API Testing — What, Why and How

As we continue to explore more about APIs, from the example I gave in my previous blog, we saw that the API of the Instacart application communicates with the APIs of various grocery stores and transfers data from their databases. But what if one of these APIs fails? — The entire service stops working! If one single API doesn’t work efficiently and effectively, it will never be adopted, regardless if it is free or not. Also, the risk of putting a bad, and potentially insecure, product on the market is greater than the cost to test it. Thus to avoid such situations, API’s are tested before they are put to use.

Photo from istockphoto

‘API Testing’ involves the process of checking whether the output that comes from one application/database is accurate, well-structured and valuable to another application. It is intended to identify irregularities/abnormalities from the expected behavior. In the API development lifecycle, API testing plays a vital role and should not be neglected and is often based on protocols and standards. It is used to determine the return value (Response). Behavior of data should be based on input (Request) parameter, how much time the API is taking to retrieve the value, what type of authentication is required and whether the sensitive data is transmitted securely over the network. In other words, APIs are tested to determine if they meet expectations for functionality, reliability, performance, and security.

While developers tend to test only the basic functionality they are working on, testers are in charge of testing functionality, performance and security of APIs, discovering how all components work together from end to end.

Why should we do API Testing?

Because API testing offers a number of advantages over other kinds of testing apart from being an important activity, the testers should focus on it. Some advantages are:

  • Sooner the better: As soon as the business logic is designed, tests can be built to validate the correctness in responses and data without having to wait for various teams to finish their work or for full applications to be built — test cases are isolated and ready to be built immediately.
  • No Language dependency: Data is exchanged via XML and JSON, so any language can be used for automation, independent from the languages used to develop the application.
  • No GUI dependency: Can be done to check the core functionality of the application to expose small errors and to evaluate a build’s strength without a user interface.
  • Better Test Coverage and agility: Most API’s have features, that allow a tester to create automated tests with high test coverage including positive and negative cases. We can rarely find test cases that can’t be automated. It means you’ll find more bugs in less time, while also being about to fix them immediately.
  • Cheaper Testing Cost: Before we perform GUI testing, with API testing we can find minor bugs which usually become bigger during GUI testing. So finding those bugs while performing API testing will be cost effective.
  • Quicker Releases: The test cases with API testing allow companies to release builds faster.
  • Easier Test Maintenance: API changes are much more controlled and infrequent — often times can help make refactoring tests only a seconds of work.
  • Faster Time To Resolution: When API tests fail, we can find exactly where our system broke and where the defect is; thus reducing time to report bugs between builds, integrations and even different team-members.

Where is API testing performed?

There are three separate layers in a typical application: the presentation (or user interface) layer, the business layer, and the database layer for modeling and manipulating data.

API testing is performed at the most critical layer: business, in which business logic processing is carried out and all transactions between the user interface and database layers happen.

How to Perform API Testing?

Step 1: API Specification Review

Document the API testing requirements — the purpose of the API, the workflow of the application, integrations supported by the API, features of the API. This will help in planning API tests throughout the testing process.

Step 2: Setting Up Test Environment

Test environment should be set up with the required set of parameters around the API which involves configuring the database and server for the application requirements.

Step 3: Integrating Application Data

Combine application data with the API tests to ensure that the API functions as expected against all possible input configurations.

Step 4: Deciding Type of API Test

Decide what to test the API for after creating the testing boundaries and requirements; accordingly choose from the different types of API testing.

Step 5: Executing Text & Reporting

Create test cases around the requirements and execute them. Identify the most common parameters and conditions that an end developer will use when calling the APIs and test these scenarios extensively. Then document the test results for further use.

What kind of API Testing to perform?

  • Functionality Testing — Ensures that all the API endpoints are up and working and doing what exactly they are supposed to so.
  • Reliability Testing — Checks API can be consistently connected to various devices and lead to consistent results
  • Validation Testing — Verifies the aspects of product, behavior, and efficiency of an API and whether the API is working according to the requirements
  • Load Testing — Ensures the performance of API under both normal and at peak conditions and how it responds to requests from different servers at the same time
  • Stress Testing — Tests the behavior of the API when more than set number of requests is received by the API if sends some message; works as intended
  • UI Testing — Tests the user interface for the API and other integral parts
  • Security Testing — Tests the API is secure against all possible external threats; consists of authentication, permission, access control and validation of encryption methodologies avoiding any security breaches
  • Penetration Testing — Detects vulnerabilities of an application from an attackers perspective
  • Fuzz Testing — Tests the API in terms of the limits to prepare for the “worst case scenarios” involving forced crashes or negative behaviors while giving random/ invalid inputs
  • Integration Testing — Ensures all the APIs connected to each other communicate properly and addition of features in the API do not cause addition of some bugs in other API modules

What to test the API for?

  • Duplicate or missing functionality
  • Improper messaging
  • Error handling mechanism is incompatible
  • Multi-threaded issues
  • Security issues
  • Performance issues
  • Reliability issues

API Testing Tools

For successfully performing API testing, we will need a tool to structure and manage our test cases.

Some of the top API testing tools that can be used for Rest API and Soap API are:

SoapUI: Most widely used; open-source; provides the reports for testing and will allow you to export the data. Can perform functional testing, performance testing, security testing, and data-driven testing.

Postman: Most popular; allows to set up all the headers and cookies your API expects, and then check the response. Runs on Mac, Windows, Linux & Chrome Apps.

Katalon Studio: Robust and comprehensive; provides easy deployment by including all frameworks, ALM integrations, and plugins in one package; supports both SOAP and REST requests, also supports various types of commands and parameterization functionalities.

Tricentis Tosca: Model based; supports a wide array of protocols including HTTP(s) JMS, SOAP, REST, IBM MQ, NET TCP, etc.

REST-assured: Open-source Java Domain-specific language (DSL) tool that makes testing REST service simple and validates complex responses. Supports XML and JSON requests.

Apart from these popular tools, there are also tools like Apache JMeter, HttpMaster, Parasoft, HP QTP, Karate DSL, and many others.

Though these tools make API testing easy, you might still come across some challenges while performing API testing.

While testing an API, building a solid automated API testing strategy is the best way to ensure that your applications “work the same today as they did yesterday”. API testing allows us to build a solid framework for identifying defects at multiple layers of our application. These tests can all be automated and run continuously, so we can ensure that our application is aligned to business expectations while also functionally precise. API testing will let us have consistency and the tests that we are building will last for a long time to come.

Originally published at https://www.numpyninja.com on April 30, 2021.