API stands for Application Programming Interface. Typically, an API facilitates the interaction between two different applications over some means of communication. When APIs are used over web networks, we call them ‘Web Services’. In recent times APIs have become the backbone of programming. Writing APIs so that an application can communicate with a database or with another module is now common practice, which is why testers must test the APIs for maximum test coverage.
As a part of integration testing, API automation can help accelerate testing and increase efficiency. As most companies use RESTful microservices/APIs at the business layer, API testing has become a critical component of the test plan for any release.
In simplest terms, an API is a service that helps two different applications communicate with each other. APIs are mostly used to abstract the business logic and direct database access from any application.
Logically we can segregate the entire system into three layers-
- Presentation Layer – This is the user interface (GUI), which is open to end users. QA performs functional testing at this layer.
- Business Layer – This is the application user interface where the logic is written. In technical terms, this is where the code/algorithm resides. APIs come into the picture at this layer.
- Database Layer – Where the application data is present.
In other words, the API is the brain of our connected world. It is the set of tools, protocols, standards and code that glues our digital world together. Because of their dynamic nature and the capabilities they provide, APIs allow companies to become more agile, things to go mobile, and everything to work together in a streamlined, integrated way. Therefore, API testing is testing APIs at the service level and at the integration level.
Testing Strategy for APIs-
While testing APIs, the tester should concentrate on using software to make API calls in order to receive an output, before observing and logging the system’s response. Most importantly, test that the API returns a correct response or output under varying conditions. This output is typically one of these three:
- A Pass or Fail status
- Data or information
- A call to another API
However, there could also be no output at all, or something completely unpredicted could occur. This makes the tester’s role crucial to the application development process. And because APIs are the central hub of data for many applications, data-driven testing for APIs can help increase test coverage and accuracy.
When testing the API directly, specifying pass/fail scenarios is slightly more challenging. However, comparing the API data in the response, or comparing the behavior after the API call in another API, helps you set up definitive validation scenarios.
API testing is one of the most challenging parts of the whole chain of software testing and QA testing because it works to assure that our digital lives run in an increasingly seamless and efficient manner. While developers tend to test only the functionalities they are working on, testers are in charge of testing both individual functionalities and a series or chain of functionalities, discovering how they work together from end to end.
Types of API Testing-
First identify what types of tests you need to perform on the API. Just as testers do different types of testing for the features of their product, the same goes for APIs. Commonly, testing of APIs includes-
Unit Testing– To test the functionality of an individual operation. For example, Google provides a geocoding API to get the longitude and latitude of any location. It usually takes an address as input and returns the latitude and longitude. For unit testing of this API, the tester may pass different locations and verify the result.
Functional Testing- This type of testing mainly focuses on the functionality of the API. It includes test cases to verify HTTP response codes, validation of the response, error codes in case the API returns an error, etc.
Load Testing- This type of test is necessary where the API deals with huge data and the application is likely to be used by a number of users at the same time. This increases the API hits at the same time, and the API may crash if it is not able to take that load.
Security Testing- Security testing is particularly critical because APIs are used to create a link between two different applications. The core purpose of using an API is to abstract or hide the application’s database from others. This may include test cases such as authorization checks, session management, etc.
Interoperability Testing- This tests that the API is accessible to the applications where it should be. This applies to SOAP APIs.
WS compliance Testing- The API is tested to ensure standards such as WS-Addressing, WS-Discovery, WS-Federation, WS-Policy, WS-Security, and WS-Trust are properly implemented and utilized.
Penetration Testing- This is to find the vulnerabilities of the API from external sources.
Web services/ API Protocols-
If we talk about web services, there are mainly two types of services, or we can say protocols-
REST – REST stands for REpresentational State Transfer. It is new on the block compared to SOAP, which means it must overcome all the problems with SOAP. REST is a lightweight protocol which uses the URL for all the needed information. It uses four HTTP methods to perform tasks-
- Get- To get the information. For example, getting longitude and latitude in the case of a location mapping API.
- Post- To insert some data in the resource.
- Put- To update the resource.
- Delete- To delete from resource.
REST is more widely used nowadays due to its simple and lightweight architecture.
SOAP API- SOAP stands for Simple Object Access Protocol. It uses XML for message exchange. All the information required to perform a task is given in its WSDL, which is Web Service Description Language. SOAP is heavyweight due to its extensive use of standards and XML. The main advantages of SOAP over REST are that it has built-in error handling and it can be used with other protocols like SMTP.
Tools for API testing and Automation
There are several tools to test APIs. When testers get an API to test, they must ask for its documentation; whether it is a REST or SOAP API or a non-web-based API, there should always be a document where the details are written. To approach API testing-
- Ask for Doc
- Write functional or service level cases first
- Write integration tests
- When API is stable enough and passes most of the above tests, perform security, performance and load testing.
- A typical API doc has all the information related to the API, like its request format, response, error codes, resource, mandatory parameters, optional parameters, headers, etc. The doc can be maintained in various tools like Swagger, which is open source, DapperDox, ReDoc, etc.
- After that, try to write service-level cases for the API. For example, if an API takes n parameters to get the response, of which m are mandatory and the others are optional, then one test case should be to try different combinations of parameters and verify the response. Another test case might verify the headers, try to run the API without passing authentication, and verify the error code.
- Next comes the step of integration testing, where you need to test the API and all its dependent APIs or functions. This also includes testing the API response, the data it should return to another API or method, and what happens if this API fails.
- Once the API is stable and functional testing is almost done, the tester can perform load, security and performance testing.
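The service-level cases described above (parameter combinations, header verification, calls without authentication) and the authorization checks listed under Security Testing can be scripted as follows. This is an added example, not code from the original article: the `/geocode` stub, its parameter names and the credentials are constructed so the script runs offline.

```python
import base64, itertools, json, threading
import urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MANDATORY, OPTIONAL = ("address",), ("region", "language")  # hypothetical parameters
GOOD_AUTH = "Basic " + base64.b64encode(b"tester:s3cret").decode()  # constructed
BAD_AUTH = "Basic " + base64.b64encode(b"tester:wrong").decode()
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

class StubAPI(BaseHTTPRequestHandler):
    """Constructed stand-in for the API under test."""
    def do_GET(self):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        if self.headers.get("Authorization") != GOOD_AUTH:
            status, body = 401, {"error": "unauthorized"}  # auth is checked first
        elif any(name not in query for name in MANDATORY):
            status, body = 400, {"error": "missing mandatory parameter"}
        else:
            status, body = 200, {"lat": 0.0, "lng": 0.0}
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())
    def log_message(self, *args): pass  # silence per-request logging

def call(url, params, auth=None):
    """Send one GET and return (status, content_type), error statuses included."""
    request = urllib.request.Request(url + "?" + urllib.parse.urlencode(params))
    if auth:
        request.add_header("Authorization", auth)
    try:
        with OPENER.open(request, timeout=5) as response:
            return response.status, response.headers.get("Content-Type")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type")

def run_service_level_cases():
    """Try every parameter subset with good, missing and wrong credentials."""
    names, results = MANDATORY + OPTIONAL, []
    with HTTPServer(("127.0.0.1", 0), StubAPI) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{server.server_port}/geocode"
        for size in range(len(names) + 1):
            for combo in itertools.combinations(names, size):
                valid = 200 if set(MANDATORY) <= set(combo) else 400
                for auth, want in ((GOOD_AUTH, valid), (None, 401), (BAD_AUTH, 401)):
                    got = call(url, {name: "x" for name in combo}, auth)
                    results.append((combo, auth, got, (want, "application/json")))
        server.shutdown()
    return results  # tuples of (parameters, credentials, observed, expected)
```

Every parameter subset is also sent with missing and wrong credentials and must return 401, which confirms that unauthenticated callers are rejected before any parameter validation happens. To test a real API, point `call` at its URL and take the expected codes from its documentation.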
We often need to automate the test cases which are repeatedly executed, for example regression cases. Similarly, in API testing there might be some cases which we need to execute before every release, and those cases can be automated.
There are many tools for API automation which are quite popular-
- SoapUI
- Katalon studio
- CloudQA TruAPI
SoapUI- It’s a very popular tool for API testing. You can do functional, load, security and compliance tests on your API using SoapUI.
Katalon Studio- Built on the top of Selenium and Appium, Katalon Studio is a free and powerful automated testing tool for Web testing, API testing, and Mobile testing.
Postman- Postman is free and helps you be more efficient while working with APIs. It has all the capabilities to develop and test APIs.
JMeter- Though JMeter is mostly used for performance and load testing, it can also be used for API functional testing to a good extent.
RestAssured- Rest-Assured is a Java-based library that is used to test RESTful Web Services. The library can be included in the existing framework, and its methods can be called directly to fetch the response in JSON format and then perform the required actions.
I am taking an example to explain the steps followed for basic API functional testing. Here I am using the TruAPI tool provided by CloudQA, which is new and gaining popularity-
Step1- To run an API request, you first need to select the Method Type and paste the URL of the API. Press the Send button to send the request to the API, or press the Add API Test button to save the request-
Try this sample Method Type and API URL
- Method Type: GET
- API URL: https://um5fdww2pj.execute-api.us-east-1.amazonaws.com/dev/todos
Step2-Information for API request:
- Most APIs require additional inputs to perform the request, such as parameters, headers, body (JSON), and so on.
- To add parameters to the request, select the respective Parameters tab and press the Add Parameter button to add the required information.
Step3-Sending an API request with authentication:
- In case your hosted API needs authentication, you can go to the Authorization tab, select BasicAuth from the dropdown list (by default it is set to Noauth), and then input the Username and Password. You are now ready to send authenticated requests.
- Every API response consists of different values like status code, body, headers, and the time to complete the API request. The image below shows how the received API response is portrayed.
- In the automation process, it is important that you verify your output using an assertion. To add an assertion in the API Runner, go to the Assertions tab. You can add one or more assertions here.
- Follow these steps to add assertions:
- Choose the response type
- Choose the assertion’s condition
- Input the value to be checked
- You are done adding the assertion
- The Variables tab is useful to store the values that are received in the response to an API request. To save responses, go to the Variables tab and follow these steps:
- Add Variable
- Give a name to the variable for better understanding of the team
- Input the JSON Path of the value to be stored from the response body
- To use the value stored in the variable as the expected value of an assertion, you can use __name of the variable__ in any other API request.
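The assertion and variable steps above can also be expressed in plain Python, which is useful when the same checks have to run in a CI job. This is an added sketch, not TruAPI's implementation: the step format, the condition names, the dotted JSON path syntax and the responses returned by `fake_send` are assumptions made for illustration.

```python
import re

CONDITIONS = {  # assertion conditions (names are assumptions)
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
    "less_than": lambda actual, expected: actual < expected,
}

def json_path(doc, path):
    """Resolve a dotted path such as 'todos.0.id' (simplified, assumed syntax)."""
    for key in path.split("."):
        doc = doc[int(key)] if isinstance(doc, list) else doc[key]
    return doc

def fill(text, variables):
    """Replace __name__ placeholders; an unknown name raises KeyError."""
    return re.sub(r"__(\w+?)__", lambda m: str(variables[m.group(1)]), text)

def run_chain(steps, send):
    """Run steps in order, asserting on each response and storing variables."""
    variables, results = {}, []
    for step in steps:
        response = send(step["method"], fill(step["url"], variables))
        for source, condition, expected in step.get("assertions", []):
            actual = response[source] if source in response else json_path(response["body"], source)
            if isinstance(expected, str):
                expected = fill(expected, variables)
            results.append((step["name"], source, CONDITIONS[condition](actual, expected)))
        for name, path in step.get("variables", {}).items():
            variables[name] = json_path(response["body"], path)
    return variables, results

def fake_send(method, url):
    """Constructed responses standing in for a real API call."""
    if url.endswith("/todos"):
        return {"status": 200, "time_ms": 42, "body": {"todos": [{"id": "a1", "done": False}]}}
    if url.endswith("/todos/a1"):
        return {"status": 200, "time_ms": 17, "body": {"id": "a1", "done": False}}
    return {"status": 404, "time_ms": 5, "body": {"error": "not found"}}

STEPS = [  # hypothetical two-request chain: list, then fetch the first item
    {"name": "list", "method": "GET", "url": "https://api.example.test/todos",
     "assertions": [("status", "equals", 200), ("time_ms", "less_than", 500)],
     "variables": {"todo_id": "todos.0.id"}},
    {"name": "detail", "method": "GET", "url": "https://api.example.test/todos/__todo_id__",
     "assertions": [("status", "equals", 200), ("id", "equals", "__todo_id__")]},
]
```

Calling `run_chain(STEPS, fake_send)` returns the stored variables and one pass/fail entry per assertion. Because `fill` raises on an unset variable, a failed first request stops the chain instead of sending a literal placeholder to the second endpoint.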
View or execute a saved API request:
- When you are in API Runner page use View Saved Tests button to view the saved tests
- Select one or more saved API tests and run the selected tests. By default, the tests show the status information of the last executed run
- Results will show the API execution history
This is a single API execution and automation. For real-world scenarios, we often need to create an API suite consisting of all the regression test cases and run it as a part of regression testing. In agile, it’s crucial to have a suite ready so that it can be integrated with CI and CD.
CloudQA comes with very rich documentation about the tool. All the tools provided by CloudQA are aligned with the idea of “Codeless automation” and are very easy to use for manual testers.
Link for documentation- https://doc.cloudqa.io/TruAPI.html