Getty Images


How to develop an API test automation strategy

A suite of automated API tests can set up an application for success but only if QA teams determine the right tests to automate and implement them correctly.

Without proper API testing, disruptions in the back-end exchange of data, files and other information can wreak havoc. If those connections fail, so does the application.

To ensure an application functions as expected, create an effective suite of automated API tests. Automating API tests -- though complex -- is less complicated and error-prone than automating UI-based or workflow-based functional tests. Automated API test suites focus on the API functionality and require less test maintenance overall. With the right tool and a supportive developer resource, QA can effectively and efficiently create automated API test suites.

Learn which tests to automate, what tool to use and how to implement API test automation, using Postman as an example.

Determine which API tests to automate

Any API that requires continuous or frequent testing is a great candidate for an automated test suite. To determine which APIs require continuous testing, review the application functionality, all available workflows and API documentation.

API tests that require continuous testing or monitoring include the following:

  • Endpoint validation. Is it functional? Is it accepting valid messages?
  • Data validation. Is the application displaying the expected data? Is the data updated accurately after an update from the application?
  • API construct verification. Does the response contain the correct data type mapping, or is the right data displaying in the wrong field?
  • Security handling. Is token receipt and response working as expected? What about rejected message processing?
  • Communication failures. What happens to a failed message or data transfer?
  • Message format validation. Are messages meeting formatting standards?

APIs that are only used occasionally may be prioritized at the end or tested manually using existing functional regression test suites. APIs that serve news feeds or decorative items in the application are important but likely not in need of continuous testing or test automation.

QA testers need to verify that data-related APIs return the expected data across application platforms. For example, most applications support both a web and mobile app. Both application platforms likely depend on data from the same API connection but are coded separately on the application side. Create automated tests that ensure both display the same data.

Once teams cover the API connection with basic tests, they can add more complexity and extend the test coverage. For example, QA testers using Postman can start automating via a set of JavaScript snippets independently, or combined, to extend test coverage.

API test automation best practices

Functional, connectivity and security tests benefit from API test automation. It's essential to verify endpoints are not only responsive, but processing valid and invalid messages. Security is key to business operations, and it relates to both application functionality and connectivity. Create automated API tests that capture all three of these items to return the most business value.

Develop a suite of automated API functional and security tests to execute routinely, meaning continuously or, at minimum, daily. Add in connectivity tests for both expected and failure scenarios. Execute connectivity tests at least daily or weekly, depending on the priority of the API. Consider creating a critical test suite for items that need testing continuously, and leave the rest on a daily schedule.

Don't skip the error messaging or failure tests; they let you know and test how an API responds to bad data and alert you to any other problem within the application and its API set. It's far better to catch failures during a test than when customers are using the system.

Select a tool for automated API testing

Many tools cover API test automation. Before committing to one, consider a free trial, or free version, to ensure the tool is intuitive and expandable for maximum API test coverage.

Most API testing tools offer code snippets to get started and support custom coding. The code snippets alone enable teams to create valid tests in a variety of coverage patterns. Additionally, the tests are always editable to add more detail or expand coverage.

The following tools provide capabilities to automate API tests:

  • Postman. Includes free and paid versions. Accessible help and tutorials.
  • Katalon. Accessible to all levels of expertise. Has minimum maintenance requirements and supports integrations with CI/CD and DevOps tools.
  • Apigee. Designs, secures, analyzes, scales and tests APIs. Part of the Google Cloud offering.
  • SoapUI. API testing tool for both REST- and SOAP-based APIs.
  • JMeter. Offers open source, cross-platform testing based on Java. Apache JMeter works on any platform that has a Java VM.
  • ReadyAPI. Offers the same essential features as SoapUI but is a new offering.

The above list is a brief sampling; there are many available tools.

Sample API test automation approach using Postman

Let's discuss the initial steps to create and automate an API request test in Postman.

To get started, open Postman, create a workspace and then create a request. The request is a message sent to the API under testing. In our examples below, we use Postman's public API. To create a request, choose the HTTP Request option on the top left, as seen in Figure 1.

Screenshot of Postman's 'Create new' screen
Figure 1. Create a new request on Postman.

Next, you'll see a tab at the top of the screen labeled Untitled Request. This is your new request. You can add a title, then choose GET, POST or PUT and enter the endpoint URL, params, authorization, headers and body.

Screenshot of Postman's 'Untitled request' screen
Figure 2. Label a request on Postman.

View the sample request in Figure 3. The request tab displays the name; this example uses GET and provides the endpoint URL to test. Notice the Headers tab shows five headers exist. Postman automatically creates these for you.

When testing secured APIs, the Authorization and Params tabs would show the username and password or authentication to receive a valid security token. Your API developer or IT manager knows the API password and security token.

Screenshot of Postman's 'Sample request' screen
Figure 3. Navigate a request on Postman.

Now that the request is set up to process, hit Send. In Figure 4, the request name and request type are highlighted in the top portion of the window. Once you select Send, you'll see the response body in the lower half of the window. The best view is JSON, and there is additional information to the right indicating if the message was successfully processed -- in this case, the 200 OK message.

Screenshot of Postman's 'Response' screen
Figure 4. Process a request on Postman.

Next, we can create test automation using our request. Click on the Tests tab that displays on the same line as Params and Authorization. Use the code snippets accessible on the right to develop automated API tests. When a request is sent, the automated tests execute, and the results populate under the Test Results tab.

Screenshot of Postman's 'Tests tab' screen
Figure 5. Create test automation using Postman.

Figure 5 uses two of the code snippets. We edited the first one, so you see it pass. The second one was left as is, so it fails. You always need to edit the snippet to match the response data you are verifying. The test results populate whenever the request is sent.

Next, add detail to your automated API tests based on the testing needs for the API. Edit the snippets based on the API response data to verify data, fields, security tokens and if the message processes or fails.

Dig Deeper on Software testing tools and techniques

Cloud Computing
App Architecture