Author: Samarth

Samarth G Vasist is a passionate Software Engineer. He is involved in building data-science products at MoEngage where he is responsible for developing, maintaining and testing end-to-end data engineering pipelines and related infrastructure. Samarth blogs about a wide range of topics, including data engineering, distributed systems, cloud computing, agile methodologies, and test automation. Samarth is an avid cinephile and doesn’t miss first-day first-show screenings of his favourite films. He is also an avid biker and engages himself in regular rides.
Master API Testing: A Comprehensive Guide for 2023

With a large majority of companies now focusing on building SaaS applications, the number of APIs has significantly increased over the years. As software systems are becoming more complex, monolithic applications that powered businesses for long periods of time are getting replaced by independent, reusable microservices.

In order to build cost-effective, flexible and self-scalable software systems, a majority of companies have moved from traditional physical servers to self-managed cloud platforms. The increasing popularity of cloud computing has also contributed to the rise of microservices and APIs. Microservices offer a modular approach for engineers to build large applications that are agile, flexible, and highly scalable. APIs serve as the backbone for microservice architecture as they facilitate data communication between various independent components.

sB5P3wIdscd55aM7XTNkWEnL 21ahG2MCzNyvr8nu8Yrc68Ornf2w0wqNsTELUH3rJy M3TbBLwUcVCD 2ZEvoNRTYF9uhlsMxb6JS

Source: ProgrammableWeb

According to a recent survey by ProgrammableWeb, there are around 24,000+ public APIs listed in their directory. As per the 2022 State of API Report given by Postman, most of the respondents said that more than half of their organization’s development effort is spent on APIs.  The key findings of the report also suggested that around 1.13 billion API requests were created in a year. 

APIs are the central component of companies that mainly focus on B2B transactions. For example, the cloud services of Amazon, namely AWS, are primarily B2B based and they expose all their services to their clients through APIs. Hence, developers are able to rely on third-party APIs and integrate them with their products and services. As a result of this, it is highly important to manage APIs and continuously test them in various ways to ensure the desired data flow. As per the State of Testing Report 2022, 65% weightage has been given to API testing as a very important testing skill. APIs being the most fundamental means of communication between software components, it is very essential to validate and verify that they render correct data in the right format, which in turn can be used properly by other services.


What is an API? 

An API is an interface that connects two services. It is a mechanism that enables two software components to communicate with each other using a set of definitions and protocols. It involves 2 main entities – the service making the API call is called the client, and the one responding to it is called the server. 

What is API Testing?

API testing is a type of software testing that tests the functional and non-functional aspects of Application Programming Interfaces (APIs).

Functional testing mainly involves testing the core functionality of the API where one provides a specific set of inputs and validates the response against the functional requirements. Non-functional testing includes performance testing, where the API is tested under specific loads of concurrent requests to verify its response time and infer the amount of traffic the API can handle before the system overloads.

Security testing being another non-functional testing helps to identify any security vulnerability present in the API.

Learn API Testing today on Thrive EdSchool by The Test Tribe.

Importance of API testing

API testing is an important aspect of software testing that ensures the functionality, reliability, and security of an application’s API. It is important for the following reasons:

  • Widespread Use: In recent times, besides people from technical backgrounds, marketers, product managers, and many others from non-technical backgrounds use APIs. Hence, API testing is critical for ensuring that the APIs work as expected.
  • Functional: API testing involves testing the core functionality or the business logic. It ensures that the API functions as expected and delivers the desired results.
  • Reliability and Performance: API testing ensures the API is reliable and performs consistently under varying load and stress conditions. This helps to identify and fix issues before they affect the end-users. It also helps to measure the performance of the API including its response time and scalability.
  • Security: API testing helps to identify security vulnerabilities in the API and ensure that it is protected against malicious attacks such as injection attacks and cross-site scripting.
  • Early Defect Detection: According to the Test Automation Pyramid, we can see that API testing comes above the Unit test layer. API testing doesn’t require a GUI to be ready, and it can be performed way early in the development cycle. It is comparatively less expensive than UI testing and exploratory testing, as any bugs detected in this phase require less time and effort to fix and thus ensure a better return on investment (ROI).
  • Lesser Time: API testing is faster than end-to-end or UI testing as it generally involves changing the required input parameters of the request whereas UI testing involves filling in details through browser interaction.
  • Automation: API testing is one of the potential places where test automation can be achieved by automating the widely used sanity or regression test cases.

Steps to Follow During API Testing

  • Get the API contracts from the Development team.
  • Review the API specification that includes the request formats and response formats.
  • Identify the necessary pre-conditions for each of the requests (if they need to be authorized etc)
  • Identify the various possible values for requests and develop positive cases.
  • Identify the potential negative cases where the API will fail.
  • Note down the expected result for the tests, valid outcomes for positive tests and error codes with proper valid messages for negative tests. 
  • Once the development build is complete, start executing the tests via a testing tool. 

Importance of the API Contract

The API contract has a set of instructions on how to use the listed APIs. It clearly mentions the API specifications, such as :

• API endpoint

• API Request methods

• API Response

• Status codes and Error Messages

As documentation is very important, it is highly suggested to document our APIs in a clear standard format as it ensures consistency and reusability. API contracts provide a clear understanding of the API’s functionality, which can help developers test and debug the API more effectively. It helps the testing team to prepare their test cases effectively and raise potential bugs. Most of the stakeholders, including product managers, developers, and testing teams, can conveniently refer to API contracts as they serve as a guide for all.

For B2B organizations that provide services to downstream companies, API documentation is crucial, as companies refer to it in order to facilitate the exchange of information via APIs. One such standardized approach to documenting APIs is using the Swagger documentation, which can be followed or suggested to teams.

Potential Test Cases for API Functional Testing

STATUS CODE VALIDATION – The Basic Case for Sanity/Regression

An HTTP status code indicates whether the API call has been performed successfully or not. It is the first basic case to validate upon getting the API response. Adding a status code and message validation helps to understand if a particular API execution was successful or failed. If the API call has been successful, we can further execute the remaining cases that test its core functionality.

In the case of a failure, it helps to know the reason for failure in a broader sense through the HTTP error codes, where 4xx errors stand for a client-side error and a 5xx error signifies an error at the server. It saves time due to earlier detection and reduces the cost of resources used to validate an invalid response.  

RESPONSE TIME CHECKS

Response time is an important metric for API performance and user experience. When an application sends a request to an API, it expects to receive a response within a reasonable amount of time. If a particular API takes a longer time to respond, it directly impacts the end-user experience and also causes additional load on the server on which the API is running. Validating the API response times helps determine the performance of the API. It also helps in setting appropriate time-outs when integrating microservices that internally call external APIs from other services. Many organizations have SLAs that define the response time requirements for an API. Measuring response times can help ensure that the API meets these SLAs.

JSON SCHEMA VALIDATION

JSON schema validation checks for the proper, definite structure of the API by adding hard checks to the API response. It helps to identify any response structure deviating from the defined schema. This helps with strict response validation, as it becomes very tedious for us to test each field of the API response. Thus, JSON schema validation helps to avoid data inconsistencies that could affect the functionality of the application. 

NEGATIVE TESTING AND ERROR HANDLING

Negative API testing is a type of testing that focuses on validating how an API handles unexpected or incorrect input or actions. It involves intentionally sending invalid, incomplete, or unexpected input to the API to verify that it responds correctly and provides appropriate error messages. The goal of negative API testing is to identify and fix potential issues in the API and ensure that it can handle edge cases and error conditions gracefully.

Some examples of negative test cases :

  • Testing with invalid end-points and verifying for 404 Not Found errors
  • Testing with an invalid request body should give 400 Bad request errors
  • Test with invalid request headers should give 400 Bad request errors

An API can fail for various reasons, and it is essential to correctly communicate the reason for failure with an appropriate error message. Human readable messages should summarize the context, cause, and general solution for the error at hand.

It is important that error messages are specific and convey the reason for failure. 

Ex: A 4xx Bad Request Error should correctly convey the appropriate reason instead of showing a generic message saying Invalid Request/Field

  • Bad Request Error – Generic Message

{ “message”: “Invalid input” }

  • Bad Request Error – Conveying Specific Message

{“message”: “id – Field is required but value is None”}

Here, the second message conveys that the id field is missing in the API call giving the actual reason for failure. However, the first error message gave a generic 400 Bad Request error without specifying the reason for failure.

Non Funtional API Testing

Other than functional API tests, some of the important non-functional tests that can be conducted on APIs are:

Performance Testing: The goal of performance API testing is to ensure that the API can handle the expected volume of requests and provide timely responses without impacting the user experience. Load testing involves sending a high volume of requests to the API to evaluate its performance under heavy load. This can help identify bottlenecks and potential performance issues that may impact the user experience. Stress testing involves sending a high volume of requests to the API beyond its capacity to evaluate how it responds under extreme load conditions. This can help identify the breaking point of the API and how it behaves in failure scenarios.

Security Testing: Security API testing is a type of testing that focuses on identifying potential security vulnerabilities in an API. This mainly involves authentication and authorization testing, where we verify that the API correctly implements authentication and authorization mechanisms to prevent unauthorized access.  

Conclusion 

API testing is very important and it also serves as a potential scope where one can achieve test automation. Sequencing or chaining of API calls which involves the response of one API to be sent as part of another API’s request is increasingly used to design end-to-end API flows for testing. This helps in creating end-to-end automation suites which can be run whenever sanity or regression testing is required as and when new features are added.

Automating these sanity and regression test cases as a part of the CI/CD pipeline ensures that new features or fixes don’t impact the existing APIs. This ensures that the team is given faster feedback thus reducing manual efforts and time. Overall API testing is an essential part of software testing ensuring that APIs are reliable, secure and performant. As the importance of APIs continues to grow in the years ahead, the need for robust and efficient API testing will always increase, making it a critical area of focus in software testing.

This blog is submitted by Samarth G Vasist as a contributing autor for The Test Tribe. We would like to thank him for this contribution. You can connect with Samarth on LinkedIn.