API Testing Guide and Beginner’s Tips (SOAP & REST)
How to approach API testing
An API testing process should begin with a clearly defined scope of the program as well as a full understanding of how the API is supposed to work. Some questions that testers should consider include:

* What endpoints are available for testing?
* What response codes are expected for successful requests?
* What response codes are expected for unsuccessful requests?
* Which error message is expected to appear in the body of an unsuccessful request?

Once factors such as these are understood, testers can begin applying various testing techniques. Test cases should also be written for the API. These test cases define the conditions or variables under which testers can determine whether a specific system performs correctly and responds appropriately. Once the test cases have been specified, testers can perform them and compare the expected results to the actual results. The test should analyze responses that include:

* reply time,
* data quality,
* confirmation of authorization,
* HTTP status code and
* error codes.

API testing can analyze multiple endpoints, such as web services, databases or web user interfaces. Testers should watch for failures or unexpected inputs. Response time should be within an acceptable agreed-upon limit, and the API should be secured against potential attacks.

Tests should also be constructed to ensure users can’t affect the application in unexpected ways, that the API can handle the expected user load and that the API can work across multiple browsers and devices.

The test should also analyze the results of nonfunctional tests, including performance and security.
Types of API tests
Various types of API tests can be performed to ensure the application programming interface is working appropriately. They range from general to specific analyses of the software. Here are examples of some of these tests.

Validation testing includes a few simple questions that address the whole project. The first set of questions concerns the product: Was the correct product built? Is the designed API the correct product for the issue it attempts to resolve? Was there any major code bloat — production of code that is unnecessarily long, slow and wasteful — throughout development that would push the API in an unsustainable direction?

The second set of questions focuses on the API’s behavior: Is the correct data being accessed in the predefined manner? Is too much data being accessed? Is the API storing the data correctly given the data set’s specific integrity and confidentiality requirements?

The third set of questions looks at the efficiency of the API: Is this API the most efficient and accurate method of performing a task? Can any codebase be altered or entirely removed to reduce impairments and improve overall service?

Functional testing ensures the API performs exactly as it is supposed to. This test analyzes specific functions within the codebase to guarantee that the API functions within its expected parameters and can handle errors when the results are outside the designated parameters.

Load testing is used to see how many calls an API can handle. This test is often performed after a specific unit, or the entire codebase, has been completed to determine whether the theoretical solution can also work as a practical solution when acting under a given load.

Reliability testing ensures the API can produce consistent results and the connection between platforms is constant.

Security testing is often grouped with penetration testing and fuzz testing in the greater security auditing process. Security testing incorporates aspects of both penetration and fuzz testing, but also attempts to validate the encryption methods the API uses as well as the access control design. Security testing includes the validation of authorization checks for resource access and user rights management.

Penetration testing builds upon security testing. In this test, the API is attacked by a person with limited knowledge of the API. This enables testers to analyze the attack vector from an outside perspective. The attacks used in penetration testing can be limited to specific elements of the API or they can target the API in its entirety.

Fuzz testing forcibly inputs huge amounts of random data — also called noise or fuzz — into the system, attempting to create negative behavior, such as a forced crash or overflow.
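
A small fuzz harness for the technique just described, as an added example that is not part of the original article: it mutates a constructed request body and records every input that makes a handler raise or answer with a 5xx status. `fragile` and `hardened` are hypothetical handlers standing in for the API under test, and the field names and limits are assumptions.

```python
import json
import random

SAMPLE = b'{"item": "widget", "qty": 3}'  # constructed valid request body

def fragile(body):
    """Hypothetical handler that trusts its input; returns (status, message)."""
    data = json.loads(body)
    return (200, "ok") if int(data["qty"]) > 0 else (400, "bad qty")

def hardened(body):
    """Same handler with parsing and validation failures mapped to 400."""
    try:
        data = json.loads(body)
    except (ValueError, RecursionError):  # bad JSON, bad encoding, deep nesting
        return 400, "malformed JSON"
    if not isinstance(data, dict):
        return 400, "object expected"
    qty = data.get("qty")
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= 1000:
        return 400, "invalid qty"
    return 200, "ok"

def mutations(seed, rounds=500):
    """Yield fuzz inputs: truncations, byte flips and pure noise."""
    rng = random.Random(seed)  # seeded so a finding can be reproduced
    for n in range(len(SAMPLE)):  # every truncation of the valid body
        yield SAMPLE[:n]
    for _ in range(rounds):
        buf = bytearray(SAMPLE)
        for _ in range(rng.randint(1, 4)):  # overwrite a few random bytes
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        yield bytes(buf)
        yield bytes(rng.randrange(256) for _ in range(rng.randint(0, 64)))

def fuzz(handler, seed=1234):
    """Return (input, reason) for inputs that crash the handler or yield a 5xx."""
    findings = []
    for body in mutations(seed):
        try:
            status, _ = handler(body)
        except Exception as exc:  # an unhandled exception is a finding
            findings.append((body, type(exc).__name__))
            continue
        if status >= 500:
            findings.append((body, "HTTP %d" % status))
    return findings

if __name__ == "__main__":
    print("fragile:", len(fuzz(fragile)), "hardened:", len(fuzz(hardened)))
```

Each finding keeps the exact input bytes, so a crash can be turned into a permanent regression test case.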
Benefits of API testing
API testing guarantees that connections among platforms are reliable, safe and scalable. Specific benefits include:

* API test automation requires less code than automated GUI tests, resulting in faster testing and a lower overall cost.
* API testing enables developers to access the app without a UI, helping the tester identify errors earlier in the development lifecycle, rather than waiting for them to become bigger issues. This also saves money because errors can be more efficiently resolved when caught early.
* API tests are technology and language independent. Data is exchanged using JSON or XML and it contains HTTP requests and responses.
* API tests use extreme conditions and inputs when analyzing applications. This removes vulnerabilities and guards the app from malicious code and breakage.
* API tests can be integrated with GUI tests. For example, integration can enable new users to be created within the app before a GUI test is performed.

While API testing presents these various benefits, it also produces challenges. The most common limitations found in API tests are parameter selection, parameter combination and call sequencing. Parameter selection requires the parameters sent through API requests to be validated — a process that can be difficult. However, it is necessary that testers guarantee that all parameter data meets the validation criteria, such as the use of appropriate string or numerical data, an assigned value range and conformance with length restrictions.

Parameter combination can be challenging because every combination must be tested to see if it holds problems related to specific configurations. Call sequencing is also a challenge because every call must appear in a specific order to ensure the system works correctly. This quickly becomes a challenge, especially when dealing with multithreaded applications.
API testing tools
When performing an API test, developers can either write their own framework or choose from a variety of ready-to-use API testing tools. Designing an API test framework enables developers to customize the test; they are not limited to the capabilities of a specific tool and its plugins. Testers can add whichever library they consider appropriate for their chosen coding platform, build unique and convenient reporting standards and incorporate complicated logic into the tests. However, testers need sophisticated coding skills if they choose to design their own framework.

Conversely, API testing tools provide user-friendly interfaces with minimal coding requirements that enable less-experienced developers to feasibly deploy the tests. Unfortunately, the tools are often designed to analyze general API issues, and problems more specific to the tester’s API can go unnoticed.

A large variety of API testing tools is available, ranging from paid subscription tools to open source offerings. Some specific examples of API testing tools include:

* SoapUI. The tool focuses on testing API functionality in SOAP and REST APIs and web services.
* Apache JMeter. An open source tool for load and functional API testing.
* Apigee. A cloud API testing tool from Google that focuses on API performance testing.
* REST Assured. An open source, Java-specific language that facilitates and eases the testing of REST APIs.
* Swagger UI. An open source tool that creates a webpage that documents APIs used.
* Postman. A Google Chrome app used for verifying and automating API testing.
* Katalon. An open source application that helps with UI automated testing.
Examples of API tests
While the use cases of API testing are endless, here are two examples of tests that can be performed to guarantee that the API is producing the appropriate results.

When a user opens a social media app — such as Twitter or Instagram — they are asked to log in. This can be done independently – through the app itself – or through Google or Facebook. This implies the social media app has an existing agreement with Google and Facebook to access some level of user information already supplied to these two sources. An API test must then be conducted to ensure that the social media app can collaborate with Google and Facebook to pull the necessary information that will grant the user access to the app using login information from the other sources.

Another example is travel booking systems, such as Expedia or Kayak. Users expect all the cheapest flight options for specific dates to be available and displayed to them upon request when using a travel booking system. This requires the app to communicate with all the airlines to find the best flight options. This is done through APIs. As a result, API tests must be performed to ensure the travel booking system is successfully communicating with the other companies and presenting the correct results to users in an appropriate timeframe. Furthermore, if the user then chooses to book a flight and pays using a third-party payment service, such as PayPal, then API tests must be performed to guarantee the payment service and travel booking systems can effectively communicate, process the payment and keep the user’s sensitive data safe throughout the process.
Best practices for API testing
API testing best practices include:

* When defining test cases, group them by category.
* Include the selected parameters in the test case itself.
* Develop test cases for every potential API input combination to ensure complete test coverage.
* Reuse and repeat test cases to monitor the API throughout production.
* Use both manual and automated tests to produce better, more trustworthy results.
* When testing the API, note what happens consistently and what does not.
* API load tests should be used to test the stress on the system.
* APIs should be tested for failures. Tests should be repeated until they produce a failed output. The API should be tested so that it fails consistently to identify the problems.
* Call sequencing should be performed with a solid plan.
* Testing can be made easier by prioritizing the API function calls.
* Use a good level of documentation that is easy to understand and automate the documentation creation process.
* Keep each test case self-contained and separate from dependencies, if possible.
API Testing Guide and Beginner’s Tips (SOAP & REST)
API (application programming interface) testing is a type of software testing that performs verification directly at the API level. It is a part of integration testing that determines whether the APIs meet the testers’ expectations of functionality, reliability, performance, and security. Unlike UI testing, API testing is performed at the message layer without GUI.

There are two broad classes of web service for Web API: SOAP and REST. SOAP (Simple Object Access Protocol) is a standard protocol defined by the W3C standards for sending and receiving web service requests and responses. REST (REpresentational State Transfer) is the web standards-based architecture that uses HTTP. Unlike SOAP-based Web services, there is no official standard for RESTful Web APIs.

Here are 10 basic tips that you need to know for API testing:
Testing Strategy for APIs
While testing APIs, a tester should concentrate on using software to make API calls in order to receive an output before observing and logging the system’s response. Most importantly, test that the API returns a correct response or output under varying conditions. This output is typically one of these three:

* A Pass or Fail status
* Data or information
* A call to another API

However, there could also be no output at all, or something completely unpredicted could occur. This makes the tester’s role crucial to the application development process. And because APIs are the central hub of data for many applications, data-driven testing for APIs can help increase test coverage and accuracy.

In testing the API directly, specifying pass/fail scenarios is slightly more challenging. However, comparing the API data in the response, or comparing the behavior after the API call in another API, would help you set up definitive validation scenarios.

API testing is one of the most challenging parts of the whole chain of software testing and QA testing because it works to assure that our digital lives run in an increasingly seamless and efficient manner. While developers tend to test only the functionalities they are working on, testers are in charge of testing both individual functionalities and a series or chain of functionalities, discovering how they work together from end to end.
Types of API Testing
First, identify what type of tests you need to perform on the API. Just as testers do different types of testing for the features of their product, the same goes for APIs. Common testing of APIs includes:

* Unit Testing: To test the functionality of an individual operation. For example, Google provides a geocoding API to get the longitude and latitude of any location. This usually takes the address as input and returns lat-longs. For unit testing of this API, the tester may pass different locations and verify the result.
* Functional Testing: This type of testing mainly focuses on the functionality of the API. This would include test cases to verify HTTP response codes, validation of the response, error codes in case the API returns any error, etc.
* Load Testing: This type of test is necessary in cases where the API is dealing with huge data and the application is likely to be used by a number of users at the same time. This increases the API hits at the same time, and the API may crash and not be able to take that load.
* Security Testing: Security testing is particularly critical as APIs are used to create a link between two different applications. The core purpose of using an API is to abstract or hide the application’s database from others. This may include test cases like authorization checks, session management, etc.
* Interoperability Testing: This is to test that the API is accessible to the applications where it should be. This applies to SOAP APIs.
* WS compliance Testing: The API is tested to ensure standards such as WS-Addressing, WS-Discovery, WS-Federation, WS-Policy, WS-Security, and WS-Trust are properly implemented and utilized.
* Penetration Testing: This is to find vulnerabilities of the API from external sources.
Tools for API Testing and Automation
There are several tools to test APIs. When a tester gets to test an API, they must ask for its documentation. Whether it is a REST API, a SOAP API or a non-web-based API, there should always be a document in which the details are written. To approach API testing:

1. Ask for the doc.
2. Write functional or service-level cases first.
3. Write integration tests.
4. When the API is stable enough and passes most of the above tests, perform security, performance and load testing.

* A typical API doc has all the information related to the API, like its request format, response, error codes, resource, mandatory parameters, optional parameters, headers, etc. The doc can be maintained in various tools like Swagger, which is open source.
* After that, try to write service-level cases for the API. For example, if an API takes n parameters to get the response, of which m are mandatory parameters and the others are optional, then one test case should be to try different combinations of parameters and verify the response. Another test case might verify the headers and try to run the API without passing authentication and verify the error code.
* Next comes the step of integration testing, where you need to test the API and all its dependent APIs or functions. This also includes testing the API response, the data it should return to another API or method and what happens if this API fails.
* Once the API is stable and functional testing is almost done, the tester can perform load, security and performance testing.
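
The service-level cases described above (every combination of mandatory and optional parameters, plus calls without valid authentication), as an added example that is not part of the original article. `handle` is a constructed stand-in for the API under test, and its parameter names, limits and token are hypothetical; it also enforces the type, value-range and length criteria named earlier under parameter selection.

```python
from itertools import combinations

# Constructed sample values; parameter names and token are hypothetical.
MANDATORY = {"origin": "LHR", "dest": "JFK"}
OPTIONAL = {"max_price": "500", "airline": "XY"}
AUTH = {"Authorization": "Bearer test-token"}

def handle(params, headers):
    """Constructed stand-in for the API under test; returns (status, body)."""
    if headers.get("Authorization") != AUTH["Authorization"]:
        return 401, {"error": "unauthorized"}
    missing = sorted(k for k in MANDATORY if k not in params)
    if missing:
        return 400, {"error": "missing: " + ",".join(missing)}
    for k in MANDATORY:  # type and length criteria
        if not (params[k].isalpha() and len(params[k]) == 3):
            return 400, {"error": "invalid: " + k}
    price = params.get("max_price")
    if price is not None:  # numeric type and value-range criteria
        if not (price.isascii() and price.isdigit() and 1 <= int(price) <= 10000):
            return 400, {"error": "invalid: max_price"}
    return 200, {"results": []}

def subsets(d):
    """Every subset of a dict's items, from empty to complete."""
    for r in range(len(d) + 1):
        for keys in combinations(d, r):
            yield {k: d[k] for k in keys}

def build_cases():
    """Yield (name, params, headers, expected_status) test cases."""
    for m in subsets(MANDATORY):
        for o in subsets(OPTIONAL):
            expected = 200 if len(m) == len(MANDATORY) else 400
            yield "params:" + ",".join(sorted({**m, **o})), {**m, **o}, AUTH, expected
    full = {**MANDATORY, **OPTIONAL}
    yield "no-auth", full, {}, 401
    yield "wrong-token", full, {"Authorization": "Bearer nope"}, 401
    for bad in ("0", "10001", "-5", "abc", ""):  # range and type boundaries
        yield "max_price=" + repr(bad), {**full, "max_price": bad}, AUTH, 400
    yield "origin-too-long", {**full, "origin": "LHRX"}, AUTH, 400

def run_cases():
    """Return the names of cases whose actual status differs from the expected one."""
    return [n for n, p, h, exp in build_cases() if handle(p, h)[0] != exp]

if __name__ == "__main__":
    print("cases:", len(list(build_cases())), "failures:", run_cases())
```

With two mandatory and two optional parameters the combination cases number 16; the count doubles with each added parameter, which is why the expected status is computed rather than written out by hand.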
Why perform API testing?
As more companies make the shift left toward DevOps, continuous integration (CI), and continuous deployment (CD), test feedback needs to be quicker than ever. Focusing solely on UI automation—which is notoriously slow—can kill your test automation efforts.

As you scramble to ensure that your applications are ready to ship, API testing should be part of your overall automation strategy.

APIs are the basis of modern software development, especially as more and more teams move away from monolithic applications and begin adopting a microservices approach to software development.

With microservices making up the backbone of most newer development efforts, API testing becomes even more critical than before.
Roadblocks to API testing adoption
Thinking that API testing was about to take off, I wrote a book about it back in 2014. It still hasn’t taken off, though, for several reasons.

For one, even though many organizations claim to be agile, many still have distinct roles defined for developers and testers.

Testers believe developers should be doing API testing, while developers believe the opposite. Testers also may be technically unaware of how to even get started testing an API, so they simply focus on what they know—which is UI automation.