API testing is a rich field for QA teams' testing efforts. Make API testing part of your QA test planning any time you work on a web or mobile application, because APIs gather, send and exchange data between applications.
APIs are essential to many applications. Consider how many mobile and web banking, healthcare and entertainment applications you use on a weekly basis. Each of those applications relies on data passing from one storage location to another. Without APIs, applications are less efficient, less integrated and less useful.
In many software development teams, API testing is the developer's responsibility. But it's beneficial for the QA team to learn how to do API testing -- even if it's just to have another set of eyes on your APIs. Ultimately, QA-led API testing adds to an application's quality, reliability and business success.
When to test APIs
API tests should be part of an overall application quality plan.
Perform API testing frequently, or continuously, and in short cycles. Test APIs often, at least after any significant code change. Execute API tests as part of a smoke test, as well as before and after each release. Track all database changes and execute API tests to verify the database functions with the application as you expected.
What to test
An essential API test verifies that an API is capable of connection, and that it is sending and receiving data.
At some level, the QA team should include security testing. API messages must verify security at both ends of a data exchange.
In addition to connectivity and security, verify database validity. If the APIs allow invalid data during an exchange, the database and applications are susceptible to failure from an unexpected source. Data validity is critical for API, database and application communication.
To vet these areas, make sure to test error conditions as well. The API developer should share the error codes that will generate when the system rejects an incoming message for security or data issues, when messages are in the wrong format and when the API endpoint is down or non-functional.
The QA engineer should verify that the API returns the data the IT organization expects across systems. Many applications have integrated components, such as a web portal and a mobile app. One API likely serves both components, so validate the application functions in both systems and that the data matches -- which isn't always a guarantee.
API testing vs. web services testing
Both web services and APIs are means for one application to exchange data with another. However, the two technologies are not one and the same. Accordingly, testers should not assess web services and APIs in the same way. Check out this overview of how to approach QA for APIs and web services respectively.
If an application includes both a web and mobile option, programmers often code those systems separately. Likewise, they might have created the coded calculations differently, which requires separate testing for each platform. This setup creates headaches for testers, as the results in the application likely function the same way. Check that the data that displays in one matches the other, and that both systems remain in sync.
API testing tools
If you have existing, valid functional test automation for your application, you might create a test suite focused on verifying the API runs -- all without any additional effort. For example, an automated smoke test suite can include tests that cover the API functionality. Testers can likely cover the data and error conditions with existing functional tests. However, the suite will still lack the security-based tests.
QA teams don't need tools to do API testing -- they can work with code or in the application instead. But numerous tools provide valid, useful capabilities for the task. Postman, API Fortress, SoapUI and SmartBear offer testing capabilities, as does AWS and other vendors. There are low-cost options for QA teams to get started on the basics and see if API testing adds value, then move to more sophisticated tools as needed.