API TESTING
API TESTING SYLLABUS
1. Introduction to API and web services.
2. What is API?
3. What is API testing?
4. Advantages or benefits of API testing.
5. What are web services?
6. Types of API testing.
7. API testing enabling tools.
8. What is client and server?
9. How is API testing different from manual testing and mobile application testing?
10. Architectures of software (T1, T2 and T3) and microservices.
11. REST and SOAP APIs.
12. REST and SOAP architectures.
13. What are CRUD operations?
14. HTTP methods: GET, POST, PUT, DELETE, PATCH.
15. Difference between API and web services.
16. What is JSON and how to write JSON file?
17. What is XML file and how to write?
POSTMAN TOOL
1. Introduction.
2. Workflow of the Postman tool.
3. How to create a workspace and collection?
4. What is an endpoint URL/URI/resource?
5. What are path parameters and query parameters, and how to pass them in an API request?
6. What is a payload and how to pass JSON and XML as payload?
7. What status codes are available and how to check status codes in the Postman tool?
8. Postman tool important features we will be focusing on while testing APIs.
9. Chrome DevTools.
10. How to run collections?
11. Difference between authentication and authorization?
12. How to do authorization testing?
13. How to set local and global variables in the Postman tool?
14. How to set the environment?
15. How to run the test data from an Excel file?
16. How to import collections from a curl body?
17. How to write test scripts in JavaScript code?
18. What are cookies and how to use cookies?
19. How to write API test cases?
20. Interview questions
WHAT IS AN API?
An API is also called a middle layer. It enables the communication between 2 separate systems or servers.
OR
An API enables the communication via data exchange between 2 systems.
OR
API stands for application programming interface. It is a software middle layer that allows 2 applications to talk to each other.
EXAMPLE: Monolithic architecture
[Figure: HTML, CSS, JavaScript, Angular; Java microservices]
It is like a large container holding all the software components, like the user interface, business layer and database layer. It has its own limitations:
1. It is not flexible.
2. Lack of reliability.
3. Difficulty in scaling the application up and down.
4. It also slows down the development process.
To solve all these problems, we started building microservice architecture.
MICRO SERVICES ARCHITECTURE
Earlier, developers used to face a lot of problems with the monolithic architecture.
Developers wanted to deploy the application quickly and to make changes in the application without redeploying it.
Then microservices came into the picture, where the application is broken into small pieces as independent units and the communication becomes independent for the respective features.
WHAT IS API TESTING?
API testing means testing the request and response between the 2 systems.
Here the API is the middle layer between the presentation layer and the application layer.
It enables the communication and data exchange from one system to another system.
We check whether the communication happens or not.
WHY IS API REQUIRED?
1. APIs play a major role in various business industries. As a test engineer, I represent an end user and make sure that the user gets a quality product.
2. API testing is completely different from UI testing: here we don't concentrate on the look and feel of an application; we mainly focus on the business logic layer of the application.
3. While the developers develop an application, the API is developed in parallel; instead of waiting for UI development and wasting our time, we start testing the API in the back end.
4. Nowadays 70% to 80% of the testing is done at the API level and the remainder is done at the UI level.
NOTE: Can you please explain which technology your application is developed on, for both front end and back end?
Ans: The front end of the application is developed using HTML, CSS, JavaScript and Angular. When it comes to the back end, we have two layers, i.e., the application layer and the data layer. The application layer is developed using Java and the database layer is developed using MySQL.
Where is API testing performed?
API testing is performed on the most critical layer, that is, the business logic layer. A lot of business logic processing happens here, and it sits between the user interface and the data layer.
ADVANTAGES OR BENEFITS OF API TESTING
1. It is language independent: API data exchange happens via XML or JSON, while the application might be developed in some other technology.
2. It is GUI independent: While doing API testing, we don't concentrate on the UI of an application but focus more on the backend data. To do API testing we do not require the UI of an application.
3. Improved test coverage: Since 70 to 80% of the testing is done at the API level, we will have identified more bugs in the back end itself; once the UI is developed, we do 20 to 30% of the testing at the UI level and might find fewer bugs. With the help of API testing, we can improve our test coverage.
4. Faster release: API testing saves a lot of time compared to UI testing, and it helps the developers and test engineers to develop, test and release the software application to the production environment faster.
CLIENT AND SERVER
SERVER: It is a system that provides services to the other systems in its network. A server is a kind of host computer that stores and processes the data requested by the customer.
CLIENT: It is a system that uses the remote services from the server. A client is a computer that tries to access the data from the server.
Note for my understanding: .com is used for commercial websites and is a top-level domain (TLD). ".in" and ".co.in" are used for India.
Note: Initially we test the APIs in the local environment during development; for APIs we don't require an internet connection. Once all the APIs are developed, the developer pushes all the APIs to the web, which means all the APIs are exposed to the internet, and those APIs are called web services.
What is a web service?
1. A service which is available over the web is called a web service.
2. It enables the communication between applications over the web.
3. It provides a standard protocol format for the communication.
Why do we use web services?
Web services provide platform-independent communication between two different applications. Those applications can interact with each other and exchange data.
DIFFERENCE BETWEEN API & WEB SERVICE
| SL.NO | WEB SERVICE | API |
|---|---|---|
| 1 | A web service is an API which is wrapped under HTTP | API means application programming interface; these APIs are developed in the local environment |
| 2 | All web services are APIs | Not all APIs are web services |
| 3 | Web services require an internet connection to perform their operations | An API does not require an internet connection for its operations |
| 4 | Sometimes web services will not perform all the activities on the application | Sometimes APIs will perform all the activities which web services cannot perform |
| 5 | It uses REST, SOAP & XML-RPC for its communication | It can use any style of communication |
| 6 | It supports only the HTTP protocol | It supports both the HTTP and HTTPS protocols |
| 7 | It supports XML format for data exchange | It supports XML & JSON formats |
API PROTOCOLS: APIs come with a set of rules or regulations. Developers use those rules and regulations to integrate their applications (protocol means a set of rules and guidelines).
1. Simple Object Access Protocol (SOAP)
2. Representational State Transfer (REST)
3. Google Remote Procedure Call (gRPC)
4. JavaScript Object Notation Remote Procedure Call (JSON-RPC)
5. Extensible Markup Language Remote Procedure Call (XML-RPC)
6. Graph Query Language (GraphQL)
7. Apache Thrift.
How is API testing different from manual testing and mobile application testing?
OR What is the difference between manual, API & mobile application testing?
1. Manual testing means testing an application manually without using any automation tool. Here we mainly test web applications.
2. API testing is performed on the middle layer, i.e., the business logic layer. It enables the communication and data exchange between two applications. To perform API testing, we don't require the UI of an application.
3. Mobile application testing: Testing any application which is developed to support mobile devices is called mobile application testing. While doing mobile application testing, we install the app on either Android or iOS devices and test it manually.
WHAT IS HTTP PROTOCOL?
HTTP stands for Hypertext Transfer Protocol.
It is a web application layer protocol.
It works on the client and server model.
Using this protocol, we can access data on the web (WWW, World Wide Web).
The data might be in the form of images, text, sound/audio files, video files and other multimedia files.
TYPES OF WEB SERVICES: Web services are divided into 2 types.
1. SOAP:
SOAP is an API protocol.
SOAP stands for Simple Object Access Protocol. It came out in 1998.
SOAP uses XML files to transfer the data between web services.
SOAP supports only XML format data.
SOAP has tighter security than REST (in addition to the SSL certificate, it uses web service security).
SOAP is complex compared to REST.
SOAP supports only POST requests. 95% of the time, the banking or telecom sectors use this request, and the GET method is rarely used.
Sample XML file example:
<Studentslist>
  <student id="1">
    <firstname>Greg</firstname>
    <lastname>Dean</lastname>
    <certificate>true</certificate>
    <scores>
      <module1>70</module1>
      <module2>80</module2>
      <module3>90</module3>
    </scores>
  </student>
  <student id="2">
    <firstname>Wirt</firstname>
    <lastname>Wood</lastname>
    <certificate>true</certificate>
    <scores>
      <module1>80</module1>
      <module2>80.2</module2>
      <module3>80</module3>
    </scores>
  </student>
</Studentslist>
Sample SOAP request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:ns="http://example.com/ns">
  <soapenv:Header/>
  <soapenv:Body>
    <ns:request>
      <ns:customer>
        <ns:id>123</ns:id>
        <ns:name type="NCHZ">John Brown</ns:name>
      </ns:customer>
    </ns:request>
  </soapenv:Body>
</soapenv:Envelope>
2. RESTFUL WEB SERVICES:
REST stands for Representational State Transfer.
RESTful web services are lightweight, maintainable and scalable.
It is an architectural style.
REST supports XML, text, JSON, PDF and Word format files.
REST uses the common HTTP requests like GET (to retrieve data from the server), PUT (to update data), POST (to create new data) and DELETE (to delete data from the server).
Sample JSON format
{
  "Name": "Basavanna gouda",
  "Age": 28,
  "Address": "Raichur Karnataka"
}
Endpoint:
Method:
Header:
Body (Data):
WHAT IS WSDL?
WSDL stands for Web Services Description Language.
SOAP & REST REQUEST FORMAT ARCHITECTURES
1. SOAP architecture
2. REST architecture
DIFFERENCE BETWEEN SOAP & REST
| SL.NO | SOAP | REST |
|---|---|---|
| 1 | SOAP stands for Simple Object Access Protocol | REST stands for Representational State Transfer |
| 2 | SOAP is a protocol | REST is an architectural style |
| 3 | SOAP requires more bandwidth to process the request because more data is carried to the server | REST requires less bandwidth compared to SOAP |
| 4 | SOAP supports only XML format requests | REST supports plain text, XML, JSON, PDF, Word & HTML formats |
| 5 | Security handling is different in SOAP: it uses SSL and, on top of that, WS (web service) security | REST uses SSL support for its security |
| 6 | SOAP is complex to understand | REST is easy to understand |
| 7 | SOAP cannot make use of REST | REST can make use of SOAP |
WEB SERVER
It is a computer that runs the website.
The main objective of a web server is to store, process and deliver web pages to users.
It uses the HTTP protocol for its communication.
WHAT IS XML?
XML is a hardware- and software-independent tool for storing and transporting data from one layer of an application to another.
XML stands for Extensible Markup Language.
XML does not do anything by itself; it just carries data from one place to another.
Example of XML:
<note>
  <to>Nagugowda</to>
  <from>BG</from>
  <heading>reminder</heading>
  <body>Hey this weekend lets go for party and don't forget</body>
</note>
The above XML consists of:
Sender information
Receiver information
A heading
A message body
WHAT IS JSON?
JSON stands for JavaScript Object Notation.
JSON is a lightweight data interchange format.
It is used to send data between two layers or two computers.
JSON is language independent.
Example of JSON format:
{"TO": "Nagugowda", "FROM": "BG", "Heading": "Reminder", "Message": "Hey this weekend lets go for party and don't forget"}
String: "address": "#128 father name, village name", "Name": "Basavanagouda", "BATCH CODE": "QC 10"
Number: "Age": 28
Array: {"employees": ["Basava", "Nayana", "Vidyadhara"]}
Why is JSON better than XML?
JSON data is lightweight compared to XML.
XML data is much more difficult to parse than JSON.
JSON is parsed into ready-to-use JavaScript objects.
Types of API testing
1. Functional testing
2. UI testing
3. Security testing
a) Penetration testing
b) Fuzz testing
4. Load testing
HTTP & HTTPS
HTTP
HTTP requests and responses are not secured.
Whenever we enter sensitive information on the website, like a password or credit card details, there is a chance that hackers might steal the data.
If the website is using HTTP and is not secured, its address will look like http://qacircle.in/
HTTPS
HTTPS is HTTP with encryption and verification.
The main difference is that the HTTPS protocol uses an SSL certificate to encrypt the normal HTTP requests and responses, and it digitally signs those requests and responses.
Hence, HTTPS is far more secure than HTTP.
If the website is using HTTPS and is secured, its address will look like https://qacircle.com/
Top API testing tools available in market
1. POSTMAN
2. SoapUI
3. Swagger
4. JMeter
5. REST Assured
6. Python pytest with the Requests module, and so on.
Difference between authentication & authorization
| SL.NO | AUTHENTICATION | AUTHORIZATION |
|---|---|---|
| 1 | It verifies the identity of a user or service. | It determines their access rights. |
| 2 | It is usually done before authorization. | It is usually done after successful authentication. |
| 3 | Generally, it transmits information in the form of an ID token. | Generally, it transmits information in the form of an access token. |
Few technological terms
1. Base URL: It is the host or domain name, and it ends with .com, .in, .net etc.
Example: https://qacircle.com or https://regres.in
2. Endpoint or resource path: It is the path that is added to the base URL of the web server, and it helps us determine the path of the resources wherever we have stored them in the server.
3. Resource: It is the information which we have stored in the server and want to access whenever required.
Example: Employee data, car-related information, payment information etc.
4. Query parameter: Parameters that are added to the end of the base URL and separated by a question mark are called query parameters.
Example: https://regres.in ---- base URL
/api/users ---- endpoint/resource path
?page=2 ---- query parameter
5. Payload: It is one of the API modules, and it is the body of our request and response message. It contains the data which we want to send to the server when we make an API request.
6. Path parameter: It is a kind of parameter written within curly braces. Path parameters are placed within the path of the endpoint, just before the query parameters.
Example: https://regres.in/service/myresource/user/{user}/bicycle/{bicycleid}?page=2
Here {user} and {bicycleid} are the path parameters.
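The terms above applied to one request URL, as an added example that is not part of the original notes: the function checks a URL against an endpoint template and returns the base URL, resource path, path parameters and query parameters. The host api.example.test, the function name and the sample values are assumptions made for illustration.

```javascript
// Added example (not from the original notes): split a request URL into the
// terms defined above. Host, template and values are constructed sample data.
function describeRequestUrl(requestUrl, template) {
  const url = new URL(requestUrl); // throws on a malformed URL
  const actual = url.pathname.split('/').filter(Boolean);
  const expected = template.split('/').filter(Boolean);
  if (actual.length !== expected.length) {
    throw new Error(`path has ${actual.length} segments, template expects ${expected.length}`);
  }

  // Walk both paths together: {name} segments capture a value,
  // every other segment must match the template literally.
  const pathParams = Object.create(null);
  expected.forEach((segment, i) => {
    const placeholder = /^\{(\w+)\}$/.exec(segment);
    if (placeholder) {
      pathParams[placeholder[1]] = decodeURIComponent(actual[i]);
    } else if (segment !== actual[i]) {
      throw new Error(`segment ${i + 1}: expected "${segment}", got "${actual[i]}"`);
    }
  });

  // Everything after "?" is the query string; a repeated key becomes an array.
  const queryParams = Object.create(null);
  for (const [key, value] of url.searchParams) {
    queryParams[key] = key in queryParams ? [].concat(queryParams[key], value) : value;
  }

  return { baseUrl: url.origin, resourcePath: url.pathname, pathParams, queryParams };
}

// Constructed sample request that follows the path-parameter example above.
const SAMPLE_URL =
  'https://api.example.test/service/myresource/user/42/bicycle/b-7?page=2&tag=red&tag=blue';
const SAMPLE_TEMPLATE = '/service/myresource/user/{user}/bicycle/{bicycleid}';
console.log(describeRequestUrl(SAMPLE_URL, SAMPLE_TEMPLATE));
```

A request whose path does not fit the template throws instead of returning partial values, which is the behaviour a test case for a wrong endpoint should assert on.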
HTTP methods
| SL.NO | HTTP method | CRUD operation | Description |
|---|---|---|---|
| 1 | GET | It is used to read the data from the server / to retrieve the information from the server | We get 200 OK when the information has been successfully received from the server. If the requested resource is available in the server, we get a 200 status code; if not, a 404 Not Found status code |
| 2 | POST | Create | This method is used to create the resource in the server. When we create a resource, we get a 201 status code and a new ID is generated |
| 3 | PATCH | Update | Whenever we want to update the patch APIs or complete information, we use the PATCH method; when we update the details, we get a 200 status code |
| 4 | PUT | Update/Replace | Whenever we want to update/replace particular content like username, password or phone number, we use the PUT method and get a 200 status code |
| 5 | DELETE | Delete | Once we delete the resource from the server, we get a 204 status code (no content) |
STATUS CODES: Status codes are divided into 5 types.
1. 100 series, informational status codes (100-199): We get these status codes when communication happens at the transfer protocol level.
100 indicates that the client should continue the request, or ignore the response if the request is already finished.
101 means switching protocols.
102 means processing: the server has received the request and is still processing it, but no response is available yet.
2. 200 series, successful status codes (200-299): We get these status codes when the server accepts the client request successfully.
200 means the request is successful. We get this status when we use the GET, PUT or POST method.
201 means the request is successful and a new resource has been created; for this we use the POST method.
NOTE: Whenever we create a new resource in the server, we get a 201 status code and we use the POST method for that. Similarly, sometimes we use the POST method to add a product to the cart or move a product from one page to another, and then we get a 200 status code. The reason is that we are not creating a fresh resource (product) in the server; we are just moving it from one place to another.
202 means accepted: The request has been received but the server is still handling and processing it.
203 means non-authoritative information: We get this status code when we send information to the server and the response comes back with metadata saying that it is not exactly the same as the data available in the server.
204 means no content: There is no content to send for this request.
3. 300 series, redirection messages: A 300 series status code means the client should take some action in order to complete the request. (Multiple response: the request has more than one possible response.)
301 means moved permanently: We get this status code when the URL of the requested resource has been changed permanently.
302 means found: We get this status code when the resource we request in the server has been changed temporarily.
304 means not modified: This is used for caching purposes. This status code tells the client that the response has not been modified, so the client can continue to use the cached version.
4. 400 series, client error status codes
400 means bad request: The server cannot process the request because there might be a problem on the client side (maybe invalid request message framing).
401 means unauthorized: If we enter a wrong username and password, there is a problem on the client side. The client has entered either a wrong username or a wrong password.
403 means forbidden: The client does not have access rights to the content.
404 means not found: The client requests a resource and the server cannot find it.
5. 500 series, server error status codes: These errors come from the server side, and the server takes the entire responsibility for these error codes.
500 means internal server error: We get this error whenever the server has encountered a situation it doesn't know how to handle.
501 means not implemented: The requested method is not supported by the server and cannot be handled.
502 means bad gateway: If we get this response, there is a problem on the server side (we would have got an invalid response).
503 means service unavailable: The server is not ready to handle the request.
504 means gateway time-out: We get this error response when the server is acting as a gateway and does not get the response in time from the server.
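How the 401 and 403 codes above relate to the authentication/authorization distinction, written as an authorization test matrix. This is an added example, not part of the original notes: the in-memory handler stands in for a real API, and the tokens, roles and /employees resource are constructed for illustration.

```javascript
// Added example (not from the original notes). Tokens, roles and the
// /employees resource are constructed sample data for illustration.
const TOKENS = new Map([
  ['tok-admin', { user: 'asha', role: 'admin' }],
  ['tok-viewer', { user: 'ravi', role: 'viewer' }],
]);
const RIGHTS = new Map([
  ['admin', ['GET', 'DELETE']],
  ['viewer', ['GET']],
]);

function createApi() {
  const employees = new Map([['1', { id: 1, name: 'Greg' }]]);
  return function handle({ method, path, headers = {} }) {
    // Step 1, authentication: who is calling? No valid identity -> 401.
    const bearer = /^Bearer (\S+)$/.exec(headers.authorization || '');
    const identity = bearer && TOKENS.get(bearer[1]);
    if (!identity) return { status: 401 };

    // Step 2, authorization: may this identity use this method? If not -> 403.
    // Checked before the lookup so a forbidden caller cannot learn which ids exist.
    if (!RIGHTS.get(identity.role).includes(method)) return { status: 403 };

    const id = path.split('/').pop();
    if (!employees.has(id)) return { status: 404 };
    if (method === 'DELETE') {
      employees.delete(id);
      return { status: 204 }; // deleted, no content
    }
    return { status: 200, body: employees.get(id) };
  };
}

// Test cases as rows: the request and the status code expected for it.
const CASES = [
  { name: 'no token', method: 'GET', path: '/employees/1', expect: 401 },
  { name: 'unknown token', method: 'GET', path: '/employees/1', token: 'tok-guess', expect: 401 },
  { name: 'viewer reads', method: 'GET', path: '/employees/1', token: 'tok-viewer', expect: 200 },
  { name: 'viewer deletes', method: 'DELETE', path: '/employees/1', token: 'tok-viewer', expect: 403 },
  { name: 'viewer deletes missing id', method: 'DELETE', path: '/employees/9', token: 'tok-viewer', expect: 403 },
  { name: 'admin deletes', method: 'DELETE', path: '/employees/1', token: 'tok-admin', expect: 204 },
  { name: 'admin reads deleted', method: 'GET', path: '/employees/1', token: 'tok-admin', expect: 404 },
];

function runAuthMatrix() {
  const handle = createApi(); // fresh data for every run
  return CASES.map((c) => {
    const headers = c.token ? { authorization: `Bearer ${c.token}` } : {};
    const { status } = handle({ method: c.method, path: c.path, headers });
    return { name: c.name, expect: c.expect, status, pass: status === c.expect };
  });
}

console.table(runAuthMatrix());
```

The same rows translate directly into a Postman collection: one request per row, with the expected status code checked in each request's test script.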
Installation of postman tool & execution of HTTP methods
Why do we set the environment?
Whenever we want to test any of the APIs, we have to hardcode the base URL every time, and whenever the developer makes changes to the URL, we have to go inside each and every collection and make the changes in all the hardcoded methods.
Instead of this, I set the base URL as a test environment and use that environment variable in all the methods, so whenever the developer makes changes to the URL, it is easy for me to make the change at the environment level, and it automatically applies to all the methods and collections.
How to set the global variables?
1. Open the postman tool
2. Select the environment on which we want to perform API testing
3. Click on environment quick look view, then we will get 2 options edit environment &
edit global variables.
4. Click on edit global.
5. Add variable, initial value & current value
1. In which format do we get APIs from the developer?
In my company we used to get the API in the form of a curl body and then we will import that curl body into the Postman tool.
2. How do you import a curl body in Postman?
Step 1: Copy the curl body request given by the development team.
Step 2: Go to the Postman tool and click on import.
Step 3: Select raw text option---paste the curl body request---continue---import.
3. How to download or export a collection in the Postman tool?
Click on the collection's view more option (…) or right-click on the collection---export---choose the location---save.
4. How to import a shared collection in the Postman tool?
Select the workspace where we want to import the collection---import---file---choose file---select the JSON file from your local drive---open---import.
What are all the API defects we get while performing the testing?
1. Sometimes we will be getting authentication errors.
2. Sometimes we get security or performance issues.
3. Sometimes we get a missing functionality issue.
4. Sometimes the error handling mechanism is incomplete.
Challenges of API testing?
1. Initially, API testing was completely new for me 2 years back. I used to spend a lot of time on understanding the HTTP methods and how the API works, and then slowly I started using the Postman tool to perform API testing.
2. Since I was working on manual testing, we used to work on the UI, but in API testing there is no UI; we have to give the input and check the output, and it was challenging.
3. Parameter selection was a little challenging, and also understanding the status codes.
4. A little coding knowledge is required for the testers to understand the JSON response and to verify JSON data.
COOKIES: A cookie is a small piece of information that is stored in the form of a text file on the user's hard drive by the web browser. Cookies are divided into 2 types:
Session cookies
Persistent cookies
1. Session cookies: These cookies are active as long as the browser is active and the application is running for a certain period of time; once we close the browser, the session cookies get deleted.
2. Persistent cookies: These cookies are stored on the user's hard drive permanently by the web server, and they stay on the user's machine for a longer period of time.
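What separates the two cookie types in an API response is whether the Set-Cookie header carries an Expires or Max-Age attribute. The following added example, which is not part of the original notes, classifies each cookie on that basis and, going one step beyond the notes, also reports missing Secure and HttpOnly attributes, which a tester would normally check at the same time. The header values and function names are constructed for illustration.

```javascript
// Added example (not from the original notes). Header values are constructed.
function parseSetCookie(header, now) {
  const [pair, ...attributes] = header.split(';').map((part) => part.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error(`no cookie name in "${header}"`);

  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    secure: false, httpOnly: false, expires: null,
  };
  let maxAge = null;
  for (const attribute of attributes) {
    const i = attribute.indexOf('=');
    const key = (i === -1 ? attribute : attribute.slice(0, i)).toLowerCase();
    const value = i === -1 ? '' : attribute.slice(i + 1);
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'max-age' && /^-?\d+$/.test(value)) maxAge = Number(value);
    else if (key === 'expires' && !Number.isNaN(Date.parse(value))) cookie.expires = new Date(value);
  }
  // When both are present, Max-Age wins over Expires (RFC 6265).
  if (maxAge !== null) cookie.expires = new Date(now.getTime() + maxAge * 1000);

  // No expiry at all: the browser drops the cookie when it closes.
  cookie.type = cookie.expires === null ? 'session' : 'persistent';
  return cookie;
}

function reviewCookies(headers, now = new Date()) {
  return headers.map((header) => {
    const cookie = parseSetCookie(header, now);
    const warnings = [];
    if (!cookie.secure) warnings.push('missing Secure');
    if (!cookie.httpOnly) warnings.push('missing HttpOnly');
    const lifetimeDays = cookie.expires
      ? Math.round((cookie.expires.getTime() - now.getTime()) / 86400000)
      : null;
    return { name: cookie.name, type: cookie.type, lifetimeDays, warnings };
  });
}

// Constructed Set-Cookie header values, reviewed against a fixed clock.
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; Secure; HttpOnly',
  'remember=xyz789; Max-Age=2592000; Path=/',
  'theme=dark; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Max-Age=86400; Secure',
];
const SAMPLE_NOW = new Date('2030-01-01T00:00:00Z');
console.table(reviewCookies(SAMPLE_HEADERS, SAMPLE_NOW));
```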