API Testing: Best Practices and Sage Advice
API is acronym speak for Application Programming Interface and its full name is a good description of what it does. An API is a user interface to an application where the intended user is another program. The most common uses of APIs are in ecommerce and web service sites.
An ecommerce site typically has a front-end (the user facing website), middle-ware (business logic), and a back-end (database or data manipulation function). The API provides connections between and within these system segments.
It is the programming strategy of choice over creating dedicated interfaces between program modules. Largely because it provides a more stable data/command exchange connection and helps isolate code changes to keep them from spreading unintended effects through the system.
Third party services, such as credit card authorization sites, employ APIs to present their functionality to the sites that use them. As a functional example, a user enters credit card information on a site form to make an on-line purchase. Clicking the submit button sends that information from the website to a middleware module that recognizes the need to get authorization for use of the card. That module makes a series of API calls to a third party authorization service in which it transfers the information and receives an authorization code in return.
The API provides both information and acts as barrier against code functional errors. It becomes a boundary, offering information that can be examined by error traps and is independent of changes to the code that created it.
API Testing Considerations
Wonderful as they are, APIs and the code linked to them still need to be thoroughly tested. As with other software quality efforts, there are a number of perspectives that are vital to the API testing process.
Data Driven API Testing
APIs are used to convey information and commands. Both are forms of data. They need to be tested using input and output data that covers the entire range the interface is intended to handle. This means covering the spectrum of possible values for each API parameter in as many combinations as possible.
Out-of-Band Data
Once operation is confirmed from exercising the API within its band of expected data, what happens when the data goes out of bounds? Testing with out-of-band data verifies the API’s firewall functionality for isolating errors. Both the API itself and the code that calls it should have error trapping in place that is fully effective.
Test to Failure
Make a point of adding test cases to all API verification efforts that push the code to failure. This is part and parcel of out of band testing and it also verifies that the API fails gracefully rather than simply crashing the system with an unanswered call or a completely bogus response.
Call Sequencing
API calls typically occur in groups. Robust reliability is promoted by making API data exchanges as granular as possible. This leads to a need for testing a series of API calls with associated data and expected results. Each call should have varied data and the sequence should be tested with the calls both in and out of order.
Automated API Testing
Since APIs are machine to machine interfaces, it makes sense to machine-test them. This makes API verification one of the best places to implement test automation. Test automation also offers excellent opportunities to pursue data driven test cases. As with all automation, test script maintenance is key and must be carefully coordinated with design and code updates.
Stress Performance
APIs are a critical point of performance in any complex code system. Load testing should stress API calls and monitor them carefully for any signs of degradation and performance drop off. API call responses are critical to overall system performance in both content and timing.
API Test Documentation
APIs are commonly used for third party services which means that one company creates the API and another must correctly use it. This makes documentation of API calls a critical point of communication between those entities. Many expensive system stoppages have been caused by a third party’s API change that was not communicated in either a timely or accurate fashion to the customer’s development staff.
API Testing: Early and Often is the Key
API’s are potent tools for increasing system reliability and robust handling of error conditions. But that said, an insufficiently tested API can be the Achilles heel of the system it was intended to support.