Code coverage tells you which lines ran. It can’t tell you which of your APIs are actually tested. Karate Labs API Coverage measures against the contract itself — every operation, method, and topic — across REST, gRPC, GraphQL and Kafka, with requirement-to-test traceability and audit-grade reports.
Part of Karate Enterprise · self-hosted, multi-project, agent-callable
The coverage gap
“90% code coverage” can still ship a third of your API untested.
Line coverage rewards code that ran, not contracts that were verified. An endpoint can be green in your code-coverage report and never once have been called the way a consumer calls it. API Coverage measures the surface that actually matters — the operations, methods and topics your integrations depend on — so the gaps become impossible to hide.
What API Coverage gives you
One coverage model, three things every other tool makes you stitch together by hand.
Beyond REST
OpenAPI operations, gRPC methods, GraphQL, Kafka topics — all measured against the same coverage model. New sources plug in without changing the engine, so coverage keeps pace with your architecture instead of being stuck at REST.
Audit-ready
Ask which tests cover a requirement, which endpoints a scenario exercises, or where your security coverage of POST /orders comes from — and get one joined answer. Tests bind to coverage items with simple tags, so the traceability graph builds itself from the suite you already have.
No blind spots
Uncovered operations, undocumented responses, deprecated endpoints still being exercised, and calls hitting endpoints that aren’t even in your spec — each surfaced in its own section. You see not just the coverage number, but precisely where the next test needs to go.
The report
Every run produces a single HTML report with all of its data embedded — no server, no database, no login required to open or share it. The same shell as your Karate test reports, with deep links straight back to the run that produced each result.
API Coverage: 82% · 41 covered · 9 uncovered · 3 warnings
Illustrative — your report, your data, embedded in one file.
Built for the enterprise
Coverage doesn’t stop at a single project. Aggregate runs across teams and roll cross-cutting views up by domain, owner, or release.
Combine results from many projects into one coverage matrix — rows, columns and cells across every team’s suite.
“Which projects affect domain billing?” “Where’s our security coverage for this endpoint?” One query, no spreadsheets.
Shared API operations and rule libraries live once at the org level, with per-project display and behaviour overrides — no forking.
Agent-callable
Coverage is exposed through a JS API and MCP tools, so coding agents and your CI pipeline can ask what’s tested, what the gaps are, and where the next test belongs. Computation runs on demand — never an expensive eager step on every ingest.
    # ask an agent what's missing
    coverage_gaps(runId)        // uncovered ops + @todo placeholders
    coverage_matrix(project)    // rows × cols × cells
    coverage_by_tag(tagSlug)    // cross-cutting view

    // or from JS
    Coverage.matrix({ project, source, last })
    Coverage.gaps(runId)
FAQ
Code coverage tells you which lines of source ran during a test. It says nothing about whether your actual API surface — the operations, methods and topics your consumers depend on — was exercised. API Coverage measures against the contract itself: every OpenAPI operation, gRPC method, GraphQL field and Kafka topic is a coverage target, and a test counts only when it genuinely calls that target with a matching method and path. The result is an honest answer to the question code coverage cannot: which of the APIs we ship are actually tested?
Coverage is built on one extensible model that spans REST/OpenAPI operations, gRPC methods, GraphQL and Kafka — alongside requirements, business-calculation rules, security findings (CWE/scanner provenance), accessibility, visual, and imported manual or Xray test cases. New sources plug in without changing the engine, so coverage grows with your stack rather than being locked to REST.
Yes. Coverage is bidirectional. You can ask which tests cover requirement REQ-101, which endpoints a given scenario exercises, where your security coverage of POST /orders comes from, or which projects touch a given domain — and get a single, joined answer. Tests bind to coverage items with simple tags, so the traceability graph is built from your existing test suite rather than maintained by hand.
Every run produces a single, self-contained HTML report with the data embedded inside it — no server required to view or share it. It opens on a dashboard with overall coverage, covered/uncovered counts and per-tag progress bars, then drills into a sortable, filterable endpoint table, bidirectional endpoint-to-test traceability, a separate section for undocumented calls hitting endpoints not in your spec, and warnings for things like undocumented responses or deprecated operations still being exercised. Light and dark themes included.
Yes. Coverage aggregates results from multiple test runs and projects into one matrix, so a platform or QA lead can see a coverage matrix for an entire team across all of their projects and roll cross-cutting views up by domain or owner. Shared API operations and rule libraries can live once at the org level with per-project display and behaviour overrides.
Yes. Coverage is exposed through a JS API and MCP tools (coverage_items, coverage_matrix, coverage_gaps, coverage_by_tag), so coding agents like Claude, Cursor or Copilot — and your CI pipeline — can ask what is covered, what the gaps are, and where to write the next test. Computation runs on demand rather than eagerly on ingest, so coverage stays cheap to keep up to date.
API Coverage ships as part of Karate Enterprise. Talk to our team about a scoped pilot against your own specs and test suite.