Behind Your App: The API

Behind Your App: The API

blog post publisher

Andi Nicolescu

CTO

Reading time: 5 min

Published: Dec 12, 2022

Key takeaways

  • An API (application programming interface) lets two or more software programs communicate, connecting what runs behind an app to the user interface in front of the user.
  • API testing is software testing that verifies an API fulfils its expected functionality, security, performance and reliability.
  • Key questions to scope API testing include which endpoints are available and what responses are expected for both successful and unsuccessful requests.
  • Main types of API testing include validation, functional, load, reliability, penetration and fuzz testing.
  • High-performing APIs return responses in roughly 0.1 to one second, and APIs should be secured with measures like SSL certificates, a web application firewall, throttling and VPC-only access.

An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software interface, that offers a service to other pieces of software.

WHAT IS API TESTING, YOU MAY ASK?

API testing is a type of software testing that analyzes an application program interface (API) to verify it fulfills its expected functionality, security, performance, and reliability.

Think of API testing as something like a truck full of supplies that need to be delivered to your local store so you can access them.

What the API does is that it allows the communication between what's behind an application/web page (in the truck) and what’s in front of you, the user interface (the supplies).

Flat illustration of an API linking backend cloud and servers to a phone and desktop user interface, with code and a security shield

In order to do API testing, we need to know the scope of the program and we can obtain the information by asking the following questions:

    • What endpoints are available for testing?
    • What responses are expected for successful requests?
    • What responses are expected for unsuccessful requests?
    • Which error message is expected to appear in the body of an unsuccessful request?

Answering those questions should give you a great understanding of what needs to be tested.

API testing can analyze multiple endpoints, such as web services, databases, or web user interfaces. You should watch for failures or unexpected inputs.

For example, making a request calls as a normal user, but the request you are supposed to check is purposely created for admins only. This will always display error 403 forbidden.

Response time should be within an acceptable agreed-upon limit, for example; APIs that are considered high-performing have an average response time between 0.1 and one second. At this speed, end users will likely not experience any interruption, but at around one to two seconds, users begin to notice some delay.

Also very important, the API should be secured against potential attacks. You can protect your API using strategies like generating SSL certificates, configuring a web application firewall, setting throttling targets, and only allowing access to your API from a Virtual Private Cloud (VPC).

TYPES OF API TESTING

    • Validation testing - includes a few simple questions that address the whole project.
    • Functional testing - ensures the API performs exactly as it is supposed to.
    • Load testing - is used to see how many calls an API can handle.
    • Reliability testing - ensures the API can produce consistent results and the connection between platforms is constant.
    • Penetration testing - builds upon security testing.
    • Fuzz testing - forcibly inputs huge amounts of random data, also called noise or fuzz, into the system, attempting to create negative behavior, such as a forced crash or overflow.

Flat illustration of API testing: a laptop with charts and dashboards surrounded by chat, document, user and gear icons

One of the tools I prefer using is Postman; it's simple to use, and it gets the job done.

Postman is an API client that makes it easy for developers, QA specialists, and everyone using it to create, share, test, and document APIs. With this open-source solution, users can create and save simple and complex HTTP/s requests, as well as read their responses.

Example of API testing:

Let's say you need to test the login functionality and booking flow of different types of users who will have access to different parts of a booking webpage.

For this example, multiple types of access/users will be required for a better understanding:

    • Normal users will only have access to basic information and a simple booking flow;
    • Admin, which will be able to edit and create new events on the page as well as see the number of users that have an account on the page.

API testing verifies that the travel booking system is successfully communicating with the other companies and presenting the correct results to users in an appropriate time frame. Furthermore, it checks that the information is displayed according to the user permissions on the page.

So, the normal user can only see the necessary information for the booking flow, while the Admin will be able to not only see but to edit, delete and overwrite data made by other users. Also, accept or decline bookings made.

The most commonly used calls in Postman are:

    • POST — add new data to the DB (database);
    • PUT — replace existing data from the DB;
    • PATCH — update some existing data fields from the DB;
    • DELETE — delete existing data from the DB;
    • GET — gets data from the DB and only displays it.

IN CONCLUSION

API testing plays an important role in any application. If it is not tested properly, it can create problems when performing requests from the BE (back end) and displaying them to FE (front end). It is a crucial and mandatory test in the software lifecycle. As QA specialists, we need to make sure that data is stored and shown properly on every call made by the app.

Frequently asked questions

API testing is a type of software testing that analyses an application programming interface (API) to verify it fulfils its expected functionality, security, performance and reliability. As part of our QA and app testing services, we use it to make sure data is stored and shown correctly on every call the app makes.
The main types are validation testing, functional testing, load testing, reliability testing, penetration testing and fuzz testing. Each targets a different aspect, from confirming the API works as intended to seeing how many calls it can handle and how it copes with large amounts of random input.
APIs considered high-performing have an average response time between 0.1 and one second. At that speed users are unlikely to notice any interruption, but from around one to two seconds they begin to perceive some delay.
You can protect an API by generating SSL certificates, configuring a web application firewall, setting throttling targets and only allowing access from a Virtual Private Cloud (VPC). Securing the API against potential attacks is a critical part of any testing process.
Postman is a popular API client that makes it easy for developers and QA specialists to create, share, test and document APIs, letting you build and save simple or complex HTTP/S requests and read their responses. To learn how business logic shapes strong testing, read our guide on business logic for QA analysts.
Andi Nicolescu

Written by

Andi Nicolescu

CTO

Andi is the Chief Technology Officer at Wolfpack Digital, where he leads technology strategy and oversees the delivery of award-winning web and mobile applications across diverse industries. With a background in Computer Science from the Technical University of Cluj-Napoca and a career path spanning Android development, web development, Scrum Master, and Product Manager roles, he brings a uniquely comprehensive perspective to technology leadership.


Starting as a self-taught Android developer, Andi has progressed through development, agile leadership, and product management roles—giving him deep understanding of different disciplines and the ability to bridge technical, product, and business perspectives. This cross-functional foundation enables him to make technology decisions that balance engineering excellence with user needs and business objectives.


Andi's technical expertise spans mobile and web development, cloud architecture, AI integration, DevOps practices, and modern development frameworks. He has been instrumental in establishing Wolfpack Digital's technical standards, architectural patterns, and development processes that enable the team to consistently deliver products earning millions of users and high satisfaction ratings.


Through his blog contributions, Andi shares insights on technology leadership, building effective engineering teams, technical decision-making under constraints, balancing innovation with stability, and navigating the CTO role in a fast-growing agency. His writing reflects hands-on experience leading technical teams through the full spectrum of product development challenges.


Areas of expertise: Technology strategy, software architecture, mobile development (Android), web development, product management, agile methodologies, team leadership, DevOps, cloud infrastructure, AI integration, cross-functional collaboration, technical decision-making.



View profile