API testing is a necessity for many apps today. Web servers, messaging queues, calls between different apps—all of these functions can make up the “logic tier” of testing, where multiple technologies pull on data from various databases to ultimately present it to the end user.

Paying special attention to API testing can result in a product that works more reliably and thus reinforces the professionalism of the company. Testers must verify functionality in both the internal and external APIs that affect the product, and they can also help maintain the quality of published APIs.

1. Test early and test often

While unit testing is conducted on the lowest level of code, API testing is done to verify how the software is functioning as a whole. So it can be all too easy to initially focus on unit testing and put off API tests until the end.

As agile development becomes more and more widely adopted, API testing needs to “shift left” alongside other approaches.

Changes in APIs are generally known in advance and thus test case changes can be made earlier. Test changes can be made as soon as changes are known and published and do not need to wait for the release of a GUI. – Michael Sonshine

Rather than wait for the GUI elements that will call on the API like a user—or focus only on unit tests—testers must write API test cases in advance as much as is possible to get feedback to development quickly.

2. Automate API testing directly and consistently

In order to continuously verify that all APIs are functioning properly, some automation is a must. While GUI testing is simpler to automate because playback tools and black-box testing methods can be used, the test cases need to act on the APIs directly and not on the graphical elements.

Unlike the GUI, which is subject to constant change, APIs change less frequently, and as a result automated tests are less rigid and have greater longevity. However, API testing requires a far greater level of comfort with code and a more technically capable tester.

To make setting up API test automation suites worth the effort, testers should standardize the inputs and outputs and even automate the comparisons of results.

APIs are more and more consumed by the public, by other applications, by mobile devices. When they are made public it’s easy to forget security. – Ole Lensmar

3. Couple automation with exploratory testing

While API testing is typically thought of in terms of automation, it’s not strictly an automated technique. It simply refers to testing all APIs using whatever methods are chosen. External functions can change without the developers’ knowledge and there must be continuous validation of all exchanges, so of course automation plays a big role.

But don’t rule exploratory testing out completely. API testing expert Ole Lensmar notes:

I think automation is great and it gives you a safety net. You can be sure that your app doesn’t break or stop working in any way but also having an experienced tester doing exploratory testing can really find those issues and bugs that make the user experience bad. It’s not a good way of saving money in the short run but in the long run you’re going to have happier customers. – Ole Lensmar

4. Shorten the feedback loop

The true benefit of API testing is that testers are able to give valuable information to developers when something isn’t working right. We’re all familiar with the frustration of not being able to reproduce a customer issue. API testing makes that less likely to occur and helps pinpoint the exact area of weakness for faster resolutions.

If the test fails you can discover why and see at what step in the interaction. Thus the feedback loop shortens drastically and the monitoring is more realistic. Of course, the quicker in the cycle tests take place, the shorter the feedback loop in general. For API testing to be the most valuable, very detailed issue logs need to make it back to development as quickly as possible.

5. Pay special attention to security concerns

With API testing, security should never be an afterthought. Most APIs give other companies access to very sensitive user data and all sorts of assets.

API testing gives you another quality checkpoint that everything is working okay. You’re getting continuous validation that things are working as they should and not breaking. – Ole Lensmar

Data leaks are most likely to occur when internal APIs are transitioning to public use, as most APIs start off as an internal resource and are only later shared with the public. In prioritizing risk, more thorough testing must be allotted when initially publishing a new API.

All authentication and authorization methods also require attentive testing to ensure that user data is protected.
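An added example, not from the original article: a table-driven suite that calls a small in-process API directly, with standardized inputs and automated comparison of results (practice 2), covering the authentication, authorization and data-exposure checks described above. The API, tokens, users and the `password_hash` internal field are hypothetical and constructed for the demonstration.

```python
import http.client, json, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: tokens, users and the internal-only field are hypothetical.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
USERS = {"alice": {"name": "Alice", "email": "alice@example.test", "password_hash": "h1"},
         "bob": {"name": "Bob", "email": "bob@example.test", "password_hash": "h2"}}
PUBLIC_FIELDS = {"name", "email"}  # the only fields allowed to leave the service

class Api(BaseHTTPRequestHandler):
    def do_GET(self):
        caller = TOKENS.get(self.headers.get("Authorization", "").removeprefix("Bearer "))
        target = self.path.removeprefix("/users/")
        if caller is None:            # missing or unknown token
            status, body = 401, {"error": "unauthenticated"}
        elif caller != target:        # authenticated, but not the owner
            status, body = 403, {"error": "forbidden"}
        else:
            status, body = 200, {k: v for k, v in USERS[caller].items() if k in PUBLIC_FIELDS}
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def log_message(self, *args):     # keep the run quiet
        pass

def call(port, path, token=None):
    # Hit the API directly (no GUI) and return (status, parsed JSON body).
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Authorization": f"Bearer {token}"} if token else {})
    resp = conn.getresponse()
    return resp.status, json.loads(resp.read())

# Standardized cases: (name, path, token, expected status, exact set of body keys)
CASES = [("no token", "/users/alice", None, 401, {"error"}),
         ("unknown token", "/users/alice", "tok-invalid", 401, {"error"}),
         ("own record", "/users/alice", "tok-alice", 200, {"name", "email"}),
         ("another user's record", "/users/alice", "tok-bob", 403, {"error"})]

def run_suite():
    failures = []                     # (case name, actual status, actual body keys)
    with HTTPServer(("127.0.0.1", 0), Api) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        for name, path, token, want_status, want_keys in CASES:
            status, body = call(server.server_port, path, token)
            if status != want_status or set(body) != want_keys:
                failures.append((name, status, sorted(body)))
        server.shutdown()
    return failures
```

Because the comparison is on the exact set of response keys, an internal field that starts appearing in a public response fails the "own record" case even though the status code is still 200.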

6. Maintain consistent documentation and terminology

Depending on the tester’s role in the organization, a tester can be an important resource in the documentation of an API. In addition to conducting white box testing on the APIs themselves, testers can act as editors of both internal and external documentation to minimize ambiguities. Here are some ways testers can help provide an outside eye:

  • Avoiding the use of abbreviations and jargon
  • Choosing only one name for any one element (e.g. refer to users as ‘users’, not ‘users’ and ‘customers’ interchangeably)
  • Finding and minimizing variations of common field names
  • Migrating documentation from PDFs to live HTML files (updating and maintaining so documentation is more usable)

Since external developers typically won’t have access to the source code—but will still need to fully understand how to interact with the API—testers can act as a first checkpoint and help give feedback on the understandability and experience of the API.

Ultimately, API testing is one of many critical methods that form a holistic test strategy. As agile development grows and integrations between a multitude of web and mobile apps increase, the importance of API testing continues to gain momentum.


Dayana is a QA engineer turned technology writer living in Milan, Italy. She's always down for a smoothie.