API stands for application programming interface. An API is a software intermediary, or go-between, that enables two apps to communicate with each other. For example, every time you interact on Facebook, purchase a product on Amazon, or check the news on your phone, APIs are at work.
An API operates like this: when you use an application on your computer or phone, the app connects to the Internet and sends your data to the server. The server downloads the information, interprets it as needed for the app, then returns a response to the phone or computer in a form that you can understand and use.
The reason testers test APIs is to find out if the APIs meet expectations for functionality, security, performance, and reliability. API testing is essential because APIs are the primary interface in application logic and because testers have found that GUI tests (graphical user interface tests) are challenging to maintain and provide limited coverage, given the recurrent changes in DevOps and Agile software and abbreviated release cycles. Companies have found that adding API testing significantly expands their application test coverage.
Testers test APIs directly, in other words, in isolation, and as a component of end-to-end testing in integration testing. Outside of RESTful APIs, transactions include various endpoints, for example:
Testers test APIs that a development team produces. In addition, they test the APIs the team uses in the application, including any third-party APIs. The tests determine if the APIs return the appropriate responses in the correct format for a wide range of conceivable requests and if the APIs react appropriately to unusual or extreme inputs and to failures. Testing normally includes SOAP web services or REST APIs with XML or JSON message payloads sent over JMS, HTTP, HTTPS, and MQ. Other message formats testers use during tests are EDI, FIX, and SWIFT.
Typical API automated testing involves the following:
For details about the specific tests that developers use to test APIs, see the Types section below.
Machine-to-machine and headless communications are standard in modern software architectures, as are associated application programming interfaces. This means practically every industry that runs on software benefits from using API software testing to verify correct operation.
In order to cover all the bases, testers employ a range of tests to test APIs. Here are the main ones.
To help APIs perform reliably, including on security, we present five top test practices.
A high level of automation provides an array of functional test scenarios which you can replicate systematically.
Use an intuitive interface to automate complicated cases over databases, microservices, the messaging layer, etc. This includes:
Therefore, it’s essential to recognize when API changes occur and easily, quickly, and accurately update test assets to align.
The key is to develop a system that assesses changes needed for current tests and then updates them or even creates new tests. This can substantially reduce the time and effort it takes to be sure that your tests do not fail as a result of unexpected changes and that they don’t ignore new functionalities.
This allows you to create simulated test cases, which in turn allows you to view behaviors of dependent resources that you may have a hard time accessing, that you may have difficulty configuring for testing, or that are not yet available.
These resources might be web services, databases, mainframes, or third-party applications, among others. You can use service virtualization together with OS and hardware virtualization to gain access to the required environments. Combined, this allows you to test faster, earlier, and more thoroughly.
You can apply service virtualization in two ways with regard to API testing:
APIs are highly exposed. Thus, a great potential for volatile and unpredictable traffic exists. It’s wise to use broad performance testing to determine if your API meets expectations when it encounters surging demand or erratic behavior. Here are some examples.
Service virtualization allows you to create simulated test scenarios that assist you in testing various performance environments that are normally problematic to create in a test situation. You can test conditions like timing, delay, and latency to replicate typical, peak, and slow performance in an effort to plan for a cloud burst or someone accessing the API from a remote location on another continent.
In addition, you can create various failure and error situations that testers often find hard to reproduce in the actual program. For example, if your APIs use Amazon Web Services, you can create a scenario that simulates a situation where AWS is offline.
You can also configure a wide range of situations in dependent systems in order to discover if your APIs deliver proper responses under non-ordinary conditions and also if they fail gracefully.
You may replicate links to third-party applications, which removes the risk of your tests affecting services that you are not normally allowed to send test data to or for which you are not budgeted.
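The simulated latency and offline-dependency scenarios described above can be sketched with nothing more than Python's standard library. This is an added example, not Parasoft's tooling or code from the original page; `VirtualDependency`, `get_quote`, the `/quote` path, and the payload are hypothetical names and constructed sample data.

```python
import json, threading, time, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

class VirtualDependency:
    """Simulated dependent service (hypothetical); mode is switched per scenario."""
    def __init__(self):
        self.mode = "normal"  # "normal" | "slow" | "offline"
        outer = self
        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                if outer.mode == "offline":
                    return self.send_error(503, "simulated outage")
                if outer.mode == "slow":
                    time.sleep(0.5)  # simulated latency, longer than the caller's timeout
                body = json.dumps({"price": 42}).encode()  # constructed sample payload
                try:
                    self.send_response(200)
                    self.send_header("Content-Length", str(len(body)))
                    self.end_headers()
                    self.wfile.write(body)
                except OSError:
                    pass  # caller already gave up and closed the connection
            def log_message(self, *args): pass  # keep test output quiet
        self.server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
        self.url = "http://127.0.0.1:%d/quote" % self.server.server_port
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def stop(self):
        self.server.shutdown()
        self.server.server_close()

def get_quote(dep_url, timeout=0.2):
    """Hypothetical API logic under test: it must degrade, not crash or hang."""
    try:
        with urllib.request.urlopen(dep_url, timeout=timeout) as resp:
            return {"status": 200, "price": json.load(resp)["price"]}
    except urllib.error.HTTPError as exc:
        return {"status": 502, "error": "dependency returned %d" % exc.code}
    except OSError:  # covers URLError and socket timeouts
        return {"status": 504, "error": "dependency unavailable or timed out"}

def run_scenarios():
    dep, results = VirtualDependency(), {}
    try:
        for mode in ("normal", "slow", "offline"):
            dep.mode = mode
            results[mode] = get_quote(dep.url)
    finally:
        dep.stop()
    return results
```

Each scenario asserts on the status the API returns to its own caller, so a hang or an unhandled exception in the slow or offline case shows up as a test failure rather than a production incident.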
APIs unfortunately offer a large attack surface. To help stop attackers and major security problems, use a multi-faceted test approach. This ensures that you have written the necessary measure of security into the application. The approach includes:
As a money saver, service virtualization allows non-security experts to perform tests because they are not writing code but simply executing proven tests in a wide variety of scenarios. And service virtualization enables you to target your API’s responses to a variety of dependency security behaviors and in numerous attack situations.
Here are two examples of situations in which you would want to perform API tests.
When a person opens an app like Instagram or Twitter, the app asks her to sign in. She can do this on the app itself or via Facebook or Google.
When the user employs either of these two web sources, it’s understood that the app has an agreement with Facebook and Google, so the app can access some of the information about the user that she has previously supplied to the sources.
Testers can test the APIs that give the app the ability to access the information it needs. The tester can also test to make sure the social media app works with Facebook and Google successfully to give the user access to the app.
When a person uses a web service like Kayak or Expedia to book airline tickets, he anticipates that he’ll see cheap flights for the date he needs to fly.
The travel app has to communicate with the participating airline companies to show the traveler the best flight times and prices. APIs make this happen.
Testers can test to make sure the APIs that give the travel app the ability to communicate with the airline companies are working correctly and that the app is supplying the proper information to the user.
The testers can test to make sure the APIs that help book the flight are working as expected and verify the payment component – the tester can test the APIs that allow the app to communicate with credit card companies and properly process payments, and those APIs that keep the user’s personal and financial data safe.
Testing APIs focuses on ensuring that a development and QA team does what it is supposed to do, guaranteeing that applications perform and function properly, and are reliable and secure.
Automated API testing avoids human error and drudgery and is therefore far superior to manual testing. To prevent bugs early in the software development lifecycle, we recommend incorporating automated API testing into your continuous integration testing pipelines.
Get details and guidance on choosing the best API testing platform for your organization in the whitepaper, How to Choose the Right API Testing Solution.
Parasoft’s API testing platform is widely recognized as best-in-class, with innovative tooling and broad support for over 120 message formats and protocols. With visual drag-and-drop tooling, users can create the most complex test scenarios without having to write a single line of code. Things like test flow logic, complex assertions, looping, data driving, and keyword association, such as BDD with Cucumber, can all be easily built with minimal technical experience.
Additionally, API test suites can be reused for nonfunctional validation, including load, performance, and API security testing. This increases application coverage and quality with minimal rework and effort.
Testers perform API testing almost entirely on an app’s business layer, between UI and data sources. Ideally, they test all of these layers.
No major limitations exist, but you need to have a good API testing skillset to be a tester.
API testing consists of three main steps.