What is API Testing

What Is API Testing?

API testing reduces the risk of functional, performance, and end-to-end API issues reaching production, allowing developers to shorten production cycles and increase iterations. Although API testing has been around for a while, its importance has increased dramatically as developers and testers embrace new software development processes such as agile development and CI/CD that depend on API testing. Additionally, the emergence of new architectures such as microservices has also led to an inversion of the testing triangle in which API testing now consumes a majority rather than a small fraction of total testing resources.

“Modern applications require a shift of the current 80% UI automation down to 5% to 10% approximately, shifting about 80% of that test automation to be replaced by API test automation.”
-Forrester’s Wave for Modern Application and Functional Testing

Agile development processes and CI/CD pipelines often involve testing a high number of scenarios in a short period of time. Only API testing can check for functional, integration, and load (performance) issues at the API layer where it can detect issues in both the business logic and service layers. That means an API test can effectively act as an end-to-end (E2E) test that holistically checks for any issues that may stem from changes to code repositories and databases as well as any non-technical changes that may have an impact on the contract and user experience (UX).

Check out this free eBook from API Fortress to see real examples of how API testing failed to detect potentially devastating API flaws due to failures to properly check the API flow with end-to-end API testing.

Why Is API Testing Important?

APIs are the backbone of the web services and mobile apps that run the world. In fact, API calls make up 83% of all web traffic according to Akamai’s State of the Internet report. The quality, reliability, performance, and security of API infrastructure should be top of mind at most companies. Yet many business and technical leaders do not treat APIs as business-critical assets that must be tested with rigor equal to or greater than that applied to a company’s website and internal systems.

API testing is so important to software development processes that Testing Centers of Excellence are increasingly embracing Test-Driven Development (TDD) in which API tests are written with a high awareness of the problem and solution before development is completed.

Ideally, in the “fail first” or “shift left” approach of TDD, developers work in parallel with API testers early in the API lifecycle. Challenges to smooth collaboration arise from “mission creep” in API testing: failures to effectively manage testing scope and scale with the right API and velocity metrics. Consequently, sprints get delayed or, worse, shippable products go to market with insufficient quality. The problem of API testing “mission creep” is growing harder to solve as API flows become increasingly complex, driven by increasingly complex arrays of API calls across distributed systems and applications.

Patrick Poulin, CEO and co-founder of API Fortress, remarks: 

We see developers and leaders in Testing Centers of Excellence face growing pressure to ship products faster. But testing scope and scale problems can outpace even the most intelligent QA automation solutions. The worst thing that can come out of the frustration to accelerate releases is to trust API testing tools that do not check full API flows. Too many companies ‘solve’ their API testing bottlenecks by using tools with insufficient coverage. You erase the benefits of TDD by lowering the bar on API testing. Forensics on the largest breaches in recent history often reveal that proper API testing of full API flows would have very likely detected the bugs and vulnerabilities that allowed the breaches to happen. It didn’t take a hacker – it took simple human error and bad API testing to make the breach happen.

95% of breaches likely could have been avoided: Read this blog post from API Fortress

Types of API Testing

  • Functional Testing: API testing starts off as a functional test to check whether an API is up and fulfilling its contract. Good functional API tests may include high numbers of assertions that should be managed efficiently when conducting functional tests across multiple versions. Distributed teams with individual team goals may inadvertently test versions of an API differently, resulting in a higher degree of false positives and negatives. This phenomenon is a type of “confirmation bias” for API testing. Learn more about confirmation bias in API testing among siloed teams.
  • Integration Testing: The typical business transaction now requires 30, or many more, API calls across disparate systems, databases, and services. API testing checks on whether an integration is up/down and working as expected. However, unless integration testing is part of the API testing process, it will miss a wide range of API issues that may negatively impact API reliability and performance.
  • Load Testing and Performance Testing: APIs may fail under certain levels of load or stress, resulting in 4XX client failure codes. API testing of REST or HTTP APIs involves checking the HTTP methods (GET, POST, PUT or DELETE) and then diagnosing the issue with detailed reporting. However, only end-to-end load testing can help “find the needle in the haystack” with insights about what is causing a performance issue.
  • Data-Driven Testing: API testing must be able to stay “anti-fragile” and maintain accuracy and integrity throughout constant database changes. Testing must use dynamically changing data to truly emulate normal user behavior at scale.
  • End-to-End API Testing: Software testing formerly checked whether code was properly supporting a user story primarily via manual UI testing. However, due to the paradigm shift in how modern web services and apps depend on APIs, the user experience is now much more visible at the API layer. API testing is the new end-to-end API testing, checking whether an API is working as expected. By integrating end-to-end API testing with data-driven API testing, you can avoid the “flakiness” of traditional end-to-end API testing when it was sometimes difficult or impossible to capture real world scenarios. With proper data-driven and end-to-end API testing, it is no longer necessary to burn time and resources on virtualizing entire production environments simply to run an accurate API test.
  • API Mocking: Proper API testing is fast, dynamic, and easy to launch. With API mocking, API testing can start as early as design, making mock APIs available prior to production or making 3rd-party APIs that are rate-limited and/or costly available for shift-left testing.

API Testing University Tutorials

The best way to understand what API testing is, is to try it yourself! The API Testing University from API Fortress offers 5 easy courses to begin API testing right away, regardless of your level of coding (or no coding) background. Remember: good API testing demands seamless collaboration between technical and non-technical stakeholders that own the success of a web service or mobile app.

Course 1: Get started with a high level understanding of what an API is exactly and why API testing is needed for most modern software development processes.

Learn why API testing must check everything in the Object and Assertion, and learn the differences between testing for the different types of APIs:

  • GraphQL API
  • XML
  • JSON

After becoming familiarized with what makes an API work, you can learn How to Create Your First API Test in an easy API testing tutorial (Course 3). See how to write a test and learn special techniques to create API tests that actually capture real life scenarios.

After creating your first API tests, you may be ready to begin building advanced API tests with advanced techniques. Download this free API Testing Best Practices white paper from API Fortress as a helpful guide.

Choose the Right API Testing Tools

If you feel confident about writing an API functional test with best practices – it’s time to choose the right API testing tool for your unique needs. Read this article from Nordic APIs about the Top 25 API Testing Tools for insight into available tools vs. building your own suite of API testing tools.

What Is Data-Driven and End-to-End API Testing?

The most effective method of testing an API program involves creating multi-step integration tests that validate common API consumer flows. API endpoints are meant to work together, so it follows that test data coming from one API that feeds another API should not be fixed or pre-built. This is very important because the less you rely on fixed data, the more unpredictable and therefore thorough the testing path will be.

Dynamic Data-Driven Testing (DDT) is one of the most important techniques to ensure that you validate the full API consumer flow with data integrity throughout the API lifecycle. 
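The multi-step flow described above, as an added example that is not from the original page or from API Fortress: a four-step test in which each call is fed by the previous response, run once with a fixed product id and once with ids taken from the live listing. The endpoints, the in-process `stub_api` stand-in and its planted defect are constructed for illustration; a real suite would pass an HTTP client wrapper as `send`.

```python
# Constructed in-process stand-in for an API under test (hypothetical endpoints).
# Planted defect: orders for product 3 ignore the requested quantity.
PRODUCTS = {1: {"id": 1, "price": 250}, 2: {"id": 2, "price": 700}, 3: {"id": 3, "price": 120}}
ORDERS = {}

def _lookup(table, key):
    found = table.get(int(key)) if key.isdigit() else None
    return (200, found) if found else (404, {"error": "not found"})

def stub_api(method, path, body=None):
    """Return (status, parsed JSON), the shape an HTTP client wrapper would return."""
    parts = path.strip("/").split("/")
    if method == "GET" and parts == ["products"]:
        return 200, [{"id": pid} for pid in PRODUCTS]
    if method == "GET" and len(parts) == 2 and parts[0] == "products":
        return _lookup(PRODUCTS, parts[1])
    if method == "GET" and len(parts) == 2 and parts[0] == "orders":
        return _lookup(ORDERS, parts[1])
    if method == "POST" and parts == ["orders"]:
        pid, qty = body["product_id"], body["qty"]
        billed = 1 if pid == 3 else qty          # the planted defect
        oid = len(ORDERS) + 1
        ORDERS[oid] = {"id": oid, "product_id": pid, "qty": qty,
                       "total": PRODUCTS[pid]["price"] * billed}
        return 201, {"id": oid}
    return 405, {"error": "unsupported"}

def run_flow(send, product_ids=None, qty=2):
    """Listing -> detail -> create order -> read order; returns failure strings."""
    failures = []
    if product_ids is None:                      # dynamic: ids come from the live listing
        _, listing = send("GET", "/products")
        product_ids = [p["id"] for p in listing]
    for pid in product_ids:
        status, item = send("GET", f"/products/{pid}")
        if status != 200:
            failures.append(f"product {pid}: detail returned {status}")
            continue
        status, created = send("POST", "/orders", {"product_id": pid, "qty": qty})
        if status != 201:
            failures.append(f"product {pid}: order create returned {status}")
            continue
        status, order = send("GET", f"/orders/{created['id']}")
        expected = item["price"] * qty           # expectation derived from step 2, not hard-coded
        if status != 200 or order.get("total") != expected:
            failures.append(f"product {pid}: total {order.get('total')} != {expected}")
    return failures

if __name__ == "__main__":
    print(run_flow(stub_api, product_ids=[1]), run_flow(stub_api))
```

The run pinned to product 1 reports no failures, while the run that takes its ids from the listing reaches product 3 and flags the mismatched total.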

You don’t have to build your own API testing suite to automate API testing for APIs connected to databases behind a firewall – even if 3-legged OAuth 2.0 seems to stand in the way of automated testing. 

Read this DZone article from API Fortress about Turning Databases into APIs for Data-Driven Testing to learn the techniques leveraged by Testing Centers of Excellence to ensure data integrity and testing accuracy in agile, DevOps and/or CI/CD workflows.

Did you know: API testing typically refers to early or “shift-left” testing in a continuous testing workflow. Formerly, API monitoring was separate from shift-left API testing. However, API testing must also be able to shift right. Learn why API Fortress uniquely allows developers and testing teams to run end-to-end API tests in production environments with or without a CI/CD pipeline in this new presentation from API World.

Listen to a PRO Workshop from API Fortress about End-to-End API Testing and Monitoring at API World.