How to test REST APIs
What needs to be tested in an API, and generic test cases for API testing
What is an API?
An API or Application Programming Interface is a set of routines, protocols, and programming instructions for accessing a web-based software application.
What is a REST API?
REST stands for Representational State Transfer. Representational state transfer is a software architectural style that defines a set of constraints to be used for creating Web services. Web services that conform to the REST architectural style, called RESTful Web services, provide interoperability between computer systems on the Internet. (Source: Wikipedia)
Why test APIs?
According to Mike Cohn’s famous Test Pyramid, API tests lie at the service (integration) level, which suggests that around 20% or more of our tests should focus on API testing.
There are four HTTP methods commonly involved in API testing:
- GET: Used to retrieve information from the given server using a given URI, i.e. it is read-only.
- POST: Used to create a new entity.
- PUT: Used to update or replace an existing entity.
- DELETE: Removes the data.
But the question arises: what exactly needs to be verified in API testing?
1. API requirements
- Understand the flow of the API endpoints. Why are they being created? For what purpose? Where is the response being used? Is it used in the front end (FE)?
- Make sure the documentation has enough information about:
a) Status code
b) Schema
c) An example (Optional)
Note: This step will be the entry criteria for API testing.
2. HTTP status code
After the requirement analysis, it's time to verify the HTTP status code.
The first digit of the status code takes one of five values:
- 1xx (Informational): Request received, continuing process.
- 2xx (Successful): This class of status codes indicates the action requested by the client was received, understood, and accepted.
- 3xx (Redirection): This class of status codes indicates the client must take additional action to complete the request. Many of these status codes are used in URL redirection.
- 4xx (Client Error): Error caused by the client. The request contains the wrong syntax or cannot be fulfilled.
- 5xx (Server Error): The server failed to fulfill a request.
Source: Wikipedia
3. Schema
Verify that the schema of the returned response complies with the schema given in the API documentation.
4. Response time
The response time depends upon the payload. You should measure it against the SLA.
5. Response
You also need to validate the response being returned, e.g. if a GET endpoint is meant to return names starting with “N”, make sure all the names returned in the response start with “N”.
Common Types of API Testing
- API Response time
- Response data according to the documented schema
- Verification of the response on the basis of the provided input
- Verification of whether the API triggers some other event or requests another API
- URI and URL parameter combinations
Generic test scenarios for the APIs:
- Verify the API returns 200 with all the valid parameters
- Verify the API returns 400 when the user sends invalid parameters
- Verify the API returns 500 when the server is down or not responding
- Verify the API returns 405 with an invalid request type
- Verify the API when the user sends all required parameters
- Verify the API when the user sends all parameters
- Verify the API when the user sends invalid parameter {A}
- Verify the API when the user doesn’t send any parameters
- Verify the API when the user sends invalid parameter {B}
- Verify the endpoint sequence, if any, i.e.
1) POST a request to add values > GET a request to view the values added by the POST request
2) POST a request to add values > PUT a request to amend values > GET a request to view the updated values
3) POST a request to add values > DELETE request to delete the values > GET a request to view the empty response
- Perform negative testing on URI or URL parameters, e.g. if a parameter accepts names and the API documentation states it should be alphabetic, then the test scenario can be:
Verify the API returns 400 when the user sends numerics in the “name” parameter
- If the API response is being used in the FE, you should design test cases that verify the API’s utilization.
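The status-code, schema, response-content and negative-test scenarios above, as an added example that is not part of the original article: a Python script that starts a constructed in-memory `/names` API on localhost and runs the checks against it. The endpoint, the `Api` handler, the 201 returned on create and the sample names are assumptions made for illustration.

```python
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class Api(BaseHTTPRequestHandler):  # toy API under test (constructed)
    names = []  # in-memory store shared by all requests
    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def do_GET(self):
        self._send(200, {"names": self.names})
    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        name = json.loads(raw).get("name")
        # Documented rule (assumed): "name" must be alphabetic, else 400
        if not isinstance(name, str) or not name.isalpha():
            return self._send(400, {"error": "name must be alphabetic"})
        self.names.append(name)
        self._send(201, {"name": name})
    def do_DELETE(self):  # request type this toy API does not allow
        self._send(405, {"error": "method not allowed"})
    def log_message(self, *args): pass  # keep test output quiet

def call(base, method, body=None):
    # Send one request; return (status, parsed JSON) for 2xx and 4xx/5xx alike
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + "/names", data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())

def run_checks():
    Api.names.clear()
    srv = HTTPServer(("127.0.0.1", 0), Api)  # port 0: pick any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    out = {"post_valid": call(base, "POST", {"name": "Nina"})[0],
           "post_numeric": call(base, "POST", {"name": "12345"})[0],
           "bad_method": call(base, "DELETE")[0]}
    out["get"], body = call(base, "GET")  # POST > GET endpoint sequence
    names = body.get("names")
    out["schema_ok"] = isinstance(names, list) and all(isinstance(n, str) for n in names)
    out["all_start_N"] = out["schema_ok"] and all(n.startswith("N") for n in names)
    srv.shutdown(); srv.server_close()
    return out
```

The GET check also confirms that the rejected numeric value was not stored, since only the valid name appears in the response.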