Hopefully, you’ve enjoyed the previous articles on everything related to APIs: what they are, their life cycle, and where this kind of testing fits in the development process. This blog post will focus on the different types of API testing, along with detailed validations that need to be performed.
When performing GUI testing, we’re aware of the scenarios we’re testing. However, the test scenarios and test cases for APIs can vary. API testing also validates both the functional and non-functional requirements of the system. Today, we will review the types of API testing and how the validation performed on APIs ensures scalability, reliability, and efficiency.
Types of API Testing
There are 8 different types of API testing:
- Validation Testing: This type is done once the development of the API is completed. It starts with schema validation, checking if the correct product is built and if the developed API behaves as expected and produces desired results.
- Functional Testing: This kind of testing sections the API into smaller parts in order to verify that the system is working as expected.
- Integration Testing: These tests ensure that all the related APIs are connected and communicating with each other.
- Security Testing: Checks that the API is protected against malicious attacks that can result in data theft.
- Performance Testing: Tests how the API performs under certain conditions and instructions.
- Reliability Testing: Ensures consistency despite multiple and different integrations.
- Documentation Testing: Verifies whether any changes to requirements are updated and documented.
- Regression Testing: Ensures that changes such as bug fixes do not affect the existing behavior of the API.
Now that we’ve briefly defined them, let’s get more into detail.
Validation testing is performed following the completion of API development. This ensures that the API is fulfilling its purpose. Validation testing starts with schema validation, checking if the correct product is built and if the developed API behaves as expected and produces desired results.
At this point, the core capabilities of the API are validated. We can proceed to the next level of API tests when the validations pass.
These tests ensure that the API is performing the intended job. This splits the behavior of the API into small chunks and verifies if the system is working as expected. Generally, all the happy path testing is covered as part of the functional tests. However, the central focus is on the correct behavior. Once we ensure that the APIs are working as expected with the right test data set, we will start with the negative test cases: providing the incorrect parameters, request types, out-of-bound values, etc. Functional tests are categorized as:
A contract is a definition that explains the API functionality. There are two significant actors involved: a provider and a consumer, meaning the contract testing could be provider-driven or consumer-driven. These tests ensure that the contract is appropriately defined.
This is the detailed level of validation for each HTTP request. First, every request is tested with both positive and negative test data. Then, response status, code, message, and response time are evaluated. Finally, we add assertions based on the expected behavior.
Similar to UI tests, we ensure the API’s behavior in specific scenarios. Scenario testing combines a few requests, creates appropriate chaining, and validates the inter-request communication and the flow. For instance, when the user authentication is successful/unsuccessful, how should the API behave with other requests?
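The authentication scenario described above, written as a chained test. This is an added example, not code from the original article: the in-process `login` and `get_orders` functions, the token format, and the test account are all constructed stand-ins for a real API.

```python
import hashlib
import hmac
import secrets

# Constructed in-process stand-in for an API; every name here is hypothetical.
SERVER_KEY = secrets.token_bytes(32)
USERS = {"alice": "correct horse"}  # plain text only because this is a test stub
ORDERS = {"alice": [{"id": 1, "item": "book"}]}

def _sign(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()

def login(user, password):
    """POST /login: returns (status, body)."""
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected, password):
        return 401, {"error": "invalid credentials"}
    return 200, {"token": f"{user}.{_sign(user)}"}

def get_orders(token):
    """GET /orders: returns (status, body); needs a valid token."""
    user, _, sig = (token or "").partition(".")
    if not user or not hmac.compare_digest(sig, _sign(user)):
        return 401, {"error": "unauthorized"}
    return 200, {"orders": ORDERS.get(user, [])}

def run_scenarios():
    """Chain requests and record what each step returned."""
    results = {}
    # Scenario 1: successful login, token carried into the next request.
    status, body = login("alice", "correct horse")
    results["login_ok"] = status
    results["orders_with_token"] = get_orders(body["token"])[0]
    # Scenario 2: a failed login must not yield a token, and the
    # follow-up request without one must be rejected.
    status, body = login("alice", "wrong")
    results["login_bad"] = status
    results["token_issued_on_failure"] = "token" in body
    results["orders_without_token"] = get_orders(body.get("token"))[0]
    # Scenario 3: alice's signature attached to another user name is rejected.
    good = login("alice", "correct horse")[1]["token"]
    forged = "bob." + good.split(".", 1)[1]
    results["orders_token_for_other_user"] = get_orders(forged)[0]
    return results

if __name__ == "__main__":
    for step, outcome in run_scenarios().items():
        print(f"{step}: {outcome}")
```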
Multiple API calls are involved in the end-to-end flow of a single application. Therefore, during integration testing we need to check that inter-API communication and data exchange are working as expected. By performing these tests, we can ensure that all the related APIs are connected and communicating with each other.
Security runs are critical to the entire API test process, since vulnerability to malicious attacks will lead to data theft. Once the API is developed, we should test user authorization, whether resources are accessible only to the intended audience, and data encryption (wherever possible). Make sure to inform the stakeholders before performing the security tests. Also, certain approvals are needed to proceed with these tests. Two significant types of security tests performed for APIs are:
Penetration testing or pen testing simulates an attack to monitor the API response. This is an authorized attack on the APIs and a common security exercise.
Fuzz testing helps discover security vulnerabilities or bugs in the API by injecting invalid or unexpected inputs to the API. This creates noise in the application and tries to crash the API.
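A small fuzz harness for the idea above, run against a handler you own. This is an added example, not code from the original article: `create_order` is a constructed in-process stand-in that deliberately skips type checks, and the assumed schema is a short non-empty string `item` and an integer `quantity` from 1 to 100.

```python
import json
import random

def create_order(raw):
    """Constructed POST /orders: checks syntax, keys and range, but not types."""
    try:
        data = json.loads(raw)
        item, qty = data["item"], data["quantity"]
    except (ValueError, KeyError):
        return 400, {"error": "bad request"}
    if not 1 <= qty <= 100:
        return 422, {"error": "quantity out of range"}
    return 201, {"item": item, "quantity": qty}

VALID = {"item": "book", "quantity": 2}
FUZZ_VALUES = [None, "", "A" * 10_000, -1, 0, 2**63, 1.5, [], {}, True]

def generate_cases(seed=0, count=40):
    rng = random.Random(seed)  # fixed seed: every finding can be replayed
    cases = [b"", b"{", b"[1,2]", b"null", b"\x80\x81"]  # malformed or wrong shape
    for _ in range(count):
        payload = dict(VALID)
        field = rng.choice(sorted(VALID))
        if rng.random() < 0.2:
            del payload[field]  # missing required field
        else:
            payload[field] = rng.choice(FUZZ_VALUES)
        cases.append(json.dumps(payload).encode())
    return cases

def send(raw):
    """Call the handler as a framework would: an unhandled exception is a 500."""
    try:
        return create_order(raw)[0]
    except Exception:
        return 500

def fuzz(cases):
    """Every case is invalid by construction, so only a 4xx counts as a pass."""
    findings = {"crash": [], "accepted_invalid": []}
    for raw in cases:
        status = send(raw)
        if status >= 500:
            findings["crash"].append(raw)
        elif status < 400:
            findings["accepted_invalid"].append(raw)
    return findings

if __name__ == "__main__":
    print({k: len(v) for k, v in fuzz(generate_cases()).items()})
```

Each entry in `crash` or `accepted_invalid` is the exact request body that triggered it, so it can be attached to the bug report and replayed after the fix.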
Performance tests will evaluate the API performance under a specific set of instructions. We need to run different tests or assertions to assess the APIs’ performance. For instance, if there was a big sale on your site, you might expect a high volume of traffic to your APIs, which should be capable of handling it.
Major categories of performance testing are:
Load tests evaluate the capacity of the API, that is, how many calls the API can handle.
After receiving a certain level of API calls, the system will reach the stress point. From there, we can see if the API is able to respond normally to high loads.
These tests will induce a sudden increase in API calls. In production, this might happen due to some expected and unexpected situations. Imitating this scenario can ensure that the API is scalable.
Soak tests are extended load tests, where a higher volume of requests is sent to the API for a well-defined period of time to evaluate its behavior.
Discuss with the developer if the API could handle the load or stress before doing your performance tests.
How reliable are the APIs? These tests will ensure that the API is consistent and working the way it’s designed. In addition, they exist to verify if the test results are the same even after the integration with multiple systems/devices.
API Documentation Testing
API documentation is similar to the functional specification in the UI testing. Any change in the requirements should be updated in the API documentation since this is a single source of truth. Any deviation of the API behavior from the documentation should be reported as bugs, and relevant documents should be updated.
This is similar to the UI regression testing. API bug fixes or negative testing shouldn’t affect the existing behavior of the API. So, try to have minimal regression cases to ensure the impeccable conduct of the APIs.
There are different aspects of APIs to be tested. The types of API testing deployed for a particular case should be specific to the needs of the client. Still, most of the API tests mentioned above are meant to deliver high-quality APIs through exhaustive testing. Make sure to prepare a well-documented API testing strategy to denote the API testing types to be covered during the testing process.
Frequently Asked Questions
What are the different types of API?
There are four different types of APIs commonly used in web services: public, partner, private and composite.
How many methods are there in API testing?
There are 7 methods used in API testing:
- GET – For retrieving data from a resource.
- POST – For creating a new resource.
- PUT – For updating an existing resource.
- PATCH – To partially update an existing resource.
- DELETE – To delete a resource.
- HEAD – To retrieve the headers of a resource without the body.
- OPTIONS – To retrieve the supported methods for a resource.
What is the difference between SOAP and REST API testing?
SOAP and REST are two different approaches to API design. The SOAP approach is highly structured and uses XML data format. REST is more flexible and allows applications to exchange data in multiple formats.