what you want to do:

Method	Means	Restaurant version
GET	Read / fetch something (changes nothing)	"What's on the menu?"
POST	Create something new	"I'd like to place a new order."
PUT	Update / replace something that exists	"Change my order to the large size."
DELETE	Remove something	"Cancel my order."

A key safety idea: GET should never change anything. Reading the menu shouldn't place an order. If a GET request quietly creates or deletes data, that's a bug worth catching.

Status codes: the kitchen's reply in three digits

Every time you ask an API for something, it answers with a three-digit status code that summarises how it went. You'll see these constantly, and they cluster into families. Learn the families and you can read any code at a glance:

Family	Meaning	Common ones you'll meet
2xx	Success: it worked	200 OK, 201 Created
3xx	Redirect: look somewhere else	301 Moved, 304 Not Modified
4xx	You made a mistake in the request	400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found
5xx	The server broke while handling it	500 Internal Error, 503 Service Unavailable

The big idea: 4xx is the client's fault, 5xx is the server's fault.

4xx vs 5xx in one line

4xx means you asked wrong (bad data, not logged in, page doesn't exist). 5xx means the server stumbled while trying to help. A good API returns a clear 4xx for bad input instead of a vague 5xx crash. Testing for that difference is part of the job.

The anatomy of a request and response

A request has a few parts: the method (GET, POST…), the URL (which resource), headers (extra info, like who you are and what format you speak), and sometimes a body (the data you're sending, usually as JSON). The response comes back with a status code, its own headers, and a body (the data you asked for). Here's a small, real example, reading a user, then creating one:

# Read a user (GET)
curl https://api.example.com/users/42

# Create a user (POST): send JSON in the body, prove who you are with a token
curl -X POST https://api.example.com/users \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "name": "Ada", "email": "ada@example.com" }'

A GET reads; a POST creates. The headers carry your identity and format; the body carries the data.

A typical successful response to that POST might look like this, now that the server has created the record and filled in an id:

{
  "id": 1024,
  "name": "Ada",
  "email": "ada@example.com",
  "createdAt": "2026-06-24T10:15:00Z"
}

The response body is usually JSON: a tidy set of key/value pairs the app can read.

What to actually check when testing an API

Pointing at an API and getting a response isn't testing. Testing is checking the right things. A solid API test covers:

Status code: did you get the code you expected (200 for a read, 201 for a create, 404 for something missing)?
Body content: is the data correct, complete, and the right values?
Schema / shape: are the fields present and the right types (a number where a number belongs, not a string)?
Authentication: does it correctly block you without a valid token and allow you with one?
Edge cases: empty fields, missing fields, wrong types, huge inputs, and requests for things that don't exist.
Graceful errors: bad input returns a clear 4xx with a helpful message, never a raw 5xx crash.

Notice the pattern from earlier lessons returning: you test the happy path (a valid request that should work) and the unhappy paths (missing token, malformed data, a record that isn't there). The unhappy paths are where the real bugs live.

Key takeaways

An API is a waiter: the agreed way one piece of software asks another for something and gets an answer.
REST uses four everyday verbs (GET reads, POST creates, PUT updates, DELETE removes) and GET should never change anything.
Status codes cluster into families: 2xx success, 3xx redirect, 4xx your mistake, 5xx the server's mistake.
A request has a method, URL, headers, and sometimes a body; the response has a status code, headers, and a body (usually JSON).
Good API testing checks status, body, schema, auth, edge cases, and graceful errors: happy paths and unhappy paths alike.