In recent years, the technological needs of consumers have exponentially increased, forcing companies to build applications that are more scalable, secure, multi-threaded and faster to respond than ever before. To ensure all these attributes are present in consumer applications, APIs were created, providing developers with the ability to tap into external programs instead of creating a new one from scratch.
APIs, or application programming interfaces, provide a level of abstraction by exposing only the data needed to communicate with another system. For example, Google’s Maps API is used by many organizations to provide Google Maps functionality, rather than companies building their own map applications. The same holds true for Mint, the finance application that connects to different banks via APIs to fetch required customer data.
The growth of new software development techniques such as microservices has served as a catalyst in the API movement by removing dependencies and establishing easier data exchange between different software components.
More often than not, organizations overlook testing APIs because they opt to focus on other aspects of the system, such as the UI, databases, application code, security and performance. API testing is also bypassed because it is time-consuming and requires certain specialized skill sets, tools and approaches.
But like the ugly duckling from Hans Christian Andersen’s timeless tale, API testing shouldn’t be overlooked. Organizations often fail to realize the critical importance of APIs and the impact of their failure in production.
Here are some different aspects of testing APIs and what to specifically look for when performing this kind of testing.
Develop an API Testing Strategy
Before testing APIs, the following questions should be discussed by teams to get a better understanding of what needs to be tested:
- Is the API public-facing or internal?
- Who is the target audience of the API?
- Is it necessary to integrate with components outside the system or application?
- What are the endpoints and value types?
- Where is the data coming from? Can the data be accessed freely, or is a particular key or authentication required?
- How can the expected result be verified? How will it be determined if the API has performed as intended under the specified circumstances or scenarios?
- Is the API logic simple, or is it more sophisticated, with dependency-based decisioning?
- Under what conditions is a site, application or function most likely to fail?
The answers to these questions will help you to plan the API testing effort more effectively.
Cover 3 Aspects of API Testing
There are three major aspects to cover when performing API testing.
To test API connectivity, make a call to the API using its URL. If a 200 response is returned, the API is connected. If no response is returned, or a connection failure error is returned, then connectivity failed, meaning the request was not received by the server.
All API calls return different status codes indicating what happened during the interaction. This serves as a reference to see whether the APIs are working as intended.
These are the main status codes to pay attention to while doing API testing:
- 400 BAD REQUEST: Generic error that is returned when no other 4xx status code is appropriate, such as for domain validation errors, missing data or improper API requests
- 401 UNAUTHORIZED: Missing or invalid authentication token
- 403 FORBIDDEN: The user is not authorized to perform the operation
- 404 NOT FOUND: The requested resource is not found—it may not exist, or there may have been a 401 or 403 error and, for security reasons, the service masks it as a 404 error
- 409 CONFLICT: Resource conflict, such as when duplicate entries are found or an attempt is made to delete root objects when cascade-delete is not supported
- 500 INTERNAL SERVER ERROR: General catch-all error when the server side throws an exception and the consumer cannot identify the exact error from their end
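The connectivity and status-code checks described above can be written as a small table-driven test. This is an added example, not code from the original article: the stub server, the /orders and /admin/users paths and the tokens are constructed stand-ins for a real API under test.

```python
import threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKENS = {"admin-token": "admin", "user-token": "user"}  # constructed credentials
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

class StubAPI(BaseHTTPRequestHandler):
    """Constructed stand-in for the API under test."""
    def do_GET(self):
        role = TOKENS.get(self.headers.get("Authorization", ""))
        if role is None:
            code = 401  # missing or invalid authentication token
        elif self.path == "/admin/users" and role != "admin":
            code = 403  # authenticated, but not authorized for this operation
        elif self.path in ("/orders", "/admin/users"):
            code = 200
        else:
            code = 404  # resource does not exist
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def call(url, token=None):
    """Return the HTTP status code, or None when no response arrives at all."""
    headers = {"Authorization": token} if token else {}
    try:
        with OPENER.open(urllib.request.Request(url, headers=headers), timeout=2) as r:
            return r.status
    except urllib.error.HTTPError as err:  # server answered with a 4xx/5xx
        return err.code
    except OSError:  # refused or timed out: connectivity failure
        return None

# (path, token, expected status) for each scenario worth pinning down
CASES = [("/orders", "user-token", 200), ("/orders", None, 401),
         ("/orders", "bogus", 401), ("/admin/users", "user-token", 403),
         ("/admin/users", "admin-token", 200), ("/missing", "user-token", 404)]

def run_checks():
    """Return (list of mismatching cases, status seen once the server is down)."""
    server = HTTPServer(("127.0.0.1", 0), StubAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    failures = [(p, t, want, got) for p, t, want in CASES
                if (got := call(base + p, t)) != want]
    server.shutdown(); server.server_close()
    return failures, call(base + "/orders", "user-token")
```

Calling run_checks() returns an empty failure list when every case matches, plus the result of one call made after the stub is shut down, which is None because no response was received.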
An API’s performance can be its most valuable feature. Each time an API request is made, the response must be returned in a matter of milliseconds.
Depending on the application, thousands if not millions of API requests can be made at a time, as in the case of Facebook, Google and Twitter. Therefore, APIs should be able to handle large amounts of load without failing. If the API does not have fast response times and is unable to handle large numbers of requests, it is essentially worthless.
Choose Your API Testing Tools
There are various approaches and tools to test APIs. Some APIs can be tested using standalone tools meant specifically for API testing, and other tools enable API testing to be performed along with other kinds of testing using additional code.
We are living in a world of APIs. Every second there are thousands of API calls happening in the back end without us even noticing it. Performing API testing is a critical part of the overall testing process, and it is about time we start paying attention to it.