We are living in a world where everything is connected. Wearing a fitness watch, your fitness app can access your workout routines, let you listen to music or podcasts, and remind you of your doctor's appointments. If you have ever explored your banking app, you will have seen far more than just your account balance: all previous transactions, investment suggestions, deals, rewards, etc. Your home security app can show you a live feed of your front door, send you notifications, raise an alarm for unexpected events, or even call the police if it senses real trouble. If you are wondering how one application communicates with so many application services, the Application Programming Interface (API) is your answer!
In this article we will learn-
Today's modern applications like Amazon, Twitter, Facebook, WhatsApp, Spotify, home automation apps, etc. use multiple APIs in their back end. These applications use several internal APIs as well as third-party applications' APIs.
So for testing specific functionality of such applications, testing the APIs is imperative. If you're on a journey to explore the world of API testing, you are in the right place. Now let's see what is happening at the back end on a technical level.
What is an API?
An API (Application Programming Interface) is a software intermediary that enables two applications to communicate with each other. APIs are beneficial because they allow developers to add specific functionality to an application, without having to write all of the code themselves.
What is Web Service?
In simple words, a web service is an API which is live on the internet. All web services are APIs, but not all APIs are web services: an API a developer is still creating, or any API that has not been pushed to production yet, is not a web service. There are several types of API: HTTP APIs, GraphQL APIs, Falcor APIs, gRPC APIs, REST APIs, etc.
The most popular web service APIs are REST APIs and SOAP APIs.
REST is popular among application developers because of how simply it communicates with other machines compared with more complex mechanisms like CORBA, RPC, or the Simple Object Access Protocol (SOAP).
What is Rest API?
REST stands for Representational State Transfer and is an architectural pattern for creating web services. REST is a set of rules that defines best practices for sharing data between clients and the server.
REST applications use HTTP methods like GET, POST, DELETE, and PUT, but not all HTTP APIs are REST APIs. An API needs to meet the following architectural requirements to be considered a REST API:
Client-server: There is a clear separation between client and server. The server manages application data and state; the client handles user interactions.
Stateless: Servers don't maintain client state; clients manage their own application state. Each client request to the server contains all the information required to process it.
Cacheable: Servers must mark their responses as cacheable or not. Systems and clients can cache responses when convenient to improve performance, and they discard non-cacheable information so that no client uses stale data.
Uniform interface: This is REST's best-known rule. REST services expose data as resources with a consistent namespace.
Layered system: Components in the system cannot see beyond their own layer. This confined scope lets you add load balancers and proxies to improve security (for example, authentication) or performance.
What is SOAP?
SOAP is a protocol that uses XML as the format to transfer data. Its main function is to define the structure of the messages and the methods of communication. It also uses WSDL, the Web Services Description Language, a machine-readable document that publishes a definition of its interface.
Difference between SOAP and REST API
| SOAP API | REST API |
| --- | --- |
| Uses the SOAP (Simple Object Access Protocol) protocol. | Uses the REST (Representational State Transfer) architecture over the HTTP protocol. |
| It has strict rules and advanced security to follow. | There are loose guidelines to follow, leaving developers free in how they implement the REST architecture. |
| Transports data in standard XML format. | Data is generally in JSON format; REST does not enforce a message format. |
| Works over HTTP, HTTPS, SMTP, XMPP. | Works over HTTP and HTTPS. |
| Requires more bandwidth. | Requires less bandwidth. |
| SOAP is like an envelope: everything is secured. | REST is like a postcard: less privacy. |
| Used for large-scale applications like banking and financial applications. | Used for fast-paced cloud applications like Facebook, YouTube, Twitter, and Google. |
What is API Testing?
API testing is a kind of software testing that determines whether the developed APIs meet expectations regarding the functionality, reliability, performance, and security of the application.
How to determine an API's expectations?
Finally, we come to the most important point. For that we need to understand API requests and responses.
API Requests:
We can perform CRUD (Create, Read, Update, Delete) operations with API requests. The following standard methods are used for API requests:
POST: Create new data
GET: Fetch existing data
PUT: Update existing data
DELETE: Remove existing data
API Responses:
When we send one of the above requests to an API, it sends back a response, typically in JSON format. The most basic API validation is checking the status code, which tells whether the request was successful or not. Every status code has a specific meaning.
Common HTTP Status Codes in the REST API
| Response Status Code | Response Meaning | Example |
| --- | --- | --- |
| 100-199 | Informational response | 100 Continue, 102 Processing |
| 200-299 | Request succeeded | 200 OK, 201 Created, 202 Accepted |
| 300-399 | Redirection messages | 301 Moved Permanently, 307 Temporary Redirect |
| 400-499 | Client error | 400 Bad Request, 404 Not Found |
| 500-599 | Server error | 500 Internal Server Error, 501 Not Implemented |
Several other validations are done while testing APIs. For example, API header validations are required when we are dealing with authentication requests, and JSON schema validation and JSON body validation are done for sanity testing.
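The following is an added example, not code from the original article: a small in-memory REST service exposed as a WSGI app, and an in-process test client that exercises the CRUD methods and status codes listed above and performs the header, JSON schema and JSON body validations just described. The `/items` resource, the `X-Api-Key` header value and the sample payloads are constructed for the demo; the client drives the app directly without opening a socket, so it runs offline.

```python
import json
from io import BytesIO
from wsgiref.util import setup_testing_defaults

API_KEY = "test-key-123"     # constructed credential for the demo service
ITEMS = {}                   # in-memory store: id -> item dict
STATE = {"next_id": 1}
ITEM_SCHEMA = {"id": int, "name": str}   # expected shape of an item response


def _json(status, body=None):
    """Build a (status line, headers, bytes) triple with a JSON body."""
    data = json.dumps(body).encode() if body is not None else b""
    headers = [("Content-Type", "application/json"),
               ("Content-Length", str(len(data)))]
    return status, headers, data


def _route(path):
    """Map /items -> ('collection', None) and /items/<n> -> ('item', n)."""
    parts = path.strip("/").split("/")
    if parts == ["items"]:
        return "collection", None
    if len(parts) == 2 and parts[0] == "items" and parts[1].isdigit():
        return "item", int(parts[1])
    return None, None


def handle(method, path, headers, body):
    """CRUD logic of the demo service; returns (status, headers, bytes)."""
    if headers.get("X-Api-Key") != API_KEY:          # header check comes first
        return _json("401 Unauthorized", {"error": "missing or invalid API key"})
    kind, item_id = _route(path)
    if kind == "collection" and method == "POST":
        if not isinstance(body, dict) or "name" not in body:
            return _json("400 Bad Request", {"error": "name is required"})
        item_id, STATE["next_id"] = STATE["next_id"], STATE["next_id"] + 1
        ITEMS[item_id] = {"id": item_id, "name": body["name"]}
        return _json("201 Created", ITEMS[item_id])
    if kind == "collection" and method == "GET":
        return _json("200 OK", list(ITEMS.values()))
    if kind == "item" and item_id in ITEMS:
        if method == "GET":
            return _json("200 OK", ITEMS[item_id])
        if method == "PUT":
            if not isinstance(body, dict) or "name" not in body:
                return _json("400 Bad Request", {"error": "name is required"})
            ITEMS[item_id]["name"] = body["name"]
            return _json("200 OK", ITEMS[item_id])
        if method == "DELETE":
            del ITEMS[item_id]
            return _json("204 No Content")
    return _json("404 Not Found", {"error": "not found"})


def app(environ, start_response):
    """WSGI entry point, the same shape a Flask or Django app exposes."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    raw = environ["wsgi.input"].read(length) if length else b""
    try:
        body = json.loads(raw) if raw else None
    except ValueError:
        body = None                      # malformed JSON is treated as no body
    headers = {"X-Api-Key": environ.get("HTTP_X_API_KEY")}
    status, resp_headers, data = handle(environ["REQUEST_METHOD"],
                                        environ["PATH_INFO"], headers, body)
    start_response(status, resp_headers)
    return [data]


def call(method, path, body=None, api_key=API_KEY):
    """In-process test client; returns (status code, header dict, parsed JSON or None)."""
    environ = {}
    setup_testing_defaults(environ)
    data = json.dumps(body).encode() if body is not None else b""
    environ.update({"REQUEST_METHOD": method, "PATH_INFO": path,
                    "CONTENT_TYPE": "application/json",
                    "CONTENT_LENGTH": str(len(data)), "wsgi.input": BytesIO(data)})
    if api_key is not None:
        environ["HTTP_X_API_KEY"] = api_key
    captured = {}

    def start_response(status, headers):
        captured["status"] = int(status.split()[0])
        captured["headers"] = dict(headers)

    raw = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], (json.loads(raw) if raw else None)


def matches_schema(obj, schema=ITEM_SCHEMA):
    """Minimal JSON schema validation: exact key set and value types."""
    return (isinstance(obj, dict) and set(obj) == set(schema)
            and all(isinstance(obj[k], t) for k, t in schema.items()))


def run_crud_checks():
    """Full CRUD round trip plus negative cases; returns {step: status code}."""
    ITEMS.clear()
    STATE["next_id"] = 1
    seen = {}
    status, hdrs, body = call("POST", "/items", {"name": "widget"})
    seen["create"] = status
    assert hdrs["Content-Type"] == "application/json"   # header validation
    assert matches_schema(body)                           # JSON schema validation
    item_path = f"/items/{body['id']}"
    seen["read"] = call("GET", item_path)[0]
    status, _, body = call("PUT", item_path, {"name": "gadget"})
    seen["update"] = status
    assert body["name"] == "gadget"                       # JSON body validation
    seen["delete"] = call("DELETE", item_path)[0]
    seen["read_after_delete"] = call("GET", item_path)[0]
    seen["bad_body"] = call("POST", "/items", {"price": 3})[0]
    seen["no_key"] = call("GET", "/items", api_key=None)[0]
    return seen
```

Calling `run_crud_checks()` walks one resource through POST (201), GET (200), PUT (200), DELETE (204) and a GET after deletion (404), then checks the two negative paths a tester should never skip: a body missing a required field (400) and a request with no API key (401). Separating `handle()` from the WSGI wrapper keeps the status-code logic testable on its own, which is the same reason real services put their routing behind a thin transport layer.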
Rest API Authentication Methods:
Bearer authentication
The term bearer authentication refers to the process of giving access to whoever bears the token. The bearer token is typically an encrypted string of characters that the server generates in response to a login request. The client sends the token in the request headers to access resources.
API keys
API keys are another option for REST API authentication. In this approach, the server assigns a unique generated value to a first-time client. Whenever the client tries to access resources, it presents this unique API key to identify itself. API keys are less secure because the client has to transmit the key, which makes it vulnerable to theft on the network.
OAuth
OAuth has two layers of security. It combines passwords and tokens for highly secure login access to any system. The server first requests a password and then asks for an additional token to complete the authorization process. It can check the token at any time, and repeatedly over time, against a specific scope and lifetime.
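As an added example (not from the original article), here is how a resource server can check a bearer token against "a specific scope and lifetime" as described above, and what status an API test should expect for each outcome. The token layout (a signed JSON payload carrying subject, scopes and expiry), the signing key and the scope names are constructed for the demo; production systems would normally use a standard format such as JWT or an opaque token validated by the issuer.

```python
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"demo-signing-key-change-me"   # constructed; real keys stay out of source


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, scopes, ttl_seconds, now=None):
    """Mint 'payload.signature'; payload carries subject, sorted scopes and expiry."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "scope": sorted(scopes), "exp": now + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def check_token(token, required_scope, now=None):
    """Validate signature, then expiry, then scope. Returns (ok, reason, claims)."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return False, "malformed", None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return False, "bad signature", None
    claims = json.loads(payload)
    if claims["exp"] <= now:                     # lifetime check
        return False, "expired", claims
    if required_scope not in claims["scope"]:    # scope check
        return False, "insufficient scope", claims
    return True, "ok", claims


def authorize_request(headers, required_scope, now=None):
    """Read the Authorization header and return the HTTP status an API test
    should expect: 200 (allowed), 401 (no usable token) or 403 (wrong scope)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401
    ok, reason, _ = check_token(token, required_scope, now)
    if ok:
        return 200
    return 403 if reason == "insufficient scope" else 401
```

The order of checks matters: the signature is verified before any claim is trusted, so a tampered payload is rejected without ever being parsed for scope or expiry. An API test for this endpoint would cover all four outcomes: a valid token with the right scope (200), a valid token with the wrong scope (403), an expired or forged token (401), and a missing or non-bearer `Authorization` header (401).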
Why API testing is important?
With API testing we can start testing at an early stage of the SDLC and reduce the defects found in later stages.
As more and more of the services we use every day rely on hundreds of interconnected APIs, API testing is expected to grow in order to assure that these APIs and the software they connect work as intended.
Multiple Automation tools and techniques are available.
Cross platform testing becomes more streamlined.
API response time can be measured easily, which helps in performance testing as well as performance improvement.
API testing saves time and a lot of manual effort in complex applications.
In conclusion, API testing is a very important and useful technique for quality assurance. We'll explore more about APIs in the next blogs. Happy learning!