10 best API testing tools to know

Why API testing is important

Because APIs are at the heart of most modern apps, it's essential that teams catch issues in the API layer. Being able to test individual API endpoints helps front-end and back-end teams work independently and build faster. Teams can work on truly separate pieces of functionality, letting teams test and deliver separately without risking creating an error elsewhere in the system.

API tests run faster, are less brittle and can be more accurate than tests that go through the UI, in part because they interact directly with application logic. While the web browser still gets images and design from a single web server, it will likely get all data -- including login, search results and processing updates -- through an API endpoint.

Top 10 API testing tools

To test API endpoints reliably, teams need an API test framework that can run suites of tests automatically on every build and API testing tools to record each test.

The tools on this list were selected based on their presence in the marketplace, fitness for use and availability of commercial support. The list works in ascending complexity and is designed to match what a software developer might look for as they need additional features.

1) In-browser API testing

The URL for an API endpoint is the same as a website. With knowledge of how the API is structured -- meaning the URL that corresponds with the API endpoint -- and a GET request, a tester can copy and paste the URL into the address bar of a web browser to get API results. For example:

Most modern APIs require users to log in to the application under test and manage the session with a cookie. The tester can log in to the environment through the traditional front end -- which should create the session -- and then access the URL through the browser.

This approach is limited to a single request at a time and is very human-intensive. APIs that use the POST command will be a problem in this technique, as POST submits additional information in the payload, which the browser doesn't allow users to modify. The browser is best for HTTP GET commands.

In-browser testing is a good starting point for inspection and experimentation while also looking at webpages. However, testers shouldn't rely on it as their only tool. Consider using in-browser testing alongside Fiddler or mitmproxy.

2) CURL

Short for "client url," cURL takes a URL and places the output on the screen. Free, and open source, cURL comes preinstalled on Linux and Mac. It also has command-line options to support basic authentication and can make HTTP requests using a TLS handshake. CURL can read payloads from a file and redirect results to a separate output file, making it an excellent component of a Linux text-based toolchain. That said, with a text-only interface, cURL is most suited as part of a homebrew API testing framework. The most straightforward alternative to cURL in a homebrew framework is to write the code in a native programming language and use that language's socket library to connect to URLs directly.

CURL is more of a batch process and does not enable easy interaction with an API in real time. For that, consider Fiddler or mitmproxy.

3) Fiddler

Originally an extension for Internet Explorer on Windows, Fiddler sits between the browser and the OS' networking layer. This allows the user to intercept messages coming both ways, assess the URL and payload, and change them. It helps pinpoint exactly what was requested and what was returned, making it easier to determine if an error originates from the front end or back end.

Today, Fiddler Classic runs on Windows and remains free, while Fiddler Everywhere runs on Linux, Mac and Windows and costs $6 to $15 monthly as a service. While Fiddler has a reputation as a tool for exploration and real-time inspection, the classic version does offer a scripting language similar to JavaScript, called FiddlerScript. It's possible to run test scenarios in FiddlerScript and report success and failure as part of a continuous integration strategy, but better tools exist.

4) Mitmproxy

Similar to Fiddler, mitmproxy sits between a browser and the OS. It can record all the traffic in a session, then replay, save, export and re-import it. The application provides three major interfaces -- command line, a Windows-based GUI and a Python extension to write programs that access mitmproxy as a code library. While lesser known commercially, mitm has an active open source community and a variety of extensions, including mitmproxy2swagger, which can take any API call and convert it into a Swagger API specification.

5) Swagger and API Hub

Best known as an API documentation tool, Swagger lets programmers document APIs in any language. Swagger and API Hub come from SmartBear, a company that delivers a variety of tools for developing, testing and monitoring APIs and software.

However, once the API is defined, Swagger can generate server stubs and client code, including code libraries that make any API look and feel like a function call. While the base Swagger app is free, the online tool, SwaggerHub, runs from $20 to $50 per month, per user. SwaggerHub offers version control in the cloud, comments, multi-user collaboration and a host of additional features and tools.

Swagger-test and SwaggerAssertions are command-line tools that compare the real output from an API to its Swagger-defined expectations. Because SmartBear Software supports Swagger, it integrates with other SmartBear applications, such as API Hub. API Hub can use a Swagger specification or a simple API call/result to create a GUI for exploring and testing that API. This integration capability creates a cohesive flow for software testers, but it can also make it hard to switch out components later.

6) Postman

Postman is perhaps the most common, well-rounded API testing tool. Users can explore API endpoints in real time, then standardize those processes and run them continuously in regression. With both a web and desktop version, along with the command-line runner for continuous integration, Postman lets users create and run collections, which combine API calls with pre-request and post-response events. Those post-response events can include assertions such as success messages.

Postman is also structured to provide authentication as a pre-request step, enabling users to configure API tests in one place. JavaScript powers Postman tests, making the tests more powerful and complex than no-code test tools.

The biggest limitation of Postman is that, by default, it stores collections locally and invisibly to the user. But users can export them to JSON files and check those into version control. This makes simultaneous editing a problem, but it's manageable if users work on different files without dependencies. Postman offers a web-based collaboration service called Workspaces, which stores collections in the cloud and currently runs from $19 to $50 per user, per month.

7) SoapUI

Another SmartBear product, SoapUI adopts the classic terminology:

• Test cases are one or more test steps.
• Test suites are one or more test cases.

SoapUI fully supports REST-style APIs, saving tests in an XML format, which can create challenges similar to those of Postman.

The layout and design of SoapUI is drag-and-drop, letting users build test cases out of reusable components that can include snippets of code in either JavaScript or Groovy. SoapUI can also import Postman collections, preventing vendor lock-in. Like Swagger, Postman and Fiddler, SoapUI is free, but is also a subset of a more expansive and modern paid product called ReadyAPI. ReadyAPI takes all of SoapUI's features and adds more data management features, the ability to stand up service virtualization and mock servers, built-in support for Zephyr integrations -- SmartBear's reporting tool -- built-in support for Jenkins integrations, the ability to launch ReadyAPI from a Docker image and performance test management. These enterprise features come at $83 per month for API testing, $110 for the service virtualization and $570 a month for the performance testing component -- all billed annually.

8) Tricentis Tosca API Scan

Tricentis became known for Tosca -- a test generator for GUIs, later expanding and investing in new products and features, including Tosca API Scan. Tricentis' approach is model-based, meaning the tool can derive dozens or hundreds of tests from a set of rules about the API. As long as those tests are self-contained and don't conflict with one another, Tosca can run them in the cloud in parallel, speeding up test run times from dozens of minutes to a few seconds. The product family is heavily tied to the Windows OS, which won't work for Mac and might lack support for Linux. Tosca's pricing structure is not public information.

9) REST Assured

A completely free and open source code library for testing APIs in Java, REST Assured supports a behavior-driven development-style syntax, testing in JUnit and other Java unit-test frameworks. It has plugins for Maven, Gradle, Spring MVC and other common Java infrastructure frameworks. REST Assured adds value to teams that write APIs in Java and want to test them the same way they code. Below is a sample bit of code in REST Assured, which checks for a 200 OK response and verifies that joker.com appears in the API output:

@Test
public void domain_request_returns_200_with_expected_id_and_winners() {
    when().
        get("v1/domains/search?domain=xndev.com").
    then().
        statusCode(200).
        body(containsString("joker.com"));
}

10) Performance testing: JMeter and Gatling

Some programmer errors introduce problems with as few as two or three simultaneous users. Once that is overcome, the next problem is usually at 20 or 30. As usage grows, applications might hit the limits of a single server, followed by challenges with scaling efficiently, and, finally, the demands of webscale performance.

Apache JMeter is a free, open source tool that can effectively test the first few rungs of that ladder -- simulating a dozen simultaneous users and perhaps a hundred simultaneous API requests. With JMeter, users can record the API calls a client makes and replay them while gradually increasing the number of users, varying the login credentials using a data file and customizing other parameters to simulate real-world usage. The bottleneck for performance testing in a small-scale system will likely be the client or internet connection, leading to limited effectiveness. BlazeMeter is a hosted version of JMeter in the cloud that promises scalability, costing from $99 to $500 per month.

Testers working on products with a larger user base can fully control a large set of computers to run performance testing sessions. Gatling offers two extremes of API testing: local and large-scale. Priced from $90 to $500 per month, Gatling tests are coded in Java, JavaScript or TypeScript using a domain-specific language -- a code library that provides access to the functions that create the tests. Because Gatling tests run in the cloud, the vendor can simulate requests from all over the world. Companies might have concerns about storing tests and test data in the cloud. Gatling is based in the EU, which has stricter security, privacy and data protections than the U.S.

How to choose an API test tool

Choose the best tool according to testing needs. If performance testing isn't needed, Gatling and JMeter are irrelevant. If coding APIs and respective tests in Java isn't a need, REST Assured would not be the right match. Tricentis won't be a fit for an all-Macintosh environment.

Use the below breakdown of each tool covered to find a match based on testing needs:

Matt Heusser is managing director at Excelon Development, where he recruits, trains and conducts software testing and development.