We previously discussed the theoretical concepts of API testing; this part covers practical API testing with Postman by performing POST, GET, PUT, and DELETE requests.
What are API Functional tests?
- Positive Testing: Using valid data as input
- Negative Testing: Using invalid data as input
What are API security tests?
- Security testing: a process that involves inspecting an API to ensure its security.
- Fuzz testing: an automated software testing method that injects invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities
- Penetration testing: a security assessment carried out by a penetration tester to validate that the APIs in scope are appropriately secured.
What are API performance tests?
- Load Testing: assesses an API's performance under varied load conditions.
- Soak Testing: checks how an application handles a growing number of users.
- Stress Testing: finds the maximum number of users the server can support by imposing severe request load on it.
- Scalability Testing: non-functional testing that evaluates how your software, application, or website performs under load.
- Spike Testing: a type of performance testing in which an application receives a sudden and extreme increase or decrease in load.
What are API integration and reliability tests?
- Integration testing: Application programming interfaces are tested directly and as part of integration testing to see if they match expectations regarding functionality, performance, security, and dependability.
- Reliability testing: software testing that analyses an application program interface (API) to verify that it fulfils its expected functionality, security, performance and reliability.
How to execute API testing?
Step 1: Create API testing requirements
Step 2: Establish the API test environment
Step 3: Make a trial API call
Step 4: Define the input parameters
Step 5: Create API test cases
API testing tools: top choices
What is REST API?
- An architectural style for designing web services
- Uses various formats, such as JSON or XML.
- Well-suited for modern web applications that require scalability and performance.
Different Types of REST Requests
Here are the details of each request type:
| Method | Description |
|---|---|
| GET | Fetches the status line, response body, headers, etc. |
| HEAD | Same as GET, but fetches only the status line and header section |
| POST | Performs a request using a request payload, mostly to create a record on the server |
| PUT | Manipulates/updates the resource using a request payload |
| DELETE | Deletes information relating to the target resource |
What do we test in API?
Layers of API Testing: three separate layers, the presentation (or user interface), business, and database layers, are used for modelling and manipulating data.
API Test Actions:
| Action | Details |
|---|---|
| Verify the correct HTTP status code | For example, creating a resource should return 201 CREATED, and unpermitted requests should return 403 FORBIDDEN. |
| Verify the response payload | Check for a valid JSON body and correct field names, types, and values, including those in error responses. |
| Verify the response headers | HTTP server headers have implications for both security and performance. |
| Verify the correct application state | Optional; applies mainly to manual testing, or when a UI or another interface can be quickly inspected. |
| Verify basic performance sanity | The test fails if an operation completed successfully but took an unreasonable time. |
API Test Scenario Categories:
1. Basic positive tests (happy paths)
2. Extended positive testing with optional parameters
3. Destructive testing
4. Security, authorisation and permission tests (which are out of the scope of this post)
5. Negative testing with valid input
6. Negative testing with invalid input
What are the different HTTP request methods?
There are 9 HTTP request methods:
- GET
- PUT
- POST
- HEAD
- TRACE
- PATCH
- DELETE
- OPTIONS
- CONNECT
HTTP request methods indicate the action the client wants to perform on a given resource.
These HTTP request methods are sometimes called nouns or HTTP verbs.
01. GET: The GET method is the most common of all the request methods. It is used to retrieve the desired resource from the server. GET requests do not change the state of the server.
02. POST: The POST method is used to submit the information to the server. When submitting data, the POST method often changes the server’s state.
03. PUT: The PUT method is used whenever you need to change a resource that is already part of the resource collection.
04. PATCH: The PATCH request method is used to modify only the necessary part of a resource; unlike PUT, it does not replace the entire resource.
05. HEAD: The HEAD method asks for a response identical to that of a GET request, but the server sends the response without the body, so less data is transferred.
06. DELETE: As the name says, the DELETE request method deletes the specified resource. It requests that the origin server delete the resource identified by the Request-URI.
07. CONNECT: The CONNECT method establishes two-way communication between the client and the requested resource. It is used to ask a proxy to start an HTTP tunnel.
08. OPTIONS: The OPTIONS method describes the communication options available for the target resource. The client can specify a URL to describe the communication options available for a specific resource, or an asterisk (*) to target the server as a whole.
09. TRACE: The TRACE method is generally used for debugging. It performs a message loop-back test along the path to the target resource.
Demo API test using Postman:
Let’s practice a demo API test using Postman.
Base_Url: https://restful-booker.herokuapp.com
Booking – Create Booking
- Method: POST
- Request format: Base_Url/booking/
curl -X POST https://restful-booker.herokuapp.com/booking \
-H 'Content-Type: application/json' \
-d '{
  "firstname": "Jim",
  "lastname": "Brown",
  "totalprice": 111,
  "depositpaid": true,
  "bookingdates": {
    "checkin": "2018-01-01",
    "checkout": "2019-01-01"
  },
  "additionalneeds": "Breakfast"
}'
I. POST request without a body
Here, the server receives a POST request without a body. The server expects data in a specific format, and many API endpoints require a body to be sent with the request, so it responds with:
500 Internal Server Error. Common causes of this response include:
- Server overload: The web server is receiving too many requests and cannot handle them all
- Coding errors: There is an error in the web server’s code.
- Database errors: The web server cannot connect or communicate with the database.
- Configuration errors: The web server is not configured correctly.
II. POST request with a body
HTTP/1.1 200 OK
{
  "bookingid": 1,
  "booking": {
    "firstname": "Jim",
    "lastname": "Brown",
    "totalprice": 111,
    "depositpaid": true,
    "bookingdates": {
      "checkin": "2018-01-01",
      "checkout": "2019-01-01"
    },
    "additionalneeds": "Breakfast"
  }
}
Request Url: https://reqres.in/api/users
A 201 Created status code indicates that the request has been fulfilled and a new resource has been created, even though there was no body in the request.
Booking – Get Booking
- Method: GET
- Request Format: Base_Url/booking/id
Auth – Create Token
- Method: POST
- Request format: Base_Url/auth
Example:
{
  "username": "admin",
  "password": "password123"
}
Response:
HTTP/1.1 200 OK
{"token": "abc123"}
Booking – Update Booking
- Method: PUT
- Request Format: Base_Url/booking/id
curl -X PUT https://restful-booker.herokuapp.com/booking/1 \
-H 'Content-Type: application/json' \
-H 'Cookie: token=abc123' \
-d '{
  "firstname": "James",
  "lastname": "Brown",
  "totalprice": 111,
  "depositpaid": true,
  "bookingdates": {
    "checkin": "2018-01-01",
    "checkout": "2019-01-01"
  },
  "additionalneeds": "Breakfast"
}'
Send a PUT request without including an authentication token in the header, and you receive a 403 Forbidden status code.
If you attempt to update a resource using an incorrect ID while providing a valid authorisation token in the header, you will receive a 405 Method Not Allowed status code.
An authentication token must be included in the request header to update or delete any data. Otherwise, you will receive a 403 Forbidden status code.
Booking – Delete Booking
- Method: DELETE
- Request format: Base_Url/booking/id
Some negative responses to exercise:
1. 404 – Not Found (invalid booking ID)
2. 400 – Bad Request (invalid characters)
3. 405 – Method Not Allowed (invalid resource ID for an update or delete operation)
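The whole demo chain above (create without and with a body, get, auth, update with and without a token, delete, then the negative responses), as an added example written in Python's standard library instead of Postman; this is not the article's code. It assumes restful-booker reads the token from the `Cookie: token=...` header as shown, that a large unused id such as 999999 behaves like the invalid ids described above, and a constructed 2-second performance budget; `send` is a parameter so the same checks can run against a stub offline.

```python
import json, time
from urllib import request
from urllib.error import HTTPError
BASE_URL = "https://restful-booker.herokuapp.com"  # Base_Url used in the demo
# Payload from the Create Booking request above
BOOKING = {"firstname": "Jim", "lastname": "Brown", "totalprice": 111, "depositpaid": True,
           "bookingdates": {"checkin": "2018-01-01", "checkout": "2019-01-01"},
           "additionalneeds": "Breakfast"}

def http_send(method, path, body=None, token=None):
    """Real transport: returns (status code, parsed JSON or None, elapsed seconds)."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if token:
        headers["Cookie"] = f"token={token}"  # the demo passes the token as a cookie
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(BASE_URL + path, data=data, headers=headers, method=method)
    start = time.monotonic()
    try:
        with request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None), time.monotonic() - start
    except HTTPError as err:  # 4xx/5xx are results to assert on, not test errors
        return err.code, None, time.monotonic() - start

def run_demo(send=http_send, max_seconds=2.0):
    """Run the demo chain; return [(check name, passed)] covering each API test action."""
    results = []
    def check(name, cond): results.append((name, bool(cond)))
    status, _, _ = send("POST", "/booking")                    # I. POST without a body
    check("create without body -> 500", status == 500)
    status, created, took = send("POST", "/booking", BOOKING)  # II. POST with a body
    check("create -> 200", status == 200)
    check("create payload: int bookingid and echoed booking", isinstance(created, dict)
          and isinstance(created.get("bookingid"), int) and created.get("booking") == BOOKING)
    check("create within performance budget", took <= max_seconds)
    bid = created.get("bookingid", 0) if isinstance(created, dict) else 0
    check("get -> 200", send("GET", f"/booking/{bid}")[0] == 200)
    status, auth, _ = send("POST", "/auth", {"username": "admin", "password": "password123"})
    token = (auth or {}).get("token")
    check("auth -> 200 with token", status == 200 and isinstance(token, str))
    updated = dict(BOOKING, firstname="James")
    check("update without token -> 403", send("PUT", f"/booking/{bid}", updated)[0] == 403)
    check("update with token -> 200", send("PUT", f"/booking/{bid}", updated, token)[0] == 200)
    check("update unknown id -> 405", send("PUT", "/booking/999999", updated, token)[0] == 405)
    check("delete without token -> 403", send("DELETE", f"/booking/{bid}")[0] == 403)
    check("delete unknown id -> 405", send("DELETE", "/booking/999999", token=token)[0] == 405)
    check("delete with token -> 2xx", 200 <= send("DELETE", f"/booking/{bid}", token=token)[0] < 300)
    check("get after delete -> 404", send("GET", f"/booking/{bid}")[0] == 404)
    return results
```

Running `run_demo()` against the live service prints nothing; iterate over the returned list to report each check, and any `False` entry points at the exact request whose status code, payload or timing deviated from the demo.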
Please visit this link to learn more about status codes and responses in Postman:
https://blog.postman.com/what-are-http-status-codes/
API testing ensures the proper, secure, and efficient operation of APIs. It involves utilising specialised tools and knowledge of HTTP methods to conduct various tests to verify functionality, security, and performance. This procedure helps to identify and solve problems, ensuring dependable API operations.