API testing

API testing is a type of software testing that involves testing application programming interfaces (APIs)
directly and as part of integration testing to determine if they meet expectations for functionality,
reliability, performance, and security.[1] Since APIs lack a GUI, API testing is performed at the message
layer.[2] API testing is now considered critical for automating testing because APIs now serve as the
primary interface to application logic and because GUI tests are difficult to maintain with the short
release cycles and frequent changes commonly used with Agile software development and DevOps.[3][4]

Contents
API testing overview
API testing, GUI testing, and test automation
Types of API testing
Software
See also
References

API testing overview

API testing involves testing APIs directly (in isolation) and as part of the end-to-end transactions
exercised during integration testing.[1] Beyond RESTful APIs, these transactions include multiple types
of endpoints such as web services, ESBs, databases, mainframes, web UIs, and ERPs. API testing is
performed on APIs that the development team produces as well as APIs that the team consumes within
their application (including third-party APIs).[5]

API testing is used to determine whether APIs return the correct response (in the expected format) for a
broad range of feasible requests, react properly to edge cases such as failures and unexpected/extreme
inputs, deliver responses in an acceptable amount of time, and respond securely to potential security
attacks.[1][4] Service virtualization is used in conjunction with API testing to isolate the services under
test as well as expand test environment access by simulating APIs/services that are not accessible for
testing.[6]

API testing commonly includes testing REST APIs or SOAP web services with JSON or XML message
payloads being sent over HTTP, HTTPS, JMS, and MQ.[2][7] It can also include message formats such as
SWIFT, FIX, EDI and similar fixed-length formats, CSV, ISO 8583 and Protocol Buffers being sent over
transports/protocols such as TCP/IP, ISO 8583, MQTT, FIX, RMI, SMTP, TIBCO Rendezvous, and
FIX.[8][9]

API testing, GUI testing, and test automation

API Testing is recognised as being more suitable for test automation and continuous testing (especially
the automation used with Agile software development and DevOps) than GUI testing.[3][4] Reasons cited
include:

System complexity: GUI tests can't sufficiently verify functional paths and back-end
APIs/services associated with multitier architectures. APIs are considered the most stable
interface to the system under test.
Short release cycles with fast feedback loops: Agile and DevOps teams working with
short iterations and fast feedback loops find that GUI tests require considerable rework to
keep pace with frequent change. Tests at the API layer are less brittle and easier to
maintain.
For these reasons, it is recommended that teams increase their level of API testing while decreasing their
reliance on GUI testing. API testing is recommended for the vast majority of test automation efforts and
as much edge testing as possible. GUI testing is then reserved for validating typical use cases at the
system level, mobile testing, and usability testing.[3][4][10]

Types of API testing

API testing typically involves the following practices:

Unit testing - Testing the functionality of individual operations.

Functional testing - Testing the functionality of broader scenarios, often using unit tests as
building blocks for end-to-end tests. Includes test case definition, execution, validation, and
regression testing.
Load testing - Validating functionality and performance under load, often by reusing
functional test cases.
Runtime error detection - Monitoring an application the execution of automated or manual
tests to expose problems such as race conditions, exceptions, and resource leaks.
Security testing - Includes penetration testing and fuzz testing as well as validating
authentication, encryption, and access control.
Web UI testing - Performed as part of end-to-end integration tests that also cover APIs,
enables teams to validate GUI items in the context of the larger transaction.
Interoperability testing - (SOAP only) Checking conformance to Web Services
Interoperability profiles.
WS-* compliance testing - (SOAP only) Checking compliance to WS-* standards such as
WS-Addressing, WS-Discovery, WS-Federation, WS-Policy, WS-Security, and WS-Trust.
Penetration testing - testing a computer system, network or Web application to find
vulnerabilities that an attacker could exploit.
Fuzz-testing - massive amounts of purely random data, sometimes referred to as "noise" or
"fuzz", is forcibly input into the system in order to attempt a forced crash, overflow, or other
negative behavior. This is done to test the API at its absolute limits, and serves somewhat
as a "worst case scenario".

Software
SoapUI
SOAtest
Swagger
See also
Automated testing
Service virtualization
Software testing

References
1. Testing APIs protects applications and reputations (http://searchsoftwarequality.techtarget.c
om/tip/Testing-APIs-protects-applications-and-reputations), by Amy Reichert,
SearchSoftwareQuality March 2015
2. All About API Testing: An Interview with Jonathan Cooper (http://www.stickyminds.com/inter
view/all-about-api-testing-interview-jonathan-cooper), by Cameron Philipp-Edmonds,
Stickyminds August 19, 2014
3. The Forrester Wave™ Evaluation Of Functional Test Automation (FTA) Is Out And It's All
About Going Beyond GUI Testing (http://blogs.forrester.com/diego_lo_giudice/15-04-23-the_
forrester_wave_evaluation_of_functional_test_automation_fta_is_out_and_its_all_about_go
ing_be?cm_mmc=RSS-_-BT-_-63-_-blog_1769) Archived (https://web.archive.org/web/201
50528225452/http://blogs.forrester.com/diego_lo_giudice/15-04-23-the_forrester_wave_eva
luation_of_functional_test_automation_fta_is_out_and_its_all_about_going_be?cm_mmc=
RSS-_-BT-_-63-_-blog_1769) 2015-05-28 at the Wayback Machine, by Diego Lo Giudice,
Forrester April 23, 2015
4. Produce Better Software by Using a Layered Testing Strategy (http://www.gartner.com/docu
ment/2645817?ref=QuickSearch), by SEAN Kenefick, Gartner January 7, 2014
5. Onus for third-party APIs is on enterprise developers (http://searchsoftwarequality.techtarge
t.com/tip/Onus-for-third-party-APIs-is-on-enterprise-developers), by Amy Reichert,
SearchSoftwareQuality July 2014
6. Accelerate Development with Automated Testing (http://www.gartner.com/document/264271
6), by Nathan Wilson, Gartner December 30, 2013
7. A Guidance Framework for Designing a Great Web API (http://www.gartner.com/document/
2827918), by Eric Knipp and Gary Olliffe , Gartner August 20, 2014
8. The Fight Against Brittle Scripts and Software Defects (http://www.drdobbs.com/tools/the-fig
ht-against-brittle-scripts-and-so/231901658), by Adrian Bridgwater, Dr. Dobb's Journal
October 26, 2011
9. How Do We Learn Composite App Testing-Speak? (http://www.drdobbs.com/testing/how-do
-we-learn-composite-app-testing-sp/232600874), by Adrian Bridgwater, Dr. Dobb's Journal
February 14, 2012
10. Cohn, Mike (2009). Succeeding with Agile: Software Development Using Scrum. Addison-
Wesley Professional. p. 312. ISBN 978-0321579362.

Retrieved from "https://en.wikipedia.org/w/index.php?title=API_testing&oldid=936778234"

This page was last edited on 20 January 2020, at 23:20 (UTC).

Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using
this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia
Foundation, Inc., a non-profit organization.