a guide to API testing for QA engineers

An application programming interface (API), allows two applications to interact. It can be named as a function or method, allowing the user to interact with an application.

During API testing, we need to test the core business logic of the application to reduce the number of defects that could be found during functional testing.

API testing is done to ensure that an API is working as it should without any deviations or errors. As the API is considered the engine which drives the application, API testing is a critical part of development.

API testing has several benefits:

•  API testing allows you to detect defects early.

API testing can be done before integration with UI, giving you the opportunity to find defects at an earlier stage and helping you reduce the cost and time spent building the application.

•  API test automation helps reduce deployment effort.

There are multiple tools and libraries available to automate API testing. Today we have CI/CD era for deployment, and those automated API tests can be used to ensure that the application works after deployment of new code, saving effort and time.

• You can run one test iteration on multiple platforms.

Whether the application is on a mobile or web platform, the same set of APIs will be used, so you can run the same test iteration on both platforms.

• You can do a security check during API testing.

You can detect security loopholes while performing API testing, reducing the number of attacks on your application.

• You can do a performance check during API testing.

An API is a bridge to extract data from a database after doing some simple or complex operations. So, you should check how the API is working to assess the performance of the application.

It is important to know what to test before doing API testing, so here is a step-by-step guide to follow:

Verify HTTP status code

An HTTP status code defines the server response to the API request, indicating whether the request is completed or not. HTTP status codes are categorized into five groups: informational responses, successful responses, redirection messages, client error responses, and server error responses.

For example, creating a new resource should return 201 CREATED and unpermitted requests should return 403 FORBIDDEN. So, it’s important to know different status codes while doing API testing.

Verify response payload

When working with REST API, verify that the JSON/XML body is valid and field names, types, and values are correct — including in error responses. You can use an assertion to test the attributes if you are using SoapUI or any other automation tool.

Verify response headers

HTTP server headers have implications for both security and performance. In headers, one can validate the content-type, server, and content-encoding.

• Verify the correct application state. This is optional and applies mainly to manual testing, or when a UI or other interface can be easily inspected.
• Verify basic performance sanity. If an operation is completed successfully but takes an unreasonable amount of time, it fails the test. You can also track how much time an API is taking to load and give the response.

Unit testing

Unit testing is performed in the development stage. These tests are written to run automatically with each new build run. Each API is tested separately as an individual entity.

In most companies, the developer writes unit tests, but in some cases, due to time limitations, a tester is also involved. After a developer writes or adds a block of code, they need to run unit test cases to make sure the code is working.

You can write unit tests using these tools:

• NUnit
• JUnit
• TestNG
• Mockito

Integration testing

You can perform integration testing once APIs are integrated. Validate the data flow and whether the API is functioning as expected after integration.

Some APIs are dependent on each other and if one fails to function properly, it can affect the others. So you should test each API independently and then test them again after merging.

After merging the APIs, try to test them after switching one API off and switching another on. Then test them again after switching both on simultaneously. This way you can observe and test the application.

Tools you can use for integration testing include:

• SoapUI
• ReadyAPI
• POSTMAN
• Rest-ASSURED
• Karate DSL

Functional testing

Functional testing is performed to validate the functional aspects of each API. You validate whether the payload, status codes, and header content are working as expected.

To perform this test, you should have a solid understanding of the acceptance and functionality of the API. Prepare test data and test cases in advance so you don’t miss any functional use cases . You can use the following tools for functional testing:

• SoapUI
• ReadyAPI
• POSTMAN
• Karate DSL

Performance testing

You should do performance testing as early as possible. It covers the non-functional aspects of the API, like:

• How much time is it taking to load?
• How many users can it handle at a time?
• How long can it handle a certain load for?

You can use the following tools for performance testing:

• JMeter
• LoadRunner

Security testing

Security testing is when you try to detect potential security threats to an API. You should perform this test after the API is developed. Check whether data is leaking and if you need to encrypt it.

You can use these tools for functional testing:

• SoapUI
• ReadyAPI
• Postman

While performing API tests, you may encounter challenges. Here are a few of them:

Lack of end-user experience

Solution: Understand the requirement clearly and have a proper set of test data. Having proper acceptance criteria will help you think about how the end-user will use the application.

Sequencing API calls

Solution: Have a clear idea of the application architecture so that you understand call sequencing. Alternatively, you can make a flowchart to visualize how API calls will happen.

Parameter selection

APIs handle communication between different systems by assigning data values to parameters and passing those parameters through data requests. It is important to test all possible parameter request combinations in the API.

Solution: It is important to have release candidates as per your experience. For example, you should pick one or two applications to utilize the API on and release it to just those applications. Pick applications that are not critical to daily operations so you can see how the API is being utilized.

So, now you know more about the various types of API testing. API testing allows you to test the application early and without GUI. It is an advanced technique to detect defects early and reduce the cost of building an application.