A great number of software products today rely on third-party APIs for some of their functionality – from signing in with Facebook to sharing important data between enterprise systems.
More APIs imply more testing to ensure that they fulfill functionality, reliability, performance, and security criteria. Without proper testing, an API may fail to work as planned, which can have a negative impact on a variety of products and services.
Here at MindK, we use third-party APIs or develop new ones on almost every project we deliver. From our experience, we know how important the role of API testing is in the quality of the end product. We’ve previously talked extensively about what an API is. We’ve also gone through the fundamentals of software quality management. So, today we’ll mesh this data together into a coherent whole and review exactly what API testing is, how it is done, and what its value is. So, first things first.
What is API testing?
API testing is a type of software testing that checks whether an application program interface (API) provides the functionality, security, performance, and reliability that are necessary.
Because an API works by passing calls from the client application to the server and sending the response back to the client application, API testing means sending API calls and checking their responses. More specifically, API testing involves different QA operations that are focused on making API requests, receiving output, and checking whether the response is right for the given input parameters (including data correctness and format, HTTP status codes, error codes, and much more).
API operating principle
To have a clear picture of the API testing scope, it’s important to know that the architecture of the typical app has three main layers: the presentation layer (User Interface or UI), the business logic layer, and the database layer. The API testing is carried out at the most crucial one—the business layer—where business logic processing and all interactions between the user interface and database levels occur.
Based on this three-tier architecture, there are three different layers of testing, called the test pyramid. Despite its oversimplification, it provides a general rule of thumb: it indicates which testing we should focus on at each level:
- UI tests involve testing the functionality of any software with which a user would interact. This normally entails testing the visual components to ensure they satisfy the specifications, both in terms of functionality and performance.
- Functional tests focus on testing the business logic and rules. The tests are intended to be used in conjunction with user stories to confirm that all implemented functionalities work as expected. As data shown in the user interface is frequently supplied from servers via API, API testing is carried out to assure the correctness of the API.
- Unit tests are the lowest level of testing that provides the highest value and ROI. Unit tests can achieve between 70% and 80% code coverage with the same amount of work.
What benefits does API testing bring to the table?
The API is considered the engine of the application, and should therefore function without deviation or failures. To achieve this, API testing is paramount. Apart from this fundamental reason, there are a few more reasons that might help you understand the significance of API testing:
- Earlier bug detection: API testing can start before the API is connected to the UI components. As a result, at a very early stage of the development, we are able to detect any defects in the application’s basic code. By ensuring that the API is running well and without errors, we also ensure that the same piece of data will not cause any problems later on when paired with the application UI.
- Reduced costs: This advantage is directly related to the previous one. Automated API tests produce substantially faster test results and speed up the development process. First, API testing may begin as soon as the business logic is determined and before any UI testing. Second, the earlier an error is discovered, the less expensive it is to correct it. This means more efficient resource use and lower overall testing expenses.
- Improved test coverage: Unlike unit tests, API testing is often larger in scope. While unit tests focus on the limited functionality inside a single application, API-level tests are designed to ensure that all system components perform as intended. API testing helps to discover issues in interfaces, servers, and databases, thus enhancing overall software quality and leading to improved user experiences.
However, in order to reap all of these benefits and determine whether the API is functioning properly, there is a need to run several types of API tests.
What are the different types of API testing?
Depending on the scope of API tests, you might want to run different kinds of tests. Let’s review them in more detail:
API functional tests: API functional testing mainly focuses on the functionality of an API. It primarily evaluates specific functions inside the codebase. This testing checks that the API returns the intended result for a given input and handles issues when the output is outside the acceptable parameters. Positive and negative tests are sub-types of functional tests; negative tests examine how an API responds to each sort of incorrect input.
API performance tests: Performance is one of the most often overlooked non-functional areas, and one that causes trouble most often. Performance testing should take everything into account, including spikes in traffic and multiple heavy processes running at the same time and interfering with one another. Here are a few types of API performance tests:
- Load test: The goal of load testing is to determine where the system’s performance limits are under heavy load. That is, as the number of calls increases, the team evaluates response times, throughput, server conditions, and so on.
- Stress test: Focused on slowly raising the number of virtual users to discover the point at which the API stops responding or slows down.
- Soak test: Soak tests run over an extended period can disclose system instabilities such as API memory leaks.
- Scalability test: Done to ensure that the system’s performance scales as the load changes.
- Spike test: This test determines if the API can stabilize after a sudden spike of users and then resume regular operation.
API integration and reliability tests: In cases when you connect an API to more than one solution, it’s better to check for any potential disconnections. This is what reliability testing does—it determines whether the API can operate well in any given environment and provide consistent results. Integration testing is more focused on communication between APIs, ensuring they are well-connected and don’t cause bugs in another API’s module.
API security tests: These tests are designed to ensure that the API is secure from external threats. They can be divided into security tests that validate whether security requirements are met (including authentication, permissions, and access controls), penetration tests that check the API behavior under attack from the outside, and fuzz tests that cause unexpected behavior and errors in the API backend to discover bugs and potential security issues.
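As an added illustration (not code from the original article or from MindK), here is a small automated suite that combines the negative functional tests and the security-requirement tests described above: it sends real HTTP calls and checks status codes for authentication, access control, and input validation. The `/orders/<id>` API, the tokens, and the order data are constructed for the example and stand in for the API under test.

```python
import json, threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed fixtures: bearer token -> user, order id -> owner.
TOKENS = {"token-alice": "alice", "token-bob": "bob"}
ORDERS = {"1": "alice", "2": "bob"}

class ToyAPI(BaseHTTPRequestHandler):  # hypothetical API under test: GET /orders/<id>
    log_message = lambda *args: None   # silence per-request logging
    def do_GET(self):
        user = TOKENS.get(self.headers.get("Authorization", "").removeprefix("Bearer "))
        oid = self.path.rsplit("/", 1)[-1]
        if user is None:                # authenticate before anything else
            status, body = 401, {"error": "unauthenticated"}
        elif not oid.isdigit():         # then validate the input
            status, body = 400, {"error": "invalid order id"}
        elif ORDERS.get(oid) != user:   # then authorise; unknown ids get the same answer
            status, body = 403, {"error": "forbidden"}
        else:
            status, body = 200, {"id": oid, "owner": user}
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

# (case name, token, order id, expected status): one positive case, five negative.
CASES = [("owner reads own order", "token-alice", "1", 200),
         ("missing token", None, "1", 401),
         ("unknown token", "token-eve", "1", 401),
         ("other user's order", "token-alice", "2", 403),
         ("nonexistent order", "token-alice", "999", 403),
         ("malformed id", "token-alice", "abc", 400)]

def call(port, token, oid):  # send one API call, return (status, parsed JSON body)
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    conn.request("GET", f"/orders/{oid}", headers=headers)
    resp = conn.getresponse()
    return resp.status, json.loads(resp.read())

def run_suite():  # serve ToyAPI on a free loopback port; return {name: (status, body)}
    with ThreadingHTTPServer(("127.0.0.1", 0), ToyAPI) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return {name: call(server.server_port, tok, oid) for name, tok, oid, _ in CASES}
        finally:
            server.shutdown()
```

Call `run_suite()` and compare each returned status with the expected value in `CASES`; the forbidden and nonexistent cases should return identical responses, so that order ids cannot be enumerated from the error.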
With so many types of API testing, it becomes obvious that manual testing here will take up a ton of time and effort. So now it’s time to talk about the role of automated testing for API tests.
API testing is one of the areas where automation is most valuable
One of the reasons so few teams run through API tests is that they simply lack the necessary time. With Agile development, there’s always pressure to deliver your product faster. The only way you can buy enough time for deep API testing is by investing in automation.
You can write test scripts once and have them run automatically every time developers change the API code. Automation testing processes eliminate repeated tasks, speed up testing, and increase coverage.
Moreover, testing your API on a continuous basis is essential for maintaining the security of your app. Automated tests make it easier to cover the full spectrum of API tests: functional, security, positive, negative, and so on.
However, there are some limits to automated API testing: 100% API test automation isn’t cost-effective. Not all parts of your system have an equal priority when it comes to testing automation. It’s important to develop a test automation strategy that maximizes the development speed and ROI. In this light, you still need manual testers to account for the multitude of use cases, security vulnerabilities, and possible integrations.
Top testing tools we use for API testing
There are many tools that help test APIs. At MindK, we prefer Postman for manual testing and integration tests and SoapUI for automated end-to-end testing.
Postman is one of the most popular tools for ad-hoc and exploratory testing with more than 5 million testers using it regularly. It’s a simple REST client that comes in the form of a Chrome extension and desktop apps for Windows, Linux, or Mac.
Unlike most similar tools, Postman has an excellent (if somewhat slow) UI. This makes it an excellent choice for testers who don’t want to get bogged down in coding.
Postman allows API tests to run in isolation using Postman’s request builder or create collections of multiple tests. Moreover, Postman supports easy knowledge sharing and collaboration. You can, for example, upload the test cases to your knowledge base or package API calls and the expected responses into a collection and send it to your colleagues.
The tool also allows you to create Boolean tests, extract data from most modern web APIs and even automate your tests. Among its neat features are support for multiple environments (like development, staging, and so on) and REST requests.
To sum up, among the key advantages of Postman we can single out:
- User-friendliness. QA engineers may easily develop test suites by filling out templates using a simple interface. Postman also provides code snippets to help with script building, including examples of validations for response time, response code, and so forth.
- Accessibility. Users may easily access their files by authenticating into their account on a device that has the Postman application or the Postman browser extension installed.
- Capabilities for tracking requests. Postman supports the different HTTP response status codes, allowing users to validate the response.
- Rich functionality. Postman supports all HTTP methods, as well as storing progress, converting APIs to code, and changing the API development environment, among many other features. It is extendable and may be coupled with other tools, such as a CI/CD engine, to execute test suites.
However, it should be noted that Postman’s testing area is limited. While it is good for testing RESTful APIs, it is not well suited for testing SOAP and other APIs. The reusability of scripts is also limited. Users are unable to reuse their pre-written scripts or add new requests. This means QA engineers must write new test scripts for each project.
If you need advanced automation or complex test scenarios, nothing beats SoapUI. It’s the most popular tool on the market that supports both RESTful and SOAP API testing.
It comes in two formats: a free open-source version with full access to the source code and a Pro version with some extra features (like an SQL query builder, a form editor, and XPath assertion wizard).
SoapUI is easy to learn: you can get up to speed in just three days. It has a convenient drag-and-drop interface that allows you to quickly create complex asynchronous tests and simplifies working with XML/JSON.
It allows loading of data from databases, files, or Excel, and simulates the API interactions in data-driven tests. SoapUI allows repurposing performance and security tests into functional test cases with just a couple of clicks. The benefits of SoapUI for API testing are:
- It’s a really comprehensive tool with numerous functions, although at times it can be a little confusing given what’s actually required.
- It offers greater interaction with the SOAP protocol than Postman (since it was initially intended for that).
- It’s a tool that’s more oriented to testing and not simply to invoking an API, documenting it, and publishing it. It allows structuring the tests into test suites, test cases, and test steps.
Now that we’ve reviewed the role of API testing, its types, and tools, let’s discuss how you can approach API testing.
How to get started with API testing?
1. Define the API requirements.
Before planning API tests, it’s important to establish the testing requirements first. Prior to testing your APIs, you should know what kinds of requests they can make as well as their limitations.
You can find this information in the API documentation or get it directly from the developer and other stakeholders. Find more information about the API’s goal and target consumer, other APIs with which this API interacts, the available endpoints, HTTP verbs that you can use and authorization limits, the required fields and their validation limits, response codes that come with Failed/Passed requests, and the error messages displayed with failed requests.
Open communication is essential for defining the needs since every stakeholder may provide helpful input. This is why collaboration on this step is critical.
2. Set up an API test environment.
After determining the scope and requirements of your API, the next step is to set up an API test environment. Quite often, this step requires the involvement of DevOps engineers, as setting up a test environment may include the configuration of servers, databases, and every resource with which the API interacts.
3. Define input parameters.
Before calling an API, it’s important to define input parameters because they provide the information the API needs to operate properly. Thus, they are necessary to determine whether the API works as needed. A REST API, for example, can receive header, query, and request body parameters, among other sorts of input parameters. It is critical to map out all potential input combinations before conducting API testing.
4. Determine the test plan.
The test plan will differ depending on the product type and API. A robust test plan, on the other hand, should thoroughly cover all situations and explicitly indicate the importance of scenarios that must be verified. It should also comprise unit, integration, security, performance, and third-party API tests, among others.
5. Decide on an API testing tool.
The next step is to choose an API testing solution to assist in automating or simplifying the API testing process. When comparing API testing solutions, it’s critical to understand the type of API you’ll be testing, the types of tests you’ll be performing, and your budget.
Wrapping up
And that is pretty much it for API testing. It’s time for you to consider the benefits API testing can provide specifically to your organization against its costs. Can the potential savings from fixing bugs early make up for the larger QA budget? Can the increased test coverage and accuracy add enough value to your product? Can you risk releasing an insecure app? Whatever your answers are, we hope you’ve found everything you need to make an informed decision.
If you need qualified professionals to help you with API testing or if you need a consultation, the MindK team is happy to help. We are a team of professional software developers and QA engineers with knowledge of QA automation and CI/CD tooling, scripting languages, and cloud-based technologies. Check our API development and QA automation services to find more of what we provide.