API automation made easier for a QA engineer

Why API Testing?

API Testing is the best way to test back-end endpoints and integrations. Having a solid API Testing framework in place can reduce some front-end testing needs and creates a solid cross platform testing strategy with mobile applications.

Your software’s API is actually the most important part of the application that you can test because it has the highest security risks, The bottom line is, the stakes when using an API are much higher than if there is just a bug in the UI of your application — your data could be at risk and, by proxy, all of your users’ data.

What Types of API Testing One Can Do?

The best way to approach with API testing is to build a solid testing practice from the bottom up. The API automation tests allow you to test application logic at a level that unit tests cannot.

  • Usability testing: This testing verifies whether the API is functional and user-friendly whether API integrates well with another platform as well.
  • Integration level testing — Integration level will focus on service interfaces and will make sure interface behavior and information sharing working as specified
  • Process Testing — This level covers Business logic, Sequencing, Exception handling.
  • Functionality testing — the API works and does exactly what it’s supposed to do.
  • Security testing — the API has defined security requirements including authentication, permissions and access controls.
  • Load testing — the API can handle a large amount of calls and react properly to edge cases such as failures and unexpected/extreme inputs.
  • Negative Testing — Checking for every kind of wrong input the user can possibly supply.
  • Discovery testing: The test group should manually execute the set of calls documented in the API like verifying that a specific resource exposed by the API can be listed, created and deleted as appropriate
  • Validation Testing — Validation testing is typically done at the very end of the basic development process, specifically after verification of the API’s constituent parts and functions is completed.
  1. Schema validation: To test the entire nested response body to ensure every field is correct.
  2. Data type validation. Confirming the data connected with the payload’s objects are accurate (Ex : If a URL is properly formatted).
  • Contract Based Testing — Contract-based testing are combined to cover each interaction scenario that takes place between the customer and provider endpoints. You’re creating suites of unit tests that validate that your API endpoint connections are functioning properly as expected.
  • Component Testing — Component tests are like unit tests for the API — you have to take the individual methods available in the API and test each one of them in isolation. You create these tests by making a test step for each method or resource that is available in the service contract.
  • Scenario Testing — (My most liked one ;) ) Scenario testing tends to be what most people think about when they think about API testing. In this testing technique, you assemble the individual component tests into a sequence.

Two great techniques for obtaining scenario testing:

  1. Review the user story to identify the individual API calls that are being made.
  2. Exercise the UI and capture the traffic being made to the underlying APIs.

Scenario tests allow you to understand if defects might be introduced by combining different data points together.

Why should one Automate API Testing and Integrate them into CICD pipeline?

With an extensive API test suite (and trust me, having one will help you sleep much better at night). With an API test suite in place with your Continuous Integration you can easily:

  • Test all of your endpoints no matter where they are hosted, from AWS Lambda to your local machine
  • Quickly ensure all of your services are running as expected
  • Confirm that all of your endpoints are secured from unauthorized AND unauthenticated users

So how do you actually put all of this into action? You’ve come to the right place. Read on for a step-by-step API testing tutorial using php framework called codeception, please follow below steps for set up.

Codeception installation :

Globally install codeception, and you can call codecept anywhere from your system.

  1. sudo wget http://codeception.com/codecept.phar -O /usr/local/bin/codecept
  2. sudo chmod +x /usr/local/bin/codecept

RunCodecept bootstrap which creates configuration files for building and running tests against your application.

Create a new api suit

codecept generate:suite api

Below files are generated under your /tests folder :


Test suite configuration :

# tests/api.suite.yml
class_name: ApiTester
- \Helper\Api
- Asserts
# Add the lines below
# Add your base API URL
url: http://host/api/
# Can also be a framework module name
depends: PhpBrowser
# Limits PhpBrowser to JSON or XML
part: Json

Adding helper Methods :

namespace Helper;
class Api extends \Codeception\Module
public function amAuthencticated($username = 'default_user')

Creating a Cest class :

codecept generate:cest api Authentication
use ApiTester;
@group AuthenticationFlow
class AuthenticationCest {
public function createAuthentication(ApiTester $I) {
$I->wantTo('retrieve a single thing');
$I->haveHttpHeader('Content-Type', 'application/json');
$I->sendPOST('thing', ['name' => 'Foo']);
'id' => 1,
'name' => 'Foo'

How one can run api Tests using different codeception commands ?

# Running All suites
codecept run

# Running Only the api suite
codecept run api
codecept run tests/api/

# Running Only AuthenticationCest class in the api suite
codecept run api AuthenticationCest.php
codecept run tests/api/AuthenticationCest.php

# Only createAuthentication test in the AuthenticationCest class
# in the api suite
codecept run tests/api/AuthenticationCest.php:createAuthentication
#Running api tests in group
codecept run api -g AuthenticationFlow
#To Print step-by-step execution while running test
codecept run api -g AuthenticationFlow --steps
#To Print step-by-step and debugs information while running test
codecept run api -g AuthenticationFlow --debug
#Running api from different environments
codecept run api --env apiV2 -g AuthenticationFlow

Some of the main API Automation Benefits :

  • Super fast Execution compare to UI level.
  • A lot of business logic can be covered in API level.
  • Vastly increases your test coverage.
  • Date is exchanged via XML or JSON, so any core languages can be used for automation.
  • Automated api testing helps not only testers also developers, shared automated tests can be used by developers to catch problems quickly.
  • And Of course faster release.

To have a one to one comparison, I suggest you to automate a test in your API suite and UI suite.


Lastly you can NEVER get a 100% test coverage from UI level. To reach there you would need API level tests to make sure every line of code is tested. it allows QA engineers to work on the message and business logic level to test the functionality of the system being developed separately from its UI. As the result, the stability of the system is regularly verified to ensure its stable operation during production and long afterwards.

In my next article’s will be focusing on each type of API testing, first topic to be discussed would be about API security testing : Why one need API security tests and methods of testing API security.

Like what you read? Give Deepika Giri a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.