I hope you enjoyed the previous articles related to APIs and understood what an API is, the life cycle of an API, and where API testing fits in the development process. This section will focus on the detailed validations performed for API testing.
When performing GUI testing, we are aware of the scenarios we're testing. However, the test scenarios and test cases for APIs can vary. API testing also validates the functional and non-functional requirements of the system. Today, we will review the types of API testing and how the validation performed on APIs ensures scalability, reliability, and efficiency.
These are the different types of API tests:
- Validation Testing
- Functional Testing
- Integration Testing
- Security Testing
- Performance Testing
- Reliability Testing
- API Documentation Testing
- Regression Testing
Validation Testing
Validation testing is performed following the completion of API development. This ensures that the API is fulfilling its purpose. Validation testing starts with schema validation, checking if the correct product is built and if the developed API behaves as expected and produces the desired results.
At this point, the core capabilities of the API are validated. We can proceed to the next level of API tests when the validations pass.
Functional Testing
These tests ensure that the API is performing the intended job. Functional testing splits the behavior of the API into small chunks and verifies that each one works as expected. Generally, all the happy path testing is covered as part of the functional tests. However, the central focus is on the correct behavior. Once we ensure that the APIs are working as expected with the right test data set, we will start with the negative test cases: providing incorrect parameters, request types, out-of-bound values, etc. Functional tests are categorized as:
A contract is a definition that explains the API functionality. There are two significant actors involved: a provider and a consumer, meaning the contract testing could be provider-driven or consumer-driven. These tests ensure that the contract is appropriately defined.
This is the detailed level of validation for each HTTP request. First, every request is tested with both positive and negative test data. Then, response status, code, message, and response time are evaluated. Finally, we add assertions based on the expected behavior.
Similar to UI tests, we ensure the API’s behavior in specific scenarios. Scenario testing combines a few requests, creates appropriate chaining, and validates the inter-request communication and the flow. For instance, when the user authentication is successful/unsuccessful, how should the API behave with other requests?
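An added example, not from the original article: the request-level and scenario checks described above, run against a constructed in-process stand-in for an API. The `api` function, its routes, accounts and data are assumptions made for the illustration, and the stand-in deliberately omits the order-ownership check so that the negative authorization case has something to catch.

```python
import secrets

USERS = {"alice": "pw-a", "bob": "pw-b"}            # constructed test accounts
ORDERS = {"1": {"owner": "alice", "item": "book"}}  # constructed test data
SESSIONS = {}                                       # token -> user

def api(method, path, token=None, body=None):
    """Constructed stand-in for the API under test; returns (status, json).
    It deliberately omits the ownership check on orders."""
    if (method, path) == ("POST", "/login"):
        user = (body or {}).get("user")
        if user not in USERS or USERS[user] != body.get("password"):
            return 401, {"message": "invalid credentials"}
        new_token = secrets.token_hex(8)
        SESSIONS[new_token] = user
        return 200, {"token": new_token}
    if method == "GET" and path.startswith("/orders/"):
        if token not in SESSIONS:
            return 401, {"message": "authentication required"}
        order = ORDERS.get(path.removeprefix("/orders/"))
        if order is None:
            return 404, {"message": "order not found"}
        return 200, order          # missing: order["owner"] == SESSIONS[token]
    return 405, {"message": "method not allowed"}

def login(user, password):
    return api("POST", "/login", body={"user": user, "password": password})

def run_scenario():
    """Chain requests as a client would; return the cases whose status differs."""
    alice = login("alice", "pw-a")[1]["token"]   # token from login feeds later calls
    bob = login("bob", "pw-b")[1]["token"]
    cases = [  # (name, expected status, actual response)
        ("bad password", 401, login("alice", "wrong")),
        ("no token", 401, api("GET", "/orders/1")),
        ("unknown token", 401, api("GET", "/orders/1", token="0" * 16)),
        ("owner reads own order", 200, api("GET", "/orders/1", token=alice)),
        ("other user reads order", 403, api("GET", "/orders/1", token=bob)),
        ("unknown id", 404, api("GET", "/orders/999", token=alice)),
        ("out-of-bound id", 404, api("GET", "/orders/-1", token=alice)),
        ("wrong request type", 405, api("DELETE", "/orders/1", token=alice)),
    ]
    return [(name, want, got[0]) for name, want, got in cases if got[0] != want]
```

Every happy-path case passes; only the chained negative case, where a second authenticated user requests the first user's order, reports a mismatch.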
Integration Testing
Multiple API calls are involved in the end-to-end flow of a single application. Therefore, during integration testing we need to check that the inter-API communication and data exchange are working as expected. Furthermore, we can ensure that all the related APIs are connected and communicating with each other by performing these tests.
Security Testing
Security tests are critical to the entire API test process, since vulnerability to malicious attacks will lead to data theft. Once the API is developed, we should test user authorization, that resources are accessible to the intended audience, and data encryption (wherever possible). Make sure to inform the stakeholders before performing the security tests. Also, certain approvals are needed to proceed with these tests. Two significant types of security tests performed for APIs are:
Penetration testing or pen testing simulates an attack to monitor the API response. This is an authorized attack on the APIs and a common security exercise.
Fuzz testing helps discover security vulnerabilities or bugs in the API by injecting invalid or unexpected inputs into the API. This creates noise in the application and tries to crash the API.
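An added example, not from the original article: a small seeded fuzz harness that mutates a known-good JSON payload and records every input that makes a handler raise or answer with a 5xx. The `create_order` handler, its fields and the mutation list are assumptions constructed for the illustration; the handler is called in-process and contains a deliberate input-handling defect for the harness to find.

```python
import json
import random

def create_order(raw_body):
    """Constructed stand-in for an API handler; returns (status, json).
    It validates 'sku' but never checks that 'quantity' exists or is a number."""
    try:
        body = json.loads(raw_body)
    except ValueError:                      # malformed JSON or bad encoding
        return 400, {"error": "invalid JSON"}
    if not isinstance(body, dict) or not isinstance(body.get("sku"), str):
        return 400, {"error": "sku must be a string"}
    if body["quantity"] > 100:              # defect: KeyError / TypeError here
        return 422, {"error": "quantity too large"}
    return 201, {"sku": body["sku"], "quantity": body["quantity"]}

VALID = {"sku": "ABC-1", "quantity": 2}     # constructed known-good payload
HOSTILE = [None, "", "A" * 10_000, -1, 2**63, 1.5, True, [], {}, "2"]

def mutate(rng, valid):
    """Return one malformed variant of a valid payload as raw bytes."""
    body = dict(valid)
    field = rng.choice(sorted(body))
    action = rng.choice(["drop", "replace", "truncate"])
    if action == "drop":
        del body[field]
    elif action == "replace":
        body[field] = rng.choice(HOSTILE)
    raw = json.dumps(body).encode()
    if action == "truncate":
        raw = raw[: rng.randrange(1, len(raw))]
    return raw

def fuzz(handler, rounds=200, seed=1):
    """Send mutated payloads to handler; collect inputs that crash it or yield 5xx."""
    rng = random.Random(seed)
    findings = []
    for _ in range(rounds):
        raw = mutate(rng, VALID)
        try:
            status, _ = handler(raw)
        except Exception as exc:            # a real server would answer 500 here
            findings.append((raw, type(exc).__name__))
            continue
        if status >= 500:
            findings.append((raw, f"HTTP {status}"))
    return findings
```

The fixed seed makes each finding reproducible, so the recorded payload can be replayed as a regression case once the handler rejects a missing or non-numeric `quantity` with a 4xx.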
Performance Testing
Performance tests evaluate the API performance under a specific set of instructions. We need to run different tests or assertions to assess the APIs' performance. For instance, if there was a big sale on your site, you might expect a high volume of traffic to your APIs, which should be capable of handling it.
Major categories of performance testing are:
Load tests evaluate the capacity of the API and how many calls this API could handle.
After receiving a certain level of API calls, the system will reach the stress point. From there, we can see if the API is able to respond normally to high loads.
These tests will induce a sudden increase in API calls. In production, this might happen due to some expected and unexpected situations. Imitating this scenario can ensure that the API is scalable.
Soak tests are nothing but extended load tests, where a higher volume of requests is sent to the API for a well-defined period of time to evaluate the behavior.
Discuss with the developer if the API could handle the load or stress before doing your performance tests.
Reliability Testing
How reliable are the APIs? These tests will ensure that the API is consistent and working the way it's designed. In addition, they exist to verify if the test results are the same even after the integration with multiple systems/devices.
API Documentation Testing
API documentation is similar to the functional specification in the UI testing. Any change in the requirements should be updated in the API documentation since this is a single source of truth. Any deviation of the API behavior from the documentation should be reported as bugs, and relevant documents should be updated.
Regression Testing
This is similar to the UI regression testing. API bug fixes or negative testing shouldn't affect the existing behavior of the API. So, try to have minimal regression cases to ensure the impeccable conduct of the APIs.
There are different aspects of APIs to be tested. The API test should be specific to the needs of the client. Still, most of the API tests mentioned above are meant to deliver high-quality APIs through exhaustive testing. Make sure to prepare a well-documented API testing strategy to denote the API testing types to be covered during the testing process.
I hope you enjoyed reading this and are clear about the API testing process!