API testing
Instructor: Hafiz Ali
Acknowledgement
Slides/information used in the lecture notes of this course come from or are adapted from the following
sources:
Anna Fitzgerald, Shekhar Kumar, Mike Stowe
Learning goals
• What is an API?
• What is API testing?
• Software application development – API
• Types of API testing
• API testing using browser
• A quick HTTP overview
o HTTP verbs/methods
o HTTP status codes.
What is an API?
What is API testing?
• API testing is the process of sending requests to an API and
monitoring the responses to ensure it is behaving as expected
• API testing is designed to assess the:
o functionality,
o reliability,
o performance,
o and security of an API.
• API testing effectively validates the logic of the build
architecture within a short amount of time.
• API testing is an essential part of the API development lifecycle.
Software application development
• Software application development is dominated by
the three-layered architecture approach, which is an
architecture made up of a:
o presentation layer,
o business logic layer,
o and database layer.
Business logic layer
• The business logic layer contains the core functionality/components of the
application. This layer must:
o take information from the user through the presentation layer,
o query the database layer,
o transform that data according to the business logic,
o present the results back to the user via the presentation layer.
• However, the business logic layer must also communicate with other
applications, as well as with human users, through an API.
API vs. Non API testing
• API testing is designed to validate the business logic as well as the
performance, security, and other aspects of the application.
• API testing focuses on “what the application does” and does not focus on
the individual components of an application, which are covered instead by:
o unit testing (individual components within a single application),
o testing the look and feel of the application,
o user interface (UI) testing.
API vs. Non API testing …
• Unit tests are designed to verify the functionality of individual components within
a single application.
• API tests are designed to verify that all system components function as intended.
• Advantage of API unit tests: it is easier to identify bugs at the unit, database, and
server levels.
• API unit tests are also faster to run and more isolated than UI tests, which makes it
quicker and easier to identify and resolve bugs.
• How quick: According to data from Andersen Lab, a UI test runs for
approximately seven minutes while an API unit test runs for 12 seconds. Meaning,
an API unit test is about 35 times faster than a UI test.
API vs. Non API testing …
• UI testing is costly because of the effort of finding scores of locators and
maintaining them.
• Unit testing is the cheapest because testing is done at the unit/code
level through traditional test cases, and bugs are fixed at this
level.
Types of API testing
• Functional testing:
o These API tests are designed to check that an API returns the right response for a given
request.
• Load testing:
o This type of API test gauges how an API handles a large volume of
requests over a short period.
• Runtime and error detection testing:
o These API tests are designed to evaluate the actual running of the API and typically
focus on monitoring, execution errors, resource leaks, or error detection.
• Security testing:
o These tests assess how an API responds to and resists cyberattacks.
Types of API testing …
• Penetration Testing:
o Penetration tests involve users with limited API knowledge trying to attack the API,
which enables testers to assess the threat vector from an outside perspective.
• Fuzz testing:
o This type of API test sends a large number of randomized requests to see if your API
responds with errors, processes any of these inputs incorrectly, or crashes.
• Validation testing:
o Validation tests are run late in the testing stage to verify the behavior and efficiency of
the API.
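Fuzz testing, as described above, is easiest to understand by watching it find the failures that well-formed functional requests never trigger. The following is an added example (not from the slides or their sources): a constructed “before” handler for creating a user that trusts the shape of its JSON body, the same handler hardened with explicit validation, and a small fuzzer that feeds both of them random bytes, random printable text, and JSON objects with unexpected field types. The handler signatures, field names (first_name, age) and the 0–150 age range are assumptions made for the example; an unhandled exception is counted as the 500 it would become in production.

```python
import json
import random
import string


def naive_create_user(raw):
    """Constructed 'before' handler: trusts the shape of the JSON body it receives."""
    data = json.loads(raw)
    name = data["first_name"].strip()
    age = int(data["age"])
    if not name:
        return 400, {"error": "first_name is required"}
    return 201, {"first_name": name, "age": age}


def hardened_create_user(raw):
    """Validates the body explicitly, so bad input yields 400 rather than an exception (500)."""
    try:
        data = json.loads(raw)
    except ValueError:  # covers JSONDecodeError and undecodable bytes
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(data, dict):
        return 400, {"error": "body must be a JSON object"}
    name, age = data.get("first_name"), data.get("age")
    if not isinstance(name, str) or not name.strip():
        return 400, {"error": "first_name must be a non-empty string"}
    if not isinstance(age, int) or isinstance(age, bool) or not 0 <= age <= 150:
        return 400, {"error": "age must be an integer between 0 and 150"}
    return 201, {"first_name": name.strip(), "age": age}


def random_body(rng):
    """One constructed fuzz input: raw bytes, printable noise, or JSON with odd field types."""
    kind = rng.choice(["bytes", "text", "json"])
    if kind == "bytes":
        return bytes(rng.randrange(256) for _ in range(rng.randrange(32)))
    if kind == "text":
        return "".join(rng.choice(string.printable) for _ in range(rng.randrange(64))).encode()
    pool = [None, True, 0, -1, 10 ** 20, 1.5, "", "  ", "Janet", "42", [], {}]
    if rng.random() < 0.1:  # sometimes a valid JSON value that is not an object
        return json.dumps(rng.choice(pool)).encode()
    body = {f: rng.choice(pool) for f in ("first_name", "age", "extra") if rng.random() < 0.8}
    return json.dumps(body).encode()


def fuzz(handler, iterations=2000, seed=1):
    """Feed random bodies to a handler; return ({status: count}, [(body, exception), ...])."""
    rng = random.Random(seed)
    statuses, crashes = {}, []
    for _ in range(iterations):
        body = random_body(rng)
        try:
            status, _ = handler(body)
        except Exception as exc:  # an unhandled exception would surface as a 500 in production
            crashes.append((body, repr(exc)))
            status = 500
        statuses[status] = statuses.get(status, 0) + 1
    return statuses, crashes


if __name__ == "__main__":
    for name, handler in (("naive", naive_create_user), ("hardened", hardened_create_user)):
        statuses, crashes = fuzz(handler)
        print(name, statuses, "crashes:", len(crashes))
```

Running it shows the naive handler producing a large share of 500s (KeyError, AttributeError, TypeError, ValueError and JSON decode errors), while the hardened handler only ever answers 201 or 400. The fixed seed makes a run reproducible, which matters when a crash has to be handed to a developer: the offending body is in the crashes list.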
HTTP - Overview
• Hypertext Transfer Protocol
• HTTP is connectionless
• HTTP is media independent
• HTTP is stateless
• HTTP has Methods
HTTP Verbs
• GET: This verb is used to read a representation of a resource
• POST: This verb is most often used to create new resources
• PUT: This verb is used to update (replace) the resource representation
• DELETE: This verb is used to delete the resource
• PATCH: This verb is used to modify a part of a resource, not the complete resource
HTTP Status Codes
• The status code is a three-digit integer where the first digit defines the class of
response and the last two digits do not have any categorization role
• There is a wide range of status codes available; a few are listed below
• 2xx: Success response codes
• 4xx: Client errors response codes
• 5xx: Server errors response codes
HTTP Status Codes: 2xx
• 200 OK: Standard response for successful HTTP request
• 201 Created: The request has been fulfilled, resulting in the creation of a new
resource
• 202 Accepted: The request has been accepted for processing, but the
processing has not been completed.
• 204 No Content: The server successfully processed the request and is not
returning any content
HTTP Status Codes: 4xx
• 400 Bad Request: The server cannot process the request due to an apparent
client error (e.g. invalid data)
• 401 Unauthorized: despite the name, 401 means unauthenticated (no valid
credentials were supplied)
• 403 Forbidden: The request is valid but the user might not have the necessary
permissions
• 404 Not Found: The requested resource could not be found
HTTP Status Codes: 5xx
• 500 Internal Server Error: A generic error message, given when an
unexpected condition was encountered
• 501 Not Implemented: The server either does not recognize the request
method, or it lacks the ability to fulfill the request
• 503 Service Unavailable: The server is currently unavailable
• 505 HTTP Version Not Supported: The server does not support the HTTP
protocol version used in the request
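The functional-testing definition, the HTTP verbs and the status codes above come together in one short test run. The following is an added example (not from the slides or their sources): a constructed in-process /api/users resource built on Python's standard http.server, and a client built on urllib.request that sends each verb and records the status code it expected against the one it observed. The resource, its fields (name, job) and the seed record are assumptions made for the example. It exercises 200, 201, 204, 400 (invalid data), 404 and 501 (a verb the server does not implement), and it shows the PUT/PATCH difference from the verbs slide: PATCH keeps the fields it was not sent, PUT drops them.

```python
import json
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {}  # constructed in-memory "users" store standing in for a real backend


class UsersHandler(BaseHTTPRequestHandler):
    def _send(self, status, body=None):
        payload = b"" if body is None else json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)
    def _fields(self):
        # Accept only "name" and "job" as non-empty strings; None means an invalid body.
        try:
            data = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        except ValueError:
            return None
        ok = isinstance(data, dict) and data and set(data) <= {"name", "job"}
        return data if ok and all(isinstance(v, str) and v.strip() for v in data.values()) else None
    def _uid(self):
        # "/api/users" -> None (the collection); "/api/users/2" -> 2; anything else -> -1.
        m = re.fullmatch(r"/api/users(?:/(\d+))?", self.path)
        return -1 if m is None else (int(m.group(1)) if m.group(1) else None)
    def do_GET(self):
        uid = self._uid()
        if uid not in USERS:
            return self._send(404, {"error": "not found"})
        self._send(200, {"data": USERS[uid]})
    def do_POST(self):  # create; only the collection URL accepts POST
        fields = self._fields()
        if self._uid() is not None:
            return self._send(404, {"error": "not found"})
        if fields is None or "name" not in fields:
            return self._send(400, {"error": "name (non-empty string) is required"})
        uid = max(USERS, default=0) + 1
        USERS[uid] = {"id": uid, **fields}
        self._send(201, {"data": USERS[uid]})
    def do_PUT(self):  # replace the whole representation: omitted fields are dropped
        self._write(replace=True)
    def do_PATCH(self):  # change only the fields that were sent
        self._write(replace=False)
    def _write(self, replace):
        uid, fields = self._uid(), self._fields()
        if uid not in USERS:
            return self._send(404, {"error": "not found"})
        if fields is None or (replace and "name" not in fields):
            return self._send(400, {"error": "invalid body"})
        USERS[uid] = {"id": uid, **fields} if replace else {**USERS[uid], **fields}
        self._send(200, {"data": USERS[uid]})
    def do_DELETE(self):
        uid = self._uid()
        if uid not in USERS:
            return self._send(404, {"error": "not found"})
        del USERS[uid]
        self._send(204)
    def log_message(self, *_):  # silence per-request logging
        pass


def call(base, method, path, body=None):
    # Send one request; return (status code, parsed JSON body or None).
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx; keep the code
        status, raw = err.code, err.read()
    return status, (json.loads(raw) if raw.startswith(b"{") else None)  # 501 body is HTML


def run_checks():
    # Functional run: returns (rows of (verb, path, expected, observed), patch_view, put_view).
    USERS.clear()
    USERS[2] = {"id": 2, "name": "Janet Weaver"}        # constructed seed record
    server = HTTPServer(("127.0.0.1", 0), UsersHandler)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base, rows = "http://127.0.0.1:%d" % server.server_address[1], []
    def check(method, path, expected, body=None):
        status, data = call(base, method, path, body)
        rows.append((method, path, expected, status))
        return data
    check("GET", "/api/users/2", 200)
    check("GET", "/api/users/99", 404)
    check("POST", "/api/users", 400, {"name": ""})  # invalid data
    new = check("POST", "/api/users", 201, {"name": "Ada", "job": "tester"})
    path = "/api/users/%d" % new["data"]["id"]
    patch_view = check("PATCH", path, 200, {"job": "QA lead"})["data"]  # name is kept
    put_view = check("PUT", path, 200, {"name": "Ada L."})["data"]     # job is dropped
    check("DELETE", path, 204)
    check("GET", path, 404)
    check("PURGE", path, 501)  # a verb the server does not implement
    server.shutdown()
    return rows, patch_view, put_view
```

Calling run_checks() returns the nine (verb, path, expected, observed) rows, every one of which matches, plus the two representations that show PATCH preserving the job field and PUT discarding it. The same client function can be pointed at a real base URL such as the reqres.in address used later in the slides; only the expected values change.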
Status codes in emojis
Client Server Architecture
• Client/Server architecture is a computing model in which the server hosts,
delivers and manages most of the resources and services to be consumed by
the client. This type of architecture has one or more client computers
connected to a central server over a network or internet connection.
API testing using browser…
https://www.w3schools.com/js/js_json_syntax.asp
• HTTP 304, also sometimes known as “304 Not Modified”, is a code that
communicates to your browser that: “The requested resource has not been
modified since the last time you accessed it.”
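The 304 behaviour seen in the browser's network tab is a two-sided exchange: the server labels a representation with an ETag, the browser sends it back as If-None-Match on the next request, and the server answers 304 with no body when nothing has changed. The following is an added example (not from the slides or their sources) that plays both sides in-process with a constructed sample resource; the ETag scheme (a SHA-256 of the canonical JSON) and the small caching client are assumptions made for the example.

```python
import hashlib
import json


def etag_for(resource):
    """Strong ETag: a hash of the canonical JSON form of the representation."""
    canonical = json.dumps(resource, sort_keys=True, separators=(",", ":")).encode()
    return '"' + hashlib.sha256(canonical).hexdigest()[:16] + '"'


def serve_get(resource, request_headers):
    """Server side of a conditional GET; returns (status, response_headers, body)."""
    tag = etag_for(resource)
    if request_headers.get("If-None-Match") == tag:
        return 304, {"ETag": tag}, b""  # unchanged since the client last fetched it: no body
    return 200, {"ETag": tag, "Content-Type": "application/json"}, json.dumps(resource).encode()


class CachingClient:
    """Browser-like client: remembers the ETag and body of the last 200 and revalidates."""

    def __init__(self):
        self.cache = {}  # path -> (etag, body)

    def get(self, path, resource):
        headers = {}
        if path in self.cache:
            headers["If-None-Match"] = self.cache[path][0]
        status, resp_headers, body = serve_get(resource, headers)
        if status == 304:
            return 304, self.cache[path][1]  # reuse the stored body
        self.cache[path] = (resp_headers["ETag"], body)
        return status, body


def exchange():
    """Constructed sequence: fresh GET, revalidation hit, then a modified resource."""
    user = {"id": 2, "name": "Janet Weaver"}  # constructed sample resource
    client = CachingClient()
    first = client.get("/api/users/2", user)
    second = client.get("/api/users/2", user)  # nothing changed -> 304, cached body reused
    user["name"] = "Janet W."                  # the resource changes on the server
    third = client.get("/api/users/2", user)   # ETag differs -> 200 with the new body
    return [first[0], second[0], third[0]], json.loads(third[1])
```

exchange() returns the status sequence [200, 304, 200]: the second request carries the ETag and gets an empty 304, which is why the browser shows a 304 for an unchanged resource while the page still renders the cached JSON.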
API testing using browser
https://gmail.com/
API testing using browser
https://reqres.in/api/users/2
References
• https://blog.hubspot.com/website/api-testing#:~:text=Why%20is%20API%20testing%20important,reliability%2C%20performance%2C%20and%20security.
• https://blogs.mulesoft.com/dev-guides/api-design/api-best-practices-series-plan/
THANK YOU