API through Postman

• manual api tool= postman

• automation api tool=rest assured

• web testing comes undr frnot end testing while Api + DB testing comes backed testing

• client is a machine where we can access the application

• server where the application installed

• client is always not a browser but it may be a mobile in which difrnt apps we use

• where exactly search pages installed called server

• web app follows 3 tier architure

• 1 tier architure= in same computer save the file and no need of internet

• 2 tier architure= a banking aplication have their own internal db and thier staff(i.e multiple
clients) access the db) , differnt clients will access the same db and in 2 tire db present in
difrnt machine not on the same machine

• Api act as an imidiater between db and presentation layer

• responsibility of API layer is to fetch the data from db(backend) and display on front end

• front end layer-> web testingy

• middle layer-> API testing

• backend layer-> db testing

• first develop= db then api then web

• if API testing perform then 80% testing is complete only 20% is remaning for ui testing

• API = functional testing

• front end testing= GUI testing

• soap= xml but rest api support= xml , json, text

• when api is placed on the internet then it is called web service

• All web services are APIs but all apis are not web services bcz for api not net require
 • api take some requst frm use and give respons and make within company

• once the API is production and make it to use for public then which is called web services

Workspace: Area where we maintain files and saved

workspace-create wokspace,rename and delete

Create collection: Inside workspace we can create 'N' no of collections because sometimes you have
different types of request and we can group them into folders. contains number of foders and http
request.

we can create the collection , delete, run and rename.

we can create any no of collection under workspace.,,,,

HTTP request:

Get--------------> retrive the resource from database.

Post-------------->create resources on db

Put--------------> update esisting resources on DB.

Patch--------------> update partial details of the resources.

Delete--------------> existing data from database

Request payload is nothing the data which we request through the URL.

Always do validations on the response payload.

//JSON Viewer

http://jsonviewer.stack.hu/

Tutoral link

https://www.youtube.com/watch?v=8BfshV5n6ac
// JSON Schema

https://www.jsonschemavalidator.net/

// JSON Schema video link

https://www.youtube.com/watch?v=8BfshV5n6ac

https://jsonschema.net/

https://www.youtube.com/watch?v=oXW-C2bM0wE

API understand all

API url is made 2 things base and end points.

End points: To hit specific functionality.(e.g login, regristration, add to cart and form
submittion)
.
https://developer.atlassian.com/cloud/trello/guides/rest-api/api-introduction/

https://jsonformatter.org/json-parser

https://www.youtube.com/watch?v=5YVEuJu4GzQ&list=PLwbMf8x0S9vDIvIHubBo-0BtG3Ya
QdqUy&index=3

https://www.youtube.com/watch?v=5YVEuJu4GzQ&list=PLwbMf8x0S9vDIvIHubBo-0BtG3Ya
QdqUy&index=4
Created by Khadija Tabassum
 What is API testing?
API testing is the process of sending requests to an API and monitoring the responses to
ensure its behaving as expected. API testing is designed to assess the functionality,
reliability, performance, and security of an API, and is therefore an essential part of the
API development lifecycle.
https://blog.hubspot.com/website/api-testing

So API testing is designed to validate the business logic as well as the

performance, security, and other aspects of the application. API testing does
not focus on the individual components of an application, like unit testing, or
the look and feel of the application, like user interface (UI) testing, but on what
the application does.

Why is API testing important?

API testing is important for ensuring that your API performs as expected when faced
with a wide variety of expected and unexpected requests. This process is designed to
not only test the API’s functionality — but also its reliability, performance, and
security.
what are questions asked in API testing intrview?
ChatGPT
In an API testing interview, you can expect a range of questions related to various aspects of API
testing. Here are some common questions that may be asked during an API testing interview:

1. What is API testing, and why is it important?

2. What are the differences between API testing and UI testing?
3. What are the different types of API testing?
4. What is the difference between SOAP and REST APIs?
5. What are the HTTP methods commonly used in API testing?
6. What are the typical steps involved in API testing?
7. How do you handle authentication and authorization in API testing?
8. What is endpoint testing, and how is it performed?
9. How do you handle error conditions in API testing?
10. What are the best practices for API testing?
11. How do you handle data-driven testing in API testing?
12. What tools have you used for API testing?
13. How do you handle security testing for APIs?
14. How do you perform load and performance testing for APIs?
15. Have you worked with API documentation? How do you use it in API testing?
16. How do you handle versioning of APIs?
17. Have you used any automation frameworks for API testing? If so, which ones?
18. Can you explain the concept of mocking in API testing?
19. How do you ensure API test coverage?
20. Have you worked with continuous integration and continuous delivery (CI/CD) pipelines for API
testing?

What is performance testing?

1. Nonfunctional testing
2. Ensures application performs well under expected workload
3. Examines application behavior under unexpected workload
4. Eliminates performance bottlenecks
5. Some tools to do performance testing are –HP loadRunner, Apache JMeter etc

Why performance testing is required?

1. Speed
2. Scalability
Explain: suppose 10 users are use the app at 10am and after 10 mins the no of users
are increased it would be 20,30,40 users are work with the app so when the users are
increased then check the performance of the app is well and good.
3. Stability

What are different types of performance testing?

Types of API Testing

There are multiple API testing approaches, including:

• Functional testing. These API tests are designed to check that an API returns the
right response for a given request.
• Load testing. This type of API test gauges how an API handles a large volume of
requests over a short period.
• Runtime and error detection testing. These API tests are designed to evaluate the
actual running of the API and typically focus on monitoring, execution errors,
resource leaks, or error detection.
• Security testing. These tests assess how an API responds to and resists cyberattacks.
• Penetration Testing. Penetration tests involve users with limited API knowledge
trying to attack the API, which enables testers to assess the threat vector from an
outside perspective.
• Fuzz Testing. This type of API test sends a large number of randomized requests to
see if your API responds with errors, processes any of these inputs incorrectly, or
crashes.
• Validation testing. Validation tests are run late in the testing stage to verify the
behavior and efficiency of the API.

Load testing: it checks the app ability to perform under anticipated user load

Stress testing: It checks the app ability to perform under extreme workload to see how it
handles heavy workload. The objective is to identify the breaking point of an application

Endurance testing: It is done to make sure the software can handle the expected load over a
long period of time. It may last for 5-10 hours or few or a month

Spike testing: This tests the software’s reaction to sudden large spikes in the load generated
by users.

List some of the common performance problems faced by users?

Longer loading time

Poor response time

Poor scalability: when the number of users are increased then the app behavior is not stable.

List out some common performance bottlenecks?

What are the parameters for performance testing?

Memory usage

Processor usage

Bandwidth

Memory pages

Response time

CPU interruption per second

Thread counts

Top waits
 What is jmeter? How it works?

How to Do API Testing

1. Review the API specification.

2. Determine API testing requirements.

3. Define input parameters.

4. Create positive and negative tests.

5. Select an API testing tool.

What is API testing, and why is it important?

ChatGPT

API testing, or Application Programming Interface testing, is a type of software testing that
focuses on testing the interfaces (APIs) that enable communication between different
software components or systems. APIs define the methods and protocols through which
different software components interact and exchange data.

API testing is important for several reasons:

Functional Testing: API testing helps ensure that the APIs are functioning correctly and
providing the expected results. It verifies that the API is correctly implementing the defined
functionality and adhering to the specified requirements.

Integration Testing: APIs are often used to integrate different software systems or
components. API testing allows for the verification of the integration between these systems,
ensuring that they can communicate and exchange data effectively.

Early Bug Detection: API testing can help identify issues or bugs in the early stages of
development. By testing APIs independently before complete integration, potential problems
can be detected and resolved early, reducing the overall development cycle time and costs.
 Automation and Efficiency: APIs lend themselves well to automation, and API testing can be
automated to a great extent. Automated API tests can be executed repeatedly, rapidly, and
reliably, providing quick feedback on the system's behavior and detecting regressions
efficiently.

Performance and Load Testing: APIs are often subjected to heavy loads and need to perform
optimally under different usage scenarios. API testing helps evaluate the performance and
scalability of the APIs, ensuring they can handle the expected load and response times.

Security Testing: APIs are potential entry points for security vulnerabilities. API testing allows
for the identification of security risks and vulnerabilities, such as unauthorized access,
injection attacks, or data exposure, helping ensure the security of the overall system.

Collaboration and Documentation: API testing requires a clear understanding of the API
specifications and documentation. Testing APIs encourages collaboration between
developers, testers, and stakeholders, leading to improved documentation and a better
understanding of the system's behavior.

Overall, API testing plays a crucial role in ensuring the reliability, functionality, performance,
and security of software systems by verifying the interfaces through which they interact. It
helps deliver high-quality software that meets the expectations of users and stakeholders.

What is the difference between SOAP and REST APIs?

ChatGPT
SOAP (Simple Object Access Protocol) and REST (Representational State Transfer) are two different
architectural styles used for building APIs (Application Programming Interfaces). Here are the key
differences between SOAP and REST APIs:

1. Protocol and Messaging Format:

• SOAP: SOAP APIs use the SOAP protocol for communication. SOAP messages are typically
XML-based and are sent over protocols such as HTTP, SMTP, or MQ. The SOAP envelope
includes a header and a body containing the request and response data.
 • REST: REST APIs use the HTTP protocol for communication. RESTful APIs leverage the existing
HTTP methods like GET, POST, PUT, DELETE, etc., and use different formats for data exchange,
including JSON, XML, or even plain text.
2. Communication Style:
• SOAP: SOAP APIs follow a more rigid and formal communication style. They often use WS-*
standards and provide a well-defined contract through a Web Services Description Language
(WSDL). SOAP APIs are typically based on a remote procedure call (RPC) model.
• REST: REST APIs follow a more flexible and lightweight communication style. They are based
on the principles of the web and use URLs (Uniform Resource Locators) to represent
resources. RESTful APIs focus on resource manipulation through stateless interactions.
3. State and Session Handling:
• SOAP: SOAP APIs can maintain stateful communication using features like session
management and message-level security. They require more overhead for managing session
and state information.
• REST: REST APIs are inherently stateless, meaning each request from the client must contain
all the necessary information for the server to understand and process it. Any required state
information is typically managed on the client side.
4. Scalability and Performance:
• SOAP: SOAP APIs can be more heavyweight in terms of message size and processing
overhead due to the XML-based messaging format. They may require additional parsing and
processing steps.
• REST: REST APIs are generally more lightweight and have a simpler message format (e.g.,
JSON). They can be more scalable and performant, particularly for large-scale systems and
mobile applications.
5. Standards and Tooling:
• SOAP: SOAP APIs have a more standardized approach with well-defined specifications and
tooling support. WSDL and XML Schema Definition (XSD) are used to define the contract and
data structures.
• REST: REST APIs are more flexible and allow developers to choose the level of standardization
they require. They often leverage existing web standards like HTTP, and there is a wide range
of tooling available for building RESTful APIs.

In summary, SOAP APIs are more formal, use XML-based messaging, and provide a strict contract,
while REST APIs are more lightweight, leverage HTTP methods, and focus on resource manipulation.
The choice between SOAP and REST depends on the specific requirements of the project, the existing
infrastructure, and factors such as performance, scalability, and developer preferences.

What are the different authentication are used in the API explains with real life example?
ChatGPT
There are several authentication mechanisms used in APIs to ensure secure access and protect
sensitive data. Here are some commonly used authentication methods along with real-life examples:

1. API Key Authentication:

 • API keys are unique tokens issued to clients to authenticate their requests. Clients include the
API key in the request header or query parameters.
• Example: Many popular APIs, such as Google Maps API, Twitter API, or SendGrid API, use API
key authentication. Developers generate an API key from the service provider's developer
portal and include it in their API requests to authenticate and authorize access.
2. Basic Authentication:
• Basic authentication involves sending the client's username and password encoded in Base64
format with each request.
• Example: When accessing certain resources in GitHub's API, basic authentication can be used.
The client includes their GitHub username and password in the request headers, encoded in
Base64. However, this method is being phased out in favor of token-based authentication.
3. Token-based Authentication (JWT):
• Token-based authentication involves exchanging a token for subsequent API requests after
initial authentication. One popular token format is JSON Web Tokens (JWT).
• Example: When using the Auth0 authentication service, clients authenticate with their
credentials once, and upon successful login, receive a JWT. This token is then included in the
authorization header for subsequent API requests to access protected resources.
4. OAuth 2.0:
• OAuth 2.0 is an authorization framework that enables users to grant limited access to their
resources to third-party applications without sharing their credentials.
• Example: When logging into a website or mobile app using a social media account like
Facebook or Google, OAuth 2.0 is often used. The user grants the application permission to
access certain data from their social media account, and the application receives an access
token to make API requests on behalf of the user.
5. OpenID Connect:
• OpenID Connect is an authentication layer built on top of OAuth 2.0. It provides identity
verification and information about the authenticated user.
• Example: When logging into applications using their Google or Microsoft accounts, OpenID
Connect is often used. The user is redirected to their respective provider's authentication
page, authenticates there, and the application receives an ID token containing user
information.

These are just a few examples of authentication methods used in APIs. The choice of authentication
mechanism depends on factors such as security requirements, the sensitivity of data being accessed,
ease of implementation, and integration capabilities with existing systems.

What is basic auth?

ChatGPT
Basic authentication is a simple and widely used authentication scheme in HTTP-based
communication, including APIs. It is a straightforward method for authenticating clients by sending
their credentials (username and password) with each request.
 Here's how Basic authentication works:

1. Client Request: When making an HTTP request to a server that requires basic authentication, the
client includes an "Authorization" header in the request.
2. Encoding Credentials: The client combines the username and password into a single string, in the
format "username:password".
3. Base64 Encoding: The combined string from the previous step is then Base64 encoded. Base64
encoding is a reversible encoding method that transforms arbitrary binary data into ASCII characters.
4. Authorization Header: The client includes the encoded credentials in the "Authorization" header of
the request using the "Basic" authentication scheme. The header value is structured as "Basic
<base64-encoded-credentials>".
5. Server Verification: Upon receiving the request, the server extracts the encoded credentials from the
"Authorization" header.
6. Decoding Credentials: The server decodes the Base64-encoded credentials to retrieve the original
username and password.
7. Credential Validation: The server verifies the received credentials against the stored user credentials
or an authentication system. If the credentials are valid, the server processes the request; otherwise, it
returns an appropriate error response.

Basic authentication is relatively simple to implement and does not require additional infrastructure
or complex protocols. However, it is worth noting that the credentials are transmitted in
base64-encoded format, which can be easily decoded. Therefore, it is important to use HTTPS (HTTP
over SSL/TLS) alongside basic authentication to ensure the confidentiality and integrity of the
transmitted credentials.

While Basic authentication is still supported, it is considered less secure compared to other
authentication mechanisms like token-based authentication or OAuth. It is gradually being replaced
by more advanced authentication schemes in many systems and APIs.
what is digest authentication?
ChatGPT
Digest authentication is an HTTP-based authentication scheme that provides a more secure
alternative to Basic authentication. It addresses the limitations of Basic authentication, such as
sending credentials in plaintext, by using a challenge-response mechanism and a cryptographic
hashing algorithm.

Here's how Digest authentication works:

1. Client Request: The client makes an HTTP request to a server that requires authentication.
2. Server Challenge: The server responds with a "WWW-Authenticate" header in the response,
indicating the use of Digest authentication and providing a unique "nonce" value.
3. Client Response: The client calculates a hashed response using the nonce, the request method, and
other parameters, along with the user's credentials (username and password).
4. Hashed Response: The client sends the hashed response in an "Authorization" header with the
subsequent request.
5. Server Verification: Upon receiving the request with the hashed response, the server performs its own
calculation of the expected response using the stored password, nonce, and other parameters.
6. Response Validation: The server compares the calculated response with the received hashed
response from the client. If they match, the server considers the client authenticated and proceeds
with processing the request; otherwise, it returns an appropriate error response.

Digest authentication helps overcome the limitation of transmitting credentials in plaintext by

utilizing cryptographic hashing. It ensures that the password is not sent directly over the network and
protects against eavesdropping attacks.

However, it is important to note that Digest authentication is still vulnerable to certain attacks, such
as replay attacks or man-in-the-middle attacks. To mitigate these risks, it is recommended to use
Digest authentication over a secure connection (HTTPS) to ensure the confidentiality and integrity of
the authentication process.

Digest authentication is less commonly used today compared to other authentication mechanisms
like token-based authentication or OAuth, which offer more advanced security features and flexibility.
what is bearer token?
ChatGPT
A bearer token is a type of access token commonly used in authentication and authorization
schemes, particularly in the context of web APIs. It is a security credential that allows a client to
access protected resources on behalf of an authenticated user or system.

Here's how bearer tokens work:

1. Authentication: The client authenticates with the server using a suitable authentication method such
as username/password, social login, or another authentication mechanism.
2. Token Issuance: Upon successful authentication, the server generates a bearer token and associates it
with the authenticated user or system. The token is typically a long, randomly generated string.
3. Token Inclusion: The server includes the bearer token in the response to the client, typically within
the "Authorization" header. The token value is prefixed with the word "Bearer" followed by a space,
such as "Bearer <token-value>".
4. Token Usage: The client subsequently includes the bearer token in the "Authorization" header of
each request to the server's protected resources. This informs the server that the client has been
authenticated and has permission to access the requested resources.
5. Server Validation: Upon receiving the request, the server validates the bearer token. It verifies the
token's integrity, authenticity, and expiration. If the token is valid, the server grants access to the
requested resources; otherwise, it returns an appropriate error response (e.g., "401 Unauthorized").

Bearer tokens are self-contained and hold all the necessary information for authorization. They are
typically encoded in a compact format such as JSON Web Tokens (JWT) or simple string values. The
server uses the information within the token to authenticate the client and authorize access to
specific resources.
 One advantage of bearer tokens is their simplicity and ease of use. They can be easily included in the
request headers and do not require additional server-side state management. However, it is crucial
to protect bearer tokens against unauthorized access or interception, as anyone possessing a valid
bearer token can access the associated resources.

Bearer tokens are widely used in OAuth 2.0 authentication and authorization frameworks, where they
play a vital role in granting access to APIs and web services.
what is JWT?
ChatGPT
JWT stands for JSON Web Token. It is an open standard (RFC 7519) for securely transmitting
information between parties as a compact and self-contained token. JWTs are commonly used for
authentication and authorization in web applications and APIs.

Here are the key components and characteristics of JWT:

1. Structure: A JWT is composed of three sections separated by dots ('.'): Header, Payload, and
Signature. The structure is as follows: header.payload.signature .
2. Header: The header contains information about the type of token (JWT) and the cryptographic
algorithm used to sign the token. It is encoded as a JSON object and typically includes properties like
"alg" (algorithm) and "typ" (token type).
3. Payload: The payload, also known as the claims or the body, holds the actual data or claims being
transmitted. It contains information such as user identification, expiration time, permissions, or any
custom data. The payload is also encoded as a JSON object.
4. Signature: The signature is created by combining the encoded header, payload, and a secret key
known only to the server. The signature ensures the integrity of the token and prevents tampering.
The signature is used to verify the authenticity of the token during validation.
5. Secure Transmission: JWTs are designed to be compact and can be easily transmitted over HTTP
headers, query parameters, or within the body of a request or response. To ensure secure
transmission, JWTs are often used in conjunction with HTTPS (HTTP over SSL/TLS).
6. Stateless and Self-Contained: JWTs are self-contained, meaning all the necessary information for
authentication and authorization is contained within the token itself. This eliminates the need for the
server to store session state or perform database lookups. However, this also means that the server
must trust the information contained within the token.
7. Verification: When a server receives a JWT, it verifies the integrity of the token by checking the
signature. It also validates the token's claims, such as expiration time, issuer, and audience, to ensure
it is still valid and has not been tampered with.

JWTs offer a flexible and lightweight solution for authentication and authorization. They are widely
used in modern web applications and APIs, including implementations of OAuth 2.0 and single
sign-on (SSO) systems. JWTs provide a stateless mechanism that allows for scalability,
interoperability, and decoupling between services while maintaining security.
what is authentication?
ChatGPT
 Authentication is the process of verifying the identity of a user or system to ensure that they are who
they claim to be. It is a fundamental aspect of information security and is commonly used in various
contexts, including accessing systems, resources, or services.

In the context of user authentication, the typical steps involved in the authentication process are as
follows:

1. User Identification: The user provides their unique identifier, such as a username, email address, or
employee ID, to initiate the authentication process.
2. Presentation of Credentials: The user presents their credentials, typically in the form of a password or
passphrase, as a proof of their identity.
3. Credential Verification: The system or service validates the provided credentials by comparing them
to the stored or known values associated with the user. This step may involve additional security
measures like hashing or encryption for password storage.
4. Authentication Outcome: If the provided credentials match the expected values, the user is
authenticated, indicating that they are indeed the legitimate owner of the claimed identity. They are
granted access to the system, resource, or service. Otherwise, if the credentials do not match, the
authentication fails, and access is denied.

Authentication can also involve additional factors beyond just username and password. These factors
are known as multi-factor authentication (MFA) or two-factor authentication (2FA) and typically
include something the user knows (password), something they have (a physical token or
smartphone), or something they are (biometric data like fingerprints or facial recognition).

Authentication serves to protect sensitive information, restrict unauthorized access, and ensure the
privacy and security of systems and user accounts. It forms the basis for establishing trust and
controlling access to resources in various domains, including websites, applications, networks, and
APIs.
what is postman?
ChatGPT
Postman is a popular collaboration platform and API development tool used by developers and
testers to design, build, document, and test APIs. It provides a user-friendly interface for making
HTTP requests, organizing API endpoints, and automating API testing and workflows. Postman is
available as a desktop application and also offers cloud-based collaboration features.

Here are some key features and functionalities of Postman:

1. API Request Builder: Postman allows users to easily create and send HTTP requests (such as GET,
POST, PUT, DELETE) to API endpoints. Users can specify request headers, query parameters, request
body, and other details necessary for API testing.
2. Collection Organization: Postman provides a structured way to organize API endpoints into
collections. Users can create folders, subfolders, and add API requests to organize and manage their
APIs effectively.
3. Environment Variables: Postman allows users to define and manage environment variables, which can
be used to parameterize requests, making it easier to switch between different environments (e.g.,
development, staging, production) without manually modifying request details.
4. Request History and Favorites: Postman keeps track of previously sent requests, allowing users to
easily access and re-send them. Users can also mark specific requests as favorites for quick access.
5. Test Automation: Postman supports writing and running automated tests for APIs using JavaScript.
Users can define test scripts to validate response data, status codes, headers, and more. Test results
and assertions can be used to automate API testing and monitor API performance.
6. Collection Sharing and Collaboration: Postman provides collaboration features that allow users to
share collections with team members, collaborate on API development, and synchronize changes. It
facilitates teamwork and simplifies the process of documenting and sharing APIs.
7. API Documentation: Postman offers the ability to generate interactive API documentation based on
the requests and collections created. This documentation can be shared with others to provide clear
instructions on how to use the API.

Postman is widely used by developers, QA engineers, and API providers for testing, debugging, and
exploring APIs. It streamlines API development workflows, enhances team collaboration, and
simplifies API testing and documentation, making it a valuable tool in the API development lifecycle.

https://www.youtube.com/watch?v=9zNfsYAPntA