Sam

Software Testing Application Programming Interface

Updated: Mar 25, 2023



An API is used to facilitate interactions between applications through different means of communication. When APIs are used over web networks, we call them "Web Services." Writing APIs to communicate with a database or with another module has become common practice.


Hence the test analyst should roll his sleeves up to validate the APIs for maximum test coverage. During system integration testing, API tests can help accelerate testing and increase efficiency. As most companies use RESTful microservices/APIs at the business layer, API testing has become a critical component of the test plan for any release.


An API is a service that helps two different applications communicate with each other. APIs are used to abstract the business logic and direct database access to any application.


Software architecture is composed of at least three "tiers" or "layers" of logical computing:

  • Presentation Layer: This is the user interface (GUI) which is open to end users. QA performs functional testing at this layer.

  • Business Layer: This is the application user interface where the logic is written. In technical terms, this is where code/algorithm resides. APIs come into the picture at this layer.

  • Database Layer: Where application data is present.


The API is the brain of our connected world. It is the set of tools, protocols, standards, and code that glues our digital world together. Because of their dynamic nature and the proficiencies they provide, APIs allow companies to become more Agile, things to go mobile, and everything to work together in a streamlined, integrated way. Therefore, API testing is testing APIs at the service level and at the integration level.


Testing Strategy for APIs

While testing APIs, a tester should concentrate on using software to make API calls in order to receive an output, and then observe and log the system's response. Most importantly, test that the API returns a correct response or output under varying conditions. This output is typically one of these three:

  • A Pass or Fail status

  • Data or information

  • A call to another API

In testing the API directly, specifying pass/fail scenarios is slightly more challenging. However, comparing the API data in the response, or comparing the behaviour in another API after the API call, helps you set up definitive validation scenarios. API testing is one of the most challenging parts of the whole chain of software testing and QA testing because it works to ensure that our digital lives run in an increasingly seamless and efficient manner.


While developers tend to test only the functionalities they are working on, testers are in charge of testing both individual functionalities and a series or chain of functionalities, discovering how they work together from end to end.


Types of API Testing

First, identify what type of tests you need to perform on the API. Just as testers do different types of testing for the features of their product, the same goes for APIs. Common testing of APIs includes:


  • Unit Testing: To test the functionality of individual operations. For example, Google provides a geocoding API to get the longitude and latitude of any location. This usually takes the address as input and returns lat-longs. For unit testing of this API, the tester may pass different locations and verify the result.


  • Functional Testing: This type of testing mainly focuses on the functionality of the API. This would include test cases to verify HTTP response codes, validation of the response, error codes in case the API returns any error, etc.


  • Load Testing: This type of test is necessary in cases where the API deals with huge amounts of data and the application is likely to be used by a number of users at the same time. This increases the API hits at the same time, and the API may crash and not be able to take that load.


  • Security Testing: Security testing is particularly critical as APIs are used to create a link between two different applications. The core purpose of using an API is to abstract or hide the application's database from others. This may include test cases like authorization checks, session management, etc.


  • Interoperability Testing: This is to test that the API is accessible to the applications where it should be. This applies to SOAP APIs.


  • WS compliance Testing: The API is tested to ensure standards such as WS-Addressing, WS-Discovery, WS-Federation, WS-Policy, WS-Security, and WS-Trust are properly implemented and utilized.


  • Penetration Testing: This is to find the vulnerabilities of the API from external sources.


Web Services/API Protocols

There are two types of services or protocols:


  • REST – REST stands for Representational State Transfer. It is new on the block compared to SOAP, which means it must overcome all the problems with SOAP. REST is a lightweight protocol which uses URLs for all the needed information.


It uses four HTTP methods to perform the task:

  • GET - To get the information. For example, getting longitude and latitude in the case of a location mapping API.

  • POST - To insert some data in the resource.

  • PUT - To update the resource.

  • DELETE - To delete from a resource.


REST is more widely used now due to its simple and lightweight architecture.


  • SOAP – SOAP stands for Simple Object Access Protocol. It uses XML for message exchange. All the information which is required to perform this task is given in its WSDL, which is Web Service Description Language. SOAP is heavyweight due to its extensively used standards and XML. The main advantages of SOAP over REST are that it has built-in error handling and it can be used with other protocols like SMTP.


Tools for API Testing and Automation

There are several tools to test APIs. When a tester gets to test an API, they must ask for its document. Whether it is a REST or SOAP API or a non-web-based API, there should always be a document where the details are written.


API testing approach


  • Understand the API doc: An API document has all information about the request format, response, error codes, resource, mandatory parameters, optional parameters, headers, etc. The API document could be maintained in open-source tools like Swagger.


  • Design the service-level test cases for the API. For example, if an API takes n parameters to get the response, of which m are mandatory parameters and the others are optional, then one test case should be to try different combinations of parameters and verify the response. Another test case might verify the headers and try to run the API without passing authentication and verify the error code.


  • System integration testing, where you need to test the API and all its dependent APIs or functions. This also includes testing the API response, the data it should return to another API or method, and what happens if this API fails.


  • When the functional testing is done and the API is stable, the test analyst can perform load, security and performance testing.


API Automation

We often need to automate the test cases which are repeatedly executed, like regression cases. Similarly, in the case of API testing, there might be some cases which we need to execute before every release, and those cases can be automated.
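The service-level cases from the approach above (parameter combinations, a header check, and calls without authentication), automated as an added example that is not part of the original post. The geocoding stub, its parameter names, the token and the 401/400/200 mapping are assumptions standing in for a real API document, and requests are made in-process through WSGI rather than over the network.

```python
import itertools
import json
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults

MANDATORY, OPTIONAL = ("address",), ("language", "region")  # assumed API doc
TOKEN = "test-token"  # constructed credential accepted by the stub

def stub_api(environ, start_response):
    """Hypothetical geocoding endpoint standing in for the API under test."""
    query = parse_qs(environ.get("QUERY_STRING", ""))
    status, body = "200 OK", {"lat": 48.8584, "lng": 2.2945}  # constructed values
    if environ.get("HTTP_AUTHORIZATION") != f"Bearer {TOKEN}":
        status, body = "401 Unauthorized", {"error": "invalid or missing token"}
    elif any(name not in query for name in MANDATORY):
        status, body = "400 Bad Request", {"error": "mandatory parameter missing"}
    start_response(status, [("Content-Type", "application/json")])
    return [json.dumps(body).encode()]

def call(params, token=None):
    """Send one in-process GET; return (status code, content type, JSON body)."""
    auth = {"HTTP_AUTHORIZATION": f"Bearer {token}"} if token else {}
    environ = {"QUERY_STRING": urlencode(params), **auth}
    setup_testing_defaults(environ)  # fills in method, host, path, wsgi.* keys
    seen = []
    body = b"".join(stub_api(environ, lambda s, h: seen.extend([s, dict(h)])))
    return int(seen[0].split()[0]), seen[1]["Content-Type"], json.loads(body)

def expected_status(subset, token):
    """Oracle read off the assumed API doc: auth is checked before parameters."""
    if token != TOKEN:
        return 401
    return 200 if set(MANDATORY) <= set(subset) else 400

def build_cases():
    """Every parameter subset, tried with a valid, a missing and a wrong token."""
    names = MANDATORY + OPTIONAL
    subsets = [c for n in range(len(names) + 1) for c in itertools.combinations(names, n)]
    tokens = (TOKEN, None, "wrong-token")
    return [(s, t, expected_status(s, t)) for s, t in itertools.product(subsets, tokens)]

def run_suite():
    """Return the failing cases; an empty list means the API matched its doc."""
    failures = []
    for subset, token, expected in build_cases():
        status, ctype, body = call({n: "sample" for n in subset}, token)
        if (status, ctype, "error" in body) != (expected, "application/json", expected != 200):
            failures.append((subset, token, expected, status))
    return failures
```

Against a deployed API, only `call` changes: it issues the request with an HTTP client and returns the same three values, while the case matrix and the oracle stay as they are.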

A few of the popular API tools:

  • SoapUI: It's a very popular tool for API testing. You can do functional, load, security and compliance tests on your API using SoapUI.

  • Katalon Studio: Built on top of Selenium and Appium, Katalon Studio is a free and powerful automated testing tool for Web testing, API testing, and Mobile testing.

  • Postman: Postman is free and helps you be more efficient while working with APIs. It has all the capabilities to develop and test APIs.

  • JMeter: Though JMeter is mostly used for performance and load testing, it can also be used for API functional testing to a good extent.

  • Rest Assured: Rest-Assured is a Java-based library that is used to test RESTful Web Services. The library can be included in an existing framework, and its methods can be called directly to fetch responses in JSON format and then perform the required actions.

Thank you so much for putting in the time to come visit the all-things-testing blog.


Best regards

all-things-testing


PS: Please write back to me if you need assistance, so I can help you with more information on API testing, including the request-response structure.
