Website API Testing Tips
APIs (Application Programming Interfaces) are the means by which software systems talk to each other. While errors in UI (User Interface) are bad enough, the speed at which software operates can make an API problem a disaster in no time. Since APIs are commonly used to offer third-party services over the Web, many companies depend on them as their primary delivery systems. This makes ongoing verification of their operation an essential business function.
Testing API Calls Individually
Well-designed APIs keep the individual calls fairly simple in their operation and use multiple calls in concert to achieve business objectives. Following this design precept, QualityLogic tests API calls both individually and in functional groups. Individual calls have to operate properly across the entire range of valid input parameter values, and that includes the extremes. They also have to work in concert with each other to perform specific functions.
For example, a credit card authorization service has an API set that, as individual calls, transfers a credit card number, transfers customer ID information, requests a charge amount, and returns a validation or denial of the charge. Each call must be tested to verify handling of expected data ranges, as well as with out-of-range data to verify graceful error trapping.
Testing API Calls as a Functional Group
Beyond these individual call tests, they must be tested as a functional group. This type of API testing verifies their ability to deal with each other’s failures and error trapping, as well as odd occurrences of call timing and situations where responses from the called system are missing or delayed. Each of the independent API calls has to be able to respond with its normal function when data is appropriately presented, and with a graceful effort notification when it is not, even when the failure is in a call to a different API function.
Once proper operation of independent API calls and functional group use is verified, the responsiveness and performance of the system should be verified under controlled load conditions. This is especially important for third-party services whose APIs may be used by a wildly varying number of connections at any given time.
For business-to-business connections between servers, QualityLogic often uses a tool such as SoapUI to directly connect varying numbers of virtual users in order to constrain the test results to measurements of just the API connections. The monitoring aspects of this test can even be used after production release as a surveillance measure to assure the system’s performance in day-to-day operations.