API testing

Last updated November 07, 2023

API testing is a type of software testing that involves testing application programming interfaces (APIs) directly and as part of integration testing to determine if they meet expectations for functionality, reliability, performance, and security.^[1] Since APIs lack a GUI, API testing is performed at the message layer.^[2] API testing is now considered critical for automating testing because APIs now serve as the primary interface to application logic and because GUI tests are difficult to maintain with the short release cycles and frequent changes commonly used with Agile software development and DevOps.^[3]^[4]

API testing overview

API testing involves testing APIs directly (in isolation) and as part of the end-to-end transactions exercised during integration testing.^[1] Beyond RESTful APIs, these transactions include multiple types of endpoints such as web services, ESBs, databases, mainframes, web UIs, and ERPs. API testing is performed on APIs that the development team produces as well as APIs that the team consumes within their application (including third-party APIs).^[5]

API testing is used to determine whether APIs return the correct response (in the expected format) for a broad range of feasible requests, react properly to edge cases such as failures and unexpected/extreme inputs, deliver responses in an acceptable amount of time, and respond securely to potential security attacks.^[1]^[4] Service virtualization is used in conjunction with API testing to isolate the services under test as well as expand test environment access by simulating APIs/services that are not accessible for testing.^[6]

API testing commonly includes testing REST APIs or SOAP web services with JSON or XML message payloads being sent over HTTP, HTTPS, JMS, and MQ.^[2]^[7] It can also include message formats such as SWIFT, FIX, EDI and similar fixed-length formats, CSV, ISO 8583 and Protocol Buffers being sent over transports/protocols such as TCP/IP, ISO 8583, MQTT, FIX, RMI, SMTP, TIBCO Rendezvous, and FIX.^[8]^[9]

API testing, GUI testing, and test automation

API Testing is recognised as being more suitable for [test automation] and [continuous testing] (especially the automation used with [Agile software development] and [DevOps]) than GUI testing.^[3]^[4] Reasons cited include:

System complexity: GUI tests can't sufficiently verify functional paths and back-end APIs/services associated with multitier architectures. APIs are considered the most stable interface to the system under test.
Short release cycles with fast feedback loops: Agile and DevOps teams working with short iterations and fast feedback loops find that GUI tests require considerable rework to keep pace with frequent change. Tests at the API layer are less brittle and easier to maintain.

For these reasons, it is recommended that teams increase their level of API testing while decreasing their reliance on GUI testing. API testing is recommended for the vast majority of test automation efforts and as much edge testing as possible. GUI testing is then reserved for validating typical use cases at the system level, mobile testing, and usability testing.^[3]^[4]^[10]

Types of API testing

There are several types of tests that can be performed on APIs. Some of these include smoke testing, functional testing, security testing, penetration testing, and validation testing.

Artificial intelligence (AI) used in API testing improves the efficiency and accuracy of the testing process. It can automatically generate test cases, identify potential issues, and analyze test results through machine learning to identify patterns and anomalies.^[11]
Smoke test - This is a preliminary test that checks if the most crucial functions of an API are working correctly and identifies any major issues before further testing.
Functional testing - This type of testing validates a software system against its functional requirements by providing input and verifying the output. It mainly involves black box testing and is not concerned with the source code.
Black box testing - This is a type of testing where the tester interacts with the API without knowing its internal workings. The tester provides input and observes the output generated by the API to identify how it responds to expected and unexpected user actions.
Unit testing - This tests the smallest parts of an application, called units, for proper operation. In API testing, this includes testing single endpoints with a single request.
Interoperability testing - This test checks if an API can interact with other software components and systems without compatibility issues. This applies to SOAP APIs.
Reliability testing - This tests APIs to determine if they meet expectations for functionality, reliability, performance, and security. It aims to ensure that the API consistently performs as expected.
Validation testing - This confirms the software matches business requirements and if API tests match expected results. It is closely related to User Acceptance Testing.
Runtime error detection - This evaluates the actual running of an API and focuses on monitoring, execution errors, resource leaks, and error detection. Detected errors are fixed to prevent runtime breakdowns.
Fuzzing - This test transmits random, invalid or unexpected input to an API to find unknown bugs and defects. An API fuzzer generates test inputs and request sequences to the API and records the response to see if any bugs or security vulnerabilities are uncovered.
Load test - This type of testing simulates real-world workloads to see how a system or application performs. The goal is to find bottlenecks and determine the maximum number of users or transactions the system can handle.
Performance testing - This type of testing evaluates how an API performs under certain conditions to assess the API's ability to handle high loads and maintain high-performance levels. There are two main types of API performance testing: functional testing and load testing.
Security Testing - This checks for vulnerabilities in APIs to find and fix security gaps. It involves mimicking hacker actions to find bugs and prevent attackers from accessing or disrupting the API or its data.
Penetration Testing - Ethical hacking is used to assess the security of an API design. An external pentester finds vulnerabilities in API integrations due to incorrect business logic or programming issues to identify security vulnerabilities that attackers could exploit.
WS-* compliance testing - This testing applies to SOAP APIs and ensures proper implementation of standards such as WS-Addressing, WS-Discovery, WS-Federation, WS-Policy, WS-Security, and WS-Trust.
Web UI testing - Checks if the visual elements of a web application's user interface work correctly and are user-friendly. It is different from API testing, which tests the communication between software components.

Software

Name	Vendor
SoapSonar	Crosscheck Networks
SoapUI	SmartBear Software
Postman API Platform	Postman (software)
SOAtest	Parasoft
Swagger	SmartBear Software
Katalon Studio	Katalon
Step CI	Step CI
Insomnia REST	Kong Inc.

Related Research Articles

Software testing is the act of examining the artifacts and the behavior of the software under test by validation and verification. Software testing can also provide an objective, independent view of the software to allow the business to appreciate and understand the risks of software implementation. Test techniques include, but are not necessarily limited to:

In software testing, test automation is the use of software separate from the software being tested to control the execution of tests and the comparison of actual outcomes with predicted outcomes. Test automation can automate some repetitive but necessary tasks in a formalized testing process already in place, or perform additional testing that would be difficult to do manually. Test automation is critical for continuous delivery and continuous testing.

The Open Worldwide Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. The OWASP provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2021 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations.

User interface (UI) design or user interface engineering is the design of user interfaces for machines and software, such as computers, home appliances, mobile devices, and other electronic devices, with the focus on maximizing usability and the user experience. In computer or software design, user interface (UI) design primarily focuses on information architecture. It is the process of building interfaces that clearly communicates to the user what's important. UI design refers to graphical user interfaces and other forms of interface design. The goal of user interface design is to make the user's interaction as simple and efficient as possible, in terms of accomplishing user goals.

In software engineering, graphical user interface testing is the process of testing a product's graphical user interface (GUI) to ensure it meets its specifications. This is normally done through the use of a variety of test cases.

In computer science, fault injection is a testing technique for understanding how computing systems behave when stressed in unusual ways. This can be achieved using physical- or software-based means, or using a hybrid approach. Widely studied physical fault injections include the application of high voltages, extreme temperatures and electromagnetic pulses on electronic components, such as computer memory and central processing units. By exposing components to conditions beyond their intended operating limits, computing systems can be coerced into mis-executing instructions and corrupting critical data.

Ranorex Studio is a GUI test automation framework provided by Ranorex GmbH, a software development company. The framework is used for the testing of desktop, web-based and mobile applications.

In software development, the V-model represents a development process that may be considered an extension of the waterfall model, and is an example of the more general V-model. Instead of moving down in a linear way, the process steps are bent upwards after the coding phase, to form the typical V shape. The V-Model demonstrates the relationships between each phase of the development life cycle and its associated phase of testing. The horizontal and vertical axes represent time or project completeness (left-to-right) and level of abstraction, respectively.

<span class="mw-page-title-main">Micro Focus Unified Functional Testing</span>

Micro Focus Unified Functional Testing (UFT), formerly known as QuickTest Professional (QTP), is software that provides functional and regression test automation for software applications and environments.

Web testing is software testing that focuses on web applications. Complete testing of a web-based system before going live can help address issues before the system is revealed to the public. Issues may include the security of the web application, the basic functionality of the site, its accessibility to disabled and fully able users, its ability to adapt to the multitude of desktops, devices, and operating systems, as well as readiness for expected traffic and number of users and the ability to survive a massive spike in user traffic, both of which are related to load testing.

TestPartner is a GUI software testing tool from Micro Focus that is intended to enable software development project teams to functionally automate and test application Graphical User Interfaces, with the goal of being able to accomplish more application testing in a given amount of time than could be performed manually. On 6 May 2009, Micro Focus announced the purchase of the Quality Solutions part of Compuware which included TestPartner. Borland acquired the rights and support of TestPartner as Silk Test Partner, but the product has been discontinued in favor of Silk Test and will continue to provide support only.

Parasoft SOAtest is a testing and analysis tool suite for testing and validating APIs and API-driven applications. Basic testing functionality include functional unit testing, integration testing, regression testing, system testing, security testing, simulation and mocking, runtime error detection, web UI testing, interoperability testing, WS-* compliance testing, and load testing.

Parasoft is an independent software vendor specializing in automated software testing and application security with headquarters in Monrovia, California. It was founded in 1987 by four graduates of the California Institute of Technology who planned to commercialize the parallel computing software tools they had been working on for the Caltech Cosmic Cube, which was the first working hypercube computer built.

DevOps is a methodology in the software development and IT industry. Used as a set of practices and tools, DevOps integrates and automates the work of software development (Dev) and IT operations (Ops) as a means for improving and shortening the systems development life cycle.

Continuous testing is the process of executing automated tests as part of the software delivery pipeline to obtain immediate feedback on the business risks associated with a software release candidate. Continuous testing was originally proposed as a way of reducing waiting time for feedback to developers by introducing development environment-triggered tests as well as more traditional developer/tester-triggered tests.

Parasoft C/C++test is an integrated set of tools for testing C and C++ source code that software developers use to analyze, test, find defects, and measure the quality and security of their applications. It supports software development practices that are part of development testing, including static code analysis, dynamic code analysis, unit test case generation and execution, code coverage analysis, regression testing, runtime error detection, requirements traceability, and code review. It's a commercial tool that supports operation on Linux, Windows, and Solaris platforms as well as support for on-target embedded testing and cross compilers.

<span class="mw-page-title-main">DevOps toolchain</span> DevOps toolchain release package.

A DevOps toolchain is a set or combination of tools that aid in the delivery, development, and management of software applications throughout the systems development life cycle, as coordinated by an organisation that uses DevOps practices.

This article discusses a set of tactics useful in software testing. It is intended as a comprehensive list of tactical approaches to Software Quality Assurance (more widely colloquially known as Quality Assurance and general application of the test method.

Katalon Platform is an automation testing software tool developed by Katalon, Inc. The software is built on top of the open-source automation frameworks Selenium, Appium with a specialized IDE interface for web, API, mobile and desktop application testing. Its initial release for internal use was in January 2015. Its first public release was in September 2016. In 2018, the software acquired 9% of market penetration for UI test automation, according to The State of Testing 2018 Report by SmartBear.

No-code development platforms (NCDPs) allow creating application software through graphical user interfaces and configuration instead of traditional computer programming. No-code development platforms are closely related to low-code development platforms as both are designed to expedite the application development process. However, unlike low-code, no-code development platforms require no code writing at all, generally offering prebuilt templates that businesses can build apps with. These platforms have both increased in popularity as companies deal with the parallel trends of an increasingly mobile workforce and a limited supply of competent software developers.

References

1 2 3 Testing APIs protects applications and reputations, by Amy Reichert, SearchSoftwareQuality March 2015
1 2 All About API Testing: An Interview with Jonathan Cooper, by Cameron Philipp-Edmonds, Stickyminds August 19, 2014
1 2 3 The Forrester Wave Evaluation Of Functional Test Automation (FTA) Is Out And It's All About Going Beyond GUI Testing Archived 2015-05-28 at the Wayback Machine , by Diego Lo Giudice, Forrester April 23, 2015
1 2 3 4 Produce Better Software by Using a Layered Testing Strategy ^{[ dead link ]}, by SEAN Kenefick, Gartner January 7, 2014
↑ Onus for third-party APIs is on enterprise developers Archived 2019-07-31 at the Wayback Machine , by Amy Reichert, SearchSoftwareQuality July 2014
↑ Accelerate Development with Automated Testing ^{[ dead link ]}, by Nathan Wilson, Gartner December 30, 2013
↑ A Guidance Framework for Designing a Great Web API ^{[ dead link ]}, by Eric Knipp and Gary Olliffe , Gartner August 20, 2014
↑ The Fight Against Brittle Scripts and Software Defects, by Adrian Bridgwater, Dr. Dobb's Journal October 26, 2011
↑ How Do We Learn Composite App Testing-Speak?, by Adrian Bridgwater, Dr. Dobb's Journal February 14, 2012
↑ Cohn, Mike (2009). Succeeding with Agile: Software Development Using Scrum . Addison-Wesley Professional. p. 312. ISBN 978-0321579362.
↑ J. Gao, C. Tao, D. Jie ĺ, S. Lu (2019). What is AI Software Testing? and Why. IEEE.{{cite book}}: CS1 maint: multiple names: authors list (link)

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[reichart1-1] 1 2 3 Testing APIs protects applications and reputations, by Amy Reichert, SearchSoftwareQuality March 2015

[stickyminds-2] 1 2 All About API Testing: An Interview with Jonathan Cooper, by Cameron Philipp-Edmonds, Stickyminds August 19, 2014

[forrblog-3] 1 2 3 The Forrester Wave Evaluation Of Functional Test Automation (FTA) Is Out And It's All About Going Beyond GUI Testing Archived 2015-05-28 at the Wayback Machine , by Diego Lo Giudice, Forrester April 23, 2015

[layers-4] 1 2 3 4 Produce Better Software by Using a Layered Testing Strategy ^{[ dead link ]}, by SEAN Kenefick, Gartner January 7, 2014

[reichart2-5] Onus for third-party APIs is on enterprise developers Archived 2019-07-31 at the Wayback Machine , by Amy Reichert, SearchSoftwareQuality July 2014

[accelerate-6] Accelerate Development with Automated Testing ^{[ dead link ]}, by Nathan Wilson, Gartner December 30, 2013

[guidance-7] A Guidance Framework for Designing a Great Web API ^{[ dead link ]}, by Eric Knipp and Gary Olliffe , Gartner August 20, 2014

[8] The Fight Against Brittle Scripts and Software Defects, by Adrian Bridgwater, Dr. Dobb's Journal October 26, 2011

[9] How Do We Learn Composite App Testing-Speak?, by Adrian Bridgwater, Dr. Dobb's Journal February 14, 2012

[cohn-10] Cohn, Mike (2009). Succeeding with Agile: Software Development Using Scrum . Addison-Wesley Professional. p. 312. ISBN 978-0321579362.

[11] J. Gao, C. Tao, D. Jie ĺ, S. Lu (2019). What is AI Software Testing? and Why. IEEE.{{cite book}}: CS1 maint: multiple names: authors list (link)

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

v t e Software testing
The "box" approach	Black-box testing All-pairs testing Exploratory testing Fuzz testing Model-based testing Scenario testing Grey-box testing White-box testing API testing Mutation testing Static testing
Testing levels	Acceptance testing Integration testing System testing Unit testing
Testing types, techniques, and tactics	A/B testing Benchmark Compatibility testing Concolic testing Concurrent testing Conformance testing Continuous testing Destructive testing Development testing Dynamic program analysis Installation testing Random testing Regression testing Security testing Smoke testing (software) Software performance testing Symbolic execution Test automation Usability testing
See also	Graphical user interface testing Manual testing Orthogonal array testing Pair testing Soak testing Software reliability testing Stress testing Web testing