Getting Started

A Comprehensive Guide to API Test Automation

As software development becomes increasingly modular and complex, applications are built using interconnected components, microservices, and external services that communicate continuously with one another. The backbone of many modern applications is formed by APIs (Application Programming Interfaces)—these define how different components can access each other's data and functionality, enabling developers to integrate diverse systems without needing to understand their internal implementations.

The goal of API testing is to ensure that this communication is reliable, secure, performant, and functioning as intended.

API testing is a process that confirms an API is working as expected. There are several types of API tests, and each one plays a distinct role in ensuring that the API's functionality, security, and performance remain reliable. Developers can run API tests manually, or they can automate them with an API testing tool.

Historical Background

Before 2000, there was no standardized approach to API design or implementation. Early APIs required complex protocols like SOAP (Simple Object Access Protocol), which were notoriously difficult to build, debug, and maintain. During this period, APIs prioritized flexibility over accessibility^3.

The API landscape transformed dramatically in 2000 when Roy Fielding and his team introduced REST (Representational State Transfer) as part of his doctoral dissertation. This innovation established a set of architectural principles that made APIs more accessible, standardized, and easier to implement. REST introduced key concepts like resource-oriented architecture, interface uniformity, client-server separation, statelessness, caching capabilities, and leveraging the HTTP protocol^3.

Shift left approach in API testing:

One of the seven testing principles outlined by ISTQB, that testing should begin as early as possible in the SDLC. Following this principle, early detection of defects can save money, time, effort and quality. Traditionally, API testing has occurred at the end of the development phase. This practice led to the last minute hustle to meet the deadline and it also hampered the product quality to a great extent. Implementing shift left approach in API testing, where the communication and flow between components is crucial, led to a successful migration from defect detection to defect prevention, and is crucial in any agile project.

How does an API work?

Lets take a common example, www.trivago.com compares and lists down the price, availability, etc. of different hotels from a particular city. This website communicates with APIs of multiple hotels to access the database and lists down the prices and availability from their website.

Thus, a Web API can be defined as “an interface which facilitates the communication between a client machine and the webserver”.

Client/Server Model: Client sends request → Server processes → Response sent back.
Key Concepts:

Endpoint: URL to access a resource (e.g., /users)
Method/Verb: GET, POST, PUT, DELETE
Headers: Metadata (e.g., content type, auth token)
Query Parameters: Data in URL (e.g., ?id=123)
Request Body: Data sent with POST, PUT
Status Codes: 200 OK, 201 Created, 400 Bad Request, 401 Unauthorized, 404 Not Found, 500 Server Error

API Styles Overview:

REST: JSON-based, stateless
SOAP: XML-based, strict contracts, legacy systems
gRPC: High-performance, binary protocol, used in microservices

Web services vs. API

The major difference that arises between API and Web Services is that the Web Services uses a network. It is safe to say that all Web Services are Web APIs but all Web APIs are not Web Services. Thus, Web Services are a subset of Web API.

Both Web API and Web Services are used to facilitate the communication between the client and the server. The major difference comes only in the way they communicate.

Each of them requires a request body that is acceptable in a specific language, their differences in providing a secure connection, their speed of communicating to the server and responding back to the client, etc.

Both Web API and Web Services are used to facilitate the communication between the client and the server. The major difference comes only in the way they communicate.

Web Service

Web Services generally use XML (Extensible Markup Language), which means they are more secure.
Web Services is more secure as both Web Services and APIs provide SSL (Secure Socket Layer) during data transmission, but it also provides WSS (Web Services Security).
Web Service is a subset of Web API. For Example, Web Services are based only on three styles of use i.e. SOAP, REST and XML-RPC.
Web Services always need a network to operate.
Web Services support “One Code different applications”. This means a more generic code is written across different applications.

Web API

A Web API generally uses JSON (JavaScript Object Notation), which means Web API is faster.
Web API is faster as JSON is light-weighted, unlike XML.
Web APIs are the superset of Web Services. For Example, All three styles of Web Services are present in the Web API as well, but apart from that, it uses other styles like JSON – RPC.
Web API does not necessarily require a network to operate.
Web API may or may not support interoperability depending upon the nature of the system or application.

Full spectrum of API testing:

Testing of APIs is not restricted to sending a request to API and analyzing the response for correctness alone. The APIs need to be tested for their performance under different loads for vulnerabilities.

contract testing

Contract testing, as referenced in the ISTQB CTFL syllabus, focuses specifically on verifying that the API adheres to its defined contract (the agreement between the provider and consumer regarding the API's structure and behavior). It ensures that changes to an API don't break existing consumers.

Key differences between API testing and contract testing:

Scope: API testing is broader and tests the entire functionality, while contract testing specifically verifies conformance to the agreed interface^2.
Purpose: API testing validates behavior and correctness, while contract testing focuses on compatibility and integration^2.
Perspective: Contract testing emphasizes the relationship between providers and consumers rather than just functionality.
Coverage: As noted in search result^2, contract testing alone doesn't cover important aspects like:

How the application accesses the API
Secret management for API calls
Handling of diverse result values
Network latency strategies
Application-level caching

Contract testing is valuable but should be used as part of a broader testing strategy that includes end-to-end testing, as the end-user interacts with the application's UI, not directly with the API^2.

unit testing

Unit testing API endpoints involves verifying the functionality of individual API components in isolation. This means testing specific endpoints to ensure they return the expected output for various inputs, including both valid and invalid data. It's a crucial part of API testing, helping to catch issues early in the development cycle and ensuring the API behaves as designed.

end-to-end testing

End-to-end (E2E) verifies the complete functionality of an application, from the user's perspective, by testing the interaction of multiple APIs and components, simulating real-world user scenarios.

security testing

Application Programming Interfaces or APIs are vulnerable and are the easiest access point for malicious hackers who want access to data or gain control of an application. This can lead any company into legal trouble, where due to a security breach unintended people and/or organizations are able to access client’s data through a venerable API. Security testing is a specialized branch of testing and should be handled by specialists. The security testing resources can be from within the organization or independent consultants.

load testing

load testing is a performance testing method that assesses how well an API handles a specified load, simulating real-world traffic to identify potential bottlenecks and ensure performance under expected usage conditions.

integration testing

Verifies how different APIs work together. It ensures that various parts of an application, or even different applications, can communicate and exchange data correctly and efficiently.

functional testing

Helps ensure that the application and the API are working as expected under a specific workload it can handle. Here, the developers and QA team have to analyze what the application is supposed to do and ensure that it satisfies the purpose. Functional testing can be a challenging task due to the lack of a GUI interface. esters who usually do GUI based functional testing find it a little harder to transition into non-GUI application testing when compared to someone who is already familiar with it.

Types of APIs

REST (Representational State Transfer)

REST has become the dominant API paradigm due to its simplicity and scalability. RESTful APIs:

Are stateless (each request contains all necessary information)
Use standard HTTP methods (GET, POST, PUT, DELETE)
Represent resources as URLs
Typically return data in JSON or XML format
Are cacheable and support layered system architecture
REST Testing Tools:

Postman: User-friendly GUI
Insomnia: Clean interface, open source
curl: CLI-based, scriptable

SOAP (Simple Object Access Protocol)

SOAP is an older protocol that provides a more structured approach to API communication:

Uses XML exclusively for message formatting
Operates primarily over HTTP but can use other protocols
Provides built-in error handling and security features
Includes a formal contract definition through WSDL (Web Services Description Language)
Is generally more verbose and resource-intensive than REST^5
SOAP – Built on XML & Often Over HTTP:

SoapUI, ReadyAPI: Enterprise solutions
SOAP (Simple Object Access Protocol) communicates via XML envelopes, often transported over HTTP, but can use SMTP or FTP too.
Heavy, formal, and strict — still used in legacy enterprise systems.

GraphQL

GraphQL is a more recent API query language developed by Facebook that allows clients to:

Request exactly the data they need (no over-fetching or under-fetching)
Retrieve multiple resources in a single request
Describe the shape of the response data

gRPC

gRPC is a modern open source high performance Remote Procedure Call (RPC) framework that can run in any environment. It can efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking and authentication. It is also applicable in last mile of distributed computing to connect devices, mobile applications and browsers to backend services.

gRPC Tools:
BloomRPC, grpcurl, Postman beta support
Uses HTTP/2 under the hood — allowing streaming, multiplexing, and more efficient communication.
Sends data in binary format (Protocol Buffers) — fast, lightweight, and structured.
Ideal for microservices and high-performance environments.

WebSocket

WebSocket APIs enable bi-directional, real-time communication channels between clients and servers, making them ideal for applications requiring instant updates like chat apps or live dashboards.

WebSockets – For Real-Time Two-Way Communication

While not typical for API testing, they’re useful for chat apps, live dashboards, or game state sync.
Unlike HTTP (request/response), WebSockets stay open for continuous communication.

How API Requests Work

HTTP/HTTPS Protocol

APIs primarily communicate over HTTP (Hypertext Transfer Protocol) or its secure variant HTTPS. When making an API request, we essentially act like a browser but with more direct control over the communication process:

A client initiates a request to a specific endpoint URL
The request includes a method (GET, POST, etc.), headers, and possibly a payload
The server processes the request and returns a response
The response contains a status code, headers, and typically a body with the requested data

Request Components

A typical API request consists of:

URL/Endpoint: The address of the resource (e.g., https://api.example.com/users)
HTTP Method: Indicates the action to be performed (GET, POST, PUT, DELETE, etc.)
Headers: Metadata about the request, including authentication tokens, content type, etc.
Query Parameters: Additional data sent in the URL (e.g., ?id=123\&sort=name)
Request Body: Data sent with the request (typically for POST, PUT, and PATCH methods)

Response Components

A typical API response includes:

Status Code: A numerical code indicating the outcome of the request
Headers: Metadata about the response (content type, cache directives, etc.)
Response Body: The actual data returned by the API (often in JSON or XML format)

API Methods and Status Codes

Common HTTP Methods

GET: Retrieves data from a specified resource. Should not modify any resources.
POST: Submits data to be processed by the specified resource, often creating a new resource.
PUT: Updates an existing resource or creates a new resource if it doesn't exist.
DELETE: Removes the specified resource.
PATCH: Applies partial modifications to a resource.
HEAD: Similar to GET but retrieves only the headers (no response body).
OPTIONS: Describes the communication options for the target resource.

HTTP Status Codes

HTTP status codes provide standardized responses to API requests, indicating the outcome of the requested operation. They are crucial for both humans and machines to understand what happened with a request^4.

1xx: Informational

These codes indicate that the request was received and understood, and that the process is continuing.

100 Continue: The server has received the request headers and the client should proceed to send the request body.
101 Switching Protocols: The server is switching protocols as requested by the client.

2xx: Success

These codes indicate that the request was successfully received, understood, and accepted.

200 OK: The request succeeded. The response contains the requested data.
201 Created: The request succeeded, and a new resource was created as a result.
204 No Content: The request succeeded, but there's no content to return.

3xx: Redirection

These codes indicate that further action needs to be taken to complete the request.

301 Moved Permanently: The requested resource has been permanently moved to a new location.
302 Found: The requested resource is temporarily located elsewhere.
304 Not Modified: The resource hasn't been modified since the last request.

4xx: Client Error

These codes indicate that there was a problem with the request.

400 Bad Request: The server couldn't understand the request due to invalid syntax.
401 Unauthorized: Authentication is required and has failed or hasn't been provided.
403 Forbidden: The client doesn't have permission to access the requested resource.
404 Not Found: The requested resource couldn't be found on the server.
422 Unprocessable Entity: The request was well-formed but contained semantic errors.

5xx: Server Error

These codes indicate that the server failed to fulfill a valid request.

500 Internal Server Error: The server encountered an unexpected condition.
502 Bad Gateway: The server received an invalid response from an upstream server.
503 Service Unavailable: The server is temporarily unable to handle the request.

Status codes are essential for API testing as they provide immediate feedback about the success or failure of operations, helping to identify problems quickly and accurately^4.

Dummy Examples – Let’s Hit an API!

Use: https://reqres.in

Scenario: Test basic user flow

GET /api/users?page=2 → retrieve list of users
POST /api/users with JSON body:

{
  "name": "morpheus",
  "job": "leader"
}

Expected response: 201 Created with new user data
GET /api/users/23 → returns 404 Not Found

Walkthrough:

Open Postman
Create GET/POST requests
Check:

Status code
Response body fields
Error handling

What to Check – Good Practices

Validate:

Status codes are correct
Response times are acceptable (<1s ideally)
Schema of the response (fields, data types)
Data accuracy (compare inputs to outputs)
Headers (e.g., content type, CORS)
Authentication/authorization behavior

Test edge cases:

Missing fields
Wrong data types
Invalid tokens

Core Testing Skills for API Testing

1. Understanding of HTTP Protocols and REST/JSON Basics

Most modern APIs are based on REST architecture and use JSON format. A tester should understand how HTTP requests are structured (methods like GET, POST, PUT, DELETE, PATCH), what status codes mean (200 OK, 400 Bad Request, 404 Not Found, 500 Internal Server Error, etc.), and how to read and interpret JSON responses.

2. Familiarity with Basic Authentication and Authorization Mechanisms

Many APIs require some form of authentication, such as OAuth 2.0, JWT tokens, or Basic Auth. Testers should understand how these work to send the appropriate headers or parameters with their requests.

3. Proficiency with Testing Tools

Tools like Postman, Insomnia, or HTTPie support manual API testing, while documentation platforms like Swagger or OpenAPI help testers understand available endpoints. For automation, testers should explore tools like RestAssured (Java), pytest (Python), Katalon Studio, or use Postman Collections integrated into CI/CD pipelines.

4. Basic Scripting and Programming Knowledge

You don’t need to be a professional developer, but a basic understanding of scripting makes automating API tests much easier. Skills like using variables, loops, conditionals, and basic data handling enable testers to build dynamic and data-driven test cases.

5. Understanding Data-Driven Testing

In real-world applications, the same endpoint is often tested with various inputs (e.g., different user data). A data-driven approach allows a single test case to cover multiple scenarios, making testing more efficient and scalable.

6. Error Handling and Log Analysis

Effective API testing goes beyond verifying correct responses. When errors or unexpected results occur, a tester should analyze logs, error messages, and stack traces (if available), and be able to produce clear, constructive bug reports for developers.

7. Understanding Continuous Integration (CI) and Continuous Delivery (CD)

API testing becomes far more powerful when integrated into CI/CD workflows. Tests can run automatically with each code change, build, or release. Knowing how to set up and work within these pipelines is an essential skill for modern QA professionals.

Comprehensive Guide to API Testing Techniques.pptx4793.0KB