A series of digital lines with the word "API"

A Deep Dive into the Core Actions of API Testing

In the world of web services, REST APIs are the foundation of digital ecosystems. As developers and testers, we are responsible for the reliability and efficiency of these APIs. This article delves into API testing, highlighting essential practices to keep our APIs robust. 

Verifying HTTP Status Codes: The Protocol’s Handshake

HTTP status codes are the server’s way of communicating the status of a request. They are grouped into five classes, where the first digit of the status code defines the class of response.

  • 1xx: Informational
  • 2xx: Success
  • 3xx: Redirection
  • 4xx: Client errors
  • 5xx: Server errors

Example: In a banking application, when a user requests their account balance, a 200 OK status code indicates that the request was successful. However, a 401 Unauthorized status code signifies an error that the user is not authenticated.

Best Practice: It’s essential to test for expected and unexpected status codes to ensure the API handles errors gracefully.

Verifying Response Payload: Ensuring Data Integrity

Verifying the response payload involves checking the structure and content of the data returned by the API.

  • Structure: Ensure the JSON or XML returned is well-structured and parsable.
  • Content: Validate that the field names, data types, and values in the payload are correct.

Example: In an online bookstore, when fetching the details of a book, the API should return a payload with correct field names such as “title”, “author”, and “price”, and the data types should be string, string, and number, respectively.

Best Practice: Use JSON schema validation to automate the process of verifying the structure and content of the response payload.

Verifying Response Headers: Safeguarding Performance and Security

A blue vault door being closed

Response headers provide metadata about the response. Verifying these headers is crucial for security and performance.

  • Security: Headers like Content-Security-Policy, X-Content-Type-Options, and Strict-Transport-Security enhance security.
  • Performance: Headers like Cache-Control and ETag are used for caching and can improve performance.

Example: In a cloud storage API, security headers should be set to prevent man-in-the-middle attacks, and caching headers should be configured to optimize file retrieval times.

Best Practice: Regularly review and update security headers in line with the latest best practices.

Verifying Application State: Cohesion Between API and Application

This involves checking that the state of the application is consistent with the changes made through the API.

Example: In a ticket booking system, when a ticket is booked through the API, the number of available seats should decrease in the application.

Best Practice: Use database checks or UI validations to verify the application state. This can be done by querying the database directly to validate the state or with a UI test to confirm the changes are reflected in the application.

Verifying Basic Performance Metrics: Keeping Time in Check

Performance testing ensures the API can handle the load and responds within acceptable time limits. There are many performance measurements, but two common ones are

  • Response Time: The time taken by the API to return a response.
  • Throughput: The number of requests that can be handled over a certain period.
A hand pressing buttons with the label "KPI"

Example: In a stock trading platform, the API should be able to handle a high volume of requests, especially during market opening hours, and return responses within milliseconds.

Best Practice: Use load testing tools to simulate various loads on the API and monitor its performance under different conditions.

Conclusion: The Pinnacle of API Excellence

APIs are fundamental to modern digital systems, with their integrity, security, and performance being core to their purpose. As developers in this digital space, our role is to code and test them. While doing this, if we maintain these essential best practices,  your APIs will be both functional and exemplary. As you use testing tools, remember that each code, request, and response represents quality.

Arek Frankowski
Senior Software Architect

Watch or read our other posts at Kimputing Blogs. You’ll find everything from Automated testing to CenterTest, Guidewire knowledge to general interest. We’re trying to help share our knowledge from decades of experience.

Similar Posts