API testing checks APIs for functional correctness, reliability, security, etc. It helps developers identify and fix potential problems before deploying code to production environments, thereby improving the overall availability and reliability of the system. Compared to UI testing, API testing can start earlier and enable the system to respond to business needs more quickly.
What is an API?
API stands for Application Programming Interface. It’s a connection between different systems or applications that enables them to communicate with each other.
It is just like ordering food at a restaurant: you only need to tell the waiter what you want, the waiter passes the order to the chef and then brings the meal out from the kitchen. In this process the waiter plays the role of an API. Similarly, when you use an API you only need to call the required functions and services, without needing to know the underlying code implementation. An API therefore acts as a "middleman" between different applications, allowing them to communicate and interact with each other.
In contrast to monolithic architectures, microservices are favored by more and more developers because of their high flexibility. The microservice style promotes the decomposition of the application into smaller, isolated services, which allows each core function within an application to exist independently.
The emergence of microservice architecture has also led to a surge in the number of APIs.
Why API Testing?
With the explosive growth of APIs, the quality of APIs becomes increasingly important. Once an API breaks down, the whole application and the user experience are put at risk. Proper API testing is what guards the system against such outages.
API testing involves exercising the collection of APIs and checking whether they meet expectations for functionality, reliability, performance and security, and whether they return the correct response. It helps developers detect and fix potential problems before deploying code to the production environment, thereby improving the availability and reliability of the entire system. This matters especially in a microservice architecture, where the applications undergo frequent changes and updates.
HTTP/HTTPS Protocol
The most common web service API styles are SOAP, REST and RPC. A RESTful API is an API that conforms to the REST architectural style: it uses HTTP request methods to act on resources and uses URIs (Uniform Resource Identifiers) to identify them.
The Hypertext Transfer Protocol (HTTP) is the application-layer protocol most RESTful APIs use for communication between clients (such as web browsers) and servers. Each HTTP request message carries the host information, the protocol version (HTTP/1.1, HTTP/2), the HTTP method (GET, POST, ...), HTTP headers such as Content-Type and Content-Length, and a body that holds the data actually being transferred to the server.
HTTP Requests
A correctly composed HTTP request contains three elements: the request line, header and message body.
Request line: It consists of the request method, the request URI (which specifies the URI of the resource that the client is requesting, including the path, query parameters, etc.), and the HTTP protocol version number.
Header: It contains information that a server can use to decide how to respond to the request.
Message body: It contains the specific content of the request, such as form data, JSON data, etc.
For example, here is an HTTP request message (note the blank line that separates the headers from the body, and that Content-Length is the byte length of the body):
POST /api/v1/login HTTP/1.1
Host: example.com
Content-Type: application/json
Content-Length: 50

{"username": "user123", "password": "password123"}
URL
A URL (Uniform Resource Locator) is an address used to locate resources on the Internet. It usually consists of a protocol type, hostname, port number, path, and query string. For example:
https://www.example.com:8080/api/login?param1=value1&param2=value2
In which:
- https is the protocol type
- www.example.com is the server address
- 8080 is the port number that the server is listening on
- /api/login is the path to the resource being accessed
- param1=value1&param2=value2 is the query string
By requesting a URL, the client can send a request to the server and obtain the corresponding messages.
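The following JavaScript is an added example, not code from the original article or from AREX. It breaks a URL into the parts listed above using the WHATWG URL API that is built into Node.js and browsers, and it rebuilds a query string with correct percent-encoding so that characters such as spaces, "&" and "=" inside a value cannot be mistaken for separators. The default-port table for http/https is an assumption of this example.

```javascript
// Added example (not from the original article): split a URL into the parts
// described above, and build a safely encoded query string.

// Assumed default ports for the two schemes this example cares about.
const defaultPorts = { 'http:': 80, 'https:': 443 };

function parseUrlParts(rawUrl) {
  const u = new URL(rawUrl); // throws on a syntactically invalid URL
  return {
    protocol: u.protocol.replace(/:$/, ''),            // "https"
    hostname: u.hostname,                              // "www.example.com"
    // URL.port is "" when the URL carries the scheme's default port.
    port: u.port === '' ? (defaultPorts[u.protocol] ?? null) : Number(u.port),
    path: u.pathname,                                  // "/api/login"
    // searchParams already percent-decodes values; duplicate keys keep the last one here.
    query: Object.fromEntries(u.searchParams),         // { param1: "value1", param2: "value2" }
  };
}

// Encode each key and value separately, then join with "=" and "&".
// encodeURIComponent turns a space into %20, as the article describes.
function buildQueryString(params) {
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(String(v))}`)
    .join('&');
}

// Usage:
// parseUrlParts('https://www.example.com:8080/api/login?param1=value1&param2=value2');
// buildQueryString({ q: 'red apple' });  // "q=red%20apple"
```

A practical check when writing tests: feed the parser a URL whose value contains "&" or "=" (for example, a search term) and confirm the query still splits into the key/value pairs you intended; if it does not, the client did not encode the value before appending it.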
Request Method
The standard RESTful API only has four types of operations: GET, POST, PUT, and DELETE.

Method | Description
---|---
GET | Retrieves data from the API.
POST | Requests that the server update a resource or create the resource.
PUT | Requests that the server create a resource in the database.
DELETE | Requests that the server delete the resource.
Request Headers
An HTTP request header is part of the message a client sends to the server to request a specific page or piece of data from the web server.
Common request headers, including those in the example above, are:
- Host: The domain name of the server (for virtual hosting) and the TCP port number on which the server is listening.
- User-Agent: The user agent string of the client, e.g. the Firefox 58.0 browser on the Windows 10 operating system.
- Accept: The media type(s) that are acceptable for the response.
- Content-Type: The media type of the data carried in the request body.
- Content-Length: The length of the request body in octets.
Message body
A message body is data sent by the client to your API, mostly used with the POST, PUT and PATCH methods.
The format and content of the message body are usually specified by the Content-Type field in the request header.
These are three common types:
- Raw. This can technically hold any kind of string, but generally contains XML or JSON, e.g. {"firstName":"Pied","lastName":"Piper"}.
- x-www-form-urlencoded. This is used for sending simple text values in query-string form, e.g. key1=value1&key2=value2. All characters are URL encoded, e.g. spaces are replaced by %20.
- Binary. This is used for attaching images, videos, audio, and other non-text files.
Response Message
HTTP responses, the answer from the server, consist of three parts: status line, header, and response body.
Status line
The start line of an HTTP response, called the status line, contains the protocol version, the status code and a status text that helps a reader understand the response, e.g. HTTP/1.1 404 Not Found.
Headers
The response headers allow the server to pass additional information about the response.
Message body
The message body of a response contains the information requested by the client, in the format specified by the Accept field in the request header.
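As an added example (not from the original article or from AREX), the following JavaScript parses the HTTP message layout described in the request and response sections above: start line, header lines, a blank line, then the body. It handles both requests (request line) and responses (status line), and it checks that the declared Content-Length matches the actual byte length of the body, a mismatch that is easy to introduce by hand and that intermediaries and servers interpret differently. The sample messages are constructed for the example.

```javascript
// Added example (not from the original article): a minimal HTTP/1.1 message
// parser for requests and responses. It only reads strings; nothing is sent.

function parseHttpMessage(raw) {
  // Headers end at the first empty line (CRLF CRLF); the body is everything after it.
  const sep = raw.indexOf('\r\n\r\n');
  if (sep === -1) throw new Error('malformed message: no blank line after headers');
  const head = raw.slice(0, sep).split('\r\n');
  const body = raw.slice(sep + 4);

  // Request line: METHOD SP target SP version.  Status line: version SP code SP reason.
  const startLine = head[0];
  const parts = startLine.split(' ');
  const isResponse = startLine.startsWith('HTTP/');
  const start = isResponse
    ? { version: parts[0], status: Number(parts[1]), reason: parts.slice(2).join(' ') }
    : { method: parts[0], target: parts[1], version: parts[2] };

  // Header names are case-insensitive, so normalise them to lower case for lookup.
  const headers = {};
  for (const line of head.slice(1)) {
    const i = line.indexOf(':');
    if (i === -1) throw new Error(`malformed header line: ${line}`);
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }

  // Content-Length counts bytes, not characters; compare against the UTF-8 length.
  const bodyBytes = Buffer.byteLength(body, 'utf8');
  const declared = headers['content-length'] === undefined ? null : Number(headers['content-length']);
  return {
    kind: isResponse ? 'response' : 'request',
    start,
    headers,
    body,
    bodyBytes,
    contentLengthOk: declared === null || declared === bodyBytes,
  };
}

// Constructed sample messages, in the same shape as the article's login example.
const sampleRequest =
  'POST /api/v1/login HTTP/1.1\r\n' +
  'Host: example.com\r\n' +
  'Content-Type: application/json\r\n' +
  'Content-Length: 50\r\n' +
  '\r\n' +
  '{"username": "user123", "password": "password123"}';

const sampleResponse =
  'HTTP/1.1 404 Not Found\r\n' +
  'Content-Type: application/json\r\n' +
  'Content-Length: 21\r\n' +
  '\r\n' +
  '{"error":"not found"}';

// Usage:
// const req = parseHttpMessage(sampleRequest);   // req.start.method === 'POST', req.contentLengthOk === true
// const res = parseHttpMessage(sampleResponse);  // res.start.status === 404
```

In a test suite, contentLengthOk is the kind of property worth asserting on captured traffic: a client that sends a declared length different from the body it actually wrote is producing messages the server will either truncate or wait on.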
Types of API Testing
The aim of API testing is to test every interface in the system to verify that the interface meets the requirements and specifications in terms of functionality, performance, security, etc.
1. Functional Testing
Checks whether the API works as intended.
API functional testing focuses on the functionality of an API, evaluating specific functions inside the codebase. It verifies that the API returns the intended result for a given input and handles errors when the output falls outside the acceptable parameters. Positive and negative tests are the two sub-types of functional tests; negative tests examine how an API responds to each kind of incorrect input.
2. Performance Testing
Verifies the performance of the interface under high concurrency, large data volumes, etc., measuring response time, throughput, supported concurrency level and so on.
- Stress testing: Simulate many users accessing the interface concurrently and observe its behaviour, such as response time, throughput and error rate. Tools such as JMeter and LoadRunner can be used for stress testing.
- Load testing: Test the performance of the interface under different loads. Load testing can be done in two ways: static load and dynamic load. Static load tests the interface at a predetermined concurrency level, while dynamic load adjusts the concurrency level according to the actual load to test the interface under varying conditions.
- Spike testing: Determine how an API responds to sudden, unexpected spikes in traffic.
- Soak testing: Run the interface for a long period of time to observe its stability and reliability over an extended period.
3. Security Testing
Tests the security of the API, including its protection capabilities, authentication and authorization, data encryption, etc.
For security testing, different testing methods and techniques are needed for different security risks and threats. The security of the testing environment itself also has to be considered, such as the protection of test data and security management during the testing process. To improve testing efficiency and coverage, security testing tools such as vulnerability scanners and static code analysis tools can be used to assist the work.
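The following JavaScript is an added example, not code from the article or from AREX. It shows a table-driven suite that combines the positive and negative functional cases from the Functional Testing section with the authentication and authorization checks named under Security Testing. The API under test is an in-memory stand-in (fakeApi) constructed here so the suite runs offline; its routes, tokens, user records and error strings are assumptions of the example. To test a live service, replace fakeApi with a function that performs the real HTTP call and returns the same {status, body} shape.

```javascript
// Added example (not from the original article): a small functional + security
// test suite against a constructed in-memory API.

// Constructed test data: one user and two bearer tokens.
const users = { user123: { password: 'password123', email: 'u123@example.com' } };
const tokens = { 'tok-user123': 'user123', 'tok-other': 'other' };

// Stand-in for the service under test. Takes { method, path, headers, body }
// and returns { status, body } like an HTTP client wrapper would.
function fakeApi(req) {
  if (req.method === 'POST' && req.path === '/api/v1/login') {
    const { username, password } = req.body || {};
    if (typeof username !== 'string' || typeof password !== 'string')
      return { status: 400, body: { error: 'username and password required' } };
    const u = users[username];
    // Same message for unknown user and wrong password, so the login
    // endpoint does not reveal which usernames exist.
    if (!u || u.password !== password)
      return { status: 401, body: { error: 'invalid credentials' } };
    return { status: 200, body: { token: `tok-${username}` } };
  }
  if (req.method === 'GET' && req.path.startsWith('/api/v1/users/')) {
    const auth = (req.headers && req.headers.authorization) || '';
    const owner = tokens[auth.replace('Bearer ', '')];
    if (!owner) return { status: 401, body: { error: 'authentication required' } };
    const target = req.path.slice('/api/v1/users/'.length);
    if (owner !== target) return { status: 403, body: { error: 'forbidden' } };
    return { status: 200, body: { username: target, email: users[target].email } };
  }
  return { status: 404, body: { error: 'not found' } };
}

// Each case: the request to send, the status we expect, and an optional extra
// check on the response. Negative cases also assert on what must NOT leak.
const cases = [
  { name: 'login: valid credentials (positive)',
    req: { method: 'POST', path: '/api/v1/login', body: { username: 'user123', password: 'password123' } },
    expectStatus: 200, check: r => typeof r.body.token === 'string' },
  { name: 'login: wrong password (negative), password never echoed back',
    req: { method: 'POST', path: '/api/v1/login', body: { username: 'user123', password: 'nope' } },
    expectStatus: 401, check: r => !JSON.stringify(r.body).includes('password123') },
  { name: 'login: unknown user gives the same error as a wrong password',
    req: { method: 'POST', path: '/api/v1/login', body: { username: 'ghost', password: 'x' } },
    expectStatus: 401, check: r => r.body.error === 'invalid credentials' },
  { name: 'login: wrong field types (negative)',
    req: { method: 'POST', path: '/api/v1/login', body: { username: 42 } },
    expectStatus: 400 },
  { name: 'profile: no token (authentication)',
    req: { method: 'GET', path: '/api/v1/users/user123', headers: {} },
    expectStatus: 401 },
  { name: "profile: another user's token (authorization)",
    req: { method: 'GET', path: '/api/v1/users/user123', headers: { authorization: 'Bearer tok-other' } },
    expectStatus: 403 },
  { name: 'profile: own token (positive), no secret fields in the response',
    req: { method: 'GET', path: '/api/v1/users/user123', headers: { authorization: 'Bearer tok-user123' } },
    expectStatus: 200, check: r => r.body.email === 'u123@example.com' && !('password' in r.body) },
];

// Run every case and report pass/fail with the observed status.
function runSuite(api, testCases) {
  return testCases.map(c => {
    const res = api(c.req);
    const passed = res.status === c.expectStatus && (!c.check || c.check(res));
    return { name: c.name, passed, status: res.status };
  });
}

// Usage:
// console.table(runSuite(fakeApi, cases));
```

The authorization case is the one most often missing from API suites: a valid token that belongs to a different user must be rejected with 403, not served. Keeping the expected status and the leakage check in the same table makes it obvious when a route quietly starts returning 200 for a request that should have been refused.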
How to Do API Testing
Reviewing the specifications of the API: this means studying how the API functions, what its objectives are, and what one can expect from it.
Determining the requirements of API testing: you must identify the API's testing needs, which requires an understanding of the API's target consumer, its features and functionality, the application's workflow, and the aspects, priorities and problems you are testing for.
Defining the input parameters: you must define the input parameters before executing an API. These parameters provide the information the API needs to do its job and are therefore required for establishing whether the API functions as planned.
Writing test cases for API testing: positive tests verify the API's fundamental functionality using the mandatory parameters, as well as additional capabilities using the optional parameters. Negative tests check how the API reacts to disallowed actions with valid and invalid user input.
Selecting an API testing tool: Postman can be a great tool for monitoring APIs, creating automated tests, identifying and removing bugs and running specific requests.
Sending the request and verifying the response.
AREX is an open-source testing tool (https://github.com/arextest) and a great Postman alternative for API testing. Here is a quick demonstration of testing an API with AREX.
First create a new request:
Add request URL
Enter the URL of the API you want to send the request to in the address field.
Select request method
Once the request is created, the request method is set to GET by default, which means retrieving data from the API.
You can select another method from the dropdown instead.
Query parameters
A query string is a string of characters added to the end of a URL after ? and separated by & to pass additional information to the API.
A typical example is https://www.example.com/search?q=apple&category=fruits, with two key/value pairs.
- Set the query string parameter name in the KEY column.
- Set the query string parameter value in the VALUE column.
Request headers
If you need to send specific request header information with your request, you can add a request header key-value pair.
Request Body
If you want to send data from the client to an API, you need to send the request body data with the request, commonly used in PUT, POST, and PATCH requests.
Writing Scripts
There are two types of scripts, Pre-request Script and Tests, which correspond to the two phases of an API call: before the request is sent and after the response returns.
A Pre-request Script is JavaScript code executed before the API request is sent. It can be used to add authentication information, set a request timeout, check the format of request parameters, and so on. AREX provides commonly used pre-request scripts that can be inserted directly by clicking on them.
Tests are JavaScript code executed after the API request returns data. They are mainly used to test (assert) the correctness of the results returned by the request.
Once you have configured the request parameters, click Send to get the response.
Return Response
The response code, response time (the time in milliseconds it took for the response to arrive from the server) and response size are shown at the top of the response.
Response Body is the body of the response, i.e. the content returned from the server; its data format is JSON by default.
The Raw view allows you to see the raw response body content.
Headers shows the response header information.
If a Test script is set, you can view the results of executing the script in Results.