Rest API Testing 

REST API testing has five phases, starting with specification review and ending with API test execution. Let us look at each phase in detail.


API Specification Review

The first step is to document the API testing requirements. What is the purpose of the API? What are its features? Where will it be used in the application's workflow? Which integrations does the API support? Documenting all these requirements is the first step in the API testing process, and it guides the planning of API tests throughout the rest of the process.


Setting Up Test Environment

The next step is setting up a testing environment. This involves configuring the database and server to match the application requirements. In this step, the required set of parameters around the API is also defined. The project is created and integrated with an available testing framework such as TestNG or JUnit, and all the relevant dependencies are added to the project.

Integrating Application Data

In this step, application data is combined with the API tests so that every possible input configuration is exercised and the API functions are checked against their expected behaviour. The data is prepared in an Excel sheet.

Deciding Type of API Test

Once the testing boundaries and requirements are defined, the types of test to be performed against the API are decided. There are different types of API test, such as functionality testing, validation testing, load testing, security testing, end-to-end testing, etc.

Test Execution & Reporting

The next step is to create test cases against the requirements and execute them. After execution is completed, the test results are documented. The Extent reporting framework is widely used to generate the execution report.


Rest API Testing Types

Functionality Testing – This verifies that the API works as per the defined requirements. Testing is performed against the requirements using all the test scenario categories listed below.

Reliability Testing – This verifies that the API can be connected to consistently and returns consistent results. Any deviation in the result, including the response time, marks the test case as Fail.

Validation Testing – This verifies the product, behaviour and efficiency aspects of an API.

Load Testing – This is performed to ensure the performance of the API under both normal and peak conditions. Response time is an important factor in this type of testing.

UI Testing – This involves testing the user interface that consumes the API and its other integral parts.

Security Testing – This tests that the API is secure against all possible external threats. Various security testing factors are considered in this testing type.

Penetration Testing – This helps detect vulnerabilities in an application from an attacker's perspective. It is done by simulating the attacks an attacker could attempt against the system.


Rest API test procedure

For any API test, the following need to be verified:

1. Verify the correct HTTP status code – The response code has to be verified to ensure the operation was performed successfully. For example, creating a resource should return 201 CREATED and unpermitted requests should return 403 FORBIDDEN, etc.

2. Verify the response payload – Verify the JSON body and the field names, types, and values returned. This also includes checking the error responses.

3. Verify response headers – HTTP server headers have implications for both security and performance, so response headers should also be validated.

4. Verify the correct application state – This is optional and applies mainly to manual testing, or when a UI or another interface can be easily inspected.

5. Verify basic performance sanity – If an operation completed successfully but took an unreasonable amount of time, the test is considered a failure. For example, if a POST request returns 200 but the response time exceeds the agreed limit, the test is marked as Fail.


Test scenario categories

API test cases are generally classified into the following scenario groups:

  • Basic positive tests (happy paths)
  • Extended positive testing with optional parameters
  • Negative testing with valid input
  • Negative testing with invalid input
  • Destructive testing
  • Security, authorization tests
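The five verification steps of the test procedure above and the scenario categories just listed, as one added, self-contained example that is not part of the original article. The stub API (POST /users, GET /users/<name>, bearer-token authorization, the token value and the in-memory user store) is constructed here so the script runs offline; check_response applies steps 1, 2, 3 and 5 (status code, payload fields, headers, timing), the GET that reads a created user back covers step 4 (application state), and run_scenarios holds one case per scenario category, including a destructive case (malformed body) and an authorization case (missing token).

```python
"""Added example, not from the article: a REST API test run against a constructed stub."""
import json
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

API_TOKEN = "constructed-test-token"  # assumed bearer token accepted by the stub API


class StubApi(BaseHTTPRequestHandler):
    """Constructed stand-in for the API under test, backed by an in-memory user store."""
    users = {}

    def log_message(self, *args):  # silence per-request logging
        pass

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _authorized(self):
        return self.headers.get("Authorization") == f"Bearer {API_TOKEN}"

    def do_GET(self):
        if not self._authorized():
            return self._send(403, {"error": "forbidden"})
        user = self.users.get(self.path.rsplit("/", 1)[-1])
        self._send(200, user) if user else self._send(404, {"error": "not found"})

    def do_POST(self):
        if not self._authorized():
            return self._send(403, {"error": "forbidden"})
        if self.path != "/users":
            return self._send(404, {"error": "not found"})
        try:  # malformed or non-object JSON is rejected cleanly instead of crashing
            body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
            if not isinstance(body, dict):
                raise ValueError
        except ValueError:
            return self._send(400, {"error": "malformed json object"})
        name = body.get("name")
        if not isinstance(name, str) or not name:
            return self._send(422, {"error": "name must be a non-empty string"})
        if name in self.users:
            return self._send(409, {"error": "user already exists"})
        self.users[name] = {"id": len(self.users) + 1, "name": name, "role": body.get("role", "member")}
        self._send(201, self.users[name])


def call_api(base, method, path, body=None, token=API_TOKEN):
    """Send one request; capture status, headers, parsed JSON body and elapsed time."""
    data = None if body is None else body if isinstance(body, bytes) else json.dumps(body).encode()
    req = urllib.request.Request(base + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    if token is not None:
        req.add_header("Authorization", f"Bearer {token}")
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(req) as resp:
            status, headers, raw = resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body to check
        status, headers, raw = err.code, err.headers, err.read()
    return {"status": status, "headers": headers, "body": json.loads(raw),
            "elapsed": time.perf_counter() - start}


def check_response(resp, *, status, fields=(), max_seconds=2.0):
    """Steps 1, 2, 3 and 5: status code, payload fields, headers, timing. Returns failures."""
    failures = []
    if resp["status"] != status:
        failures.append(f"expected {status}, got {resp['status']}")
    for name, typ in fields:  # payload check: field present and of the expected type
        if not isinstance(resp["body"].get(name), typ):
            failures.append(f"field {name!r} missing or not {typ.__name__}")
    if not resp["headers"].get("Content-Type", "").startswith("application/json"):
        failures.append("Content-Type is not application/json")
    if resp["headers"].get("X-Content-Type-Options") != "nosniff":
        failures.append("X-Content-Type-Options: nosniff header missing")
    if resp["elapsed"] > max_seconds:
        failures.append(f"took {resp['elapsed']:.3f}s, limit {max_seconds}s")
    return failures


def start_stub():
    """Bind the stub to an ephemeral localhost port and serve it in the background."""
    StubApi.users = {}  # fresh state for every run
    server = HTTPServer(("127.0.0.1", 0), StubApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"


def run_scenarios():
    """One case per scenario category; returns {case name: list of failures}."""
    base, out, err = start_stub(), {}, (("error", str),)
    # basic positive test (happy path)
    out["happy_path"] = check_response(call_api(base, "POST", "/users", {"name": "alice"}),
                                       status=201, fields=(("id", int), ("name", str)))
    # extended positive test with an optional parameter
    r = call_api(base, "POST", "/users", {"name": "bob", "role": "admin"})
    out["optional_param"] = check_response(r, status=201) + (
        [] if r["body"].get("role") == "admin" else ["optional 'role' was ignored"])
    # step 4, application state: the created resource can be read back
    out["state"] = check_response(call_api(base, "GET", "/users/alice"), status=200, fields=(("id", int),))
    # negative test with valid input: well-formed request, but a duplicate
    out["negative_valid"] = check_response(call_api(base, "POST", "/users", {"name": "alice"}), status=409, fields=err)
    # negative test with invalid input: wrong type for a required field
    out["negative_invalid"] = check_response(call_api(base, "POST", "/users", {"name": 42}), status=422, fields=err)
    # destructive test: malformed body must be rejected, not crash the server
    out["destructive"] = check_response(call_api(base, "POST", "/users", b"{not json"), status=400, fields=err)
    # security / authorization test: a request without a token must be refused
    out["authz"] = check_response(call_api(base, "POST", "/users", {"name": "mallory"}, token=None), status=403, fields=err)
    return out


if __name__ == "__main__":
    for case, failures in run_scenarios().items():
        print(f"{case:16} {'PASS' if not failures else 'FAIL: ' + '; '.join(failures)}")
```

Each case returns a list of failures rather than stopping at the first mismatch, so a single run reports every broken check (status, field, header or timing) for every scenario; against a real API, only call_api's base URL, the token and the expected status codes would change.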