
API Testing Detailed Document

API testing validates application program interfaces (APIs) by making requests to endpoints and comparing responses to expected results. It is an important type of integration testing that tests APIs directly to evaluate functionality, reliability, performance, and security. Benefits of API testing include earlier testing, easier test maintenance, faster bug resolution, and improved test coverage of both functional and non-functional requirements. As microservices and Agile development become more common, API testing is increasingly necessary to ensure different application components work correctly together.

Uploaded by

Lân Hoàng

API TESTING DETAILED DOCUMENT

PREPARED BY
Inaam Ullah - SQA Lead

NOV 29, 2022


What is API Testing?
❖ In software application development, an API is the middle layer between the presentation (UI) layer and the database layer. APIs enable communication and data exchange from one software system to another.
❖ API testing is a software testing practice that tests the APIs directly, covering their functionality, reliability, performance and security. Part of integration testing, API testing effectively validates the logic of the build architecture within a short amount of time.
❖ Applications frequently have three layers: a data layer, a service layer (the API layer) and a presentation layer (the user interface, or UI, layer). In the API layer, the business logic of the application guides how users can interact with the services, functions and data held within the app. API testing focuses on analyzing the business logic as well as the security of the application and data responses. An API test is generally performed by making requests to one or more API endpoints and comparing the response with expected results.
❖ API testing is a type of software testing that analyzes an application program interface (API) to verify it fulfills its expected functionality, security, performance and reliability. The tests are performed either directly on the API or as part of integration testing. An API is middleware code that enables two software programs to communicate with each other. The code also specifies the way an application requests services from the operating system (OS) or other applications.
❖ API testing is frequently automated and used by DevOps, quality assurance (QA) and development teams for continuous testing practices.

How to approach API testing?

❑ An API testing process should begin with a clearly defined scope of the program as well as a full understanding of how the API is supposed to work. Some questions that testers should consider include:
❖ What endpoints are available for testing?
❖ What response codes are expected for successful requests?
❖ What response codes are expected for unsuccessful requests?
❖ Which error message is expected to appear in the body of an unsuccessful request?
❖ How to test JSON and XML schema validation?
❖ How to verify the response header and the test case response?
❖ How are the error codes handled?
❖ How to validate the response payload?

❑ Once factors such as these are understood, testers can begin applying various testing techniques.
➔ Test cases should also be written for the API. These test cases define the conditions or variables under which testers can determine whether a specific system performs correctly and responds appropriately. Once the test cases have been specified, testers can perform them and compare the expected results to the actual results. The test should analyze responses that include:
1. Reply time,
2. Data quality,
3. Confirmation of authorization,
4. HTTP status code and
5. Error codes.

★ API testing can analyze multiple endpoints, such as web services, databases or web user interfaces.
★ Testers should watch for failures or unexpected inputs. Response time should be within an acceptable agreed-upon limit, and the API should be secured against potential attacks.
★ Tests should also be constructed to ensure users can't affect the application in unexpected ways, that the API can handle the expected user load and that the API can work across multiple browsers and devices.
★ The test should also analyze the results of nonfunctional tests, including performance and security.
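
The five response checks listed above (reply time, data quality, confirmation of authorization, HTTP status code and error codes), as an added Python example that is not part of the original document. The stub server, the `/users/<id>` endpoint, the token and the one-second limit are constructed assumptions so the test runs offline.

```python
import json, threading, time, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "constructed-test-token"  # constructed credential, valid only for the stub
class StubAPI(BaseHTTPRequestHandler):
    """Constructed stand-in for the API under test: GET /users/<id>."""
    def do_GET(self):
        if self.headers.get("Authorization") != f"Bearer {TOKEN}":
            return self._send(401, {"error": "unauthorized"})
        if self.path == "/users/1":
            return self._send(200, {"id": 1, "name": "alice"})
        self._send(404, {"error": "not_found"})
    def _send(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())
    def log_message(self, *args): pass  # silence per-request logging

def call(base, path, token=None):
    """One GET; returns (status, content_type, parsed_body, seconds)."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    start = time.perf_counter()
    try:
        resp = opener.open(urllib.request.Request(base + path, headers=headers), timeout=5)
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still have a body to verify
        resp = err
    body = json.loads(resp.read())
    return resp.status, resp.headers.get("Content-Type"), body, time.perf_counter() - start

def run_checks(max_seconds=1.0):
    """Start the stub on a free loopback port and evaluate the five checks."""
    server = HTTPServer(("127.0.0.1", 0), StubAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        ok = call(base, "/users/1", TOKEN)
        denied = call(base, "/users/1")          # no credential sent
        missing = call(base, "/users/2", TOKEN)  # unknown resource
    finally:
        server.shutdown()
        server.server_close()
    return {
        "reply_time": max(r[3] for r in (ok, denied, missing)) < max_seconds,
        "data_quality": isinstance(ok[2].get("id"), int) and isinstance(ok[2].get("name"), str),
        "authorization": denied[0] == 401 and "name" not in denied[2],
        "status_code": ok[0] == 200 and ok[1] == "application/json",
        "error_code": missing[0] == 404 and missing[2] == {"error": "not_found"},
    }
```

The authorization check asserts both the 401 status and that no user data appears in the denied response body, since a correct status code alone does not prove the payload was withheld.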


API Testing Process


Benefits of API Testing

Earlier Testing:
With API testing, once the logic is designed, tests can be built to validate the correctness of responses and data. We don't have to wait for various teams to finish their work or for full applications to be built: test cases are isolated and ready to be built immediately.

Easier Test Maintenance:
UIs are constantly changing and moving around based on how they are accessed (browsers, devices, screen orientation, etc.). This creates a nightmare scenario where tests are constantly being rewritten to keep up with the actual code in production. API changes are much more controlled and infrequent, and API definition files such as an OpenAPI Spec can often make refactoring tests take only a few seconds of work.

Faster Time To Resolution:
When API tests fail, we know exactly where our system broke and where the defect can be found. This helps reduce time triaging bugs between builds, integrations, and even different team members. The small, isolated footprint of an API test is perfect for faster MTTR stats, a valuable KPI for DevOps teams.

Speed and Coverage of Testing:
300 UI tests may take 30 hours to run. 300 API tests could be run in 3 minutes. That means users will find more bugs in less time, while also being able to fix them immediately.

Language-independent:
Data is exchanged via XML and JSON formats, so any language can be used for test automation. XML and JSON are typically structured data, making the verification fast and stable. There are also built-in libraries to support comparing data using these data formats.

GUI-independent:
API testing can be performed in the app prior to GUI testing. Early testing means early feedback and better team productivity. The app's core functionalities can be tested to expose small errors and to evaluate the build's strengths.

Improved test coverage:
Most API/web services have specifications, allowing you to create automated tests with high coverage, including functional testing and non-functional testing.

Why is API Testing important?
❖ User interface tests are often inefficient for validating API service functionality and often do not cover all the necessary aspects of back-end testing. This can result in bugs left within the server or unit levels, a costly mistake that can greatly delay the product release and often requires large amounts of code to be rewritten.
❖ API testing allows developers to start testing early in the development cycle before the UI is ready. Any request that doesn't produce the appropriate value at the server layer will not display it on the UI layer. This enables developers to kill at least half of the existing bugs before they become more serious problems. It also enables testers to make requests that might not be possible through the UI, a necessity for exposing security flaws.
❖ Many companies are using microservices for their software applications because they allow software to be deployed more efficiently. If one area of the app is being updated, the other areas can continue functioning without interruption. Each application section has a separate data store and different commands for interacting with that data store. Most microservices use APIs; therefore, as more businesses adopt the use of microservices, API testing will become increasingly necessary to ensure all parts are working correctly.
❖ API testing is also integral to Agile software development, in which instant feedback is necessary to the process flow. In Agile environments, unit tests and API tests are preferred over graphical user interface (GUI) tests because they are easy to maintain and more efficient. GUI tests often require intense reworking if they are to keep pace with the frequent changes in an Agile environment.
❖ Overall, incorporating API tests into the test-driven development process can benefit engineering and development teams across the entire development lifecycle. These benefits are then passed along to customers in the form of improved services and better-quality products.

Types of API Testing:


API testing typically involves the following practices:
❖ Unit testing - Testing the functionality of individual operations.
❖ Validation testing - It occurs among the final steps and plays an essential role in the development process. It verifies the aspects of product, behavior, and efficiency. In other words, validation testing can be seen as an assurance of the correct development.
❖ UI testing - It is defined as a test of the user interface for the API and other integral parts. UI testing focuses more on the interface which ties into the API rather than the API testing itself. Although UI testing is not a specific test of the API in terms of codebase, this technique still provides an overview of the health, usability, and efficiency of the app's front and back ends.
❖ Functional testing - Testing the functionality of broader scenarios, often using unit tests as building blocks for end-to-end tests. Includes test case definition, execution, validation, and regression testing.
❖ Load testing - Validating functionality and performance under load, often by reusing functional test cases.
❖ Runtime error detection - Monitoring an application's execution of automated or manual tests to expose problems such as race conditions, exceptions, and resource leaks.
❖ Security testing - Includes penetration testing and fuzz testing as well as validating authentication, encryption, and access control.
❖ Web UI testing - Performed as part of end-to-end integration tests that also cover APIs; enables teams to validate GUI items in the context of the larger transaction.
❖ Interoperability testing - (SOAP only) Checking conformance to Web Services Interoperability profiles.
❖ Penetration testing - Considered the second test in the auditing process. In this type, users with limited API knowledge try to assess the threat vector from an outside perspective, whether that concerns functions, resources or processes, or the entire API and its components.
❖ Fuzz testing - Massive amounts of purely random data, sometimes referred to as "noise" or "fuzz", are forcibly input into the system in order to attempt a forced crash, overflow, or other negative behavior. This is done to test the API at its absolute limits and serves somewhat as a "worst case scenario".

API Testing Best Practices


❖ API test cases should be grouped by test category.
❖ On top of each test, users should include the declarations of the APIs being called.
❖ Parameter selection should be explicitly mentioned in the test case itself.
❖ Prioritize API function calls so that it will be easy for testers to test.
❖ Each test case should be as self-contained and independent from dependencies as possible.
❖ Avoid "test chaining" in test script development.
❖ Special care must be taken while handling one-time call functions like Delete, CloseWindow, etc.
❖ Call sequencing should be performed and well planned.
❖ To ensure complete test coverage, create API test cases for all possible input combinations of the API.

API Testing Tools:
● When performing an API test, developers can either write their own framework or choose from a variety of ready-to-use API testing tools. Designing an API test framework enables developers to customize the test; they are not limited to the capabilities of a specific tool and its plugins.
● Testers can add whichever library they consider appropriate for their chosen coding platform, build unique and convenient reporting standards and incorporate complicated logic into the tests. However, testers need sophisticated coding skills if they choose to design their own framework.
● Conversely, API testing tools provide user-friendly interfaces with minimal coding requirements that enable less-experienced developers to feasibly deploy the tests. Unfortunately, the tools are often designed to analyze general API issues, and problems more specific to the tester's API can go unnoticed.
● A large variety of API testing tools is available, ranging from paid subscription tools to open source offerings. Some specific examples of API testing tools include:
❖ SoapUI: The tool focuses on testing API functionality in SOAP and REST APIs and web services.
❖ Apache JMeter: An open-source tool for load and functional API testing.
❖ BlazeMeter: Load testing platform as a service, which is compatible with open-source Apache JMeter, the performance testing framework from the Apache Software Foundation.
❖ Apigee: A cloud API testing tool from Google that focuses on API performance testing.
❖ REST Assured: An open source, Java-specific language that facilitates and eases the testing of REST APIs.
❖ Postman: A Google Chrome app used for verifying and automating API testing.
❖ Katalon: An open-source application that helps with UI automated testing.
❖ Swagger UI: An open-source tool that creates a webpage that documents APIs used.

Types of Bugs that API testing detects:
● Fails to handle error conditions gracefully
● Unused flags
● Missing or duplicate functionality
● Reliability issues: difficulty in connecting to and getting a response from the API
● Security issues
● Multi-threading issues
● Performance issues: API response time is very high
● Improper errors/warnings to a caller
● Incorrect handling of valid argument values
● Response data is not structured correctly (JSON or XML)

Challenges of API Testing
● The main challenges in Web API testing are parameter combination, parameter selection, and call sequencing
● There is no GUI available to test the application, which makes it difficult to give input values
● Validating and verifying the output in a different system is a little difficult for testers
● Parameter selection and categorization must be known to the testers
● The exception handling function needs to be tested
● Coding knowledge is necessary for testers