Introduction
An API (Application Programming Interface) is a computing interface that allows you to communicate with other applications (software intermediaries). It defines the kind of calls or requests that can be made, how you make them, the data formats that should be used, and the conventions to follow, to name but just a few. The purpose of an API is to simplify programming by abstracting underlying implementation details and only exposing objects or actions the developer needs.
API testing is a type of software testing done as a part of integration testing to determine if they meet expectations for functionality, reliability, performance, and security. In the past, developers used to automate GUI-based testing for their applications that interacted directly with their browsers. But recently, API testing has been considered critical to the process of development as they are faster and more reliable than GUI-based tests. API testing allows the tester to find bugs earlier in the development process, often before the UI has been created. And API testing allows the tester to make requests that might not be allowed through the UI. Since APIs lack GUI, API testing is done at the message layer.
In this post, you will learn about basic steps/tips to perform API testing. You will also learn how RapidAPI (the world’s largest API marketplace) helps you perform most of these functions with ease.
Understanding API requirements
Understanding the flow of your chosen API is very important before you start to test it, and moreover, you need to understand a few important technical requirements of your API.
API Endpoints
Basically, an API endpoint is the point of entry in a communication channel where two software intermediaries interact. The endpoint can be seen as the means from which the APIs can access the resources they need from a server to perform their tasks. An API endpoint is basically a fancy word for the URL of a server or service. For example: https://api.sendgrid.com/v3/mail/send is the endpoint for SendGrid’s Send Mail API.
Supported methods
You need to understand which method (POST, GET, PUT, DELETE, PATCH) is supported by the API.
Input-Output
It is essential to understand the type of input required and the response body content for the API (JSON, plain text, an XML document).
Answer Codes
The answer code/response status code is the most important API output that needs to be verified. All API response status codes are separated into five classes or categories. The first digit of the status-code defines the class of response, while the last two digits do not have any classifying or categorization roles. There are five classes defined by the standard:
- 1xx informational response – the request was received, continuing process
- 2xx successful – the request was successfully received, understood, and accepted
- 3xx redirection – further action needs to be taken in order to complete the request
- 4xx client error – the request contains bad syntax or cannot be fulfilled
- 5xx server error – the server failed to fulfill an apparently valid request
More information on response status codes can be found on its Wiki Page.
Headers and Auth Requirements
API calls require a variety of header fields. Headers contain a wealth of information that can help track down issues when they occur. Typically, headers contain information regarding request and response body and request authorization. Authentication is essential to verify the credentials of a connection attempt. Most commercial APIs require API Key-based authentication for their services.
When you use RapidAPI, it is quite easy to understand the API’s structure. In the image below (inside the red box), we can see that RapidAPI shows the required headers and schema of the request body on its user interface.
RapidAPI also provides basic code snippets to test each endpoint of a chosen Web API/service. Above, in the blue box, is a code snippet for SendGrid’s send mail API on RapidAPI in NodeJS. RapidAPI’s UI provides a tester with the API structure, endpoints, and references in one place. In this way, the tester can get familiar with the API and start testing their chosen API.
Automating API testing with the right tool
API automation can help accelerate testing and increase efficiency. In all sorts of software testing, it is required to automate the test cases which are repeatedly executed, like regression cases. Similarly, in the case of API testing, there might be some cases in which you need to execute before every release and those cases can be automated. The test data and execution history can also be saved with API endpoints, which makes it easier to rerun tests.
An important step toward leveraging the automation capability of API testing is choosing the most suitable tool or a set of suitable tools in the market. There are many tools that are popular in the market, including:
- SoapUI
- Katalan Studio
- Postman
- Jmeter
RapidAPI Testing is one such tool that was recently introduced.
Browse more Top API Testing Tools.
How to automate API testing with RapidAPI Testing
RapidAPI Testing is a new RapidAPI product made specifically to streamline the testing of an API.
You do not need an additional account to use this product, it is already connected to your RapidAPI account so you can use the same credentials.
To start using this service, you need to log into your RapidAPI account and go to https://rapidapi.com/testing/. You’ll see the list of APIs you work within your account. You can add tests to any of them or create a new API.
Below are some simple examples of using RapidAPI Testing. For more information on the service check out the official documentation.
Criteria of acceptability and verification methods
In response to a request, the sending application receives a status code and response body content. The status code tells us about the status of the request whereas the body content is what the API returns with a given input. As mentioned earlier, the response body content can either be a JSON, plain text, or XML file, depending on the API. Hence, it is very important to verify the content effectively. Here are some basic methods to verify an API’s response:
- Validate HTTP Headers: Examining the HTTP headers that are returned as a response to an API is a way to validate whether the API is functioning properly or not. One might say that checking the body content is all that matters. And it is true that body content validation gives us the most information about the data, but the body of an API response can have any structure whereas HTTP headers are defined. The structure of HTTP header segments is documented by the creators and can easily be validated whereas validating the body content requires more complex programming.
- Comparing attributes of the body content: For responses such as JSON or XML, it is easy to get a given attribute’s value and compare it with the expected value. Usually, these will have a list of keys, followed by a semicolon, followed by a value.
- Using RegEx to validate body: RegEx is a sequence of characters that define a search pattern, mainly for use in pattern matching with strings, or string matching. Specific patterns can be created and used to validate complex dynamic data in an API’s response along with the expected attribute values.
Inside the RapidAPI Testing product, you can connect to the API by opening the request generator at the bottom of the screen and filling in the required details.
After you make your request, click the “Add to Test” button. You will see different options of what you are going to assert. Here you can check for the presence, type, and value of the status code or various parts of the response body as illustrated in this gif:
Focus on small functional APIs
In any type of software testing, it is crucial to do incremental testing. Similarly, for API testing, you should start testing the lowest functionality level first. These include login APIs and tokenization APIs. Focusing on these APIs first ensures that the API servers, environment, and authentication work properly. Chances are that if the components work properly individually, then they will work properly in a combination too. After this lower-level functionality testing, the tester can do end-to-end flow testing and identify performance bottlenecks.
If you’ve implemented the elementary tests in the RapidAPI Testing environment, you may want to proceed to more complex requests with the data returned from previous ones. This may be helpful for confirming that the data has an appropriate type and also verify if the values are consistent.
To do this, you need to add a new HTTP request step and specify the data from the original request in the form of a template, such as: {{a.data.id}}.
Grouping tests together
In a typical testing project, there are usually a large number of API endpoints that perform different tasks. This number may range from the low 20s to 100s depending on the project. It is highly recommended that you organize/group these APIs into categories. This helps to create test scenarios more effectively with high coverage. Below is an example of the grouping of SendGrid’s API done by RapidAPI.
In the above image, we can see that the APIs have been divided into categories such as: Mail, Blocks, Bounces, etc. And each of these categories have multiple endpoints as can be seen in the Spam Reports category. These groupings are found in the left column of the endpoints tab for a chosen service on RapidAPI.
Creating positive and negative tests
API testing is a type of black-box testing which is driven by input and output data. It is important to do tests for cases that have positive responses as well as negative responses. This way you can be sure that the API works as expected in both cases and you can build your application based on the results. Some common scenarios include:
Positive tests
- Provide the API with correct auth and input and validate its response.
- Check the API with minimum required HTTP headers and with extra HTTP headers that are correct.
- Check the API again with the minimum required and maximum required input data.
Negative tests
- Provide false auth and check the response code.
- Verify the API response against incorrect input data.
- Verify the API with incorrect HTTP headers.
For example: The following code snippet shows a negative test with false auth on the Send Mail API of SendGrid’s WEB API services. You can see in the headers field (highlighted in red) that the authorization attribute is set as an empty string which should result in unauthorized access.
Request Code:
var http = require("https"); var options = { "method": "POST", "hostname": "api.sendgrid.com", "port": null, "path": "/v3/mail/send", "headers": { "authorization": "", "content-type": "application/json" } }; var req = http.request(options, function (res) { var chunks = []; res.on("data", function (chunk) { chunks.push(chunk); }); res.on("end", function () { var body = Buffer.concat(chunks); console.log(body.toString()); }); }); req.write(JSON.stringify({ personalizations: [ { to: [ { email: 'john.doe@example.com', name: 'John Doe' } ], subject: 'Hello, World!' } ], from: { email: 'noreply@johndoe.com', name: 'John Doe' }, reply_to: { email: 'noreply@johndoe.com', name: 'John Doe' } })); req.end();
The response code received for the above request was as expected: 401 (Unauthorized) and the body content was:
{ "errors": [ { "message": "The provided authorization grant is invalid, expired, or revoked", "field": null, "help": null } ]}
Similarly, you can provide a valid auth in the request header and get a valid response. To explore more APIs from SendGrid you can have a look at SendGrid API references.
Conclusion
API testing is a process that involves three steps: sending the request with necessary input data, getting the response’s output data, and validating the response against the expected outcome. These steps seem very easy and quick to follow for any tester and are in fact truly easy for low functionality levels, but tests get more and more complex as you start testing APIs on a deeper level.
The tips/steps we covered in this article provide a good roadmap for testers to follow and automate their API testing. Consider all the automation tools and verification methods before you commit to any specific tool or method. It will become increasingly difficult to alter your tests and validation methods once you start testing more complex flows for your project. It is strongly advised to consider API testing as a core requirement of your project development process and make it as extendable, reusable, and maintainable as possible.
Leave a Reply