The Simplified Guide to API Testing

COVID-19 Note: There is a virus shutting down the world right now. It’s destroying a lot of lives and livelihoods. However, I want to take some of the focus off the destruction this virus is causing, and focus on creating instead of destruction. For my creative act of defiance, I want to do a series of posts on API testing over the next few weeks. Consider it to be my way of fighting back against the covid-19 virus. We can still go on with life even in times like this.

When I started testing APIs, didn’t know anything about them. I’ve learned a lot over the last few years and I now feel pretty comfortable with using and testing APIs, but it wasn’t always that way. When I first started it was hard to even figure out what to do. I can still remember some of that pain I went through.

In my first year of university we had a calculus professor we nicknamed Einstein. Partly because of his hair and partly because he managed to make calculus as confusing as relativity. He would start to solve a problem on the board and then he would say ‘and therefore it is obvious that’ and write down some solution. We would all sit there and look puzzled.  What was obvious to him was not obvious to us as the students. We needed to know the intermediate steps that he had skipped in order to understand what had happened.

This is a common occurrence. As you learn things, the pain of that initial learning curve goes away and it becomes harder and harder to explain things to those who are just starting out. You start to assume things and makes leaps of logic that seem obvious to you but that are confusing to those who are new to the subject.  As I continue to progress in what I am learning about APIs, I want to get down some of my basic thoughts on API testing, hopefully before it is ‘too late’ for me to explain to those that are just starting out.

So with that long preamble, here is my attempt at a simplified guide to getting started with API testing

Figure out the endpoints

I found this to be one of the most difficult parts of API testing. How do I even know what there is to test? What things can the API do?  If you are working with a well documented public API, this isn’t much of a concern, but in my experience most API testing is done on internal APIs that support different parts of your application.  These kinds of APIs tend to be poorly documented (if they are at all). So how do you figure it out?

Well of course any available in house documentation helps, so certainly start there if you have some available.  And don’t forget that documentation can sit in places you might not expect. For example sometimes code comments or even signatures in a method can help you out. You also might also be able to find documentation in stories or requirements that point you in the direction you need to go.

Another great source of information is humans. You see there are people in your company who have created, designed, tested and/or used the API you are looking at. If you can find and talk to those people, they can be an invaluable source of information.

Code bases are another place that contain information about how APIs work. You might not know how to write code, but you can often still find out some information by looking at how an API is called. You might be able to pick up something by the urls used in the caller, or you might be able to find some unit tests that use the API and give you insights into how it was used.

Last, but certainly not least, you might want to look at network calls in the developer console to figure out what API endpoints are available.  Often API calls are sent over the network and by looking at network calls in the developer tools you can figure out a lot about how they work.

One thing you will find with all of these sources of information is that they will give you imperfect and incomplete information.  There will be things you just don’t understand and (especially at first) everything will be very unclear and foggy.  But if you stick with it and continue to ask questions and get feedback, you will suddenly realize one day that you actually get it and have a decent understand of the API.

Auth and Security

Authorization. Authentication. Security. What is it all about and how does it work? I found auth workflows hard to understand. Security is obviously very important to the way an API works, but it can significantly complicate the use of an API.  This article would get far too long if I was to dive deep on this, but I do want to point out a few hints.

First of all look at how your tools can support you. Tools like Postman offer a lot of support for making authorization and authentication easier.  They can also provide you with insight in the security of your API. Dig into those features a bit in whatever tool you use and see what you can figure out.

Another consideration is that, again, when you find yourself frustrated by it, consider it to be a learning experience. Ask questions of your coworkers (and Google).  Try and figure out a bit about how Oauth works. Get a bit of an understanding of authorization workflows.  I have found that digging into authorization really pushed me with respect to understanding stuff about how APIs and HTTP protocols worked and so it was a great way to learn a lot more about API testing

A last comment on the security front, is that many things are ‘security’ issues that are not related directly to technical security testing. Making sure that different users types can only access the information they have permissions for and making sure that all paths give back the correct information are also forms of security testing.  Remember to look at your API holistically

Learn to do by doing

It can be tempting to spend a lot of time learning about things like API testing. We can feel like we need to know what we are doing before we get started, but I really believe that the best way to learn is by doing. Just try making API calls. Figure out one endpoint and try calling it. Start with the smallest thing you know and use it. As you try to do things and get stuck and then figure it out you will learn the things you need to know for the API you are working on.  You will also learn what things you don’t know and where you need further study and so you’ll be able to find resources that can help you with the exact things you need to know.

Figure out some of the basic terminology

I have a glossary of terms I’ve put together here. This is a set of terms I had to learn. You may find it helpful, but I think it will be important to also figure out what terms you hear that you don’t understand and figure them out. It is also important to listen to how your team uses terms and to make sure you are understanding what they mean. Often different teams or companies can use the same or similar terms in different ways. Pay attention to the words and build up a vocabulary.  You will find that this makes it easier to ask questions and to understand what is going on.

Next steps

So where to do from here?

1. Install an API testing tool (Postman perhaps)
2. Find an endpoint on the API you are interested and make a call to it
3. Change something in the API call and try again
4. Start writing down what you observe and try to build a mental map of what the API does
5. Try to use the API to answers some questions you have and follow up on figuring out how to get it to do those things
6. Research and learn the things you need
7. Try your hand at some API testing challenges (The automation in testing site is a great place to start).  You could also try out some public APIs (here is a list of some you could try)
8. Ask lots of questions!

Photo by Daniil Silantev on Unsplash