
API testing checklist and best practices

Proper API testing isn't just determining if an endpoint is functional. Follow these steps to identify your organization's important APIs, which tests to run, and which tools to use.

APIs are crucial assets for a modern business. They are the gateway through which an organization delivers applications and services, both externally and internally, to customers and partners. Despite an awareness of the business-critical nature of APIs, many organizations don't prioritize API testing, and software development shops don't test APIs on a regular basis.

Here's the reality: API tests are among the most important tests you'll perform. Your applications share data and messages through API endpoints and depend on what those endpoints accept and return. Any problem there causes defects and performance issues that reach customers and partners, and can corrupt data. Let's discuss how to test APIs and create an API test strategy.

Why is API testing important?

API testing ensures that your applications perform as expected for end users as well as your partners' interconnected applications. Testing ensures that:

  • application endpoints and data sharing functions work as expected;
  • partners' data feeds send the data you expect, how, when and where you expect it;
  • junk data does not enter your database and create application problems or data corruption; and
  • an application functions across all platforms, including desktop, web or mobile.

How will your application function for customers if data feeds fail? What happens when expected data doesn't flow outbound to a partner's system? Any disruption in the back-end exchange of data, files and other information means the application won't function well for your customers; if those connections fail, so does the application. That's why the first step is to plan an API testing strategy that catches connection failures before customers and partners do.

Make an API testing strategy checklist

Thorough and regular API testing is complex. It is far from enough to merely confirm that an endpoint is functional. An API test strategy lays out your goals and the steps to get there. This can be a detailed formal document, or a checklist such as the one below.

  • List every API your organization uses and exposes, including internal, partner-facing and deprecated ones, and prioritize them by importance to applications and customers. The business needs to know how many APIs it has and what they do before it can determine what testing to perform.
  • Determine who creates API tests, and who executes them. Collaborate with the IT team.
  • Determine how often the tests run and how they are deployed, whether with a commercial testing tool or an internally developed one.
  • Define the types of tests to run. Examples include access security (authentication and authorization), endpoint security, data security, data and file validation, error messaging and failover handling.
  • Ensure staff has sufficient access rights to execute tests, and knows how to reach the APIs both directly and through the application.
  • Obtain partner consent to create and send test data.
  • Develop a plan that ensures test data won't harm production data that's required for business analytics and reporting.
  • Evaluate and select an API testing tool. Involve development and QA teams.
  • Schedule and regularly conduct functional and security tests.
  • Plan for resources to maintain and update API tests.

Pick the right API tool

With an API test strategy in hand, pick or create a tool to test your APIs. There are nearly as many tools available to develop and execute API tests as there are languages with which to code an API. Some are open source. So how do you determine which ones to use?

Most API testing tools offer straightforward ways to create a range of test scripts, from a simple connection test to data checks and verification that authentication is actually enforced. Users can specify the format of both the request and the response, so you can test with JSON, XML or another format. Most tools also let you attach multiple validation tests to a single request. In Postman, for example, users can add any number of test scripts to a request, and they execute each time the request is sent. Users can also create tests that simulate error conditions and check how the API responds to them.

In certain cases, you may need a security expert to help design the security-related API tests and select the tool to use. For the remainder of the tests, nearly any standard tool will work. Examples of tools that perform API testing include Postman, Katalon, SoapUI and REST Assured.

Remember to include your development and QA teams in this discussion. That way you'll pick a tool that works for the entire team. And, if those colleagues are already familiar with such tools, they'll be able to discuss a product's advantages and limitations.

Types of API tests you'll need

Once you develop a suite of functional and security tests, execute them on a regular basis. How often depends on your business needs. Daily API testing against production is ideal; better yet, multiple times per day or even continuously. Consider creating a critical test suite for items that warrant continuous testing, and leave the rest on a daily schedule. Access security and data validity tests are good candidates for continual execution, whereas tests that confirm the correct response to bad data or other failures can run less often and need coordination with the team that operates the production APIs.

Figure: Guide to scheduling frequency of API tests. Ideally an organization performs all API tests continuously, but that's not always feasible. As a guide, run security tests as often as possible, at least daily, while other tests such as error handling can run less frequently.

Whatever you do, don't skip the error messaging and failure tests. It's important to know how an API responds to bad data and to other failures within the application and its API set: whether it rejects the input cleanly, what it reports back, and whether the error response reveals anything about the implementation. It's far better to catch in testing where the API can't handle failures than to find out when customers encounter defects.
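The checks described in the tool discussion above (connection, data format, authentication) and the error-handling tests this section insists on, written out as an added example in plain Node.js with no dependencies. This is not code from the original article or from any tool it names; it mirrors what a Postman test script verifies after each request, but as ordinary functions so it runs offline. The endpoint (/accounts/42), the bearer token, the field names and the in-memory "API" are all constructed for illustration, and that fake API's malformed-JSON handler is deliberately sloppy (it echoes the parser exception and adds a framework header) so the suite has something to catch.

```javascript
// Added example, not from the original article: a small API test suite in
// plain Node.js that checks status, content type, response shape, access
// control and how the API answers bad data. Everything here is constructed.
const TEST_TOKEN = 'test-token-for-illustration';

// Constructed stand-in for the service under test. Its malformed-JSON path is
// deliberately flawed (echoes the exception, adds an x-powered-by header).
function fakeAccountsApi(req) {
  const json = (status, obj, extra = {}) => ({
    status, headers: { 'content-type': 'application/json', ...extra }, body: JSON.stringify(obj),
  });
  if ((req.headers.authorization || '') !== `Bearer ${TEST_TOKEN}`) return json(401, { error: 'unauthorized' });
  if (req.method === 'GET' && req.path === '/accounts/42') return json(200, { id: 42, balance: 10.5, currency: 'USD' });
  if (req.method === 'POST' && req.path === '/accounts/42/transfers') {
    let body;
    try { body = JSON.parse(req.body); } catch (e) {
      return json(400, { error: `SyntaxError: ${e.message}` }, { 'x-powered-by': 'Express' });
    }
    if (body === null || typeof body !== 'object' || typeof body.amount !== 'number' || !(body.amount > 0)) {
      return json(400, { error: 'amount must be a positive number' });
    }
    return json(201, { id: 1001, status: 'pending' });
  }
  return json(404, { error: 'not found' });
}

// Data validation: every expected field present with the right type, and no
// unexpected fields passed through (junk data must not be silently accepted).
function checkShape(body, shape) {
  const failures = [];
  for (const [field, type] of Object.entries(shape)) {
    if (!(field in body)) failures.push(`missing field "${field}"`);
    else if (typeof body[field] !== type) failures.push(`"${field}" should be ${type}, got ${typeof body[field]}`);
  }
  for (const field of Object.keys(body)) if (!(field in shape)) failures.push(`unexpected field "${field}"`);
  return failures;
}

// Checks run on every response. Error responses get two extra checks: a
// structured "error" string, and no exception, stack-frame or SQL text in it.
const LEAK_PATTERN = /(?:Error|Exception)\b|\.js:\d+|Traceback|SELECT\s/;
function checkResponse(resp, expected) {
  const failures = [];
  if (resp.status !== expected.status) failures.push(`expected HTTP ${expected.status}, got ${resp.status}`);
  const ctype = (resp.headers['content-type'] || '').toLowerCase();
  if (!ctype.startsWith('application/json')) failures.push(`content-type should be application/json, got "${ctype || 'none'}"`);
  for (const h of ['server', 'x-powered-by']) {
    if (h in resp.headers) failures.push(`header "${h}" discloses the implementation: ${resp.headers[h]}`);
  }
  let body;
  try { body = JSON.parse(resp.body); } catch (e) { failures.push('body is not valid JSON'); return failures; }
  if (body === null || typeof body !== 'object') { failures.push('body should be a JSON object'); return failures; }
  if (expected.shape) failures.push(...checkShape(body, expected.shape));
  if (expected.status >= 400) {
    if (typeof body.error !== 'string') failures.push('error response should carry an "error" string');
    else if (LEAK_PATTERN.test(body.error)) failures.push(`error message leaks internals: ${body.error}`);
  }
  return failures;
}

// Constructed test cases: access security, data validity and error handling.
const authed = { authorization: `Bearer ${TEST_TOKEN}` };
const TEST_CASES = [
  { name: 'authenticated read returns the account', request: { method: 'GET', path: '/accounts/42', headers: authed }, expected: { status: 200, shape: { id: 'number', balance: 'number', currency: 'string' } } },
  { name: 'missing token is rejected', request: { method: 'GET', path: '/accounts/42', headers: {} }, expected: { status: 401 } },
  { name: 'wrong token is rejected', request: { method: 'GET', path: '/accounts/42', headers: { authorization: 'Bearer guess' } }, expected: { status: 401 } },
  { name: 'valid transfer is accepted', request: { method: 'POST', path: '/accounts/42/transfers', headers: authed, body: '{"amount": 25}' }, expected: { status: 201, shape: { id: 'number', status: 'string' } } },
  { name: 'wrong-typed amount gets a structured error', request: { method: 'POST', path: '/accounts/42/transfers', headers: authed, body: '{"amount": "lots"}' }, expected: { status: 400 } },
  { name: 'malformed JSON body gets a structured error', request: { method: 'POST', path: '/accounts/42/transfers', headers: authed, body: '{"amount": 25, ' }, expected: { status: 400 } },
];

// Run every case against an API function and report per-case findings.
function runSuite(api, cases = TEST_CASES) {
  return cases.map((tc) => {
    const failures = checkResponse(api(tc.request), tc.expected);
    return { name: tc.name, passed: failures.length === 0, failures };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runSuite(fakeAccountsApi)) {
    console.log(`${r.passed ? 'PASS' : 'FAIL'}  ${r.name}`);
    r.failures.forEach((f) => console.log(`        - ${f}`));
  }
}
```

Run with `node` and five cases pass; the malformed-JSON case fails with two findings, the disclosed framework header and the exception text in the error message. Against a real service, replace fakeAccountsApi with a function that performs the HTTP request and returns the same {status, headers, body} shape, and keep the error cases on a schedule the team operating the API has agreed to.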

Guidelines for executing API tests

Several common practices can help you avoid problems when you're ready to execute your API tests against the live production server.

Include the IT team in your testing strategy. An API test execution plan must accommodate the IT team in charge of the APIs as well as those who actually execute the tests. You need their expertise to decide when to conduct tests so that testing doesn't take down the production server and all its connections. You also need their help to schedule error tests; sending bad data as a test without warning is a poor idea, and on a monitored production system it can be mistaken for an attack. They may need to monitor the APIs during testing in case a failure occurs.

Ensure test developers can use the API testing tool. Plan time for those who create and execute the tests to get comfortable with the tool. That avoids the mistakes that come from staff pressured to test while still learning it.

Create and follow a plan for test maintenance. It's a fact of software development life: like any test scripts, API tests require maintenance. Someone has to keep them up to date and working. Endpoints change, as do the authentication schemes, credentials and certificates used to exchange data and files, and your business partners may change their endpoints as well. Plan ahead for the resources to keep your API tests current with any back-end change that affects the API system.

When you integrate applications that depend on APIs for data or messaging, you need an API testing strategy. It's not enough to confirm that you have functional endpoints, any more than it is to say that your application is functional because the server is up. An API testing strategy keeps your application and all its connections happy and functioning as expected for both customers and business partners.
