The Simplified Guide to API Testing

The Simplified Guide to API Testing

COVID-19 Note: There is a virus shutting down the world right now. It’s destroying a lot of lives and livelihoods. However, I want to take some of the focus off the destruction this virus is causing, and focus on creating instead of destruction. For my creative act of defiance, I want to do a series of posts on API testing over the next few weeks. Consider it to be my way of fighting back against the covid-19 virus. We can still go on with life even in times like this.

When I started testing APIs, didn’t know anything about them. I’ve learned a lot over the last few years and I now feel pretty comfortable with using and testing APIs, but it wasn’t always that way. When I first started it was hard to even figure out what to do. I can still remember some of that pain I went through.

In my first year of university we had a calculus professor we nicknamed Einstein. Partly because of his hair and partly because he managed to make calculus as confusing as relativity. He would start to solve a problem on the board and then he would say ‘and therefore it is obvious that’ and write down some solution. We would all sit there and look puzzled.  What was obvious to him was not obvious to us as the students. We needed to know the intermediate steps that he had skipped in order to understand what had happened.

This is a common occurrence. As you learn things, the pain of that initial learning curve goes away and it becomes harder and harder to explain things to those who are just starting out. You start to assume things and makes leaps of logic that seem obvious to you but that are confusing to those who are new to the subject.  As I continue to progress in what I am learning about APIs, I want to get down some of my basic thoughts on API testing, hopefully before it is ‘too late’ for me to explain to those that are just starting out.

So with that long preamble, here is my attempt at a simplified guide to getting started with API testing

Figure out the endpoints

I found this to be one of the most difficult parts of API testing. How do I even know what there is to test? What things can the API do?  If you are working with a well documented public API, this isn’t much of a concern, but in my experience most API testing is done on internal APIs that support different parts of your application.  These kinds of APIs tend to be poorly documented (if they are at all). So how do you figure it out?

Well of course any available in house documentation helps, so certainly start there if you have some available.  And don’t forget that documentation can sit in places you might not expect. For example sometimes code comments or even signatures in a method can help you out. You also might also be able to find documentation in stories or requirements that point you in the direction you need to go.

Another great source of information is humans. You see there are people in your company who have created, designed, tested and/or used the API you are looking at. If you can find and talk to those people, they can be an invaluable source of information.

Code bases are another place that contain information about how APIs work. You might not know how to write code, but you can often still find out some information by looking at how an API is called. You might be able to pick up something by the urls used in the caller, or you might be able to find some unit tests that use the API and give you insights into how it was used.

Last, but certainly not least, you might want to look at network calls in the developer console to figure out what API endpoints are available.  Often API calls are sent over the network and by looking at network calls in the developer tools you can figure out a lot about how they work.

One thing you will find with all of these sources of information is that they will give you imperfect and incomplete information.  There will be things you just don’t understand and (especially at first) everything will be very unclear and foggy.  But if you stick with it and continue to ask questions and get feedback, you will suddenly realize one day that you actually get it and have a decent understand of the API.

Auth and Security

Authorization. Authentication. Security. What is it all about and how does it work? I found auth workflows hard to understand. Security is obviously very important to the way an API works, but it can significantly complicate the use of an API.  This article would get far too long if I was to dive deep on this, but I do want to point out a few hints.

First of all look at how your tools can support you. Tools like Postman offer a lot of support for making authorization and authentication easier.  They can also provide you with insight in the security of your API. Dig into those features a bit in whatever tool you use and see what you can figure out.

Another consideration is that, again, when you find yourself frustrated by it, consider it to be a learning experience. Ask questions of your coworkers (and Google).  Try and figure out a bit about how Oauth works. Get a bit of an understanding of authorization workflows.  I have found that digging into authorization really pushed me with respect to understanding stuff about how APIs and HTTP protocols worked and so it was a great way to learn a lot more about API testing

A last comment on the security front, is that many things are ‘security’ issues that are not related directly to technical security testing. Making sure that different users types can only access the information they have permissions for and making sure that all paths give back the correct information are also forms of security testing.  Remember to look at your API holistically

Learn to do by doing

It can be tempting to spend a lot of time learning about things like API testing. We can feel like we need to know what we are doing before we get started, but I really believe that the best way to learn is by doing. Just try making API calls. Figure out one endpoint and try calling it. Start with the smallest thing you know and use it. As you try to do things and get stuck and then figure it out you will learn the things you need to know for the API you are working on.  You will also learn what things you don’t know and where you need further study and so you’ll be able to find resources that can help you with the exact things you need to know.

Figure out some of the basic terminology

I have a glossary of terms I’ve put together here. This is a set of terms I had to learn. You may find it helpful, but I think it will be important to also figure out what terms you hear that you don’t understand and figure them out. It is also important to listen to how your team uses terms and to make sure you are understanding what they mean. Often different teams or companies can use the same or similar terms in different ways. Pay attention to the words and build up a vocabulary.  You will find that this makes it easier to ask questions and to understand what is going on.

Next steps

So where to do from here?

  1. Install an API testing tool (Postman perhaps)
  2. Find an endpoint on the API you are interested and make a call to it
  3. Change something in the API call and try again
  4. Start writing down what you observe and try to build a mental map of what the API does
  5. Try to use the API to answers some questions you have and follow up on figuring out how to get it to do those things
  6. Research and learn the things you need
  7. Try your hand at some API testing challenges (The automation in testing site is a great place to start).  You could also try out some public APIs (here is a list of some you could try)
  8. Ask lots of questions!

Photo by Daniil Silantev on Unsplash

Effective Testing During COVID-19

Effective Testing During COVID-19

Can one blog about something that isn’t corona virus related at this time? This is affecting us all in so many ways. I’m thankful though that I have a job that makes it easy to work from home. The company I work at is also in an industry that will likely benefit from this as we enable online education which is kind of a big thing right now. So as someone who does not have to worry about their job and income and who is at an age where the impact of the virus is unlikely to be serious if I was to get it, I feel blessed.

I have always worked from home on a regular basis (usually 1 or 2 times a week), and so the transition to full time working from home hasn’t been too difficult for me. My wife and I also started homeschooling our kids just this year, so that also hasn’t been too big of an adjustment for us either. I think the biggest thing this pandemic has given me is some perspective. When everything changes you realize what things you might have been taking for granted. Full time remote work is different than going into the office to regularly have face to face contact with your coworkers. As a team we are all working on ways to stay connected and have effective communication in a world where we can’t just pop our heads over the cubicle wall and chat.

What does one do as software tester in this world? How do you work effectively in a fully remote environment? There are a few things I have been thinking about and working on at this time. One important thing (probably for all remote workers) is organization and discipline. There are different kinds of distractions when you work from home. Your family, your pets, even your housework all distract in different ways than your co-workers. You may need to have conversations with kids and your spouse about how to protect your time so that you have the ability to dive deep on your testing sometimes.

I think organization is another important factor to consider. There may be some built in accountability at work where your co-workers or boss can see what you are doing when they walk past your desk. At home you may need to watch your schedule more and make sure you aren’t spending too much time reading the latest news about the virus (it’s probably not a healthy thing to spend too much time reading about anyways).

There are also less clearly defined lines between work life and family life when you work from home, so set some boundaries for yourself that way too. You may have needed to talk to your kids about boundaries while you are working, but don’t forget to set boundaries for when you are not working too. Just because your computer is only 5 feet away in your office, doesn’t mean you need to go do some work at 8 pm. Give yourself and your family some uninterrupted time

Those items above are probably general to anyone working from home. As a tester are there any particular challenges? One thing that may be a challenge is access to your test lab or test devices. This might be the time to investigate Sauce Labs or CrossBrowserTesting or similar services as options to get access to the devices that you need. Another challenge testers may face is in communicating with developers about issues. I will often go over to a developer’s desk to discuss, debug or demonstrate an issue I’ve found. This can be more difficult when working remotely, but certainly using tools like zoom or google hangouts to do these things virtually helps a lot.

I also firmly believe that quality is a team sport. When working from home, testers need to remember that we aren’t working off on our own, finding bugs and throwing them over the wall at the developers. I think as an industry we have been making positive strides towards integrating quality into the entire development life cycle. Let’s not let this set us back to a mindset of developers develop and then give to testers who find all the bugs and give it back to developers. This kind of ping-pong approach of bouncing things back and forth over the wall between test and dev is not an effective way to create high quality software. Quality is a team sport and so in times of ‘isolation’ we need to stay connected as teams to ensure we are focused on this together.

Talk about testing and quality as a team. Meet with developers to talk about things to consider for stories they are working on. Pair up with developers to help grow quality skills throughout the team. Stay involved in design and story definition meetings. Keep working on having quality thinking permeate the entire development process. Working as teams remotely can be challenging, but stay focused on ensuring that you are indeed working as part of a team.

Take care of yourself in these crazy times in which we live, and happy testing!


Photo by Dimitri Karastelev on Unsplash