API Testing Tools and Best Practises

December 17, 2018 

API Testing Tools and Best Practises

What is API Testing?

An application programming interface, or API, attempts to connect an application to the web and different APIs.

An application made of three primary parts that work and communicates in a segmented to swap out for other -

Data Tier - Where data obtained from the database and file system and after that stored.

Logic Tier - This is the brain of the application. It processes the data between the layers, organizing the application, processing commands, and taking logical decisions. This layer made of the API.

Presentation Tier - The top layer of the app is the UI, translates tasks into something the user gets.

API is the brain of the connected world. It is the set of tools, standards, protocols, and code that attaches digital world.

Subsequently, API testing is testing that APIs and the integrations they enable work in the ideal manner. This form of testing concentrates on utilizing software to make API calls to get output before observing and logging the response. In particular, this tests that the API returns a correct response or output under varying conditions. This output is usually one of these following -

  • A Pass or Fail status
  • A call to another API
  • Data or information

However, there could be no output at all or something entirely unpredicted occurs. It makes the tester’s job essential to the application development process because APIs are the central focal point of data for some applications, data-driven testing for APIs enable increment test coverage and accuracy.

API testing is the most challenging parts of the entire chain of software testing and QA testing because it works to ensure that digital lives run in an increasingly seamless and effective manner. While developers tend to test just the functionalities they are working on; testers are in charge of testing both individual functionalities and an arrangement or chain of functionalities, discovering how they work together from end to end.

Many web-based platforms and Software as a Service (SaaS) organizations have made distinctive APIs to enable customers to cooperate with and consume data from the stage on their terms. APIs typically allow the machine to machine communication utilizing industry standard languages or file formats. APIs free end users from the bounds of using a default interface and allow controls and outputs integrated into their dashboards and custom applications as well as automating common functions and procedures.


Types of API Testing

  • Functionality testing- the API works and what it’s supposed to do.
  • Reliability testing - the API consistently connected to and lead to consistent results
  • Creativity testing - the API handles used in different ways.
  • Load testing - the API handles a large number of the call.
  • Security testing - the API has defined security requirements including authentication, permissions and access controls.
  • Proficiency testing - the API increases what developers can do.
  • API documentation testing - also called discovery testing, the API documentation easily guides the user.
  • Negative Testing - Checking for every kind of wrong input the user can supply.

Some examples of negative tests are -

  • Send a request with the wrong HTTP verb.
  • Send a request with a body that has missing required fields.
  • Send a request with a body that has invalid field values.
  • Send a request without the proper authorization.
  • Send a request with the wrong endpoint.
  • Request data for a record that does not exist.
  • Send a request with missing headers.
  • Send a request with the wrong headers.

How Does API Testing Work?

A REST request composed of the following parts -

  • An HTTP verb that determines what action to take.
  • A Uniform Resource Locator (URL) that specifies the location of the request.
  • HTTP headers that give data to the server about the request.
  • A request body provides further details for the request (sometimes empty).

Here are the most usual HTTP verbs -

  • A POST request adds a new record to a database.
  • A GET request fetches a record from a database.
  • A PUT request replaces a record with a new one.
  • A DELETE request remove a record from a database.
  • A PATCH request replaces part of a record with new information.

The URL used in the request clears up which type of record modified by request. For example, a GET request used utilized with the URL: https://www.example.com/cars/1.

  • Return record number 1 in the table of cars.
  • The end of the URL determines an endpoint—a data object used in the API. In this example, the endpoints would be /cars.

HTTP headers can give information to the server such as -

  • Authorization: credentials of the user making the request.
  • The Host: Includes domain and port number of the user making the request.
  • The Content-Type: the format of the data given in the body of the request.
  • The request body is utilized when making a POST, PUT, or PATCH requests.

The body determines precisely what data added to the database. It is generally in JavaScript Object Notation (JSON) or Extensible Markup Language (XML) format.

Here is a case of what a JSON request body might look like for making a POST request for that adds a customer to a database -


{
“firstName”: “your first name,”

“lastName”: “your last name,”

“emailAddress”: “abc@example.com.”
}

Understanding the parts of a REST request help software testers details requests for testing purposes. Merely understanding that clicking the “Send” button in a form will send a POST request is not sufficient; to truly test an API, a tester should understand how to create and send a request without relying on the UI.

It’s also essential to understand what to expect as a response when a test request is sent; otherwise, the tester will have no idea of knowing if the API is functioning correctly.

The response to REST request is the data that the server sends back after it has received and processed the request. It will include HTTP headers that define the response, a response code that represents the success or failure, and a response body that incorporates requested or relevant information (this can sometimes be empty).

The HTTP headers in the response give information to the requesting party such as -

  • Access-Control headers - Tell the requester what kinds of requests and headers allowed.
  • The Content-Type - Includes format of the information returned in the response.
  • The Server - That responded to the request.

Response codes are three-digit codes used to defines the result of the REST request. The most well-known response codes come in one of these three categories -

  • 200-level responses show that the request received, understood, and processed.
  • 500-level responses indicate some server error.
  • 400-level responses indicate that the request got, but that there was an error from the client.
  • The response body changes by kind of request made and whether there was an error in the request.

A successful GET request will restore a body that has the data requested. An active POST request might return a body that echoes the body sent with the POST, or it may restore an empty body with a 200-level response code. A request that returns an error might have an error message in the body of the result.


Benefits Of API Testing

API testing provides several key advantages to improve the coverage of the test cycle, conserve resources and more efficient releases. Based on project timeline, integration requirements, and desired functionality, API testing is usually a useful approach when testing application in-house or with an offshore QA team.

Test for Core Functionality

The first major benefit of API testing is access to the application without a UI. Testing the core, code-level functionality of the application gives an early estimate of its overall build strength before running GUI tests. This helps uncover the small errors that can faster and become larger issues during GUI testing. This is especially advantageous if performing API testing with an offshore QA team.

Time Effective

API testing is far less time to consume than functional GUI testing. In GUI testing, web page elements must be polled, which slows the testing process down immensely.

API test automation requires less code and thus provides better, faster test coverage than automated GUI tests. The result of more rapid testing is a reduced overall testing cost.

Language-Independent

In an API test, data is exchanged using XML or JSON. These transfer modes are completely language-independent, allowing to select any core language when pursuing automated testing services for the application.

Easy Integration with GUI

With API testing, highly integrable tests are possible. This is especially beneficial if plan to perform functional GUI tests following API testing. For example, easy integration would allow for the creation of new users within the application before the start of a GUI test.

Technology-Independent

In an API test, the data is interchanged using XML or JSON and compromised of HTTP requests and responses. These all are technology independent and used for development. Thus an API test allows selecting any core language when using automated API testing services for the application.

Cost Effective / Reduces Testing Cost

API test automation requires less code than GUI automated tests thus providing faster test results and better test coverage. The end result of faster testing is a reduction in overall testing costs. Testing the API level functionality of the application provides an early evaluation of its overall build strength before running GUI tests. Early detection of errors reduces the manual testing cost. API test automation increases the depth and scope of the tests.


Why API Testing Matters?

API testing matters because of following reasons -

Pushing it To the Limit

What are the breaking points of the API’s tolerances, and what does it do when pushed through breaking points? Test it to discover how it handles illogically large amounts of data (coming or going), including extremely long strings and numbers. How can it handle non-ASCII characters, double-byte fonts, or data of a type that would not expect it to recognize? If it includes Real-Time input or output, how does it handle extremely high (or low) streams of data? What does it do when sending it a request with out-of-bounds, inappropriate, or badly-formed data in the parameters?

Handling Trouble

One of the essential items that should be testing for is how the API handles issues when they do come up. Firstly, does it crash, or does it handle the issue? If it does crash, how bad is the crash? Under ordinary circumstances, never dispatch anything that’s capable of blue-screening the operating system — yet it happens. Likewise with any other kind of software, if an API fails, it should fail easily, closing itself down, showing the appropriate system messages, and letting go of any processes. It shouldn’t just disappear without warning, and it shouldn’t hang any applications.

Fail, or Catch the Problem?

Ideally, the API should take any issues and handle them, rather than failing. It should recognize bad or out-of-bounds input or output and filter it, deny it, or otherwise prevent it from doing damage. An API sends the appropriate error message to the calling program, providing that program to handle the problem correctly. Error messages provide the calling application with enough information to understand and correct the problem, if possible. It manipulates all overflow conditions without providing an actual buffer overflow, particularly since buffer overflows are a popular point for unauthorized entry into a system.


How to Adopt API Testing?

Manual Api testing - Postman

Download Postman. It’s free, and it works on Mac, Windows, and Linux machines.

The API documentation for application handy.

Documentation should include -

  • Method (POST/PUT/GET/DELETE/etc)
  • URI
  • Headers
  • Body

Select header in Postman, and automatically add the appropriate Header. Once selected the option, Postman enters name/value pairs for grant type, username, and password (example for login).

Make the first call to the login endpoint to get token (later pass the token to subsequent calls, API knows login).

Looking at the login documentation, see this is a POST request. If it were a GET, pass username and password through a URL. To assure everything runs smoothly, make sure of the following settings -

  • URL - http://your.URL/xyz/
  • Method - Post

Click on the Body tab. Set the request to x-www-form-urlencoded (these are simply different standard ways to pass data in the body of the HTTP request) – and clicking the radio button sets an HTTP header field.

Content-Type to be application/x-www-form-urlencoded.

Now set 3 names/value in the Body -

  • grant_type - password
  • username - your username
  • password - your password

Save it into a Postman Collection to reuse it later. To make a new Postman Collection, tap the folder symbol the plus(+) in the panel.

Once created the collection, save call by clicking the “Save” button on the top right of the screen (Standard OS shortcut works as well).

Automated API Testing: Robot framework

When a complete suite of positive and negative tests made, automation set up.

RESTinstance library relies on Robot Framework language-agnostic, natural language syntax for API tests. The REST instance library elementary to use. When open RIDE/ Pycharm (IDE that Robot Framework commonly uses) and create a new test suite to import the REST instance library in the settings section.

Use the request library also. To start with, need a product to test via a REST API, and pick one that returns a JSON. For example, a GET on http://your.URL/xyz/ should return -


{"api": "rest",
"framework": "robot-framework"}
Here is how we checked the response of that endpoint in requests library:

*** Settings ***


Library Collections
Library requests

*** Test Cases ***


simpleRequest
${result} = get http://your.URL/xyz/
Should Be Equal ${result.status_code} ${200}
${json} = Set Variable ${result.json()}
${framework} = Get From Dictionary ${json} framework
Should Be Equal ${framework} robot-framework
${api} = Get From Dictionary ${json} api
Should Be Equal ${api} rest

Run - pybot -d Results Tests/main.robot


Best Practises of API Testing

Best practices that make the testing process quicker, smoother, and more collaborative -

Create a client for SUT (System Under Test) before adding tests.

You want to avoid repeating code, but many tests require to address the same components or address similar actions. In these cases, create a common library or resource file to wrap test requests with making the usage shorter and more straightforward in the process.

Clarity

Write clear tests that easily empower debugging.

While tests run effectively, they require no attention or time. At the point when tests start failing, resources need to be allocated to find the cause of failure. This process might be time-consuming during the development and go as far as pushing deadlines or cutting new features from the product.

Why do tests fail?

  • Unstable test (race condition in the test)
  • Environment failure or limitation
  • Flawed automated test
  • Unstable functionality (race condition in the product)
  • Flawed functionality
  • Changes to the product without change to test
  • To save resources and optimize the process, reviewing should be made a priority when creating the test.
  • Each component tested independently for every available configuration.
  • The failure state of the test should appear in the response or report.
  • If possible, the results of the failure saved and available in the system so that data tracked back.
  • All the additional information included in the report.

Mapping and Execution

Design the tests to run under different configuration options. This test should be, so the system does not restrict that. It should be configurable to keep running in any of working environments under different configurations and give a clear picture for each with a split report.

The more adaptable the tests are, the less effort required when version part, based on different customer demands or when there is a significant change in the product behavior under different configurations/conditions.

Prerequisites and Cleanup

To concentrate on the components right now under test, split the test into three sections -

Prepare (Setup)

Setup generates all the conditions and resources required for testing the segment under test. Failures in setup should not show the test as failed but as “Not Executed” because that implies that the failure encountered is in a different component and not the component currently under test.

Execution (Test)

Execute the test that utilizes/relies on the prepared components. Verify/assert the result matches the expected result.

CleanUp (Teardown)

Teardown is the post-test stage in which delete or reset system resources that were made or modified as a component of the test. The exception to the data required for the debugging process in case of a test failure.


API Testing Tools

The open source tools include -

Manual API Testing tool - Postman

A postman is an excellent tool for prototyping APIs, and it furthermore has some great testing features. Postman is a Google Chrome application for interacting with HTTP APIs. It presents a friendly GUI for constructing requests and reading responses. It allows for repeatable, reliable tests automated and used in a variety of environments and includes useful tools for persisting data and simulating how a user might be interacting with the system.

Automated API Testing tool - Robot Framework

Robot Framework is a test automation framework used for acceptance Test-Driven Development (ATDD), and Acceptance testing. It has simple-to-use tabular test data syntax, and it uses the keyword-driven testing approach. Its testing abilities extended or reached out by test libraries executed either with Python or Java, and users make new higher-level keywords from existing ones using the similar syntax used for creating test cases. Robot Framework hosted on GitHub to find further documentation, source code, and issue tracker.