The Ultimate API Guide for Quality Assurance Testers

Posted in Platforms, Security | J Simpson | November 14, 2024

APIs have become an integral part of quality assurance as a conduit for data and constant connectivity. APIs can be truly transformative for quality assurance testers but are not without complications. There's a bit of a learning curve to using APIs effectively — and safely — in your QA testing. That's why we've compiled this guide to APIs for QA testers and site reliability engineers. We're going to take you through the basics and then share some best practices for API testing.

What are APIs?

API stands for application programming interface. APIs allow different software, applications, or resources to interact with one another. Anytime an app sends a request or receives a query, an API is most likely responsible. APIs typically adhere to a standardized format known as an API specification. This standardization plays an important part in automated processes, which is where APIs come into play for QA engineers.

What is API Testing?

API testing is the process of testing an API to make sure it fulfills its expected functionality. API testing assesses security, performance, and reliability. API testing can also check the API integration, verifying that an API can interact with a particular resource or piece of software properly. API testing generally simulates a series of requests to an API's endpoints to ensure it behaves how it's supposed to.

API testing is common in DevOps, allowing developers to test different components before the UI is finalized. Many bad API requests that don't return relevant results never surface in the UI layer, either. API testing lets QA testers detect flaws they might otherwise miss if relying on a UI. It also allows them to make requests that might not be possible using a UI, which is vital for API security.
API testing is especially important for enterprises using a microservices environment, as APIs are the infrastructure that connects one service to another. Perhaps most importantly, API testing is essential for agile development. When practicing agile development, many developers and engineers prefer API testing over GUI testing as it's faster and easier to maintain and implement.

What to Look for in an API Test

Like any good test, API testing requires clearly defined goals to work properly. Ideally, the quality assurance engineer should also understand how an API is supposed to behave so they can detect when anomalies occur. Here are some questions a QA tester should consider before API testing:

- What does this API do?
- How should this API behave?
- What API endpoints can be tested?
- What error codes are expected for anticipated errors?
- What error message should be delivered in the body of an unsuccessful request?
- What API testing tools should be used?

Once they know what they're looking for, QA engineers can start writing code to apply various testing techniques. Once the tests are written, they can be assessed for:

- Response time
- Data quality
- Authorization verification
- HTTP status codes
- Error codes

API testing can be performed on endpoints, UI, and databases. Quality assurance engineers should establish a baseline of expected behavior before beginning the API testing process in earnest, as this gives them something to compare the actual results against.

Examples of API Testing

API testing comes in many different shapes and sizes. These can largely be broken down into three main categories: functional testing, performance testing, and security testing.

API Functional Testing

One example of functional API testing is calling an endpoint that's known to be working and making sure that a 200 OK HTTP status is returned.
For example, when you query the OpenLibrary Author Search API for Stephen King with the following request:

https://openlibrary.org/search/authors.json?q=Stephen%20King

You get a 200 OK response, as the request is formatted correctly, and the OpenLibrary API doesn't require authorization.

Another functional test could be attempting to access an API with unverified credentials to ensure unauthorized access isn't possible. This API test also reveals what is returned, so QA testers can verify that no sensitive information is leaked. For example, the Rijksmuseum in the Netherlands allows users to search its online collection, but an API key is required to complete a query. When you make the following request to see all of the works of Rembrandt van Rijn using the proper credentials, you should get a 200 OK HTTP response. Alternatively, when you input an unauthorized API key, you should receive a 401 Unauthorized error.

https://www.rijksmuseum.nl/api/nl/collection?key=[api-key]&involvedMaker=Rembrandt+van+Rijn

Functional testing can also assess whether pagination and rate limiting are behaving the way they should, or how an API behaves when improperly formatted data is submitted. Quality assurance engineers can also test whether an API supports the various CRUD operations. For example, an API test for pagination could check that page limits are being adhered to and that results don't exceed the scope of the query.

To use the Rijksmuseum API as an example again, we know that the Dutch art museum has nearly 12000 objects by Rembrandt van Rijn in its collection. A functional request could test that objects show up when they should. A functional API test for pagination might specify a page number and how many results are returned per page. If you intentionally go outside the scope of a resource, like this query, you should get a JSON object with an empty result set in response.
https://www.rijksmuseum.nl/api/nl/collection?key=[api-key]&involvedMaker=Rembrandt+van+Rijn&p=600&ps=20

Receiving this response indicates API pagination is working as it should.

{"elapsedMilliseconds":0,"count":0,"countFacets":{},"artObjects":[],"facets":[]}

API Performance Testing

Performance testing measures how an API behaves under load. Performance tests can measure processing time and response time, or stress-test the API to see how it behaves when hit with an unexpected surge of traffic. They also let QA testers measure latency, error response time, and even how long it takes to return a database query. Performance testing is one of the most important types of API tests for verifying a quality user experience (UX).

An example of a performance test that measures how an API behaves when given a large load might look like this. Here's an API call to retrieve every object from the Metropolitan Museum of Art collection that involves sunflowers:

https://collectionapi.metmuseum.org/public/collection/v1/search?q=sunflowers

A QA tester measuring performance might run this query to get a baseline assessment of how the API behaves and of all the objects that are returned. Then, they might modify the API call to include many filters to see how the API responds, like so:

https://collectionapi.metmuseum.org/public/collection/v1/search?q=sunflowers&foo1=bar1&foo2=bar2&foo2=bar2&foo3=bar3&foo4=bar4&foo5=bar5&foo6=bar6&foo7=bar7&foo8=bar8&foo9=bar9&foo10=bar10&foo5=bar5&foo6=bar6&foo7=bar7&foo8=bar8&foo9=bar9&foo10=bar10&foo5=bar5&foo6=bar6&foo7=bar7&foo8=bar8&foo9=bar9&foo10=bar10&foo5=bar5&foo6=bar6&foo7=bar7&foo8=bar8&foo9=bar9&foo10=bar10&foo5=bar5&foo6=bar6&foo7=bar7&foo8=bar8&foo9=bar9&foo10=bar10&foo5=bar5&foo6=bar6&foo7=bar7&foo8=bar8&foo9=bar9&foo10=bar10&foo5=bar5&foo6=bar6&foo7=bar7&foo8=bar8&foo9=bar9&foo10=bar10&foo5=bar5&foo6=bar6&foo7=bar7&foo8=bar8&foo9=bar9&foo10=bar10

Security testing is every bit as important, however, as it determines if an API is safe to use.
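The functional checks described above (a 200 with a valid key, a 401 with a bad key whose error body leaks nothing, page size respected, and an out-of-range page returning an empty result set), together with a small response-time baseline of the kind the performance section calls for, written out as a runnable test. This is an added example, not code from the original article or from the Rijksmuseum: to run offline it starts a throwaway local HTTP server that imitates a key-protected /api/nl/collection endpoint. The key, the object count, the object ids and the server's parameter handling are constructed for the example; only the parameter names (key, involvedMaker, p, ps) and the count/artObjects fields come from the URLs and response quoted above.

```python
"""Functional tests for a key-protected, paginated collection endpoint, run
against a local stand-in server so the example works offline. Added example;
the key, dataset size and object ids below are constructed."""
import json
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import urlopen

VALID_KEY = "test-key-123"   # constructed; a real key is a secret, never a literal in tests
TOTAL_OBJECTS = 11950        # constructed stand-in for "nearly 12000" Rembrandt objects


class CollectionHandler(BaseHTTPRequestHandler):
    """Mock of GET /api/nl/collection?key=...&involvedMaker=...&p=<page>&ps=<page size>."""

    def do_GET(self):
        url = urlparse(self.path)
        qs = parse_qs(url.query)
        if url.path != "/api/nl/collection":
            return self._send(404, {"error": "not found"})
        if qs.get("key", [""])[0] != VALID_KEY:
            # Reject without echoing the supplied key or any internal detail.
            return self._send(401, {"error": "unauthorized"})
        page = int(qs.get("p", ["0"])[0])
        size = min(int(qs.get("ps", ["10"])[0]), 100)   # server-side cap on page size
        start = page * size
        ids = [f"obj-{i}" for i in range(start, min(start + size, TOTAL_OBJECTS))]
        self._send(200, {"count": TOTAL_OBJECTS if ids else 0, "artObjects": ids})

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # silence per-request logging
        pass


def start_server():
    """Bind an ephemeral port, serve in a daemon thread, return (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), CollectionHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def get(base, params):
    """GET the collection endpoint; return (status, parsed body, seconds taken).
    urllib raises on 4xx/5xx, so the error body is read from the exception."""
    query = "&".join(f"{k}={v}" for k, v in params.items())
    t0 = time.perf_counter()
    try:
        with urlopen(f"{base}/api/nl/collection?{query}") as resp:
            status, raw = resp.status, resp.read()
    except HTTPError as err:
        status, raw = err.code, err.read()
    return status, json.loads(raw), time.perf_counter() - t0


def run_functional_tests(base):
    """Return {check name: outcome}; booleans are pass/fail, the *_ms entries are a baseline."""
    results = {}
    maker = {"involvedMaker": "Rembrandt+van+Rijn"}
    status, body, _ = get(base, {"key": VALID_KEY, **maker})
    results["valid_key_200"] = status == 200 and body["count"] == TOTAL_OBJECTS
    status, body, _ = get(base, {"key": "wrong-key", **maker})
    results["bad_key_401"] = status == 401
    # The error body must not echo the key or carry anything beyond the error itself.
    results["no_leak_on_401"] = "wrong-key" not in json.dumps(body) and set(body) == {"error"}
    status, body, _ = get(base, {"key": VALID_KEY, "p": 2, "ps": 20})
    results["page_size_respected"] = status == 200 and len(body["artObjects"]) == 20
    results["page_offset_correct"] = body["artObjects"][0] == "obj-40"
    status, body, _ = get(base, {"key": VALID_KEY, "p": 600, "ps": 20})
    results["out_of_range_empty"] = status == 200 and body == {"count": 0, "artObjects": []}
    # Performance baseline: median and worst latency over a short burst of requests.
    samples = sorted(get(base, {"key": VALID_KEY, "ps": 20})[2] for _ in range(20))
    results["p50_ms"] = round(samples[len(samples) // 2] * 1000, 2)
    results["max_ms"] = round(samples[-1] * 1000, 2)
    return results


def main():
    server, base = start_server()
    try:
        for name, value in run_functional_tests(base).items():
            print(f"{name:22} {value}")
    finally:
        server.shutdown()


if __name__ == "__main__":
    main()
```

Against a real deployment you would drop the mock server, point base at the staging host, and read the key from the environment; the checks themselves stay the same, and the latency numbers recorded on the first run become the baseline later runs are compared against.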
API Security Testing

Some common API security tests include authorization verification, authentication verification, and token security checks to ensure that unauthorized users aren't able to access the API. Security testing also lets QA testers emulate common attacks like SQL injection, and make sure that no sensitive data is being exposed and that no unintended cross-origin resource sharing (CORS) is possible.

API security testing can be more complicated, as it often involves running a suite of tests. To get a feel for running your own security tests, you might start with the Common API Vulnerabilities template from Postman, which can give you some ideas to model your own API tests after.

When we assessed Icons8, a public API that searches for icons for web design, for vulnerabilities, five of the tests passed, returning the following results:

PASS checks vulnerability with basic origin reflection
PASS checks vulnerability with trusted null origin
PASS checks vulnerability with trusted insecure protocols
PASS checks for response with valid access token

Eight vulnerabilities were unearthed, however, as indicated by the following failed assertions:

FAIL checks for Content-Security-Policy header | AssertionError: expected undefined to not equal undefined
FAIL checks for X-Frame-Options header | AssertionError: expected '' to equal 'DENY'
FAIL checks for Strict-Transport-Security header | AssertionError: expected '' to include 'max-age'
FAIL checks for X-XSS-Protection header | AssertionError: expected undefined to not equal undefined
FAIL checks for response with expired access token | AssertionError: expected 200 to be one of [ 401, 403 ]
FAIL checks for response without access token | AssertionError: expected 200 to be one of [ 401, 403 ]

Tools for API Testing

QA testers can either write their own code to test an API or use an existing API testing tool. Postman is a popular choice for API testing, as so many API developers make their APIs available for the platform.
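The header, token and CORS checks that the Postman template reports above, rewritten as plain Python functions a QA team could run over responses it has already captured. This is an added example, not the template's code or anything from Icons8: the assertions mirror the expectations visible in the PASS/FAIL lines (CSP present, X-Frame-Options equal to DENY, HSTS including max-age, X-XSS-Protection present, non-valid tokens answered with 401 or 403, no origin reflection, trusted null origin or insecure-protocol origin). The two sample responses are constructed, one failing the way the run above did and one after remediation, and audit(), PROBE_ORIGIN and the sample names are chosen here.

```python
"""Security checks modelled on the Postman 'Common API Vulnerabilities' findings
quoted in the text, as plain functions over already-captured responses.
Added example; the two sample responses are constructed."""

# Header name -> predicate the value must satisfy (mirrors the template's assertions).
REQUIRED_HEADERS = {
    "Content-Security-Policy": lambda v: bool(v.strip()),
    "X-Frame-Options": lambda v: v.strip().upper() == "DENY",
    "Strict-Transport-Security": lambda v: "max-age" in v.lower(),
    "X-XSS-Protection": lambda v: True,   # the template only checks that it is present
}


def check_security_headers(headers):
    """Return FAIL findings for missing or weak headers (names compared case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in REQUIRED_HEADERS.items():
        value = lower.get(name.lower())
        if value is None or not ok(value):
            findings.append(f"FAIL checks for {name} header (got {value!r})")
    return findings


def check_token_handling(statuses):
    """statuses maps a token scenario -> HTTP status the API returned.
    A valid token must get 200; expired, missing or malformed tokens must get 401/403."""
    findings = []
    if statuses.get("valid") != 200:
        findings.append(f"FAIL checks for response with valid access token (got {statuses.get('valid')})")
    for scenario in ("expired", "missing", "malformed"):
        status = statuses.get(scenario)
        if status not in (401, 403):
            findings.append(f"FAIL checks for response with {scenario} access token: "
                            f"expected {status} to be one of [401, 403]")
    return findings


def check_cors(origin_sent, acao, acac):
    """origin_sent is a probe Origin that is NOT one of the API's legitimate front ends;
    acao/acac are the Access-Control-Allow-Origin / -Credentials headers that came back."""
    if acao is None:
        return []   # no cross-origin grant at all, nothing to flag
    findings = []
    creds = (acac or "").strip().lower() == "true"
    if acao == origin_sent:
        findings.append(f"FAIL checks vulnerability with basic origin reflection "
                        f"(echoed {origin_sent!r}, credentials={creds})")
    if acao == "null":
        findings.append("FAIL checks vulnerability with trusted null origin")
    if acao.startswith("http://"):
        findings.append("FAIL checks vulnerability with trusted insecure protocols")
    if acao == "*" and creds:
        findings.append("FAIL wildcard origin combined with Access-Control-Allow-Credentials")
    return findings


def audit(sample):
    """Run all three check groups over one captured sample; an empty list means all passed."""
    return (check_security_headers(sample["headers"])
            + check_token_handling(sample["token_statuses"])
            + check_cors(**sample["cors"]))


PROBE_ORIGIN = "https://not-our-site.example"   # constructed; deliberately not an allowed origin

# Constructed sample: no hardening headers, every token scenario answered 200, origin reflected.
WEAK_SAMPLE = {
    "headers": {"Content-Type": "application/json", "X-Frame-Options": ""},
    "token_statuses": {"valid": 200, "expired": 200, "missing": 200, "malformed": 200},
    "cors": {"origin_sent": PROBE_ORIGIN, "acao": PROBE_ORIGIN, "acac": "true"},
}

# Constructed sample: the same API after remediation.
HARDENED_SAMPLE = {
    "headers": {
        "Content-Type": "application/json",
        "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-XSS-Protection": "0",   # current guidance is to switch the legacy filter off
    },
    "token_statuses": {"valid": 200, "expired": 401, "missing": 401, "malformed": 401},
    "cors": {"origin_sent": PROBE_ORIGIN, "acao": None, "acac": None},
}

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        findings = audit(sample)
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  " + line)
```

Feeding audit() the headers and status codes of real captured responses turns the template's one-off report into a regression check that can run in CI on every build, so a header that is removed or a token check that is accidentally loosened fails the pipeline instead of going unnoticed.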
It's easy to use, too, thanks to a slick GUI that makes it more accessible to users with less of a technical background. It then configures all of a user's HTTP requests with the variables input by the user, which can get quite unwieldy at times. Postman's ability to create collections is also useful for API testing, as bundling related services is considered a best practice for API testing. Finally, Postman can be used in automated API testing, which is incredibly useful for maximizing productivity. Postman can even be configured to deliver an email when the API testing is complete, allowing QA testers to simply set up their tests and then move on to other, more pressing tasks.

Apigee is a good pick for QA testers wanting to measure API performance, as it has a detailed, customizable dashboard. It can also create customized reports, allowing quality assurance testers to document in detail what they're measuring.

Apache's JMeter has become popular for functional testing. It features native support for CSV files, letting QA engineers work as quickly and efficiently as possible. It also integrates easily with third-party applications, making it easy to incorporate into CI pipelines.

API Best Practices for Quality Assurance Testers

Let's finish up by sharing some best practices for API testing so quality assurance testers can get the most out of their efforts.

To start, QA testers should do their best to thoroughly understand the API documentation before they begin API testing in earnest. As we mentioned earlier, it helps to understand how an API should behave in order to know whether it's performing how it should.

Next, run API tests for as many scenarios as you can think of. You should run tests that are configured correctly to make sure the API is behaving the way it should. Then, create tests with intentional errors to see how the API responds. Try to come up with edge cases as well, and prepare for as many scenarios as possible.
QA testers should also try to automate API testing whenever possible, as it frees them up to do more meaningful work. APIs should be tested during different stages of the development process, as well, to make sure that they remain secure and perform properly across all phases of the API lifecycle.

Final Thoughts on APIs for Quality Assurance Testers

APIs aren't going anywhere. API adoption has been trending upward for years. Microservices, API-first, and cloud-native are all popular development trends in 2024, as well. Considering the importance of APIs in DevOps and agile development, it's a safe bet that they will be a part of the development landscape for the foreseeable future.

Quality assurance testers who are serious about mastering their craft and delivering their best work as efficiently as possible should make every effort to master API testing. Hopefully, our API guide for QA testers will help you do just that!