Before we explore API Testing, let’s first understand cover some of the terminology we will be using:
What is an Application Programming Interface?
In essence, an Application Programming Interface (API) is a formal specification that acts as a contract between components of software systems for communication and data exchange. This can be as part of a single software system, where perhaps the API provides a business logic layer independent of the user interface or the API may provide web services to other independent software applications e.g. A Weather API.
What are the different types of APIs?
An API is merely a formal specification for communication between software, but some standard data formats and API call types have developed, particularly in the web API space based around the HTTP protocol, and provide similar core functionality. Examples of commonly implemented API endpoints are:
- Representational State Transfer (REST)
- Simple Object Access Protocol (SOAP)
A comprehensive ecosystem of prebuilt libraries and components has been developed to support these API protocols which can be used to augment your own code when developing Application Programming Interfaces.
What is API Testing?
API testing is part of the software engineering process where an API is exercised, typically in a testing environment, to assess its functionality, reliability and performance.
Functional API test cases are designed to provide input parameters to an API. An API call is made to exercise one or more test cases by making an API Request. The API triggers processing by the business layer which processes the request and returns a Response with some data, or a code and message in case of an error. The data responses are can then be validated against expected results.
When is API Testing Performed?
Tests are often discrete test cases to exercise API function, typically performed during the Unit Testing phase of the development lifecycle.
Can API Testing be part of Integration Testing?
They can also form part of more complex business processes, as a sequential series of API calls, typically part of Integration Testing. API testing is also often performed alongside Graphical User Interface (GUI tests) to provide test data for GUI testing or to wider business logic, beyond just the API functions themselves.
What types of API Testing are there?
Apart from testing API Functionality, there is also Non-functional API Testing. Non-functional testing would include load testing, performance testing and more specialist areas such as security testing, fuzz testing and compliance testing. These aim to explore the reliability, performance and security of an API rather than its functionality reliability issues. We will focus on functional testing for the purposes of this article.
How do you test an API?
As APIs are designed for communication between software systems they do not provide a user interface that is suitable for manual functional testing directly. API Testing is very different to User Interface (UI testing) in that it necessitates the use of an API testing tool or a software solution that is written in code in order to exercise API function.
What API Testing tools are there?
There are a number of API testing tools that are in common use for this purpose including:
- API Fortress
The API testing tools listed above have specific functionality for API testing alone, there are however other API test automation tools that provide more comprehensive functionality for GUI testing alongside their API testing capabilities:
All of the tools provide an interface whereby a user can set up a test case in one of the protocols mentioned above, e.g. REST API testing, and implement validation of API responses.
Are there other ways to test API apart from using tools?
Code based libraries or frameworks are also available to create tests, an example of which is REST-Assured a Java Domain Specific Language (DSL) and Karate DSL both of which require knowledge of Java source code development to utilize for testing.
Can I just write tests in code?
These typically require a deeper technical understanding of the programming language to achieve results quickly, it is easier for those new to API testing to start using a specialist tool.
API Test Environment and Test Data
It is common best practice to create a test API environment separate from production and development environments in order to start testing. This enables the testing team to have better control over test data and is particularly important when conducting API automation testing.
A good Test Data strategy is important to successful API Testing. Suitable test data must be sought in order to exercise the test cases being executed. There are a number of approaches to sourcing suitable data for API testing, including:
- Manual Creation
- Synthetic Data Creation
- De-sensitized production data
- Hybrid approaches
Selecting the right test data strategy is vital when embarking on your API Testing journey. Tools like iData can help automate the process of data creation or obfuscation and are applicable for all types of software testing.
How do I create API tests?
Starting API testing using an API testing tool with a UI such as POSTMAN or Scriptworks can be a surprisingly straightforward process, particularly if a test environment with suitable test data is available.
Information on the following are general pre-requisites to identify before creating a test:
- The API endpoint Uniform Resource Locators (URLs)
- Authentication Mechanisms if present
- HTTP Headers requirements
- Query Parameters
- Data Structures and Data Types for the Request
- Data Structure of the Response
We will explore some of these areas in the subsequent sections.
What are the types of API Authentication mechanisms?
Most APIs will utilize an authentication mechanism of sorts to secure access. Authentication of the common API types mentioned is based on HTTP Authentication, generally on provision of credentials, a key or token passed in an Authorization Header.
Some Authorization mechanisms require a separate authentication Request to obtain an Access token or passcode which is used on subsequent calls until expiry.
The types of Authentication include:
- Basic Auth
- API Key or Bearer Token
- Digest Auth
- OAuth 1.0 and 2.0
- Hawk Authentication, AWS Signature, and NTLM Authentication
HTTP headers are discrete pieces of meta information that allow software systems to pass additional information about the nature of an API Request or Response. They can include information on the content being passed or requested or any custom information, they can include:
- Request Headers
- Response Headers
- Representation headers
- Payload Headers
An example set of headers for a REST API request is shown in the illustration below from Scriptworks logs:
What is REST testing?
REST API Testing is testing performed on an HTTP API endpoint with which supports a more substantial set of the different HTTP methods (GET, POST, PUT, DELETE, PATCH) typically there are different URL endpoints specifying different Resources which return a fixed data structure in XML or JSON format.
An example REST test is shown below from Scriptworks:
What is SOAP testing?
SOAP API testing is testing performed on an HTTP based API endpoint with a particular set of HTTP headers and a specific XML data structure, called a SOAP envelope. A SOAP API test is similar to a REST POST method with an XML SOAP envelope as its body.
An example SOAP test is shown below from Scriptworks logs:
What is GraphQL testing?
GraphQL testing is performed against an HTTP based API endpoint where the POST Request body contains a JSON structure that describes the content required in the Response. Essentially a Query which is fulfilled by the API.
An example GraphQL request is shown below from Scriptworks:
Can API testing be Automated?
API testing lends itself perfectly to automated testing and most of the tools and frameworks listed above are commonly used for building automated tests.
There are many benefits to automated API testing, reducing overall software testing time, increasing test coverage, and repeatability of tests means as the API changes, testing can be accommodated quickly.
Many of the tools listed above enable you to store configured tests and organize them by test category or in collections. These groupings of tests can be executed on-demand, in a concurrent fashion in some tools e.g. Scriptworks, as required by the software development process.
In Continuous Testing environments, automated API tests can be configured to run as often as on every source code check-in, usually in Unit testing with the aim of achieving complete test coverage.
Functional API Testing is typically performed with an API Testing tool such as Scriptworks, it lends itself well to automated testing and is often used in the unit testing and integration testing phases of development prior to UI testing.
API Tests can be organized and triggered by Continuous Integration tools and execution results presented in dashboards. There are other types of API Testing, such as performance testing and security testing.
Getting started with API Testing
You can quickly get started with API Testing by Signing up for a Free Trial account of the Scriptworks platform