Many web-based platforms and Software as a Service (SaaS) organizations have created Application Programming Interfaces (APIs) to allow their customers to interact with and consume data from the platform on their own terms. APIs typically allow machine-to-machine communication using industry-standard languages or file formats. APIs free end users from the confines of a default interface, allow controls and outputs to be integrated into their own dashboards and custom applications, and make it possible to automate common functions and procedures.
Whether the API is a RESTful application that uses XML or JSON, or a SOAP-based XML container, you should build test scripts that check the response time and accuracy of the service. Once you have established the responsiveness and the accuracy of the API, it is important to perform two additional tests on the system as well: API load testing and stress testing.
- Load testing an API proves that the API and the underlying infrastructure can handle an expected number of simultaneous requests.
- Stress testing an API tests the upper limits of simultaneous users by increasing the number of requests up to and beyond the theoretical capacity of the service.
You can learn how to test SOAP APIs, REST APIs, and perform other API level testing and validation with Dotcom-Monitor. Dotcom-Monitor’s suite of testing and monitoring tools are capable of both load/stress testing a system as well as performing ongoing monitoring of the service for uptime and performance. In order to understand how Dotcom-Monitor API testing services fit into your overall testing needs, we should first establish a basic understanding of what API testing is, why API testing is necessary and how it’s performed.
Important Details of API Testing
There are a number of questions you need to answer when setting up API tests including:
- Who is your end user, or target audience?
- Why are they using your API?
- What is the user trying to achieve with the API?
- How critical is the API to your users?
- What happens if the API is unavailable or unreliable?
- How fast do users expect to receive feedback from the API?
- How will you test each of these assumptions?
Once you have answered these questions you can build test cases for the API to verify the needs of each case are met. Depending on the answers to each of these questions, different types of tests might be necessary to validate the assumptions of each test case. For example, submitting data to an API might only look for a “successful” response from the API while sending a query may elicit certain keywords or values in the response from the server.
The results of API testing also differ based upon the reason for testing. There are many different times during the development process, and even post-production, that you would want to test an API, and each of these instances may need to be set up differently.
Ways to Test APIs
- Integration testing: Integration testing makes sure that any new changes or additions to the API do not cause problems or bugs in other modules anywhere else in the system.
- Load Testing: Load Testing ensures the production infrastructure is capable of handling the expected number of simultaneous users accessing the system.
- Regression Testing: Regression testing determines whether any new changes cause negative effects in previously successful tests for existing functionality.
- Security Testing: Security testing attempts to exploit potential vulnerabilities in a system or the underlying framework.
- UI testing: UI testing makes sure every aspect of the user interface functions as expected. Every test case possible is then attempted using the GUI to ensure it is successful.
- Functional Testing: Functional testing takes the system requirements and user stories and tests each use case to be sure the system is capable of handling all necessary scenarios.
- Stress Testing: Stress testing is similar to load testing in that it may take common use cases and run many simultaneous instances of the case at the same time. Stress testing takes the test one step further than load testing because it continues to push additional simultaneous users through the system until the system reaches a failure point. Stress tests can be performed on both a system wide level as well as on very specific components of a system.
There are many additional names for tests and types of test that can be performed to accomplish additional goals. Due to the nature of Dotcom-Monitor tools, we generally focus more on functional testing and load or stress testing APIs.
What Will You Test in the API?
Now that you are going to test the API using a variety of methodologies, how will you know if the API has succeeded or failed? You need to design your test cases by specifying parameters such as:
- Input parameters
- Expected resulting outputs
- Maximum time to receive a response
- Parsing inputs
- Error handling
- Proper response formatting
Each test case should be included in a testing script and run successfully after each new build of the code. Optimally, each test should also be scheduled as part of a load test to verify that the API can handle simultaneous load of all different types of tests at once without issue.
Why Test APIs Externally?
While testing an API from within your network should theoretically help discover the majority of problems with your system, you are best off performing additional tests that emulate the end user experience from outside of your network. External API testing can identify response time averages from the perspective of an end user or 3rd party system. These average response time values serve as baseline performance metrics to which you can compare future responsiveness. Typically, external testing results are going to be much more representative of a customer’s experience than a low-latency test from within your firewall. External API tests can also help identify problems that you may not experience while testing behind your firewall.
Why Monitor APIs?
APIs provide secondary interfaces for your application users to interact with a system. If there is an expectation that the system is online 24×7, then any associated APIs should be held to a similar service level agreement (SLA). 3rd party, external API monitoring is the easiest way to provide an unbiased verification that the API is performing within the SLA requirements. Even after you have built and performed tests to verify the API is working, it is a best practice to set up those tests to recur on an ongoing basis to verify continuous service. Scripts built to perform load tests on a system can often be reused to monitor the system throughout the service period.
How Do You Test a REST API?
As REST APIs continue becoming more common due to the standard of the Resource Description Framework (RDF), more and more APIs are available for integrating one system with another. At their simplest, REST APIs consist of URI Requests such as GET, POST and DELETE. While the complexity of a given API may be as simple as a single GET request, they are often much more complicated, requiring secure credentials to authenticate and supplying a list of different commands that can be executed, all with multiple variables.
A basic API test using GET and POST commands can be scripted to authenticate, read data from a system, POST new data to the system, and confirm the expected response. Once this test is created it can be used as a single use test as well as a load testing script.
Learn How to Test SOAP APIs
SOAP APIs can be tested in a similar fashion to REST APIs. A SOAP API may use a WSDL to specify the available endpoints and data formats for each endpoint. Brendan Quinn at Techwell wrote a great introductory article with links to resources for getting started testing APIs.
Testing Web APIs
Web APIs are empowering external systems to tie into existing applications every day. For example, most common social media platforms have APIs that are used to connect users of one web application to another. Many platforms utilize multiple APIs to let developers of other applications interact with their own systems.
There are many tools available to perform testing on a web API. The LoadView testing tool focuses on generating external commands from servers outside your network and validating the responsiveness and effectiveness of the API under the stress of many simultaneous users. For applications that expect to have hundreds of thousands of simultaneous users, simultaneous user load testing is an extremely important component of a web API testing process.
API Testing Automation
While testing APIs is clearly essential for both software and websites, it’s an area where automation is often overlooked. Believe it or not, an API is really one of the most important things to be tested continually, mostly because it’s one of the biggest targets when it comes to cyber attacks. For example, are you sure that your API prevents unauthorized queries or submissions? Are you sure that someone can’t start guessing other users’ authentication tokens? Does your API expose error messages when there’s a problem, or are these properly hidden? There are a lot of security considerations when it comes to API usage, and it’s important to test these continuously to ensure that a security loophole doesn’t arise. If you fail to automate testing, it’s not only your data that could be at stake, but also the data of your users.
So, how can you fix this problem? The best thing to do is automate your API testing so that you can check for all of these security problems without having to remember to test manually. There are a variety of solutions to do this, with Postman being one of the most popular open source options. If you’re looking for a robust, paid option that comes with all of the bells and whistles you’d need for true enterprise API testing, then you should consider LoadView and Dotcom-Monitor’s full suite of automated API testing tools. Not only does the Dotcom-Monitor suite cover REST, SOAP, and other APIs, but it also allows for nearly limitless configuration options and reporting tools. Having access to a testing tool like that can literally change the way you run your website or business. Try Dotcom-Monitor for free today and see how you can automate your API testing in minutes!
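The test-case parameters listed under "What Will You Test in the API?" and the security questions above can be combined into one repeatable script. The following is an added example, not Dotcom-Monitor's code: it runs against a constructed local stub API, and the /items route, the token value and the leak markers are assumptions made for illustration.

```python
import http.client, json, socketserver, threading, time
from http.server import BaseHTTPRequestHandler

TOKEN = "constructed-test-token"  # constructed credential, not a real secret
LEAK_MARKERS = ("Traceback", "Exception", "SELECT ", "/usr/")  # assumed leak signs

class StubAPI(BaseHTTPRequestHandler):  # constructed stand-in for the API under test
    def do_GET(self):
        if self.headers.get("Authorization") != f"Bearer {TOKEN}":
            status, body = 401, {"error": "unauthorized"}
        elif self.path == "/items":  # hypothetical route
            status, body = 200, {"items": [1, 2, 3]}
        else:
            status, body = 404, {"error": "not found"}
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())

CASES = [  # name, path (input), token, expected status, max seconds
    ("valid token reads data", "/items", TOKEN, 200, 1.0),
    ("missing token rejected", "/items", None, 401, 1.0),
    ("guessed token rejected", "/items", "guess-0001", 401, 1.0),
    ("error hides internals", "/nope", TOKEN, 404, 1.0),
]

def check(port, path, token, want, max_s):
    """One test case: status, response time, JSON format, no leaked internals."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    start = time.monotonic()
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    status, raw = resp.status, resp.read().decode()
    elapsed = time.monotonic() - start
    conn.close()
    try:
        json.loads(raw)  # proper response formatting: body must parse as JSON
    except ValueError:
        return False
    return status == want and elapsed <= max_s and not any(m in raw for m in LEAK_MARKERS)

def run_suite():
    """Start the stub on a free local port, run every case, return name -> passed."""
    with socketserver.TCPServer(("127.0.0.1", 0), StubAPI) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        results = {name: check(server.server_address[1], *args) for name, *args in CASES}
        server.shutdown()
    return results
```

Scheduling a script like this after every build, and again from outside the network, turns the one-off checks into the continuous verification the text recommends.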
Page last updated: May 2018