[Part 03] API Testing Basics: Practical Tips

API Testing Basics: Practical Tips


We previously discussed the theoretical concepts of API testing; now we move on to practical API testing with Postman, performing requests such as POST, GET, PUT, and DELETE.

What are API Functional tests?

  • Positive Testing: Using valid data as input
  • Negative Testing: Using invalid data as input

What are API security tests?

  • Security testing: a process that involves inspecting an API to ensure its security.
  • Fuzz testing: an automated software testing method that injects invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities
  • Penetration testing: a security assessment carried out by a penetration tester to validate that the APIs in scope are appropriately secured.

What are API performance tests?

  • Load Testing: assesses an API's performance under varied load conditions.
  • Soak Testing: how an application handles a growing number of users
  • Stress Testing: finding the maximum number of users the server can support by subjecting it to a severe request load
  • Scalability Testing: non-functional testing that evaluates your software, application, or website performance under load
  • Spike Testing: a type of performance testing in which an application receives a sudden and extreme increase or decrease in load

What are API integration and reliability tests?

  • Integration testing: Application programming interfaces are tested directly and as part of integration testing to see if they match expectations regarding functionality, performance, security, and dependability.
  • Reliability testing: software testing that analyses an application program interface (API) to verify that it fulfils its expected functionality, security, performance and reliability.

How to execute API testing?

Step 1: Create API testing requirements

Step 2: Establish the API test environment

Step 3: Make a trial API call

Step 4: Define the input parameters

Step 5: Create API test cases

API testing tools: top choices


What is REST API?

  • An architectural style for designing web services
  • Uses various formats, such as JSON or XML.
  • Well-suited for modern web applications that require scalability and performance.


Different Types of REST Requests


Here are the details of each request method:

  • GET: Fetches the status line, response body, headers, etc.
  • HEAD: The same as GET, but fetches only the status line and header section.
  • POST: Performs a request using a request payload, mostly to create a record on the server.
  • PUT: Useful for manipulating/updating a resource using the request payload.
  • DELETE: Deletes information relating to the target resource.

What do we test in API?

Layers of API Testing

  • Three separate layers: the presentation (or user interface), business, and database layers are used for modelling and manipulating data.

API Test Actions

  • Verify the correct HTTP status code. For example, creating a resource should return 201 CREATED, and unpermitted requests should return 403 FORBIDDEN.
  • Verify the response payload. Check that the JSON body is valid and that field names, types, and values are correct, including those in error responses.
  • Verify the response headers. HTTP server headers have implications for both security and performance.
  • Verify the correct application state. This is optional and applies mainly to manual testing or when a UI or another interface can be quickly inspected.
  • Verify basic performance sanity. The test fails if an operation was completed successfully but took an unreasonable time.

API Test Scenario Categories

  1. Basic positive tests (happy paths)
  2. Extended positive testing with optional parameters
  3. Destructive testing
  4. Security, authorisation and permission tests (which are out of the scope of this post)
  5. Negative testing with valid input
  6. Negative testing with invalid input

What are the different HTTP request methods?

There are 9 HTTP request methods:

  1. GET
  2. PUT
  3. POST
  4. HEAD
  5. TRACE
  6. PATCH
  7. DELETE
  8. OPTIONS
  9. CONNECT

HTTP request methods are the actions a client initiates to perform specific operations on the server.

These HTTP request methods are sometimes called nouns or HTTP verbs.

01. GET: The GET method is the most common of all these request methods. It is used to get the desired resources from the server.

The GET methods don’t affect the state of the server.

02. POST: The POST method is used to submit the information to the server. When submitting data, the POST method often changes the server’s state.

03. PUT: The PUT method is used whenever you need to change a resource that is already part of the resource collection.

04. PATCH: The PATCH request method is used to modify only the necessary part of the data or response. The PATCH method doesn’t change the entire response.

05. HEAD: The server sends the response without a body. The HEAD method asks for a response identical to that of a GET request, but it is faster because less data is transferred.

06. DELETE: As the name says, the DELETE request method deletes the specified resource. It requests that the origin server delete the resource identified by the Request-URL.

07. CONNECT: The CONNECT method establishes two-way communication between the client and the requested resource.

The CONNECT request method is used to ask a proxy to start an HTTP tunnel.

08. OPTIONS: The OPTIONS method describes the communication options available for the target resource. The client can specify a URL to describe the communication options available for a specific resource or an asterisk (*) if they want to target the server.

09. TRACE: The TRACE method is generally used for debugging. It performs a message loop-back test along the path to the target resource.

Demo API test using Postman:

Let’s practice a demo API test using Postman.

Base_Url: https://restful-booker.herokuapp.com

Booking – Create Booking

  • Method: POST
  • Request format: Base_Url/booking/

JSON example / request body (curl)

curl -X POST https://restful-booker.herokuapp.com/booking \
  -H 'Content-Type: application/json' \
  -d '{
    "firstname" : "Jim",
    "lastname" : "Brown",
    "totalprice" : 111,
    "depositpaid" : true,
    "bookingdates" : {
      "checkin" : "2018-01-01",
      "checkout" : "2019-01-01"
    },
    "additionalneeds" : "Breakfast"
  }'

I. POST request without a body

Here, a POST request is sent without a body. The server expects a specific data format; many API endpoints require a body containing data.

Response: 500 Internal Server Error. Possible causes of this status code:

  • Server overload: The web server is receiving too many requests and cannot handle them all
  • Coding errors: There is an error in the web server’s code.
  • Database errors: The web server cannot connect or communicate with the database.
  • Configuration errors: The web server is not configured correctly.

II. POST request with a body

JSON Response

HTTP/1.1 200 OK
{
  "bookingid": 1,
  "booking": {
    "firstname": "Jim",
    "lastname": "Brown",
    "totalprice": 111,
    "depositpaid": true,
    "bookingdates": {
      "checkin": "2018-01-01",
      "checkout": "2019-01-01"
    },
    "additionalneeds": "Breakfast"
  }
}

Request URL: https://reqres.in/api/users

The 201 Created status code indicates that the request has been fulfilled and a new resource has been created, even though there was no body in the request.

Booking – Get Booking

  • Method: GET
  • Request Format: Base_Url/booking/id

Auth – Create Token

  • Method: POST
  • Request format: Base_Url/auth

Example:

{
  "username": "admin",
  "password": "password123"
}

Response:

HTTP/1.1 200 OK
{"token": "abc123"}

Booking – Update Booking

  • Method: PUT
  • Request Format: Base_Url/booking/id

JSON example usage (curl)

curl -X PUT https://restful-booker.herokuapp.com/booking/1 \
  -H 'Content-Type: application/json' \
  -H 'Cookie: token=abc123' \
  -d '{
    "firstname" : "James",
    "lastname" : "Brown",
    "totalprice" : 111,
    "depositpaid" : true,
    "bookingdates" : {
      "checkin" : "2018-01-01",
      "checkout" : "2019-01-01"
    },
    "additionalneeds" : "Breakfast"
  }'



Send a PUT request without including an authentication token in the header and you receive a 403 Forbidden status code.

If you attempt to update a resource using an incorrect ID while providing a valid authorisation token in the header, you will receive a 405 Method Not Allowed status code.

An authentication token must be included in the request header to update or delete any data. Otherwise, you will receive a 403 Forbidden status code.

Booking – Delete Booking

  • METHOD: DELETE
  • Request format: Base_Url/booking/id

Execute some negative tests and observe the responses:

  1. 404 – Not Found (invalid user ID)
  2. 400 – Bad Request (invalid characters)
  3. 405 – Method Not Allowed (invalid resource ID for an update or delete operation)

Please visit this link to learn more about status codes and responses in Postman:
https://blog.postman.com/what-are-http-status-codes/

API testing ensures the proper, secure, and efficient operation of APIs. It involves utilising specialised tools and knowledge of HTTP methods to conduct various tests to verify functionality, security, and performance. This procedure helps to identify and solve problems, ensuring dependable API operations.
