The Unsung Hero of our Connected World
Part 2: Approaches, Types & Tools
By Tudor Blaga, QC Engineer, Cognizant Softvision
As more organizations are moving towards a micro-service and service-oriented architecture, the need for effective API testing is becoming more and more critical.
Part one of this series covered API basics, REST API, endpoints, web services, and methods. In this second half, we will explore API testing approaches and testing types. We will also reveal some commonly used API testing tools that can help ensure software applications’ smooth functionalities.
How to approach API testing
All API tests should begin with a clearly defined scope of the program as well as a full understanding of how the API is supposed to work. Start with gathering the following information:
- Information about what endpoints are available for testing
- Information about what response codes are expected for successful requests
- Information about what response codes are expected for unsuccessful requests
- Information about what error messages are expected to appear in the body of an unsuccessful request
- Information about the defined input parameters
Once factors like the above are understood, testers can perform the test and compare the expected results to the actual results. Tests should include information on responses like:
- The value of the response/reply time
- Data quality, which is a measure of the condition of data based on factors such as accuracy, completeness and consistency
- Confirmation of authorization
- Error codes
- Status codes
You can find a complete list for API response status codes here.
Types of API testing
Functional testing ensures the API performs exactly as it is supposed to. This test analyzes specific functions within the codebase to guarantee that the API functions within its expected parameters and can handle errors when the results are outside the designated parameters.
Load testing
The point of load testing is to measure where the limit of system performance under high load lies. That’s why we measure response times, throughput, server conditions, etc., while increasing the number of calls.
Soak testing
Load tests that run over a long period of time can reveal system instabilities like API memory leaks. So when you have a weekend ahead, leave automated soak tests running. On Monday, it will show you whether any unwanted behavior has emerged.
Stress testing
The idea is to gradually increase the count of virtual users to find the point at which the API starts throwing errors, slows down, or stops responding.
Spike testing
Contrary to stress testing, here an API undergoes a sudden spike of users. Spike testing checks whether the API is able to stabilize and return to normal functioning after that.
Scalability testing
You want to be sure that your system performance scales according to the changing load. To do so, increase the number of incoming requests and monitor whether it causes a proportional increase in response time.
Peak testing
Similar to soak testing, here you subject your API to the heaviest load while reducing the time of the attack.
Validation testing
Validation testing includes a few simple questions that address the whole project. The first set of questions concerns the product: Was the correct product built? Is the designed API the correct product for the issue it attempts to resolve? Was there any major code bloat — production of code that is unnecessarily long, slow and wasteful — throughout development that would push the API in an unsustainable direction?
Penetration testing
Penetration testing builds upon security testing. In this test, the API is attacked by a person with limited knowledge of the API. This enables testers to analyze the attack vector from an outside perspective. The attacks used in penetration testing can be limited to specific elements of the API or they can target the API in its entirety.
Reliability testing
Reliability testing ensures the API can produce consistent results and the connection between platforms is constant.
Where do you need API testing?
API testing is needed when an application’s functionality is dependent on the integration of multiple APIs. It is needed to ensure that the APIs are working properly and returning the expected results. At points it is also needed:
- During the development process to identify and fix bugs and errors in an early state
- Before deployment to ensure that the APIs are ready for production and will function correctly in the live environment
- After deployment to monitor the APIs for any issues and ensure that they continue to function properly
- Whenever there are changes to services to ensure that no new issues have been introduced
- When integration with third-party APIs is developed to ensure that the integration is successful and that third-party APIs are working properly
- For performance testing, to identify bottlenecks and measure the scalability of the APIs
API testing must be an ongoing process throughout the development cycle and maintenance of the API.
Choosing the right tools
One of the most common struggles of API testing is choosing the right tool. There is no general proper tool for testing. The term “right tool” for API testing is not determined by a particular tool, but rather determined by some key considerations, such as:
- Basic API Requirements: Does it support the majority of the HTTP requests? Can settings and artifacts be imported from one project/test to another to save time?
- Complexity: Make sure the skillsets in your team are able to learn and use the software in the shortest time possible.
- CI/CD Integration: Check its list of integrations to see if the tool works with CI systems your team is using like Jenkins or Bitbucket, and also if it’s native to avoid extra time trying to configure everything.
- Interoperability: Can the tool be connected to communication platforms like Slack; project management systems like Jira; Git for version control or your team’s toolchain?
- Non-technical Friendly: Read the tools’ documentation to see if they support BDD conventions and are able to export easy-to-understand reports.
Recommended Resources
Here is a list of API testing tools that are the most commonly used:
Postman
Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs — faster. For more details visit the Postman website.
Jmeter
Jmeter is easy to use, with a rich interface, able to run on Mac and Windows and has integration with Swagger and RAML formats
Rest-assured
Initially created for performance testing, Rest-assured transformed to an easy to use functional testing tool. Cache and offline replay of test results. Automation works with CSV files of other types of files to create unique parameters values for the API tests at Speed.
Soap UI
A java domain specific language test tool that enables REST services in a simple manner. It is most commonly used to validate responses from requests. Soap UI supports all the REST requests (POST, GET, PUT, DELETE, OPTIONS, PATCH, and HEAD).
Karate
A headless functional testing tool dedicated to API testing, Karate allows users to test REST and SOAP APIs and Web Services with no hassles.
Talend API tester — Free edition
Talend API tester is an API testing tool that assists users in creating scenarios for API-based BDD tests simply without writing definition steps. Formerly known as Restlet, it interacts with REST or simple HTTP APIs through a visual and easy to use GUI. This extension is excellent to use while testing a platform without needing authorization keys in most of the executed calls.
Airborne
Airborne is an API automation testing framework with a Ruby-based RSpec-driven framework. Since Airborne is a programming framework, it has no user interface apart from the text file to create code. In addition, to use Airborne, testers need to remember a few critical methods in the toolset and some Ruby and RSpec fundamentals.
Insomnia
Insomnia is a free cross-platform desktop application that takes the pain out of interacting with and designing HTTP-based APIs. Insomnia combines an easy-to-use interface with advanced functionality like authentication helpers, code generation, and environment variables.
API Fortress
Testers and developers can create and automate functional tests since API Fortress is a continuous platform for API testing. It has an easy-to-use UI for any skill level and supports Test REST, SOAP, GraphQL, and microservices.
Advantages of API Testing
Let’s highlight a few of the major advantages that API testing brings:
API testing plays a crucial role in ensuring the functionality and reliability of APIs. This approach allows for faster and more efficient testing of the application as the API can be tested independently from the user interface.
API testing can also be used to test performance by simulating various loads and stress testing, making repetitive testing easier for changes and updates. It facilitates compatibility testing across different platforms and devices and helps ensure compliance with industry standards and regulations.
API testing is a cost-effective and efficient method, enabling early detection of bugs and errors and reducing the cost of fixing them later in the development process. It also enables testing of the integration between different systems to ensure they work together seamlessly, as well as the security of the code to protect against unauthorized access.
API Appreciation
APIs are an essential part of modern software development, helping easy integration and communication between different applications and systems. As the demand for interoperability and data exchange is continuously growing, APIs will continue to play a critical role in enabling innovation in businesses and applications development, thus making API testing an absolutely crucial process to ensure that the applications are working as expected.
While APIs may not wear capes, they are the true heroes of our connected world. So next time you place a food order through your favorite app or search for cats of the ‘gram’, take a moment to thank the little API that made it possible.
