
Introduction to API Testing

APIs have become the centre of software development, connecting systems and applications and transferring data across them. Testing them can greatly improve the efficiency of your testing strategy as a whole, helping you deliver software faster than ever.

API testing is a software testing practice that tests APIs directly, covering their functionality, reliability, performance, and security. As part of integration testing, API testing effectively validates the logic of the build architecture within a short amount of time.


Common tests performed on APIs:

  • Return value based on input condition – The return values from the APIs are checked based on the input condition.
  • Verify the case where the API does not return anything.
  • Verify whether the API triggers some other event or calls another API. The event's output should be tracked and verified.
  • Verify whether the API is updating any data structure.

Benefits of API Testing:

  • Earlier validation of correctness in response and data.
  • Earlier test maintenance.
  • Better speed and coverage of testing.
  • GUI independent testing.
  • Reduced testing cost.
  • Language independent test.
  • Helpful in testing core functionality.

Types of API testing:

QA engineers approach API testing from different angles. They test whether it returns correct outputs in the expected format, whether it delivers responses within an acceptable timeframe, and how well it integrates with presentation layer software.

Testers check an API’s reactions to edge cases (e.g. failures, unexpected or extreme inputs) and potential security attacks.

Functional API tests
Functional testing is the assessment of specific functions within the codebase. It makes sure the API actually works within the expected parameters, namely:

  • returns the desired output for a given input; and
  • handles errors when the results are outside of the expected parameters.

One of the functional testing types is Positive / Negative testing. Negative testing checks how an API responds to every possible kind of wrong input, while positive testing verifies the correct functioning of the API when the input conforms to the norm. If positive test cases fail, it’s a bad sign, as it means the application can’t perform even under ideal conditions.

API performance tests
Load testing: The point of load testing is to measure where the limit of system performance under high load lies. That’s why we measure response times, throughput, server conditions, etc., while increasing the number of calls.

Soak testing: Load tests that run over a long period of time can reveal system instabilities like API memory leaks. So when you have a weekend ahead, leave automated soak tests running. On Monday, they will show you whether any unwanted behavior has emerged.

Stress testing: The idea is to gradually increase the count of virtual users to find the point at which the API starts throwing errors, slows down, or stops responding.

Spike testing: Unlike stress testing, here an API undergoes a sudden and extreme increase or decrease in the number of users over a short period of time. Spike testing checks whether the API is able to stabilize and return to normal functioning after that.

Scalability testing: You want to be sure that your system performance scales according to the changing load. To do so, increase the number of incoming requests and monitor whether it causes a proportional increase in response time.

API security tests

Security, penetration, and fuzz testing are the components of the security auditing process, which tests an API for vulnerabilities to external threats.

Security testing: This validates whether security requirements are met. This includes authentication, permissions, and access controls, namely:

  • what type of authentication is required to use the API;
  • how well sensitive data is encrypted; and
  • what authorization checks are set for resource access, etc.

Penetration testing: This takes security testing a step further. Certain API functions, resources, processes, or the entire API are attacked from the outside to determine whether the threat vector can be reached.

Fuzz testing: The last step in the security audit tests the API at its absolute limits. Massive amounts of random data are forced into the API to see whether it withstands them or ends up with negative behaviour such as a forced crash or an overflow.
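
The fuzz testing idea above, as an added example (not from the original article): seeded mutations of a valid request body are fed to two constructed handlers, and any unhandled exception or 5xx answer is recorded as a finding. The handlers, the `quantity` field and the chosen status codes are assumptions made for this example.

```python
import json
import random

def naive_handler(body: bytes) -> int:
    """Constructed endpoint without input validation; returns an HTTP status."""
    data = json.loads(body)          # raises on malformed JSON or bad encoding
    qty = int(data["quantity"])      # raises on missing key or wrong type
    return 200 if qty > 0 else 400

def hardened_handler(body: bytes) -> int:
    """Same endpoint, answering bad input with a 4xx status instead of failing."""
    if len(body) > 1024:
        return 413
    try:
        data = json.loads(body)
    except ValueError:               # covers JSONDecodeError and UnicodeDecodeError
        return 400
    if not isinstance(data, dict):
        return 400
    qty = data.get("quantity")
    if isinstance(qty, bool) or not isinstance(qty, int) or not 0 < qty <= 1000:
        return 422
    return 200

def mutate(rng: random.Random, body: bytes) -> bytes:
    """Derive one malformed input from a valid body."""
    kind = rng.randrange(4)
    if kind == 0:                    # unrelated random bytes
        return bytes(rng.randrange(256) for _ in range(rng.randrange(64)))
    if kind == 1:                    # truncated body
        return body[:rng.randrange(len(body))]
    if kind == 2:                    # one corrupted byte
        i = rng.randrange(len(body))
        return body[:i] + bytes([rng.randrange(256)]) + body[i + 1:]
    return body * rng.randrange(2, 200)   # oversized body

def fuzz(handler, valid=b'{"quantity": 3}', rounds=2000, seed=1234) -> list:
    """Return (input, outcome) pairs where the handler raised or answered 5xx."""
    rng = random.Random(seed)        # fixed seed keeps findings reproducible
    findings = []
    for _ in range(rounds):
        body = mutate(rng, valid)
        try:
            status = handler(body)
        except Exception as exc:     # unhandled exception: would surface as a 500
            status = type(exc).__name__
        if not isinstance(status, int) or status >= 500:
            findings.append((body, status))
    return findings
```

Running `fuzz(naive_handler)` returns the crashing inputs together with the exception names, which gives the list of validation gaps to close; `fuzz(hardened_handler)` returns an empty list.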

API Testing Tools

  • Postman
  • Katalon Studio
  • SoapUI
  • Parasoft
  • REST Assured
  • Tricentis Tosca
  • Ping API
  • Assertible
