Blog API Testing

Actionable Test Tactics For API and Web Services Testing

October 5, 2021

Every software tester starts his/her testing journey with UI (User interface). This is not a myth but a reality in most cases. Hence shifting focus to testing the core layer of the application or system – The API becomes pivotal. Considering that the API is what gives most modern applications and services their value, it’s easy to see why API testing has become such an important part of the software development process.

In this blog, I have tried to capture essential information (in my opinion and from my experience) on API and web services testing for testers at various levels of learning.

“All web services are APIs. All APIs are not web services”


It is never late to start your API testing journey. API testing aims to ensure that APIs and their integrations function in the most optimal manner possible. Start with simple tests that validate the functionality of the APIs and then gradually improve your tests to cover various scenarios and detect issues at various stages. Complex API tests can also be made simpler with tools available. So, start now 🙂

– Understanding the basics of web services and APIs

  • What is an API?
  • Why are APIs important?
  • Types of API requests
  • Headers/cookies – Headers represent the metadata associated with the request body and response.
    E.g. Authorization: “api_key” sent as headers along with the request body
  • Path parameters – Variable parts of a URL path. This is used to point to a specific resource, such as a user identified with an ID.
  • Query parameters – These parameters are used to sort/filter the resources
  • How to construct an endpoint URL – BaseURL/resource/(query/path)parameters

API Endpoints

A REST API exposes a set of public URLs that client applications use to access the resources of a web service. These URLs, in the context of an API, are called endpoints
Endpoints for a customer resource:

HTTP Method API endpoint Description
GET /customers Get a list of customers
POST /customers Create a new customer

– API test design
Test Prerequisites:

  • Endpoints are correctly named
  • Resources and their types correctly reflect the object model
  • No missing functionality or duplicate functionality

– What to validate:

  • Verify correct HTTP status code
  • Verify response payload
  • Verify response headers
  • Basic positive tests (Positive test scenarios that validate the functional behavior of the API )
  • Negative testing with valid input (Execute API calls with valid input that attempts illegal operations)
  • Performance tests (Check API response time, latency)
  • Security, authorization, and (role/access) permission-based tests

Status Codes

Once a REST API receives and processes an HTTP request, it will return an HTTP response. Included in this response is an HTTP status code.
Common status codes returned by REST APIs:

Status code Meaning Description
200 OK The requested action was successful
201 Created A new resource was created
400 Bad Request The request is malformed
401 Unauthorized The client is unauthorized to perform the requested action

API Testing Types:

a. Validation Testing – Whether the API meets the product requirements.
b. Functional Testing – Evaluate whether specified functionality works the way it was expected

API Testing tools:
a. Postman
b. Kataloan Studio

To try hands-on:


After understanding the basics of APIs and primary tests that can be conducted on them, the next step would be to deep dive into understanding the REST architecture (Why REST? REST is considered easier to use than a prescribed protocol like SOAP (Simple Object Access Protocol) and is lightweight and perfect for Internet of Things (IoT) and mobile app development.)
QA Touch
Understanding REST Architecture:

REST stands for representational state transfer and is a software architecture style that defines a pattern for client and server communications over a network. REST provides a set of constraints for software architecture to promote performance, scalability, simplicity, and reliability in the system

– REST Architecture constraints:

  • Stateless: The server won’t maintain any state between requests from the client.
  • Client-server: The client and server must be decoupled from each other, allowing each to develop independently.
  • Cacheable: The data retrieved from the server should be cacheable either by the client or by the server.
  • Uniform interface: The server will provide a uniform interface for accessing resources without defining their representation.
  • Layered system: The client may access the resources on the server indirectly through other layers such as a proxy or load balancer.
  • Code on demand (optional): The server may transfer code to the client that it can run, such as JavaScript for a single-page application.

“REST is not a specification but a set of guidelines on how to architect a network-connected software system.”API

– Test Automation: Take slower and steadier steps into API test automation. There are ‘n’ number of tools available for helping you in this journey. My choice to start with –

  • Rest Assured – ​​REST-assured was designed to simplify the testing and validation of REST APIs

– Assertions on JSON response body

  • Status code
  • Hamcrest package for assertions
  • JSON parser => Jsonpath class – converts string input to JSON. Use this for extracting details from Json response to assert
  • JSON path evaluator (

– Serialisation(java object to request body) and deserialization of Requests and Responses using POJO(Plain Object Java) classes
– Log Request and Response details – log().all().To log only specific parts of the request – log().params()

Congratulations, you are an API testing pro now 🙂 I have listed a few items that I am personally learning and trying hands-on. When you are at this level, you are on your own, to explore the world of APIs and have fun.

a. Mocking – Python requests to send requests and can use Flask to mock server endpoints. So you can perform TDD test development or validate your test code.

b. Python and REST – Pytest requests

Dictionaries: ​​A dictionary consists of a collection of key-value pairs. Python dictionary looks very like JSON format, but there are still some differences, so we cannot simply put a quote around a dictionary to convert it to JSON string format, though it works most of the time, e.g. ‘{“key1”: “value1”}’ is a valid JSON string format.

d = { <key>: <value>, <key>: <value>, .- . . <key>: <value> }

c. Handling JSON: Serialization and Deserialization.

d. Schema validation: Validate incoming JSON data by checking all necessary fields present in JSON files or responses and also validate data types of those fields. jsonschema is an implementation of JSON Schema for Python.

install jsonschema=>Define Schema=>Convert JSON to Python Object(json.loads)=>Pass resultant JSON to validate()method of jsonschema

e. JSON schema validation Flex: Validation tooling for Swagger 2.0 specifications.

f. Try out your expertise by practicing and attempting API challenges

“Test deep and learn more with APIs”

Leave a Reply