The integration of Application Programming Interfaces (APIs) has become the foundation of modern web architecture, allowing for the delivery of various functionalities to users. It is essential for testers to comprehend and test APIs, which we will discuss in this article. Additionally, we will cover examples of API testing, potential defects and failures, and the testing tools at our disposal.
What is an API?
An Application Programming Interface (API) facilitates communication and data sharing between different components to achieve functionality. For the purpose of this article, we will focus on web-based APIs that provide connectivity to web services and microservices.
It is important to note that APIs are also used in desktop applications to interface with operating system components.
Figure 1 illustrates an example of a web-based API being utilized to execute a user query on a website. The API connects to a web service, which in turn queries a large database to retrieve the necessary information.
What is API Testing?
API testing can have multiple objectives, such as testing:
- Functionality of the API
- API performance
- API security
- API reliability
Since this is a basic guide to API testing, we will focus on testing API functionality.
An Application Programming Interface (API) facilitates communication and data sharing between different components to achieve functionality. For the purpose of this article, we will focus on web-based APIs that provide connectivity to web services and microservices.
It is important to note that APIs are also used in desktop applications to interface with operating system components.
Figure 1 illustrates an example of a web-based API being utilized to execute a user query on a website. The API connects to a web service, which in turn queries a large database to retrieve the necessary information.
Types of APIs
APIs can be classified based on their source and function. These classifications include:
- Internal or Private APIs – These APIs are not available to the public or any other organization. Due to the sensitive nature of the information being transmitted, secure keys are often required to ensure privacy.
- Partner APIs – These APIs are used to communicate with other entities, such as business partners. For example, retail applications use partner APIs to share information such as pricing and inventory availability between multiple stores.
- Composite APIs – These APIs can access multiple endpoints in a single call, eliminating the need for multiple APIs.
- Open APIs – These APIs are available to the public, often in an open-source format. Some open APIs require security measures, while others do not.
It is essential to understand the type of API you are working with to ensure the appropriate level of security is implemented.
Benefits of API Testing
Although black-box functional testing involves invoking APIs and testing them from a user perspective, it may not be sufficient to thoroughly test APIs. Thus, API testing offers several advantages, including the following.
To Test Error Handling
API testing is essential to focus solely on testing the interface without any UI influence. Although UI may help ensure data input is correct and valid, testing invalid data inputs at the API level is necessary to observe how the API, sending and receiving components handle them.
For instance, consider a website that uses an API to access a currency conversion service, as shown in Figure 2. When a customer makes a purchase in a particular currency, the website detects if a different currency value is required. In such cases, the purchase amount is sent via API to a currency conversion service, along with the desired currency code. The service then sends back the converted amount, which the website uses to complete the transaction.
While UI edits prevent invalid data input, it is crucial to validate if the currency conversion service returns accurate values. Additionally, we need to determine if the website has any validation for values that are clearly in error, the expected level of error tolerance, and how the application handles such errors.
APIs return specific completion codes, such as 200 for a successful completion or 404 when an endpoint is not found. API testing helps simulate error codes that may not be visible in a black-box test, allowing us to observe how the application handles the completion code, whether it is an error code or a successful code.
To Test When There is No User Interface
When there is no user interface data input field available for testing, it is known as “headless testing.” In such cases, the API becomes the primary means to test data input provided to an interfacing service or application.
To Test When the User Interface Changes Frequently
One of the common problems in test automation is UI changes, which can cause automated tests to fail even though the functionality is still working correctly. The cause of failure can be invalid locators, among other things.
To mitigate the impact of UI changes, one strategy is to conduct testing at the API level. However, API testing should not completely replace UI testing, whether it is manual or automated. UI testing ensures the user’s perspective of functionality is verified and validated, something that API testing does not accomplish.
To Test Large Volumes of Data Quickly
API testing tools can facilitate the testing of a large amount of data, either by providing it or by receiving it rapidly through an API. Conversely, trying to test the same data volume via the user interface could be extremely time-consuming and subject to other errors unrelated to API testing.
One crucial objective of API testing is to validate whether the application or service receiving and/or sending the data can handle the anticipated volumes within the required timeframes.
Consider, for example, a travel website that processes millions of requests daily to reserve rental cars, hotel rooms, and other travel accommodations. While it might be impractical or impossible to conduct a test of such a significant amount of data, testing a considerable subset of data via the API can disclose performance and integration issues.
Understanding API Protocols
To ensure successful communication with an API, it’s essential to understand and adhere to the proper protocol and formatting guidelines. This information is typically provided in the API documentation, which is made available by the API owner.
However, it’s important to note that the API itself may change without any corresponding updates to the documentation, or the documentation may not be updated until some time after the API has changed. Therefore, it’s important to stay vigilant and adapt to any changes in the API behavior or documentation as needed.
The most common API protocols
REST – Representational State Transfer
REST is a lightweight protocol that leverages the fundamental architecture of the web, including HTTP/HTTPS. RESTful API calls utilize methods such as GET, POST, and PUT to fulfill requests. GET is utilized for data retrieval, POST is used for submitting new data to an application or database, and PUT is used to modify existing data.
SOAP – Simple Object Access Protocol
SOAP is one of the earliest protocols used in Service-Oriented Architecture. It uses an envelope structure consisting of a header and a body, and XML is the self-describing markup language used for exchanging data.
API Testing Tools
API testing can be efficiently and effectively conducted using specialized tools such as Postman and SoapUI. These tools allow for the creation of API call bodies in different formats such as JSON and XML. Additionally, they enable handling of security keys and tokens which are required in most cases for private APIs. While public APIs may be available without a key, messaging and payload security may be compromised.
After each API call, the test tools display return codes and returned values in formats like JSON and XML. A real-world API testing scenario could include many APIs, each requiring multiple tests, and managing such a test set demands a dedicated tool (as shown in Figure 3). For example, to try the API in the documentation, which is an open API that does not require a security key, visit the provided link.
SOAP, which is the earliest protocol for Service-Oriented Architectures, uses an envelope structure comprising header and body, and XML serves as the self-describing markup language for exchanged data.
In contrast, REST, a lightweight protocol that utilizes the basic web architecture (HTTP/HTTPS), employs methods like GET, POST, and PUT to complete requests. While GET retrieves data, POST sends new data to a receiving application or database, and PUT updates existing data.
Regarding the figure above on current weather conditions, note the parameters passed to the API, the 200 return code that denotes a successful response, and the response time and payload size. Notably, the example’s output body is graphical, but typically APIs output data, as in XML or JSON format that the invoking application consumes (as shown in Figure 4). To get XML formatting of data, specify “output=XML” in the GET request.
JSON uses JavaScript’s syntax, making it easy to convert JSON data into native JavaScript objects. As a result, JSON is a popular choice when compatibility with JavaScript is necessary.
Dealing with Responses
API testing, like API usage itself, is based on a request with a corresponding response.
In the response, a return code is received, along with any data.
Normal return codes:
100 – Informational – The request was received.
200 – Success – The request was received and the response was completed success
Error codes can include:
300 level – Redirection – The request is pending, client action needed
400 level – Client error – The request is invalid. This includes the common 404 error – Resource not found.
500 – Server error – Such as an internal server failure occurring during a request
When analyzing the API response, error codes are clear indicators that something went wrong. For instance, a 404 return code may signify that the endpoint was specified incorrectly, while a 500 return code could indicate a server configuration problem.
However, simply accepting a return code of 200 as a “pass” for the test is not enough. Even if the response is successful, the data returned may still be incorrect due to functional defects on the other side of the interface. This is where much of the functional testing of APIs takes place.
API Test Automation
Automating API tests should be the goal of API testing. To achieve this, an API test tool is required. Both Postman and SoapUI offer the ability to run sets of API tests. However, it is important to consider the robustness of the reporting of the tests, as well as the ability to access all your tests in one test management tool.
API Test Management
When considering test management, it is important to organize tests in a centralized and measurable way. While API testing can be managed in an API test tool, it can also be beneficial to store API tests in a test management tool like PractiTest along with other tests.
In this way, all tests can be viewed in one place, as shown in Figure 6, with their respective run statuses. If any issues are observed with an API test or any other test, they can be filed and linked in PractiTest.
Furthermore, API tests can be traced to specific requirements to establish levels of test coverage.
By managing API tests with other tests, it is also possible to report test completion as part of a larger test set, rather than having multiple sources for test reporting, as illustrated in Figure 7.
Challenges of API Testing
Unexpected changes
APIs can change unexpectedly and without prior notice to API users, which is a common occurrence in the Internet of Things (IoT) domain. IoT heavily relies on APIs for seamless functioning.
For instance, a user may give a voice command to their digital assistant to turn on the lights, but due to an unanticipated API change, the IoT developer may not be able to deliver the expected outcome.
Such failures are undesirable but not uncommon, leaving IoT firmware developers and testers to work quickly to address API changes.
The ripple effect of API changes
API changes can have significant impacts on the applications that use them. This impact can be far-reaching and difficult to test, making it necessary to perform true end-to-end tests.
This need is especially crucial when dealing with a variety of APIs and associated test tools. In such cases, having a centralized repository of API tests, such as PractiTest, becomes even more important.
Uncertain ownership of the API
Assuming the ownership of an API can lead to significant problems when defects arise in its functionality and the responsible party must address the issue.
Keeping track of the APIs to be tested
Maintaining an inventory of API tests may appear to be a simple task, but in reality, it can be quite daunting. Just imagine how difficult it can be to manage all the functional tests, automation scripts, test data, and the code that supports them.
These challenges are not unique to APIs alone. It is crucial to keep track of the APIs that require testing, as well as their corresponding tests, requirements, and test results. These are all essential reasons why it is crucial to utilize a comprehensive test management tool like PractiTest.
Dealing with the diversity in APIs
The diversity in testing APIs can be observed in various aspects such as protocols, formatting, endpoints, and levels of security, which include encryption. To manage this diversity, a centralized repository of API tests can be beneficial.
The need for continual testing
Different APIs may require testing in a live environment to identify issues related to incorrectness and performance that may arise due to unexpected API changes.
However, it is crucial to ensure that test data is not exposed in production environments. Moreover, performance testing should be meticulously planned to prevent disruption to regular production operations.
Conclusion
An API, or Application Programming Interface, facilitates communication and data sharing between various components, enabling a range of functionalities. APIs are critical in modern web applications for achieving integration and interoperability.
Given the importance of APIs in achieving these functions, it is crucial to test their correctness, performance, security, and reliability.
API testing is just one type of testing, and while storing API tests in a separate toolset is an option, there is significant value in storing and managing API tests alongside other tests in a centralized test management tool like PractiTest.