How to Test Signup Flow (Mobile and Web)

January 19, 2026 · 3 min read · How-To Guides

Signup is the first engineering touchpoint with a new user. Failure here costs the user forever. Bugs in signup — validation errors, slow responses, confusing requirements, bad error handling — directly translate to lost conversion. This guide covers the test matrix.

What to test

Form

  1. Email field accepts valid emails
  2. Email validation inline (blur or short delay)
  3. Password with visibility toggle
  4. Password complexity rules clear upfront
  5. Confirm password (or single with toggle)
  6. Name / profile fields
  7. Required fields marked
  8. Terms / privacy policy checkbox
  9. Submit disabled until required fields valid (optional but user-friendly)

Validation

  1. Duplicate email detected (already-registered)
  2. Weak password rejected with clear reason
  3. Invalid email format flagged
  4. Name field handles unicode, special chars
  5. Age verification (if required)

Submission

  1. Network submission works
  2. Success creates account
  3. Failure preserves field values
  4. Loading state during submit
  5. Duplicate-submit prevented

Post-signup

  1. Account created — can log in immediately
  2. Verification email sent (if applicable)
  3. Welcome screen / onboarding starts
  4. Default profile state makes sense
  5. Data stored correctly

Email verification

  1. Link in email opens app or web
  2. Deep link from email works across email clients
  3. Verification works
  4. Re-send option available
  5. Link expiration handled

Social signup

  1. OAuth providers (Google, Apple, Facebook) work
  2. Returning user matches existing account
  3. Profile data imported (name, avatar, email)
  4. Edge case: email already registered with different provider

Password reset

  1. Reset link in email works
  2. New password rules enforced
  3. Old sessions invalidated (if security-critical)
  4. Re-login after reset

Edge cases

  1. Cold start mid-signup, return — draft preserved or restart
  2. Device rotation — form state preserved
  3. Network drop mid-submit — retry not duplicate
  4. Very long name / bio — accepted or limit stated
  5. Email with non-ASCII (IDN, unicode domains)
  6. Concurrent signup from two devices with same email — one succeeds

Security

  1. Password never logged
  2. Password not in URL / query parameters
  3. Email verification link unique, unpredictable, expires
  4. Rate limiting on signup endpoint (prevent abuse)
  5. Captcha / bot protection (where appropriate)

Accessibility

  1. All fields labeled
  2. Error messages announced to screen reader
  3. Keyboard navigable through entire flow
  4. Touch targets ≥ 48dp on mobile
  5. Password visibility toggle keyboard-accessible

Privacy

  1. Terms and privacy policies linked, readable
  2. Age gate where required (COPPA, etc.)
  3. Data collection disclosed
  4. Marketing opt-in / opt-out clear

Testing approach

Manual

Automated (Appium / Playwright)


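from uuid import uuid4

from selenium.webdriver.common.by import By
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.support.ui import WebDriverWait

def test_signup_happy(driver):
    # Unique address per run so the duplicate-email check never trips
    driver.find_element(By.ID, "email").send_keys(f"new-{uuid4()}@example.com")
    driver.find_element(By.ID, "password").send_keys("StrongP@ss123")
    driver.find_element(By.ID, "name").send_keys("Test User")
    driver.find_element(By.ID, "terms").click()
    driver.find_element(By.ID, "submit").click()
    # Assert next screen loaded
    WebDriverWait(driver, 10).until(EC.presence_of_element_located((By.ID, "welcome")))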

Include: negative paths, duplicate email test, verification flow, password reset.
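The Security items on passwords in logs and URLs and on verification links can also be asserted from artifacts a test run captures. The sketch below is an added example, not part of the original guide or of SUSA; the function names, the `token` query parameter, the 128-bit threshold and all sample data are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

def password_leaks(password, log_lines, request_urls):
    """Return (source, text) pairs where the test password shows up, raw or encoded."""
    variants = {password, quote(password, safe=""),
                base64.b64encode(password.encode()).decode()}
    findings = [("log", line) for line in log_lines
                if any(v in line for v in variants)]
    findings += [("url", url) for url in request_urls
                 if any(v in url for v in variants)]
    return findings

def token_problems(links, param="token", min_bits=128):
    """Return (reason, link) pairs for links with missing, reused or guessable tokens."""
    problems, seen = [], set()
    for link in links:
        values = parse_qs(urlsplit(link).query).get(param)
        if not values:
            problems.append(("missing", link))
            continue
        token = values[0]
        if token in seen:
            problems.append(("reused", link))
        seen.add(token)
        # Length gives only an upper bound on entropy: 4 bits per hex character,
        # 6 per URL-safe base64 character. Passing does not prove randomness.
        hex_only = re.fullmatch(r"[0-9a-fA-F]+", token) is not None
        if token.isdigit() or len(token) * (4 if hex_only else 6) < min_bits:
            problems.append(("guessable", link))
    return problems

# Constructed sample artifacts from a hypothetical test run.
PASSWORD = "StrongP@ss123"
LOGS = [
    "INFO signup email=new-1@example.com status=201",
    "DEBUG body={'email': 'new-2@example.com', 'password': 'StrongP@ss123'}",
]
URLS = [
    "https://app.example.com/api/signup",
    "https://app.example.com/signup?email=a%40example.com&password=StrongP%40ss123",
]
LINKS = [
    "https://app.example.com/verify?token=Zx3kQ9vT1mLpA7cRw2YbN8dE5fGhJ4sU",
    "https://app.example.com/verify?token=1002",
    "https://app.example.com/verify?token=Zx3kQ9vT1mLpA7cRw2YbN8dE5fGhJ4sU",
    "https://app.example.com/verify?user=42",
]
```

Expiry cannot be judged from the link alone; test it by replaying a link after the stated lifetime and expecting rejection.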

How SUSA handles signup

Signup flow auto-detected (registration keyword + 3+ inputs). Driven with test email (UUID to ensure uniqueness). Verdict: success / failure / stuck-on-validation / stuck-on-verification.

The adversarial persona tries invalid emails, weak passwords, boundary-length inputs, and injection patterns. The elderly persona checks readability and touch targets. The accessibility_user persona drives the flow with screen reader semantics.


susatest-agent test myapp.apk --persona adversarial --steps 100

Common production bugs

  1. Signup succeeds but user cannot login immediately — account creation delayed in backend
  2. Email verification link expired too quickly (5 minutes, should be hours)
  3. Password rules stricter than client validation — server rejects passwords client accepted
  4. Duplicate email check case-sensitive — USER@example.com and user@example.com both allowed
  5. Social signup collides with existing email-password account

Signup is a tight moment. Reduce friction, prevent errors, smooth the recovery. Run SUSA per release on this flow specifically.
