Testing Login and Authentication Flows Using Cypress (The Smart Way)
- QA Vault
- May 2
- 3 min read
Login is one of the most critical parts of any web application. If users can’t log in, they are just blocked. Yet login flows are often fragile, full of edge cases, and tightly connected to backend APIs or session management. That’s why testing them properly — and efficiently — is essential.
As someone who worked on automation where authentication was tied to both security and compliance, I learned that simply testing login through the UI every time isn’t always the best option. In this post, I’ll walk you through different ways to test login using Cypress, from the basic to the more thoughtful approaches that can save you time and reduce test flakiness.
Why Test Login in the First Place?
Login is a critical path in your application. Any change in the backend, redirect logic, or authentication service can easily break the flow — and your users’ experience. Here’s why testing it matters:
It’s the gateway to all protected routes.
It’s often connected to external services like OAuth or SSO.
A small change in token handling or cookie storage can lock users out.
So yes, you should test the login. But how you test it makes all the difference.
🧪 Basic Login Test Using the UI
Let’s start with the traditional approach — filling in the login form through the Cypress UI commands:
cy.visit(‘/login’); cy.get(‘input[name=”email”]’).type(‘testuser@example.com’); cy.get(‘input[name=”password”]’).type(‘securePassword123’); cy.get(‘button[type=”submit”]’).click(); cy.url().should(‘include’, ‘/dashboard’);✅ Pros:
Mimics the exact user experience.
Good for validating frontend form behavior (validation, error messages, etc.).
❌ Cons:
Slower (each test has to go through the whole UI).
Fragile if DOM changes (e.g., button selector updates).
It is not ideal to repeat every test that requires a logged-in state.
⚡ Fast Login via API: Bypassing the UI
Cypress gives us a powerful alternative: logging in through the backend API and injecting the token/session manually.
Example:
cy.request(‘POST’, ‘/api/auth/login’, { email: ‘testuser@example.com’, password: ‘securePassword123’ }).then((response) => { window.localStorage.setItem(‘token’, response.body.token); });After setting the token, you can navigate directly to a protected route like /dashboard.
✅ Pros:
Fast — no need to go through UI.
Reliable — avoids frontend flakiness.
Reusable — perfect for tests that need an authenticated user as a precondition.
🔄 Reusing Auth with Custom Commands
Instead of repeating the login API request in every test, you can create a custom Cypress command:
// cypress/support/commands.js Cypress.Commands.add(‘login’, () => { cy.request(‘POST’, ‘/api/auth/login’, { email: ‘testuser@example.com’, password: ‘securePassword123’ }).then((res) => { window.localStorage.setItem(‘token’, res.body.token); }); });Then just call it in your tests:
beforeEach(() => { cy.login(); });This keeps your code clean and easy to manage.
💡 Pro Tip: Use Cypress.session() for Performance (Cypress 10+)
If you’re on Cypress 10 or later, you can cache login sessions like this:
beforeEach(() => {Cypress.session(‘loginSession’, () => {cy.request(‘POST’, ‘/api/auth/login’, {email: ‘testuser@example.com’,password: ‘securePassword123’}).then((res) => {window.localStorage.setItem(‘token’, res.body.token);});});});This will reuse the session instead of logging in on every test — huge performance win.🚪 Bonus: Testing Logout
Don’t forget logout! A simple logout test might look like this:
cy.get(‘#logout-button’).click();cy.url().should(‘include’, ‘/login’);
Also test that protected routes are no longer accessible after logout by checking token clearance or redirects.
🧠 Final Thoughts
Login is too important to test only one way. Use the UI method to validate the form and flow. But for most of your test suite, bypassing the UI and using API login is the smart move — it’s faster, more reliable, and easier to scale.
This approach helped us maintain a stable test suite while building a complex healthcare app with sensitive data and user permissions.
What about you? How are you testing authentication in your projects?
Are you using Cypress with tokens?
Or still relying on UI form submissions?
I’d love to hear what’s worked (or failed) for you!
Comments