API TESTING QUESTIONS AND ANSWERS

1- What is API?

API stands for Application Programming Interface; it is a computing interface that defines how software components interact with each other. An API defines what requests can be made and how they are made, and hides complexity from developers.

2- What is API Documentation?

API documentation is a technical content deliverable that contains instructions about using and integrating APIs effectively. It is a concise reference manual with all the information required to work with the API, such as classes, functions, arguments, return types, and more.

3- How does API work?

APIs communicate through a set of rules that define how computers, applications or machines can talk to each other. The API acts as a middleman between any two machines that want to connect with each other for a specified task.

4- What is API Testing?

API testing is a set of quality assurance actions that determines if the developed APIs meet expectations regarding the functionality, reliability, performance, and security of the application. API testing is usually performed by a software tool or web service and mainly focuses on testing the business logic layer.

5- What is the difference between an API and web services?

A web service is a collection of open source protocols and standards used for exchanging data between systems or applications, whereas an API is a software interface that allows two applications to interact with each other without any user involvement.

6- What is the approach followed in API Testing?

We follow the below approaches in API Testing:

  • Firstly, write the required test cases for testing the APIs, making use of different testing techniques like equivalence classes, boundary value analysis, etc., which help to verify the functionality.
  • Clearly define the scope and functionality of the APIs.
  • Define the different input parameters that you want to test the API with.
  • Verify the test cases by passing the input parameters.
  • Compare the results of the different test cases based on their expected behavior.
  • Also subject the API to different conditions depending on the description of the functionality.

7- How to test the security of an API?

  1. Use the proper HTTP method according to the operation.
  2. Return the proper status code according to the operation completed.
  3. Don’t use Basic Auth. Use standard authentication instead (e.g. JWT, OAuth).
  4. All endpoints with access to sensitive data require authentication.
  5. Avoid guessable (auto-incrementing) IDs.
  6. Handle large amounts of data safely.
  7. Secure HTTP (HTTPS) encrypts data between clients and server.
  8. Implement max retry/rate limit policies.
  9. Use encryption on all sensitive data.
  10. Don’t use any sensitive data (credentials, passwords, security tokens, or API keys) in the URL.
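Several items on this checklist can be checked mechanically against captured traffic. The following added example (not part of the original notes) audits constructed request records for items 3, 4, 5, 7 and 10; the sensitive key list, path fragments and sample URLs are assumptions made for the example.

```python
"""Audit captured API requests against the checklist above.

Added example, not part of the original notes. The 'captured' requests are
constructed dict records, not real traffic; the key names are assumptions.
"""
from urllib.parse import urlsplit, parse_qs

# Query-string names that look like credentials (checklist item 10).
# Assumption: an illustrative list, extend it for your own API.
SENSITIVE_QUERY_KEYS = {"password", "passwd", "pwd", "token", "access_token",
                        "api_key", "apikey", "secret", "session"}

# Path fragments the test plan marks as sensitive data (checklist item 4).
# Assumption: constructed for this example.
SENSITIVE_PATH_PARTS = ("/users", "/accounts", "/payments")


def audit_request(req):
    """Return the checklist findings for one captured request.

    req has keys: method, url, headers (dict). An empty list means the
    request passed every check implemented here.
    """
    findings = []
    parts = urlsplit(req["url"])
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    auth = headers.get("authorization", "")

    # Item 7: transport must be HTTPS.
    if parts.scheme != "https":
        findings.append("item 7: plaintext HTTP, use HTTPS")

    # Item 3: Basic Auth resends the password on every request.
    if auth.lower().startswith("basic "):
        findings.append("item 3: Basic Auth in use, prefer a token scheme")

    # Item 10: credentials or tokens must never appear in the URL.
    query_keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    leaked = sorted(query_keys & SENSITIVE_QUERY_KEYS)
    if leaked:
        findings.append(f"item 10: sensitive data in URL query: {leaked}")

    # Item 4: sensitive endpoints require authentication.
    if any(p in parts.path for p in SENSITIVE_PATH_PARTS) and not auth:
        findings.append("item 4: sensitive endpoint called without Authorization")

    # Item 5: a bare integer path segment suggests guessable auto-increment IDs.
    if any(seg.isdigit() for seg in parts.path.split("/")):
        findings.append("item 5: numeric path ID looks auto-incrementing")

    return findings


def audit_all(requests):
    """Map each request URL to its findings; only flagged requests appear."""
    report = {}
    for req in requests:
        found = audit_request(req)
        if found:
            report[req["url"]] = found
    return report


# Constructed captures: one clean request and two with problems.
CAPTURED = [
    {"method": "GET", "url": "https://api.example.test/v1/orders/8f3c-a1",
     "headers": {"Authorization": "Bearer <opaque-token>"}},
    {"method": "GET", "url": "http://api.example.test/v1/users/1042?api_key=abc123",
     "headers": {"Authorization": "Basic dXNlcjpwYXNz"}},
    {"method": "GET", "url": "https://api.example.test/v1/accounts/7",
     "headers": {}},
]

if __name__ == "__main__":
    for url, found in audit_all(CAPTURED).items():
        print(url)
        for f in found:
            print("  -", f)
```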

8-What is the process of API Specification Review?

API Specification Review is the first and foremost step of documentation of the API testing needs and requirements. It should clearly state the purpose of the API, the application workflow and its features along with all other required details which could possibly help to plan the API testing process smoothly.

9- What is latency in API testing?

Latency refers to the response time, or the delay taken by the request to reach the server. We need to ensure that the latency involved in reaching the server is minimal, since the higher the latency, the greater the impact on the application’s speed and performance.

10- What do you understand by throughput in performance testing?

Throughput refers to the number of transactions per second that an application can handle under load from many users. The API needs to ensure that the required throughput is met before it is deployed to production. We can identify this by performing load testing of the APIs: identify multiple transactions of different priorities and check how many requests pass successfully within the acceptable time governed by the SLAs (Service Level Agreements) we have defined.

11-What is Payload?

Payload is the most common term used in the case of REST APIs. It refers to the actual data sent to the server in the API request in different formats like JSON, XML etc.

What is the importance of the caching mechanism?

Caching is the practice of temporarily storing data so that repeated requests can be served from the stored copy. This increases the performance of the system, because the data is obtained from the cached copy instead of hitting the database to fetch the original data.

12-Why is automated API testing useful?

1-Automated testing is useful in the long run as it helps to maximize the test coverage of the applications in a shorter period of time meaning it helps to test large test sets very easily and quickly.

2-It enables parallel execution and helps to reduce human-generated errors in testing.

3-It saves the time required to test applications thereby saving the overall cost.

13-What do you understand by Input injection?

Input injection is the act of simulating inputs for testing APIs. It can be simulated in different ways:

  • Direct Method Invocation
  • Accessibility interface invocation
  • Low-level input simulation
  • Device driver simulation
  • Robot Simulation.

14-What do you understand by the test environment for API?

The test environment is an environment that helps test the APIs developed by providing a feature to send requests and get the responses from the server. It is similar to the production environment where the Quality Analyst has enough data to perform their functionality testing.

15- Is it possible to hack an API while testing?

Yes, it is possible. This is because we are sending requests over the internet, mostly using the HTTP protocol. This protocol is text-based and is easy to read. Hence, it is required to perform security testing of the APIs to ensure safer systems.

16-How should we test the API security?

To test the security of the API, we need to validate 2 things:

  • Authentication: Whether the identity of the end-user is correct.
  • Authorization: Whether the user is allowed to access the resource.

We can also validate whether the TLS (Transport Layer Security) or SSL (Secure Sockets Layer) certificate used over the HTTPS protocol is valid or not.
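As an added example (not from the original notes), the tests below exercise both checks against a constructed in-process stand-in for an API: a missing, malformed, unknown or expired token must yield 401, and a valid token used on another user's resource must yield 403. Token values, user ids and account ids are made up for the example.

```python
"""Authentication vs authorization test cases for a minimal API.

Added example, not part of the original notes: the handler below is a
constructed in-process stand-in (no network) so the cases run offline.
Token values, user ids and account ids are made up.
"""
import time
import hmac

# Constructed token table: bearer token -> (user id, expiry as unix time).
TOKENS = {
    "tok-alice": ("alice", 2_000_000_000),   # valid far into the future
    "tok-bob": ("bob", 2_000_000_000),
    "tok-old": ("alice", 1_000_000_000),     # already expired
}
# Constructed resources: account id -> owner.
ACCOUNTS = {"acc-1": "alice", "acc-2": "bob"}


def authenticate(headers, now):
    """Return the user id for a valid bearer token, else None (401 case)."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    # Compare against every known token in constant time so a partial match
    # does not leak through timing differences.
    for known, (user, expires) in TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return user if now < expires else None
    return None


def handle_get_account(account_id, headers, now=None):
    """GET /accounts/{id}: 401 without identity, 403 without ownership."""
    now = time.time() if now is None else now
    user = authenticate(headers, now)
    if user is None:
        return 401, {"error": "authentication required"}
    if account_id not in ACCOUNTS:
        return 404, {"error": "no such account"}
    if ACCOUNTS[account_id] != user:          # authorization check
        return 403, {"error": "access not allowed"}
    return 200, {"id": account_id, "owner": user}


def run_security_cases(now=1_500_000_000):
    """The authentication and authorization cases described above.

    Returns {case name: (expected status, actual status)} so a failing
    case is easy to spot in a report.
    """
    cases = {
        "no credentials":       ({}, "acc-1", 401),
        "wrong scheme":         ({"Authorization": "Basic dXNlcjpwYXNz"}, "acc-1", 401),
        "unknown token":        ({"Authorization": "Bearer tok-nope"}, "acc-1", 401),
        "expired token":        ({"Authorization": "Bearer tok-old"}, "acc-1", 401),
        "owner reads own":      ({"Authorization": "Bearer tok-alice"}, "acc-1", 200),
        "other user's account": ({"Authorization": "Bearer tok-bob"}, "acc-1", 403),
        "missing account":      ({"Authorization": "Bearer tok-alice"}, "acc-9", 404),
    }
    return {name: (expected, handle_get_account(acc, hdrs, now)[0])
            for name, (hdrs, acc, expected) in cases.items()}


def all_pass(results):
    """True when every case returned the status the test expected."""
    return all(expected == actual for expected, actual in results.values())


if __name__ == "__main__":
    for name, (expected, actual) in run_security_cases().items():
        print(f"{name:22s} expected {expected} got {actual}")
```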

17-What do you understand by Big Bang Approach in testing?

The big bang approach is the approach of combining all modules at once and then performing verification of the functionality after the individual modules are tested. It belongs to the category of integration testing of the applications.

18- Types of output in API testing

  • Any type of data: integer, float, decimal, chars, string, etc.
  • Status (say Pass or Fail)
  • A call to another API function

19- How is API testing done?

API testing is done by submitting requests to the test object using its application programming interface and verifying the response against the expected results.

20- Common components of a RESTful API request

An API request consists of 4 things:

  1. The endpoint
  2. The method
  3. The headers
  4. The body/data

21-What needs to be verified in API testing?

In API Testing, we send a request to the API and then we analyze the responses based on the following parameters:

  1. Data accuracy of the actual response with the expected response.
  2. HTTP status codes of the resultant API.
  3. Response time of the API.
  4. Error codes if the APIs are expected to throw an error.
  5. Authorization Details
  6. Test non-functional specifications of the applications like security, performance, availability etc.

22- How many HTTP methods are there?

API developers typically only use GET, PUT, or POST, but the official HTTP Request Method registry lists 39 HTTP verbs in total, each providing a method for powerful interactions.

23- What kinds of response codes can a POST method return?

200 (success), 400 (bad request), 500 (server error)

24-What is the purpose of Post method?

POST is used to send data to a server to create a resource. Some notes on POST requests: POST requests are never cached. POST requests do not remain in the browser history.

25-How do you authorize an API?

With API key auth, you send a key-value pair to the API either in the request headers or query parameters.

26-Why is API Testing Important?

API testing determines whether the API meets expectations for functionality, reliability, performance, and security. It is essential throughout the development, implementation and maintenance of APIs, and must accompany the API to make it functional and ready for its purpose.

PUT vs POST

PUT vs PATCH

URI vs URL

CRUD 

CREATE – READ – UPDATE – DELETE

27-Mention what is the difference between SOAP and REST?

28-What are non-functional requirements for API?

  • Security.
  • Volume and performance (volumetric and performance requirements).
  • Capacity.
  • Scalability.
  • Availability.
  • Recoverability.
  • Audit and provenance.
  • Maintainability.

29-What are the common API testing types?

While there are certainly specialty tests, and no list can claim to be comprehensive in this realm, most tests fit broadly into the following categories, which you should remember before attending an API testing interview.

  1. Validation Testing
  2. Functional Testing
  3. Load testing
  4. Runtime/ Error Detection
  5. Security testing
  6. Interoperability and WS Compliance testing

30-What are the differences between API Testing and Unit Testing?

31-Why is API testing considered as the most suitable form for Automation testing?

API testing is now preferred over GUI testing and is considered as most suitable because:

  • It verifies all the functional paths of the system under test very effectively.
  • It provides the most stable interface.
  • It is easier to maintain and provides fast feedback.

32- Explain the architectural style for creating a web API?

The architectural style for creating a web API is:

  • HTTP for client-server communication
  • XML/JSON as the formatting language
  • Simple URIs as the addresses for the services
  • Stateless communication (a stateless protocol is a communication protocol in which the receiver must not retain session state from previous requests)

33-SOAP API VS REST API

34-API Testing vs Back-end Testing

36- What is the difference between OAuth 1.0 and OAuth 2.0?

OAuth (Open Authorization) is a protocol used for access delegation, where resource owners grant third-party applications access to their resources without sharing their user credentials.

OAuth 1.0 needs to generate a signature on every API call to the server resource, and that signature must match the one generated at the receiving endpoint for the client to be granted access. OAuth 2.0 does not need to generate signatures; it relies on TLS/SSL (HTTPS) for communication.
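As an added example (not from the original notes), the following code implements the OAuth 1.0 HMAC-SHA1 signing described above on both sides of the exchange: the client builds the signature base string and signs it, and the receiving endpoint recomputes the signature and compares it in constant time. It uses the sample request and secrets from RFC 5849 section 3.4.1 so the base string can be compared with the RFC text.

```python
"""OAuth 1.0 HMAC-SHA1 request signing and verification (RFC 5849, 3.4).

Added example, not part of the original notes. The request, parameters and
secrets are the RFC's own sample values, not real credentials.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote


def enc(value):
    """RFC 3986 percent-encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="")


def signature_base_string(method, base_url, params):
    """Build METHOD&enc(base URL)&enc(normalized parameters).

    params is a list of decoded (name, value) pairs from the query string,
    the form-encoded body and the oauth_* protocol parameters, excluding
    oauth_signature. Pairs are encoded, then sorted by name and value.
    """
    pairs = sorted((enc(k), enc(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(base_url), enc(normalized)])


def sign(method, base_url, params, consumer_secret, token_secret=""):
    """Client side: HMAC-SHA1 over the base string, key = secrets joined by &."""
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify(method, base_url, params, consumer_secret, token_secret, presented):
    """Server side: recompute the signature and compare in constant time."""
    expected = sign(method, base_url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), presented.encode())


# The RFC 5849 section 3.4.1 example request, decoded into (name, value) pairs.
RFC_PARAMS = [
    ("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),   # query string
    ("c2", ""), ("a3", "2 q"),                                 # form body
    ("oauth_consumer_key", "9djdj82h48djs9d2"),
    ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"),
]
RFC_URL = "http://example.com/request"
RFC_CONSUMER_SECRET, RFC_TOKEN_SECRET = "j49sk3j29djd", "dh893hdasih9"


def demo():
    """Sign the RFC request, verify it, then show that one changed parameter fails."""
    sig = sign("POST", RFC_URL, RFC_PARAMS, RFC_CONSUMER_SECRET, RFC_TOKEN_SECRET)
    accepted = verify("POST", RFC_URL, RFC_PARAMS,
                      RFC_CONSUMER_SECRET, RFC_TOKEN_SECRET, sig)
    tampered = [("a3", "b") if p == ("a3", "a") else p for p in RFC_PARAMS]
    rejected = not verify("POST", RFC_URL, tampered,
                          RFC_CONSUMER_SECRET, RFC_TOKEN_SECRET, sig)
    return accepted and rejected


if __name__ == "__main__":
    print(signature_base_string("POST", RFC_URL, RFC_PARAMS))
    print("signature accepted and tamper rejected:", demo())
```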

POISED API Testing Strategy

POISED = Parameters, Output, Interop, Security, Errors, and Data

37- Stateless protocol

Stateless protocols are network protocols in which the client sends a request to the server and the server responds based on that request alone. The server is not required to retain session information or a status about each communicating partner across multiple requests.
Examples of stateless protocols are UDP, DNS, HTTP, etc.

38- What are the benefits / advantages of performing API testing?

API testing has several advantages. Among the most important, you can mention:

  1. Test without UI
  2. Test for core functionality
  3. Time effective
  4. Language-independent
  5. Easy integration with GUI
  6. Improved test coverage

  • Test without GUI: Testers can conduct API tests without having to use the software directly. This is a huge benefit because it gives QA engineers early insight into flaws and faults, allowing developers to fix them before they have an impact on the GUI.
  • Test for core functionality: Before performing GUI tests, testing an application’s code-level functionality allows for an evaluation of its overall build quality. This helps reveal little errors that may grow into more significant issues at the GUI level. Core access makes it possible to do testing concurrently with development, enabling communication and better teamwork.
  • Time effective: API tests typically take less time than functional GUI testing. GUI testing takes longer because the web components need to be polled. API test automation in particular involves less code and can therefore give better and faster test coverage when compared to GUI automated testing.
  • Language-independent: An API test uses XML or JSON to exchange data. These transfer modes are not language-dependent, so you can use any programming language when writing automated tests for your API.

39- What are the main challenges of API testing?

The main challenges in API testing are:

  • The main challenges in web API testing are parameter combination, parameter selection, and call sequencing
  • There is no GUI available to test the application, which makes it difficult to give input values
  • Validating and verifying the output in a different system is a little difficult for testers
  • The exception handling function needs to be tested
  • Coding knowledge is necessary for testers

40- HTTP vs HTTPS

HTTP stands for Hypertext Transfer Protocol. The HTTP protocol provides communication between different communication systems. When the user makes an HTTP request in the browser, the web server sends the requested data to the user in the form of web pages. In short, we can say that the HTTP protocol allows us to transfer data from the server to the client.

HTTPS is Hypertext Transfer Protocol Secure. The HTTP protocol does not provide security for the data, while HTTPS ensures the security of the data. Therefore, we can say that HTTPS is a secure version of the HTTP protocol. This protocol allows transferring the data in an encrypted form.

41-What are the most used HTTP methods in REST APIs?

The most important HTTP methods used when performing REST API testing are the methods that perform CRUD operations:

  • GET is the HTTP method that reads the information from the resource.
  • POST method is used to create resources.
  • PUT modifies an existing resource.
  • DELETE will remove a specified resource.

42- What is the difference between the PUT and the POST methods?

  • PUT puts a file or resource at a particular URI (Uniform Resource Identifier), and exactly at that URI. If there is already a file or resource at that URI, PUT replaces that file or resource. If there is no resource or file there, PUT creates one.
  • POST sends data to a particular URI and expects the resource at that URI to deal with the request. The web server at this point can decide what to do with the data in the context of the specified resource.
  • PUT is idempotent, meaning that invoking it any number of times has the same effect on the resource as invoking it once.
  • POST, however, is not idempotent: if you invoke POST multiple times it keeps creating more resources.

43- What are some commonly used authentication methods in API testing?

An appropriate answer for this question would be:

  • Session/Cookies based authentication
  • Basic authentication
  • Digest authentication
  • OAuth.

44-What is the difference between authentication and authorization?

In short, authentication is the process of verifying a user’s identity, whereas authorization is the process of confirming their level of access. 

45-What is API Testing process?

46-Checklist for API Testing?

47- Common error codes

  • 200 – OK: Everything is working
  • 201 – CREATED: A new resource has been created
  • 204 – NO CONTENT: The resource was successfully deleted, no response body
  • 304 – NOT MODIFIED: The data returned is cached data (data has not changed)
  • 400 – BAD REQUEST: The request was invalid or cannot be served. The exact error should be explained in the error payload, e.g. "The JSON is not valid".
  • 401 – UNAUTHORIZED: The request requires user authentication.
  • 403 – FORBIDDEN: The server understood the request but is refusing it or the access is not allowed.
  • 404 – NOT FOUND: There is no resource behind the URI.
  • 500 – INTERNAL SERVER ERROR: API developers should avoid this error. If an error occurs in the global catch block, the stack trace should be logged and not returned as a response.
  • 502 – BAD GATEWAY: The server, while working as a gateway to get a response needed to handle the request, got an invalid response.
  • 503 – SERVICE UNAVAILABLE
  • 504 – GATEWAY TIMEOUT

48- Explain what SOAP is?

SOAP stands for Simple Object Access Protocol, and it is an XML-based protocol for exchanging information between computers.

49- Explain what a REST API is?

It is a set of functions to which developers send requests and from which they receive responses. In a REST API, interaction is made via the HTTP protocol. REST stands for Representational State Transfer, and it is quickly becoming the standard for API creation.

50- The key areas to be considered when writing API documents are:

  • Source of the content
  • Document plan or sketch
  • Delivery layout
  • Information required for each function in the document
  • Automatic document creation programs

51-In API document explain how to document each function? What are the tools used for documentation?

  • Description: Small description about what a function does
  • Syntax: Syntax about the parameter of the code, the sequence in which they occur, required and optional elements etc.
  • Parameters: Functions parameters
  • Error Messages: Syntax of error messages
  • Example Code: Small snippet of code
  • Related Links: Related functions

Popular tools used for API documentation are JavaDoc (for Java code) and Doxygen (for .Net code).

52-What is XML and JSON?

XML (Extensible Markup Language): 

  • It is especially designed to store and transport data.
  • It is similar to HTML but is more flexible than HTML because it allows users to create their own custom tags.
  • It is used for representing structured information such as documents, data, configuration, etc.

JSON (JavaScript Object Notation): 

  • It is a lightweight format designed to store and transport data.
  • It is easier to understand and is a standard text-based format used for representing structured data based on JavaScript object syntax.
  • It is faster and easier to use. 

53- What types of bugs will API testing find?

The types of bugs API testing will find:

  • Missing or duplicate functionality
  • Fails to handle error conditions gracefully
  • Stress
  • Reliability
  • Security
  • Unused flags
  • Not implemented errors
  • Inconsistent error handling
  • Performance
  • Multi-threading issues
  • Improper errors

54- What are the common protocols that are tested in API testing?

  • HTTP
  • JMS
  • REST
  • SOAP
  • UDDI: Universal Description, Discovery, and Integration (UDDI) is an XML-based registry for business internet services.

55- What is the most used API architecture?

HTTP RESTful API is the most widely used architecture.

56-API testing process

API Specification Review
Test Specification Development

57-Differences between PUT and PATCH

PUT request will replace the entire content of the resource at the location while a PATCH request, on the other hand, is used to make changes to a part of the resource at a location.
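As an added example covering questions 42, 47 and 57 (not from the original notes), this in-memory store implements the four methods so the differences can be observed directly: repeated POSTs create new resources, repeated PUTs do not, PATCH merges into the existing representation while PUT replaces it, and each handler returns the status code from the common error-code list. The store and the "users" collection are constructed for the example.

```python
"""In-memory resource store showing POST, PUT, PATCH and DELETE semantics.

Added example, not part of the original notes; the store and the 'users'
collection are constructed. Every handler returns (status code, body).
"""
import copy


class ResourceStore:
    def __init__(self):
        self._items = {}
        self._next_id = 1          # server-assigned ids for POST

    def post(self, collection, data):
        """POST creates a new resource on every call (not idempotent): 201."""
        uri = f"{collection}/{self._next_id}"
        self._next_id += 1
        self._items[uri] = copy.deepcopy(data)
        return 201, {"id": uri, **data}

    def put(self, uri, data):
        """PUT stores the full representation at exactly this URI (idempotent):
        201 when the resource did not exist, 200 when it was replaced."""
        created = uri not in self._items
        self._items[uri] = copy.deepcopy(data)
        return (201 if created else 200), {"id": uri, **data}

    def patch(self, uri, changes):
        """PATCH merges changes into the existing representation; 404 if absent."""
        if uri not in self._items:
            return 404, {"error": "no resource behind the URI"}
        self._items[uri].update(changes)
        return 200, {"id": uri, **self._items[uri]}

    def delete(self, uri):
        """DELETE removes the resource: 204 with no body, 404 afterwards."""
        if uri not in self._items:
            return 404, {"error": "no resource behind the URI"}
        del self._items[uri]
        return 204, None

    def get(self, uri):
        if uri not in self._items:
            return 404, {"error": "no resource behind the URI"}
        return 200, {"id": uri, **self._items[uri]}

    def count(self):
        return len(self._items)


def demo():
    """Exercise the methods and return the facts a test would assert on."""
    store = ResourceStore()
    # Two identical POSTs create two resources: POST is not idempotent.
    store.post("users", {"name": "ann"})
    store.post("users", {"name": "ann"})
    after_two_posts = store.count()
    # Two identical PUTs to one URI: first creates (201), second replaces (200),
    # and the resource count does not grow: PUT is idempotent.
    first = store.put("users/ann", {"name": "ann", "role": "viewer"})[0]
    second = store.put("users/ann", {"name": "ann", "role": "viewer"})[0]
    after_two_puts = store.count()
    # PATCH changes one field and keeps the rest; PUT replaces everything.
    store.patch("users/ann", {"role": "admin"})
    patched = store.get("users/ann")[1]
    store.put("users/ann", {"name": "ann"})
    replaced = store.get("users/ann")[1]
    deleted = store.delete("users/ann")[0]
    gone = store.get("users/ann")[0]
    return {"after_two_posts": after_two_posts, "put_codes": (first, second),
            "after_two_puts": after_two_puts, "patched": patched,
            "replaced": replaced, "delete_code": deleted, "after_delete": gone}
```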

58-There are 4 types of HTTP message headers:

1-General Header

These header fields have general applicability for both request and response messages.

2-Client Request Header

These header fields have applicability only for request messages.

3-Server Response Header

These header fields have applicability only for response messages.

4-Entity Header

These header fields define meta-information about the entity-body or, if no BODY is present, about the resource identified by the request.

59-POISED model for building API tests

  • Parameters — the range of parameters passed to the API
  • Outputs — validating proper outputs for both good and bad parameters
  • Interoperability — Ensuring consistency with other service APIs and other calls
  • Security — Ensuring access and authorization maintained for API calls
  • Errors — Report errors clearly and accurately
  • Data — Handle data structures and real data properly and with the appropriate timing
  1. Parameters — check both valid and invalid parameters. Mishandling of valid input will result in user frustration. Mishandling of invalid input can lead to a host of problems, from security breaches to data corruption.
  2. Outputs — ensure that the output for each service API conforms to your specification. Know how the output behaves with unexpected inputs. Check response codes versus expected responses for both successful results and improper parameters. Will the API consumer know what happened and why?
  3. Interoperability — test both function and performance implications of APIs to know how they behave with others.
  4. Security — know how the API treats active, expired, and invalid credentials. Apply potential vulnerabilities — such as passing parameters that are actually cross-site scripts, and observe results.
  5. Errors — apply known errors and validate that the API reports errors clearly and unambiguously.
  6. Data — verify that the API handles data structures correctly. Compare the parameters entered (such as API parameters) against measured data such as dates and times. For permanent records, validate that data does not change over time. For databases, compare API behavior for different functions (search, sort, etc.) versus database size.

60-API Testing Best Practices

  1. Create API test cases for maximum possible input combinations of the API
  2. Group the API Test cases by test category
  3. API tests should be easy to maintain and write
  4. Every test case should be independent and self-contained
  5. Include the API declarations on the top of every test
  6. Prioritize the API function calls to make it easier for testers
  7. The sequencing of API calls should be well planned and performed
  8. API testing should be a part of your continuous integration and delivery pipeline.

How to Start API Testing

There are many different types of tests you can perform on your APIs:

  • Functionality tests focus on ensuring that the API is able to perform its intended functions.
  • Performance tests measure the response times of the API and check for bottlenecks.
  • Security tests assess the vulnerability of the API to attack vectors such as SQL injection and cross-site scripting (XSS).

API testing is performed by submitting requests to the software through the API and then checking if it returns the expected data.

To get started with API testing, you will need to have access to an application with an exposed API. You will also need to choose a method for sending requests to the API (manual or automated), and select a tool or framework for writing your tests (if using automated testing).

Once you have these things set up, you can begin writing your test cases and running them against the API.

API Testing Tips

API testing can be a challenge, but regardless of the tools you decide to use here are some tips that can help:

  1. Make sure you have a clear understanding of the API before you start testing. Read the documentation and any other available materials. This will help you know what to expect and how the API should work.
  2. Use API testing tools: This will give you a better understanding of how the API works and make it easier to find any issues.
  3. Test all aspects of the API, including input validation, error handling, and security. These are all important factors in ensuring that your API is working correctly.
  4. Keep your tests up-to-date as the API changes. This will help ensure that you catch any new issues that may arise.
  5. Use mobile apps for API testing. Things are changing all the time these days, where many people are working remotely, and from their phones too. By using mobile apps you can increase your productivity, become more mobile, and work from anywhere in the world. A good example of such a tool is the API Tester.

Four types of web APIs

APIs are broadly accepted and used in web applications. There are four different types of APIs commonly used in web services: public, partner, private and composite.