API Testing Basics: Concepts and Challenges
In today’s world of software, API usage has reached unprecedented levels. One reason for this is the wide use of service-oriented architectures (SOAs), which rely on APIs. Another reason is the ever-increasing interconnectedness of the digital world and the need to support these connections. All of this makes API testing as important as ever.
Types of API tests
APIs may have different architectures and may use various protocols. People who build and use APIs distinguish between REST, JSON-RPC, XML-RPC, and SOAP APIs, depending on their architectural style and protocol. By far the most widely used type is the REST API, built for accessing web apps over HTTP.
When it comes to testing REST APIs, it’s customary to run the following types of tests:
- Contract testing
- Performance testing
- Integration testing
- Security testing
- Exploratory testing
Now let’s look at them in greater detail.
API contract testing
Any API is a set of rules, according to which the service receives requests and generates responses. Such a set of rules is called a “contract” or “pact”. Contract testing means ensuring that both the API producer and the API consumer follow the rules stated in the contract.
API performance testing
Performance testing measures an API’s performance under normal as well as extreme conditions. It includes speed/latency testing, standard load testing as well as stress, spike, peak, and soak testing, which are different ways of dialing up and down the flow of traffic to an API. Particular attention should be paid to apps hosted in the cloud: you should check that the app scales up and down automatically without issues.
API integration testing
In the traditional sense, integration testing is assessing how all modules of an application perform “as a team”. In terms of APIs, this type of testing helps determine whether different APIs work as expected when used together in a system. These tests are very important and hard to perform, since you need mock services that mimic all existing API integrations.
API security testing
An API is “a backdoor” into your application, so it’s important that it’s safe from being misused by bad actors for hacking purposes. During security testing, the tester should also ensure the API has adequate error handling and doesn’t break down when sent faulty/unacceptable requests.
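The error-handling check described above can be written as a negative test. This is an added example, not code from the original article: the `handle_create_user` handler, its field names, limits and the faulty requests are all constructed for illustration. Each faulty request must get a 4xx response whose body carries no internal detail.

```python
import json
MAX_BODY = 1024  # assumed size limit for this constructed handler

def handle_create_user(raw_body: bytes):
    """Constructed stand-in for an API endpoint: returns (status, body)."""
    try:
        if len(raw_body) > MAX_BODY:
            return 413, {"error": "payload too large"}
        try:
            data = json.loads(raw_body.decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            return 400, {"error": "malformed JSON"}
        if not isinstance(data, dict):
            return 400, {"error": "expected a JSON object"}
        name, age = data.get("name"), data.get("age")
        if not isinstance(name, str) or not 1 <= len(name) <= 64:
            return 422, {"error": "invalid name"}
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(age, bool) or not isinstance(age, int) or not 0 <= age <= 150:
            return 422, {"error": "invalid age"}
        return 201, {"name": name, "age": age}
    except Exception:
        # Catch-all: the caller never sees a traceback or exception text
        return 500, {"error": "internal error"}

FAULTY_REQUESTS = [  # constructed faulty requests a tester would send
    b"",                                  # empty body
    b"{not json",                         # syntax error
    b"\xff\xfe\x00",                      # invalid UTF-8
    b"[1, 2, 3]",                         # wrong top-level type
    b'{"name": "", "age": 30}',           # empty name
    b'{"name": "bob", "age": "30"}',      # wrong type for age
    b'{"name": "bob", "age": true}',      # bool posing as int
    b'{"name": "bob", "age": -1}',        # out of range
    b'{"name": "' + b"a" * 2000 + b'", "age": 1}',  # oversized body
]
LEAK_MARKERS = ("Traceback", "Exception", ".py")

def run_negative_tests():
    """Return a list of failures; empty means every faulty request was handled."""
    failures = []
    for req in FAULTY_REQUESTS:
        status, body = handle_create_user(req)
        text = json.dumps(body)
        if not 400 <= status < 500:
            failures.append((req[:20], "status", status))
        if any(marker in text for marker in LEAK_MARKERS):
            failures.append((req[:20], "leak", text))
    return failures
```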
API exploratory testing
Exploratory testing is testing an application through the user interface. With regard to APIs, exploratory tests are run from the programming interface (since “the user” is the programmer in this case) or through tools like Postman to inform the tester of any defects in the API.
Some of these tests may be automated, and some may be performed manually. At the same time, since an API is not your typical application meant for humans, API testing presents unique challenges.
API testing challenges
API testing is a world in and of itself. Not every QA team can do it successfully – unless they are ObjectStyle’s QA squad 😉 That’s because testing APIs is associated with a number of difficulties. Here they are:
1. Maintaining API inventory
You need to maintain an inventory of all APIs used in the system and keep track of changes introduced to them. This involves careful versioning of APIs and ensuring backward compatibility. Maintaining API inventory is easier said than done, since these changes are often not described in user stories or other generic backlog items.
2. Call sequencing
Sometimes, API calls need to appear in a certain order for the app to work correctly. For example, the user signs up for an account by following a sequence of steps. If API calls are made in the wrong order (say, a call for sending a confirmation link is made before the call for submitting the signup form), the entire process may fail. The tester should confirm that API calls occur in the right sequence and that, if the process has changed, the APIs have been updated accordingly.
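A sequencing test for the signup flow described above, as an added example that is not from the original article: the `SignupFlow` class, its step names and the status codes are assumptions. It replays every ordering of the calls and confirms that only the intended order succeeds, and that a rejected call leaves the flow's state untouched.

```python
from itertools import permutations

class SignupFlow:
    """Constructed in-memory signup API that enforces call order per account."""
    ORDER = ("submit_form", "send_confirmation", "confirm")  # assumed step names

    def __init__(self):
        self.completed = {}  # email -> number of steps already completed

    def call(self, step, email):
        """Return an HTTP-style status code for one API call."""
        if step not in self.ORDER:
            return 404
        done = self.completed.get(email, 0)
        if self.ORDER.index(step) != done:
            return 409  # out of sequence or repeated: reject, change no state
        self.completed[email] = done + 1
        return 200

def replay(calls, email="user@example.test"):
    """Run a list of calls against a fresh flow and return the status codes."""
    flow = SignupFlow()
    return [flow.call(step, email) for step in calls]

def orders_that_succeed():
    """Try every ordering of the steps; return those where all calls got 200."""
    return [p for p in permutations(SignupFlow.ORDER)
            if all(s == 200 for s in replay(p))]

def recovers_after_rejection():
    """A rejected early call must not advance or corrupt the flow."""
    return replay(["send_confirmation", *SignupFlow.ORDER])

if __name__ == "__main__":
    print(orders_that_succeed())
    print(recovers_after_rejection())
```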
3. Testing parameters & validating data
API calls include various parameters that need to be tested alone and in different combinations. With each new parameter, the number of parameter combinations goes up. And you have to test them all. Another time-consuming task is making sure that API calls return valid data, that is, that the returned values are within the acceptable range, length limits, and other criteria.
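A parameter-matrix test for the two tasks described above, as an added example that is not from the original article: the `list_items` endpoint, its parameters, limits and the test values are constructed. It runs every combination of valid and invalid values, checks that a call succeeds only when all parameters are valid, and validates the range and length of the data each successful call returns.

```python
from itertools import product

def list_items(page, per_page, sort):
    """Constructed endpoint under test: returns (status, payload)."""
    if not isinstance(page, int) or page < 1:
        return 400, {"error": "bad page"}
    if not isinstance(per_page, int) or not 1 <= per_page <= 100:
        return 400, {"error": "bad per_page"}
    if sort not in ("asc", "desc"):
        return 400, {"error": "bad sort"}
    start = (page - 1) * per_page
    ids = list(range(start, min(start + per_page, 250)))  # 250 constructed rows
    if sort == "desc":
        ids.reverse()
    return 200, {"items": [{"id": i, "name": f"item-{i}"} for i in ids]}

# (value, is_valid) pairs per parameter; constructed test data
CASES = {
    "page":     [(1, True), (3, True), (0, False), ("1", False)],
    "per_page": [(1, True), (100, True), (101, False), (None, False)],
    "sort":     [("asc", True), ("desc", True), ("up", False)],
}

def run_matrix():
    """Test every combination; return (combinations_run, failures)."""
    failures, count = [], 0
    for combo in product(*CASES.values()):
        count += 1
        args = {k: v for k, (v, _) in zip(CASES, combo)}
        expect_ok = all(valid for _, valid in combo)
        status, payload = list_items(**args)
        if (status == 200) != expect_ok:
            failures.append((args, status))
        elif status == 200:
            items = payload["items"]
            in_range = all(0 <= it["id"] < 250 and len(it["name"]) <= 16
                           for it in items)
            if len(items) > args["per_page"] or not in_range:
                failures.append((args, "invalid data"))
    return count, failures
```

Three parameters with 4, 4 and 3 values already give 48 combinations; adding one more value to any parameter multiplies that count, which is why the matrix is generated rather than written by hand.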
4. Automating API testing
Test automation is no trivial task, but it’s even harder when it’s the APIs you are dealing with. The main challenge is setting up the necessary infrastructure with all the mock data, clients, and inputs. Sometimes it’s hard to find enough mock API data and include all possible services/dependencies.
5. Understanding business logic
APIs often come with terms and conditions that govern their usage. Business stakeholders who decide which APIs should be developed or used may be aware of these guidelines, but the testing team may not. As a result, testers may overlook important test criteria when designing their test cases.
API testing is a bit of an art and is quite different from testing a user-facing application. There are also unique challenges associated with testing the APIs: managing the API inventory, validating parameters, setting up test environments, among others. At the same time, being aware of potential issues ensures that the team can test the APIs effectively and deliver a working application.