Behind Your App: The API

An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software interface, that offers a service to other pieces of software.

WHAT IS API TESTING, YOU MAY ASK?

API testing is a type of software testing that analyzes an application program interface (API) to verify it fulfills its expected functionality, security, performance, and reliability.

Think of API testing as something like a truck full of supplies that need to be delivered to your local store so you can access them. 
What the API does is that it allows the communication between what's behind an application/web page (in the truck) and what’s in front of you, the user interface (the supplies).

In order to do API testing, we need to know the scope of the program and we can obtain the information by asking the following questions: 

• What endpoints are available for testing?
• What responses are expected for successful requests?
• What responses are expected for unsuccessful requests?
• Which error message is expected to appear in the body of an unsuccessful request?

Answering those questions should give you a great understanding of what needs to be tested.

API testing can analyze multiple endpoints, such as web services, databases, or web user interfaces. You should watch for failures or unexpected inputs. 

For example, making a request calls as a normal user, but the request you are supposed to check is purposely created for admins only. This will always display error 403 forbidden. 

Response time should be within an acceptable agreed-upon limit, for example; APIs that are considered high-performing have an average response time between 0.1 and one second. At this speed, end users will likely not experience any interruption, but at around one to two seconds, users begin to notice some delay.

Also very important, the API should be secured against potential attacks. You can protect your API using strategies like generating SSL certificates, configuring a web application firewall, setting throttling targets, and only allowing access to your API from a Virtual Private Cloud (VPC).

TYPES OF API TESTING

• Validation testing - includes a few simple questions that address the whole project.
• Functional testing - ensures the API performs exactly as it is supposed to.
• Load testing - is used to see how many calls an API can handle.
• Reliability testing - ensures the API can produce consistent results and the connection between platforms is constant.
• Penetration testing - builds upon security testing.
• Fuzz testing - forcibly inputs huge amounts of random data, also called noise or fuzz, into the system, attempting to create negative behavior, such as a forced crash or overflow.

One of the tools  I prefer using is Postman; it's simple to use, and it gets the job done.

Postman is an API client that makes it easy for developers, QA specialists, and everyone using it to create, share, test, and document APIs. With this open-source solution, users can create and save simple and complex HTTP/s requests, as well as read their responses.

Example of API testing:

Let's say you need to test the login functionality and booking flow of different types of users who will have access to different parts of a booking webpage.

For this example, multiple types of access/users will be required for a better understanding:

• Normal users will only have access to basic information and a simple booking flow;
• Admin, which will be able to edit and create new events on the page as well as see the number of users that have an account on the page.

API testing verifies that the travel booking system is successfully communicating with the other companies and presenting the correct results to users in an appropriate time frame. Furthermore, it checks that the information is displayed according to the user permissions on the page. 

So, the normal user can only see the necessary information for the booking flow, while the Admin will be able to not only see but to edit, delete and overwrite data made by other users. Also, accept or decline bookings made.

The most commonly used calls in Postman are:

• POST — add new data to the DB (database);
• PUT — replace existing data from the DB;
• PATCH — update some existing data fields from the DB;
• DELETE — delete existing data from the DB;
• GET — gets data from the DB and only displays it.

IN CONCLUSION

API testing plays an important role in any application. If it is not tested properly, it can create problems when performing requests from the BE (back end) and displaying them to FE (front end). It is a crucial and mandatory test in the software lifecycle. As QA specialists, we need to make sure that data is stored and shown properly on every call made by the app.