Introduction to API Testing
API stands for Application Programming Interface. An API describes how one software program communicates and exchanges data with other software programs. It acts as an interface that lets different software systems interact with each other. An API is a set of functions, subroutines, protocols, standards, and code that glues our technical world together.
Let us understand APIs through an example. Suppose you have booked an Uber for your commute. Uber uses Google Maps for directions and live updates. That doesn’t mean Uber has developed its own maps for this functionality. It uses the Google Maps API to plug that functionality into its app. This is how an API is used to plug and play functionality.
There are many other famous APIs like YouTube API, Twitter API, Amazon Advertising API, etc.
Any application is made up of 3 layers.
- Presentation Layer
- Business Layer
- Database Layer
GUI testing is done on the presentation layer. API testing is entirely different from GUI testing: it is applied to the business layer of an application. API testing checks whether the API gives the expected results, whether it is reliable, how it performs, and whether it is secure. API testing doesn’t focus on the application’s look and feel. It concentrates on the API’s performance and integration.
Types of API Testing
Various types of tests are run against an API. They fall into the 9 categories below.
- Unit testing
- Security Testing
- UI testing
- Interoperability and WS Compliance testing
- Functional Testing
- Load Testing
- Runtime Error Detection
- Penetration Testing
- Fuzz Testing
Let us discuss each testing type in detail.
Unit Testing: Unit testing is defined as the testing of a unit or some specific functionality.
Functional Testing: Functional testing is defined as a test of functions in the codebase. These tests are run to ensure API functions are within expected parameters and errors are handled properly.
Load Testing: Load testing is done to ensure the performance and functionality of an API under load.
Security Testing: Security testing is carried out to ensure the API is secure from external threats.
UI Testing: UI testing is a test of the user interface for the API and its components. It is concerned with how the UI functions, whether the interface relies on command-line calls or is graphical in nature.
Runtime Error Detection: This test is carried out to identify exceptions or resource leaks, to prevent erroneous scenarios in the future.
Penetration Testing: Penetration testing is done to identify how vulnerable the application is to attackers.
Fuzz Testing: Fuzz testing is negative testing to see how the API behaves in a worst-case scenario. In this testing, a large amount of random data is given as input to create fuzz and check how the API handles this forced crash.
Interoperability and WS Compliance Testing: It is only applicable to SOAP APIs. It generally checks 2 fields. Firstly, interoperability is checked by making sure the API conforms to the Web Services Interoperability Profiles. Secondly, compliance is checked to make sure standards like WS-Discovery, WS-Addressing, WS-Federation, WS-Security, WS-Policy, and WS-Trust are properly utilized and maintained.
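As an illustration of the fuzz testing described above, the following added example (not code from the original article) feeds seeded random and malformed input to two versions of the same endpoint logic. The handlers, the `qty`/`price` fields and the range limits are hypothetical, and the inputs are constructed.

```python
import json, random

def fragile_handler(raw: bytes):
    """Hypothetical endpoint logic with no input validation (the 'before')."""
    body = json.loads(raw)                              # raises on non-JSON input
    return 200, {"total": body["qty"] * body["price"]}  # raises on wrong shape/type

def hardened_handler(raw: bytes):
    """Same logic, but every bad input is answered with a 400."""
    try:
        body = json.loads(raw)
    except (ValueError, RecursionError):  # ValueError also covers bad UTF-8
        return 400, {"error": "invalid_json"}
    if not isinstance(body, dict):
        return 400, {"error": "invalid_body"}
    qty, price = body.get("qty"), body.get("price")
    if type(qty) is not int or type(price) is not int:  # type(): bool is an int subclass
        return 400, {"error": "invalid_type"}
    if not 0 < qty <= 1000 or price < 0:
        return 400, {"error": "out_of_range"}
    return 200, {"total": qty * price}

def fuzz_inputs(seed=1234, count=300):
    """Constructed inputs: random bytes, mutated valid JSON, wrong-typed JSON."""
    rng = random.Random(seed)             # fixed seed keeps failures reproducible
    valid = b'{"qty": 2, "price": 5}'
    odd = [None, "x", -1, 0, 10**30, 1.5, [], {}, True]
    for _ in range(count):
        kind = rng.randrange(3)
        if kind == 0:
            yield bytes(rng.randrange(256) for _ in range(rng.randrange(40)))
        elif kind == 1:
            buf = bytearray(valid)
            buf[rng.randrange(len(buf))] = rng.randrange(256)
            yield bytes(buf)
        else:
            yield json.dumps({"qty": rng.choice(odd), "price": rng.choice(odd)}).encode()

def fuzz(handler, inputs):
    """Return the inputs that crash the handler or yield an unexpected status."""
    failures = []
    for raw in inputs:
        try:
            status, _ = handler(raw)
            if status not in (200, 400):
                failures.append(raw)
        except Exception:          # an uncaught exception would surface as HTTP 500
            failures.append(raw)
    return failures
```

Each entry returned by `fuzz` is a reproducible test case: the same seed regenerates the same input, so it can be added to the regression suite once the handler is fixed.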
API Testing Vs. Unit Testing
Due to test-driven development, unit testing has become an integral part of every development effort. At the same time, many applications provide an API for code-level access to their functionality. Both types of testing target the code level and use similar tools. Let us see how they differ from each other.
The table below states the differences between API testing and unit testing.
|API Testing|Unit Testing|
|---|---|
|API testing is termed black box testing, which mainly focuses on the result of the system under test.|Unit testing tests each module and ensures each module delivers its functionality. It is an important activity for a developer to make the necessary changes.|
|API tests are implemented and executed once the build is ready and developed by the QA team.|Unit test codes are developed by programmers only.|
|API testing targets the whole system. So, while designing test cases, one needs to consider the ‘full’ functionality of the system.|Unit tests are developed for each module. They are designed for each module in isolation. They don’t consider the interactions between those units.|
API Test Environment Setup
API testing is different from other testing because no GUI is involved. To test an API, we need to set up an environment that accepts input parameters, invokes the API with those parameters, and derives the result.
To set up the API test environment, we need to configure the database and server as per the application requirements. Once that is done, we can call API functions to verify whether the API is working.
Test Cases for API Testing
Below is a list of some common tests we carry out for API testing:
Return value for an input condition: We need to verify responses based on the request. This is comparatively easy to test, as the input variables are known and the results can be verified.
Effect of updating data structure: If we update data structures, it will affect the outcome of an API. This outcome needs to be verified.
Redirection of an API – an event or another API call: If an API redirects control to an event or another API then those also should be tracked.
In case of no return value: When API doesn't return any value, its behavior must be verified.
Resource Modification: If API calls modify some resources, then those resources must be verified and validated by accessing them.
API Testing Approach
The following points help us choose the best API testing approach:
- Define the scope of the program by understanding the functionality of the API program.
- Set up the test environment, which includes database and server configuration as per the application requirements.
- Perform API testing by using different testing techniques like boundary value analysis, equivalence classes, and error guessing. Also write test cases for the API.
- Plan and define input parameters for the API properly.
- Perform test cases with known input configurations and ensure the API meets the expected result.
Once you have applied the above points, you need to start organizing yourself for the API test. Try to answer the questions below:
- Who consumes the API? Who is the target audience?
- Which environment should the API use?
- What is the expected result in normal circumstances?
- Any preference for testing the API?
- Which problems are we testing for?
- What will happen in abnormal circumstances?
- Which other APIs can communicate with this API?
- What are your pass and fail scenarios?
This helps to create testing boundaries and requirements. Altogether, these points help us decide on a perfect API test strategy.
How to do API Testing?
Once we have decided on testing boundaries and requirements, we need to decide what exactly we want to test the API for. Apart from the usual SDLC process, below are a few testing methods.
Discovery testing: The testing team needs to manually test the set of calls included in the API, such as ensuring a resource used by the API is listed, created or deleted as required.
Usability testing: This testing verifies whether the API integrates with other platforms properly. This method checks whether the API is user-friendly and functional.
Security testing: This testing method verifies the type of authentication required and ensures sensitive and confidential data is encrypted in transit, that is, sent over HTTPS rather than plain HTTP.
Automated testing: This testing method creates a script which executes and triggers the API regularly without any manual effort.
Documentation testing: This method verifies whether the documentation provides enough information about the API. This documentation is delivered as a part of the final deliverable by the development team. There are many API documentation templates available, like Miredot, Slate, RestDoc, API blueprint, FlatDoc, Swagger etc.
What do you need to verify in API Testing?
In API testing, we generally send a request to the API with some input parameters and analyze the response we receive for that known data. Below are the key areas we need to verify while performing API testing:
- Response Time
- HTTP Status Codes
- Data Accuracy
- API return value (error codes if API returns any error)
- Authorization checks
- Non-functional testing like security testing, performance testing.
Types of Bugs and errors detected by API Testing
There are various types of bugs or errors detected by API testing. Below are some of them:
- Security issues
- Performance issues
- Multi-Threading issues
- Unused flags
- Duplicate or missing functionality
- Reliability issues, i.e. difficulty connecting to and getting a response from the API
- Improper warnings or errors to the caller
- Unstructured response data
- Valid arguments not handled correctly
Best Practices of API Testing
Once you have prepared your test plan, follow these rules of thumb to make the tests as successful as possible:
- Start testing with typical or expected results.
- Add stress to the system by carrying out a series of API load tests.
- Test for failure conditions. Make sure the API fails consistently for negative cases.
- To ease the work for the tester, prioritize API function calls.
- Verify how the API behaves and handles any unforeseen problems.
- Automate any API testing task if possible.
- Group test cases based on their category.
- Try to cover all possible input combinations for maximum test coverage.
- Mention parameter selection in test cases explicitly.
- Test chaining should be avoided.
- Call sequencing should be well planned.
- Make sure each test case is independent of dependencies if possible.
Advantages of API Testing
API testing provides several advantages that improve test coverage and give faster, more effective results. Some of the advantages are mentioned below:
Core Functionality Test: Through API testing, the application can be accessed without any user interface. Core functionality tests result in an early evaluation of a build before any GUI tests are applied to it. This practice identifies small issues which can become larger during GUI testing, and it reduces the testing cost.
Language Independent: Data is exchanged in JSON or XML while performing API testing. These transfer modes are completely language independent. You can select any core language while automating testing for your application.
Time and Cost-Effective: API testing is less time consuming than GUI testing. API tests require less code and hence provide faster and better coverage than GUI testing.
Risk Reduction: API testing helps to find bugs early in the test cycle, and hence reduces risk.
GUI Integration: You can easily integrate GUI testing with API testing. This is most helpful when you want to perform API testing followed by functional GUI testing.
Challenges of API Testing
There are some challenges that we face while doing API testing.
- Choosing right parameters and their combinations
- Validating the output
- Choosing the parameter category properly
- Difficulty in providing input value due to absence of GUI
- Call sequencing should be proper in order to avoid inadequate coverage while testing
- Testing exception handling function
- Coding knowledge is required by a tester.
Tools for API Testing
API testing can be done through various tools. Having the right tool and process for API testing is the most important task as it is the crucial component for any application. There are many open-source and commercial tools available for API testing.
Below is the list of some of the best tools available in the market for API testing:
SoapUI: An automation testing tool for REST and SOAP APIs. It is cross-platform and has free and paid plans.
Katalon Studio: It is a Web, API, and Mobile testing tool. It is good for beginners as well as experts. It has a free license and paid support services.
JMeter: It is designed for load testing and functional testing.
Postman: It is an API development environment. It has free plans as well as inexpensive paid plans.
Fiddler: It is a tool to monitor, reuse and manipulate existing HTTP requests. Its APITest extension allows us to validate API behavior across the web.
Apigee: Apigee is a cross-cloud API testing tool which allows users to validate API performance along with building and supporting APIs with other tools like Swagger.
Rest-Assured: It is an open-source tool used for testing REST services in a Java environment.
Swagger: It is a tool for the API design process that covers the whole API lifecycle.
Assertible: Assertible is an API testing tool known for automation and reliability.
Karate DSL: It is a tool which allows testers to write test cases for web services using a domain-specific language.
RestSharp: It is an API testing tool used to test REST services in the .NET environment.
There are many other tools available in the market for API testing. Choose according to your requirement and environment.
API testing plays an important role in any application. If it is not tested properly, it can create problems while calling the application. It is a crucial and mandatory test in the software lifecycle.