What is API testing and the best way to test APIs?

Tram Ho

1. What is an API?

An Application Programming Interface (API) is an intermediate layer in a software system that is responsible for carrying data between the data source and the Graphical User Interface (GUI) the user sees. In other words, the API is the business layer of the software: it connects the presentation layer to the data layer.

API testing focuses on the application’s business layer, so its methods differ completely from standard GUI testing. Instead of keyboard input and mouse clicks, API testing uses testing tools or your own code to call the APIs under test. You then validate the responses (outputs) from these APIs to verify that they work correctly. To know what to look for, you need to know what response the API generates.

An API response will contain:

  • A status message or boolean value (e.g. success/error or true/false) that indicates the outcome of the API call. It also acts as a flag (true/false) on which the presentation or database layer decides whether to update.
  • A data set that is passed on to the next API, the GUI, or the database.

2. What to check in an API

  • Functionality: Here you check the API’s response to the input provided and confirm that the actual response matches the expected response.
  • Performance: Here you need to be aware of the API response time. Sometimes it takes a long time to receive a response from the API; this may be due to performance issues in the API’s design.
  • Security: Checking whether any sensitive data passed to the API is encrypted is part of this test.

For example, you might want to check the API responsible for building the dashboard report on the home page. To access the Dashboard API you may need a token that was returned by the login API called before it. This token must be in an encrypted format. You can also check that the connection uses HTTPS encryption.

  • Reliability: Check whether the API responds promptly every time you call it under different configurations (e.g. different environments, different user logins, etc.). Check whether the output contains any unhandled exceptions, timeout errors, etc. that affect reliability. As part of reliability testing, also check that the response data is structured properly; usually the API response is structured in JSON or XML format.
  • Negative testing: Here the goal is to feed invalid input data to the API and check how the output behaves. The API should handle errors correctly, returning valid error messages that are meaningful for every negative input condition. You can also check the API’s behaviour when blank input data is supplied for some arguments, and look for any unused flags and missing or duplicated output values for different input data.
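The five checks above, written as code the way a test harness would apply them to a recorded call. This is an added example, not code from the original article or from the TestLodge source; the two captured calls (a Dashboard call made with the login token, and a deliberately failed login), the login password, the 500 ms budget, the schema and the `example.com` addresses are all constructed for the example.

```python
import json

# Constructed captures of two calls a test tool might record (not real traffic).
LOGIN_SECRETS = ["s3cret-pass"]  # constructed password sent in the login payload
DASHBOARD_CALL = {
    "url": "https://domain.com/Mobile/Dashboard",
    "status": 200,
    "elapsed_ms": 180,
    "headers": {"Content-Type": "application/json"},
    "body": '{"result": "SUCCESS", "data": {"id": 7093, '
            '"username": "tester@example.com", "widgets": [1, 2]}}',
}
BAD_LOGIN_CALL = {
    "url": "https://domain.com/Mobile/User/Login",
    "status": 401,
    "elapsed_ms": 95,
    "headers": {"Content-Type": "application/json"},
    "body": '{"result": "INVALID_PASSWORD"}',
}
# Assumed structure of a good Dashboard response: key -> expected type (nested dicts allowed).
DASHBOARD_SCHEMA = {"result": str, "data": {"id": int, "username": str, "widgets": list}}


def parse_json(call):
    """Reliability: the body must be well-formed JSON; return None otherwise."""
    try:
        return json.loads(call["body"])
    except json.JSONDecodeError:
        return None


def matches_schema(value, schema):
    """Reliability: recursive structure check (every key present, every type as expected)."""
    if isinstance(schema, dict):
        return isinstance(value, dict) and all(
            k in value and matches_schema(value[k], s) for k, s in schema.items())
    return isinstance(value, schema)


def check_functional(call, expected_result):
    """Functionality: 200 and the result message we expected for this input."""
    body = parse_json(call)
    return call["status"] == 200 and body is not None and body.get("result") == expected_result


def check_performance(call, budget_ms=500):
    """Performance: the recorded response time stays inside the budget."""
    return call["elapsed_ms"] <= budget_ms


def check_security(call, secrets):
    """Security: the call went over HTTPS and no login secret is echoed back in clear."""
    return call["url"].startswith("https://") and not any(s in call["body"] for s in secrets)


def check_reliability(call, schema):
    """Reliability: declared as JSON, parses as JSON, and has the expected structure."""
    body = parse_json(call)
    return (call["headers"].get("Content-Type", "").startswith("application/json")
            and body is not None and matches_schema(body, schema))


def check_negative(call, expected_status, expected_result):
    """Negative: a bad input is rejected with the right code and a meaningful message."""
    body = parse_json(call)
    return (call["status"] == expected_status and body is not None
            and body.get("result") == expected_result)


def run_checks():
    """Apply every check to the constructed captures; returns name -> passed."""
    return {
        "functional": check_functional(DASHBOARD_CALL, "SUCCESS"),
        "performance": check_performance(DASHBOARD_CALL),
        "security": check_security(DASHBOARD_CALL, LOGIN_SECRETS),
        "reliability": check_reliability(DASHBOARD_CALL, DASHBOARD_SCHEMA),
        "negative": check_negative(BAD_LOGIN_CALL, 401, "INVALID_PASSWORD"),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:12s} {'PASS' if ok else 'FAIL'}")
```

The security check deliberately treats the login password as something that must never reappear in any later response body; a token that is just the password or username in a recognisable form would fail it, which is the point the article makes about the token needing to be encrypted.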

3. What should an API test case include?

Test steps

API URL

This is the HTTP request that calls a specific API, for example the login API. If its URL path is Mobile/User/Login and your domain URL is http://domain.com, then the API URL used to call it from a browser or tool is http://domain.com/Mobile/User/Login.

HTTP method

RESTful APIs use HTTP methods to classify calls by the kind of operation requested from the server, for example POST, GET, etc. The POST method sends data to the server, while the GET method retrieves data from the server.

Payload

This defines the input data structure (model) that will be supplied to the API. For the login API above, we might use the data structure below:

    {
        username: string
        password: string
        device_id: string
        object_id: string
        device_token: string
        mobile_os: string
        app_language: string
    }

Request sample data

The request sample contains the actual input data passed to the API as its payload. You can write as many test cases as you want based on this sample data. For the login scenario above, the sample data might look like this:

    {
        "device_id": "F3649737-B25D-43BA-A212-71192",
        "object_id": "",
        "device_token": "f4icqBpC04k:APA91bFFYp8MKaetZKiAJ",
        "mobile_os": "iOS",
        "app_language": "en"
    }

Expected results

Response code

This is the response code of the API request. 200 OK must be the response code of a successful API request. Other response codes include 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 500 Internal Server Error, etc. It is useful to record the API response code from the output panel of your API testing tool.

Response message

For each input there may be a different API result message. You need to find the corresponding response messages and record them in your test cases. Some common messages for a login API are: SUCCESS, INACTIVE_ACCOUNT, INVALID_PASSWORD, USER_NOT_FOUND, INVALID_DEVICE_ID, ERROR

Sample response

This is the output data for each combination of input data. You need it to validate the actual output of the API against the expected result. A sample response for a successful login is given below:

    {
        "result": "SUCCESS",
        "data": {
            "id": 7093,
            "company_id": 0,
            "customer_id": "181055033",
            "user_type": 0,
            "username": "[email protected]",
            "first_name": "Test",
            "last_name": "User",
            "app_language": "en",
            "mobile_os": "iOS",
            "email": "[email protected]",
            "phone": "917837322",
            "secondary_phone": "0",
            "address": "",
            "created_at": "2018-10-01",
            "updated_at": "2018-10-01",
            "last_login": "2018-10-01"
        }
    }

4. Tips for testing APIs

  • Understand what each API is used for in the application. If you don’t understand the purpose of a specific API, it will be difficult to write enough test cases for it.
  • When writing test cases for different input conditions, use test techniques such as boundary value analysis and equivalence class partitioning.
  • Document the exact input and response parameters of the API for each test case so that testing can be done in a structured way. It is also important to order your test cases so that each one follows from the previous one. For example, to check CRUD operations, write the test cases in Create, Update, Delete order.
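The test-case structure from section 3 (URL/method, payload, expected response code, expected result message) combined with the boundary-value and equivalence-class tips above, as a data-driven test table for the login API. This is an added example, not code from the original article or from the TestLodge source. Because the article's http://domain.com/Mobile/User/Login does not exist, the block stands in a constructed `fake_login` function for it; the accounts, the `example.com` addresses, the 8..64 password-length rule and the status code chosen for each result message are all assumptions made for the example.

```python
import json

# Constructed stand-in for the article's login API (POST to
# http://domain.com/Mobile/User/Login) so the test cases run offline.
# Accounts, password limits and status codes are all assumptions.
REQUIRED_FIELDS = ("username", "password", "device_id", "object_id",
                   "device_token", "mobile_os", "app_language")
PASSWORD_MIN, PASSWORD_MAX = 8, 64      # assumed validation boundaries
USERS = {                               # constructed accounts
    "tester@example.com":  {"id": 7093, "password": "Passw0rd", "active": True},
    "maxlen@example.com":  {"id": 7094, "password": "y" * 64,   "active": True},
    "dormant@example.com": {"id": 7095, "password": "Passw0rd", "active": False},
}


def fake_login(method, body):
    """Return (status_code, response_dict), the two things a test tool records per call."""
    if method != "POST":
        return 405, {"result": "ERROR"}
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"result": "ERROR"}
    if not all(isinstance(payload.get(k), str) for k in REQUIRED_FIELDS):
        return 400, {"result": "ERROR"}           # missing field or wrong type
    if not PASSWORD_MIN <= len(payload["password"]) <= PASSWORD_MAX:
        return 400, {"result": "ERROR"}           # format rejected before any lookup
    if payload["device_id"] == "":
        return 400, {"result": "INVALID_DEVICE_ID"}
    user = USERS.get(payload["username"])
    if user is None:
        return 401, {"result": "USER_NOT_FOUND"}
    if payload["password"] != user["password"]:
        return 401, {"result": "INVALID_PASSWORD"}
    if not user["active"]:
        return 403, {"result": "INACTIVE_ACCOUNT"}
    return 200, {"result": "SUCCESS",
                 "data": {"id": user["id"], "username": payload["username"]}}


# The article's request sample, with constructed credentials added.
BASE_PAYLOAD = {
    "username": "tester@example.com", "password": "Passw0rd",   # 8 chars: at the minimum
    "device_id": "F3649737-B25D-43BA-A212-71192", "object_id": "",
    "device_token": "f4icqBpC04k:APA91bFFYp8MKaetZKiAJ",
    "mobile_os": "iOS", "app_language": "en",
}
DROP = object()  # sentinel: leave this field out of the payload entirely

# One row per test case: name, HTTP method, payload delta, expected response
# code, expected result message. EC = equivalence class, BVA = boundary value
# of the assumed 8..64 password length.
TEST_CASES = [
    ("TC01 valid login, password at BVA min (8)", "POST", {},                                   200, "SUCCESS"),
    ("TC02 wrong HTTP method",                     "GET",  {},                                   405, "ERROR"),
    ("TC03 unknown user (EC)",                     "POST", {"username": "nobody@example.com"},  401, "USER_NOT_FOUND"),
    ("TC04 wrong password (EC)",                   "POST", {"password": "Wrong0rd"},            401, "INVALID_PASSWORD"),
    ("TC05 inactive account (EC)",                 "POST", {"username": "dormant@example.com"}, 403, "INACTIVE_ACCOUNT"),
    ("TC06 blank device_id",                       "POST", {"device_id": ""},                   400, "INVALID_DEVICE_ID"),
    ("TC07 password field missing",                "POST", {"password": DROP},                  400, "ERROR"),
    ("TC08 password not a string",                 "POST", {"password": 12345678},              400, "ERROR"),
    ("TC09 password length 7 (BVA min-1)",         "POST", {"password": "x" * 7},               400, "ERROR"),
    ("TC10 password length 64 (BVA max)",          "POST", {"username": "maxlen@example.com",
                                                             "password": "y" * 64},             200, "SUCCESS"),
    ("TC11 password length 65 (BVA max+1)",        "POST", {"password": "x" * 65},              400, "ERROR"),
]


def build_payload(delta):
    """Apply a case's delta to the base payload (DROP removes the key)."""
    payload = dict(BASE_PAYLOAD)
    for key, value in delta.items():
        if value is DROP:
            payload.pop(key, None)
        else:
            payload[key] = value
    return payload


def run_case(case):
    """Send one documented case and compare (code, message) with the expectation."""
    name, method, delta, exp_code, exp_result = case
    code, body = fake_login(method, json.dumps(build_payload(delta)))
    actual = (code, body["result"])
    return {"case": name, "expected": (exp_code, exp_result),
            "actual": actual, "passed": actual == (exp_code, exp_result)}


def run_all(cases=TEST_CASES):
    """Execute every case in table order and return the recorded outcomes."""
    return [run_case(c) for c in cases]


if __name__ == "__main__":
    for r in run_all():
        print("PASS" if r["passed"] else "FAIL", r["case"], r["actual"])
```

Each table row carries exactly the fields section 3 asks a test case to document, so the table doubles as the test documentation; swapping `fake_login` for a real HTTP call (for example with the `requests` library) is the only change needed to run the same rows against a live endpoint.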

This article is translated from: https://blog.testlodge.com/api-testing/


Source : Viblo