  1. Moodle
  2. MDL-60030

Allow to execute Moodle WS without login using REST, SOAP and XML-RPC


    • Improvement
    • Resolution: Won't Do
    • Minor
    • None
    • 3.4
    • Web Services
    • MOODLE_34_STABLE
    • wip-MDL-60030-master
      1. Enable Web services
      2. Enable all protocols
      3. Create a service and add several functions to it, make sure at least one function has 'loginrequired'=>false and one does not. Examples are "core_fetch_notifications" and "core_webservice_get_site_info"
      4. Make sure the capabilities to use all webservices are enabled in Authenticated and Unauthenticated users roles
      5. Create a token for some user (not admin) for use with the service above
      6. Access each WS function via each protocol for both simple (username/password) authentication and token authentication.
      7. Remove credentials from each call and make sure you can execute only functions that have 'loginrequired'=>false
      8. Try fiddling with parameters - specify wrong token or username or password, wrong function, etc. Try revoking caps to use WS
      9. In SOAP make sure wsdl=1 returns only available functions for both auth user and guest

      Examples of calling WS with REST:
      curl "http://YOURSITE/webservice/rest/server.php?wsfunction=core_webservice_get_site_info&wstoken=TOKEN"
      curl "http://YOURSITE/webservice/rest/simpleserver.php?wsfunction=core_webservice_get_site_info&wsusername=USERNAME&wspassword=PASSWORD"

      Examples of requesting WSDL with SOAP:
      http://YOURSITE/webservice/soap/simpleserver.php?wsdl=1&wsusername=USERNAME&wspassword=PASSWORD
      http://YOURSITE/webservice/soap/server.php?wsdl=1&wstoken=TOKEN

      But using Site administration>Development>WS test client is probably the best way to test all WS. If MDL-60033 is not integrated yet, cherry-pick it for testing


      /lib/ajax/service-nologin.php allows calling WS functions without login if they define 'requirelogin'=>false

      Currently it is impossible to call Moodle WS through REST without a valid token, regardless of 'requirelogin'=>false.
      The same applies to XML-RPC and SOAP.
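
The credential-removal check from the testing steps, written as a REST request matrix with a pass/fail evaluation. This is an added example, not code from the issue or from Moodle, and it goes slightly beyond the steps by also reporting cases that were never run. Assumptions: core_fetch_notifications is the function with 'loginrequired'=>false, calls with valid credentials succeed because the capabilities from step 4 are granted, and the observed results are constructed sample data.

```python
from urllib.parse import urlencode

# REST endpoints from the testing instructions, keyed by authentication style.
ENDPOINTS = {
    "token": ("/webservice/rest/server.php", {"wstoken": "TOKEN"}),
    "simple": ("/webservice/rest/simpleserver.php",
               {"wsusername": "USERNAME", "wspassword": "PASSWORD"}),
}
# Assumption: which example function carries 'loginrequired' => false.
FUNCTIONS = {"core_fetch_notifications": False,      # loginrequired => false
             "core_webservice_get_site_info": True}  # login required


def build_matrix(site="http://YOURSITE"):
    """One case per endpoint x function x (credentials sent / removed)."""
    cases = []
    for auth, (path, creds) in ENDPOINTS.items():
        for func, login_required in FUNCTIONS.items():
            for with_creds in (True, False):
                params = {"wsfunction": func, **(creds if with_creds else {})}
                cases.append({
                    "id": f"{auth}:{func}:{'creds' if with_creds else 'anon'}",
                    "url": f"{site}{path}?{urlencode(params)}",
                    # Step 7: without credentials only loginrequired=false runs.
                    "expect_ok": with_creds or not login_required,
                })
    return cases


def evaluate(cases, observed):
    """Compare observed outcomes (id -> executed?) with the expectation."""
    report = {"exposed": [], "blocked": [], "untested": []}
    for case in cases:
        got = observed.get(case["id"])
        if got is None:
            report["untested"].append(case["id"])
        elif got and not case["expect_ok"]:
            report["exposed"].append(case["id"])   # ran without required login
        elif not got and case["expect_ok"]:
            report["blocked"].append(case["id"])   # legitimate call refused
    return report


# Constructed sample results: one login-required function ran anonymously,
# and one case was never executed.
cases = build_matrix()
observed = {c["id"]: c["expect_ok"] for c in cases}
observed["token:core_webservice_get_site_info:anon"] = True
del observed["simple:core_fetch_notifications:anon"]
print(evaluate(cases, observed))
```

Any entry under "exposed" means a function that requires login executed with its credentials removed, which is the outcome step 7 is meant to rule out.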

            Unassigned
            Marina Glancy (marina)