API stands for Application Programming Interface. An API describes how one software program communicates and exchanges data with other software programs. It acts as an interface that lets different software systems interact with each other. An API is a set of functions, subroutines, protocols, standards, and code that glues our technical world together.
Let us understand APIs through an example. Suppose you have booked an Uber for your commute. Uber uses Google Maps for directions and live updates. That doesn't mean Uber has developed its own maps for this functionality; it uses the Google Maps API to plug that functionality into its app. This is how an API is used to plug and play functionality.
There are many other famous APIs, such as the YouTube API, Twitter API, and Amazon Advertising API.
Any application is made up of 3 layers.
GUI testing is done on the presentation layer. API testing is entirely different from GUI testing: it is applied to the business layer of an application. API testing checks whether the API gives the expected results, whether it is reliable, how it performs, and whether it is secure. It doesn't focus on the application's look and feel; it concentrates on the API's performance and integration.
Various types of tests are performed on an API. They fall into the 9 categories below.
Let us discuss each testing type in detail.
Unit Testing: Unit testing is defined as testing of a unit or some specific functionality.
Functional Testing: Functional testing is defined as testing of functions in the codebase. These tests are run to ensure that API functions stay within expected parameters and that errors are handled properly.
Load Testing: Load testing is done to ensure the performance and functionality of an API under load.
Security Testing: Security testing is carried out to ensure the API is secure from external threats.
UI Testing: UI testing is a test of the user interface for the API and its components. It is specifically concerned with the function of the UI, whether the interface depends on command-line calls or is graphical in nature.
Runtime Error Detection: This test is carried out to identify exceptions or resource leaks, to prevent future erroneous scenarios.
Penetration Testing: Penetration testing is done to identify how vulnerable the application is to attackers.
Fuzz Testing: Fuzz testing is negative testing that shows how an API behaves in a worst-case scenario. A large amount of random data (the "fuzz") is given as input to try to force a crash, and we check how the API handles it.
Interoperability and WS Compliance Testing: It is only applicable to SOAP APIs. It generally checks 2 things. Firstly, interoperability is checked against the Web Services Interoperability Profiles. Secondly, compliance is checked to make sure standards like WS-Discovery, WS-Addressing, WS-Federation, WS-Security, WS-Policy and WS-Trust are properly utilized and maintained.
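The fuzz testing described above, as an added example that is not from the original article: a seeded fuzz loop feeds random bytes and mutated requests to two versions of a constructed handler, one with no input validation and one that maps every malformed input to a 400. The handler names, the `amount` field and the status codes are assumptions made for the illustration.

```python
import json
import random


def naive_transfer(raw):
    """Constructed handler with no input validation; returns an HTTP status."""
    req = json.loads(raw)
    return 200 if req["amount"] <= 1000 else 422


def hardened_transfer(raw):
    """Same hypothetical endpoint; malformed input becomes a 400, never an exception."""
    try:
        req = json.loads(raw)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return 400
    amount = req.get("amount") if isinstance(req, dict) else None
    if isinstance(amount, bool) or not isinstance(amount, int) or amount < 0:
        return 400
    return 200 if amount <= 1000 else 422


def fuzz_inputs(count, seed=1234):
    """Yield edge cases, random byte strings and one-byte mutations of a valid request."""
    rng = random.Random(seed)  # fixed seed so a failing run can be reproduced
    valid = b'{"amount": 250}'
    yield from (b"", b"null", b"[]", b"{}", b'{"amount": "250"}', b'{"amount": 1e999}')
    for _ in range(count):
        yield bytes(rng.randrange(256) for _ in range(rng.randrange(1, 40)))
        mutated = bytearray(valid)
        mutated[rng.randrange(len(mutated))] = rng.randrange(256)
        yield bytes(mutated)


def fuzz(handler, count=300):
    """Return every input that raised or produced an undocumented status."""
    failures = []
    for raw in fuzz_inputs(count):
        try:
            if handler(raw) not in (200, 400, 422):
                failures.append(raw)
        except Exception:  # an unhandled exception would surface as a 500
            failures.append(raw)
    return failures


if __name__ == "__main__":
    print("naive handler failures:", len(fuzz(naive_transfer)))
    print("hardened handler failures:", len(fuzz(hardened_transfer)))
```

Each entry in the returned list is a reproducible input that can be turned into a regression test.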
Due to test-driven development, unit testing has become an integral part of every development effort. On the other hand, many applications provide an API for code-level access to functionality. Both types of testing target the code level and use similar tools. Let us see how they differ from each other.
The table below states the differences between API testing and unit testing.
| API Testing | Unit Testing |
|---|---|
| API testing is termed black box testing, which mainly focuses on the result of the system under test. | Unit testing tests each module and ensures each module delivers its functionality. It is an important activity for a developer to make the necessary changes. |
| API tests are implemented and executed by the QA team once the build is ready. | Unit test code is developed by programmers only. |
| API testing targets the whole system. So, while designing test cases, one needs to consider the 'full' functionality of the system. | Unit tests are developed for each module and designed for each module in isolation. They don't consider the interactions between those units. |
API testing differs from other testing in that no GUI is involved. To test an API, we need to set up an environment that accepts input parameters, invokes the API with those parameters, and captures the result.
To set up the API test environment, we need to configure the database and server as per the application's requirements. Once that is done, we can call API functions to verify whether the API is working.
Below is a list of common tests we carry out in API testing:
Return value for an input condition: We need to verify responses based on the request. This is comparatively easy to test, as the input variables are known and the results can be verified.
Effect of updating a data structure: Updating data structures affects the outcome of an API. This outcome needs to be verified.
Redirection of an API to an event or another API call: If an API redirects control to an event or another API, those should also be tracked.
In case of no return value: When an API doesn't return any value, its behavior must be verified.
Resource Modification: If API calls modify some resources, then those resources must be verified and validated by accessing them.
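Three of the checks listed above (return value for a known input, no return value, resource modification), as an added example that is not code from the original article: a constructed in-memory API is started on a local port and each check is made over HTTP. The `ItemAPI` class, the `/items/a` path and the payload are assumptions made for the illustration.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ITEMS = {}  # constructed in-memory store standing in for the database


class ItemAPI(BaseHTTPRequestHandler):
    """Constructed sample API (an assumption): PUT and GET on /items/<name>."""
    log_message = lambda *args: None  # silence per-request logging

    def _reply(self, status, payload=None):
        body = b"" if payload is None else json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        ITEMS[self.path] = json.loads(self.rfile.read(length))
        self._reply(204)  # success, but no return value

    def do_GET(self):
        found = self.path in ITEMS
        self._reply(200 if found else 404, ITEMS[self.path] if found else {"error": "not found"})


def call(port, method, path, data=None):
    """Send one request; return (status, decoded JSON body or None)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=None if data is None else json.dumps(data))
    resp = conn.getresponse()
    raw = resp.read()
    conn.close()
    return resp.status, (json.loads(raw) if raw else None)


def run_checks():  # start the sample API on a free local port and exercise it
    ITEMS.clear()
    server = HTTPServer(("127.0.0.1", 0), ItemAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = {
        "missing": call(server.server_port, "GET", "/items/a"),  # known input, known error
        "create": call(server.server_port, "PUT", "/items/a", {"qty": 2}),  # no return value
        "readback": call(server.server_port, "GET", "/items/a"),  # resource was modified
    }
    server.shutdown()
    server.server_close()
    return results
```

Calling `run_checks()` returns the status and body observed at each step. The PUT returns nothing, so its effect is confirmed by the read-back that follows it.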
There are various points that help us choose the best API testing approach.
Once you have applied the above points, you need to start organizing yourself for the API test. Try to answer the questions below:
This will help to define testing boundaries and requirements. Together, these points help us decide on a suitable API test strategy.
Once we have decided on testing boundaries and requirements, we need to decide what exactly we want to test the API for. Apart from the usual SDLC process, below are a few testing methods.
Discovery testing: The testing team needs to manually test the set of calls included in the API, such as ensuring that a resource used by the API is listed, created or deleted as required.
Usability testing: This testing verifies that the API integrates with other platforms properly. It checks whether the API is user-friendly and functional.
Security testing: This testing method verifies the type of authentication required and ensures that sensitive and confidential data is encrypted when sent over HTTP.
Automated testing: This testing method creates a script that executes and triggers the API regularly without any manual effort.
Documentation testing: This method verifies that the documentation provides enough information about the API. This documentation is delivered by the development team as part of the final deliverable. There are many API documentation templates available, such as Miredot, Slate, RestDoc, API Blueprint, FlatDoc, and Swagger.
In API testing, we generally send a request to the API with some input parameters and analyze the response received for that known data. Below are the key areas we need to verify while performing API testing:
There are various types of bugs or errors detected by API testing. Below are some of them:
Once you have prepared your test plan, follow some rules of thumb to make the testing as successful as possible:
Make sure each test case is free of dependencies where possible.
API testing offers several advantages: it improves test coverage and gives faster, more effective results. Some of the advantages are mentioned below:
There are some challenges that we face while doing API testing.
API testing can be done with various tools. Having the right tool and process for API testing is important, as the API is a crucial component of any application. There are many open-source and commercial tools available for API testing.
Below is a list of some of the best tools available in the market for API testing:
SoapUI: An automation testing tool for REST and SOAP APIs. It is cross-platform and has free and paid plans.
Katalon Studio: It is a Web, API, and Mobile testing tool. It is good for beginners as well as experts. It has a free license and paid support services.
JMeter: It is designed for load testing and functional testing.
Postman: It is an API development environment. It has free as well as paid but cheap plans.
Fiddler: It is a tool to monitor, reuse and manipulate existing HTTP requests. Its APITest extension allows us to validate API behaviour across the web.
Apigee: Apigee is a cross-cloud API testing tool which allows users to validate API performance along with building and supporting APIs with other tools like Swagger.
Rest-Assured: It is an open-source tool used for testing REST services in a Java environment.
Swagger: It is a tool for the API design process which covers the whole API lifecycle.
Assertible: Assertible is an API testing tool known for automation and reliability.
Karate DSL: It is a tool which allows testers to write test cases for web services using a domain-specific language.
RestSharp: It is an API testing tool used to test REST in a .NET environment.
There are many other tools available in the market for API testing. Choose according to your requirements and environment.
API testing plays an important role for any application. If an API is not tested properly, it can create problems when the application is called. It is a crucial and mandatory test in the software lifecycle.