Introduction to API Testing

Nezam Academy
1. What is API

◎ API stands for Application Programming Interface, which is a software intermediary that allows two applications to talk to each other using request and response.

[Diagram: Program sends a Request to the API, which passes it on to the Server; the Response travels back from the Server through the API to the Program.]
2. API vs Web Service

[Diagram: Web Service drawn as a subset of API.]

◎ Web service is used for REST and SOAP, while API is used for any style of communication.
◎ Web service supports only the HTTP protocol, whereas API supports HTTP/HTTPS.
◎ Web service supports XML, while API supports XML and JSON.
◎ All web services are APIs, but not all APIs are web services.
3. Online API & Offline API

Online API
◎ API that goes through the internet to get data = web services

Offline API
◎ API that doesn't go through the internet to get data
◎ EX: Using the camera in your phone

[Diagram: Request passed in to the API and Response returned from it, for both cases.]
4. HTTP

◎ HTTP is the protocol that supports communication between web browsers and web servers.
◎ HTTP has a simple structure:
  ○ Client sends a request.
  ○ Server returns a response.
4.1 HTTP Request

Request Line
◎ Request Line
  ○ Method URI HTTP-Version
HTTP Request Methods
◎ GET
  ○ The GET method is used only to retrieve data.
◎ HEAD
  ○ Asks for a response identical to a GET request.
  ○ Used to check what a GET request will return before actually making the GET request, e.g. before downloading a large file.
◎ PUT
  ○ The PUT method updates data on the server.
◎ POST
  ○ The POST method submits data to the server.
◎ DELETE
  ○ The DELETE method deletes the specified resource.
URI: Universal Resource Identifier
◎ Absolute URI
  ○ scheme://hostname[:port]/path
◎ Relative URI
  ○ /path

HTTP Version Number
◎ HTTP/1.0 or HTTP/1.1
◎ HTTP 0.9 did not include a version number in the request line.
◎ If a server gets a request line with no HTTP version number, it assumes 0.9.
Header Lines
◎ Each header line contains an attribute name, followed by a ":", followed by a space and the attribute value.
◎ Example:
  ○ Accept: text/html
  ○ Host: www.rpi.edu
  ○ User-Agent: Mozilla/4.0

Blank Line
◎ The end of the header section is marked with a blank line.

Content
◎ Content is empty when the method is GET or HEAD.
◎ Content only takes values with the POST method.
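As an added example (not code from the slides), here is a small Node.js parser that splits a raw request into the four parts just described: request line, header lines, blank line, content. It defaults to HTTP/0.9 when the version is missing and rejects content on GET and HEAD, as the slides state; the sample request is the curl request shown on the HTTPS slide, and the POST sample and its host name are constructed.

```javascript
// Added example (not from the slides): parse a raw HTTP/1.1 request into the
// four parts described above: request line, header lines, blank line, content.
function parseHttpRequest(raw) {
  // The header section ends at the first blank line (CRLF CRLF); what follows is the content.
  const sep = raw.indexOf("\r\n\r\n");
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? "" : raw.slice(sep + 4);
  const lines = head.split("\r\n");

  // Request line: Method URI [HTTP-Version]; a missing version means HTTP/0.9 (see the slide above).
  const [method, uri, version = "HTTP/0.9"] = lines[0].split(" ");
  if (!method || !uri) throw new Error("malformed request line: " + JSON.stringify(lines[0]));

  // Header lines: "Name: value". Names are case-insensitive, so they are normalised to lower case.
  const headers = Object.create(null);
  for (const line of lines.slice(1)) {
    if (line === "") continue;                       // tolerate a trailing CRLF with no blank line
    const colon = line.indexOf(":");
    if (colon === -1) throw new Error("malformed header line: " + JSON.stringify(line));
    const name = line.slice(0, colon).trim().toLowerCase();
    // Strict: a repeated name (e.g. two Host lines) is ambiguous for a server, so reject it.
    if (name in headers) throw new Error("duplicate header: " + name);
    headers[name] = line.slice(colon + 1).trim();
  }

  // GET and HEAD carry no content, so a body there is rejected rather than silently ignored.
  if ((method === "GET" || method === "HEAD") && body.length > 0) {
    throw new Error(method + " request must not carry content");
  }
  return { method, uri, version, headers, body };
}

// Constructed sample: the curl request shown on the HTTPS slide, in wire format.
const SAMPLE_GET =
  "GET /hello.txt HTTP/1.1\r\n" +
  "User-Agent: curl/7.63.0 libcurl/7.63.0 OpenSSL/1.1.l zlib/1.2.11\r\n" +
  "Host: www.example.com\r\n" +
  "Accept-Language: en\r\n" +
  "\r\n";

// Constructed sample: adding a student, as in the Postman exercise, with JSON content.
const SAMPLE_POST =
  "POST /Students HTTP/1.1\r\n" +
  "Host: mockapi.example\r\n" +
  "Content-Type: application/json\r\n" +
  "\r\n" +
  '{"Name":"Ahmed"}';
```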

4.2 HTTP Response

Response Status Line
◎ HTTP-Version Status-Code Message
◎ Status Code is a 3-digit number (for computers)
◎ Message is text (for humans)

HTTP Response Status Code
◎ 1xx informational response: the request was received, continuing process
◎ 2xx successful: the request was successfully received and accepted
◎ 3xx redirection: further action needs to be taken in order to complete the request
◎ 4xx client error: the request contains bad syntax
◎ 5xx server error: the server failed to fulfil an apparently valid request

Response Headers
◎ Provide the client with information about the returned entity:
  ○ what kind of document
  ○ how big the document is
  ○ how the document is encoded
  ○ when the document was last modified

Blank Line
◎ The end of the header section is marked with a blank line.

Content
◎ Content can be anything
5. HTTPS

The S in HTTPS stands for "secure". HTTPS uses TLS (or SSL) to encrypt HTTP requests and responses, so instead of the text, an attacker would see a bunch of seemingly random characters. For example:

GET /hello.txt HTTP/1.1
User-Agent: curl/7.63.0 libcurl/7.63.0 OpenSSL/1.1.l zlib/1.2.11
Host: www.example.com
Accept-Language: en

The attacker sees something like:

"t8Fw6T8UV81pQfyhDkhebbz7+oiwldr1j2gHBB3L3RFTRsQCpaSnSBZ78Vme+DpDVJPvZdZUZHpzbbc"
6.
Idempotency and Safety

29
Idempotency and Safety
Idempotency and safety are properties of HTTP methods. The HTTP RFC defines these
properties and tells us which HTTP methods are safe and idempotent.
◎ Safe HTTP methods

◎ Idempotent HTTP methods

30
Safe
◎ Safe HTTP methods
○ HTTP methods are considered safe if they don't alter the server state. So safe methods can
only be used for read-only operations. The HTTP RFC defines the following methods to be
safe: GET, HEAD, OPTIONS and TRACE.

31
Idempotency
◎ Idempotent HTTP methods
○ Idempotency means that multiple identical requests will have the same outcome. So it does
not matter if a request is sent once or multiple times. The following HTTP methods are
idempotent: GET, HEAD, OPTIONS, TRACE, PUT and DELETE. All safe HTTP methods are
idempotent but PUT and DELETE are idempotent but not safe.

32
Summary

HTTP Method Safe Idempotent

GET Yes Yes

HEAD Yes Yes

OPTIONS Yes Yes

TRACE Yes Yes

PUT No Yes

DELETE No Yes

POST No No

PATCH No No
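To make the table concrete, this added example (not from the slides) replays the same request against a small in-memory /Students API, the resource used in the Postman exercises later in the deck, and compares the stored state after the first and the last replay, which is also the "send the same request 10 times" check from the API Testing slide. The API, its routing and its responses are constructed for illustration.

```javascript
// Added example (not from the slides): an in-memory /Students resource that shows why
// PUT and DELETE are idempotent while POST is not, by replaying identical requests.
class StudentsApi {
  constructor() { this.students = new Map(); this.nextId = 1; }

  // Minimal router for the /Students resource; returns {status, body?} like an HTTP response.
  handle(method, path, body) {
    const m = /^\/Students(?:\/(\d+))?$/.exec(path);
    if (!m) return { status: 404 };
    const id = m[1] === undefined ? null : Number(m[1]);
    switch (method) {
      case "GET":             // safe: reading never changes the store
        if (id === null) return { status: 200, body: [...this.students.values()] };
        return this.students.has(id) ? { status: 200, body: this.students.get(id) } : { status: 404 };
      case "POST": {          // not idempotent: every call creates another student
        if (id !== null) return { status: 405 };
        const created = { id: this.nextId++, ...body };
        this.students.set(created.id, created);
        return { status: 201, body: created };
      }
      case "PUT":             // idempotent: full replacement, replaying leaves the same state
        if (id === null) return { status: 405 };
        this.students.set(id, { id, ...body });
        return { status: 200, body: this.students.get(id) };
      case "DELETE":          // idempotent: the second call answers 404, but the state is unchanged
        if (id === null) return { status: 405 };
        return this.students.delete(id) ? { status: 204 } : { status: 404 };
      default:
        return { status: 405 };
    }
  }

  snapshot() { return JSON.stringify([...this.students.values()]); }
}

// Sends the same request `times` times (the "10 times" check from the API Testing slide) and
// reports whether the server state after the first call equals the state after the last one.
// Note that DELETE is idempotent even though its status codes differ between replays.
function replayIsIdempotent(api, method, path, body, times = 10) {
  const statuses = [];
  let afterFirst = null;
  for (let i = 0; i < times; i++) {
    statuses.push(api.handle(method, path, body).status);
    if (i === 0) afterFirst = api.snapshot();
  }
  return { idempotent: afterFirst === api.snapshot(), statuses };
}
```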

7. API Data

7.1 XML
◎ XML stands for Extensible Markup Language
◎ The same organization created HTML
◎ Tags don't mean anything by themselves
◎ SOAP APIs use XML to transfer data

XML Example

<Employees>
  <Employee>
    <id>1</id>
    <Name>Ahmad</Name>
    <Position>Manager</Position>
  </Employee>
</Employees>

7.2 JSON
◎ JSON stands for JavaScript Object Notation
◎ It's a part of JavaScript that holds data
◎ JSON code is smaller than XML
◎ REST APIs use JSON to transfer data

JSON Example
◎ String: "Ahmed"
◎ Object: {"key": "value"} >> {"user name": "Ahmed"}
◎ List: ["1", "2", "3"]

JSON Example

{
  "Employees": {
    "Employee": {
      "Id": "1",
      "Name": "Ahmad",
      "Position": "Manager"
    }
  }
}
7.3 SOAP API
◎ SOAP stands for Simple Object Access Protocol
◎ SOAP includes a WSDL file which has the required information on what the web service does, in addition to the location of the web service.
◎ SOAP can only work with the XML format. As seen from SOAP messages, all data passed is in XML format.
◎ SOAP requests are usually sent with the POST method rather than the GET method because they have to send so much XML data. It is more difficult to send that data via a GET request, and so most SOAP services require the requests to be sent using the POST method.
◎ For example, I will use the country info service to get a list of continents by name. The base page for that service is here: http://webservices.oorsprong.org/websamples.countryinfo/CountryInfoService.wso. Instead of having the request method as a GET request, you will need to set the request method to POST and then put in the URL.
1.
REST API

45
REST API
◎ REST stands for Representational State Transfer

◎ REST is an Architectural style in which a web service can only be treated as a


RESTful service if it follows the constraints of being Client Server – Stateless
–Cacheable - Layered System -Uniform Interface

◎ REST permits different data format such as Plain text, HTML, XML, JSON, etc.
But the most preferred format for transferring data is JSON.

46
1.
Postman

47
API Testing
◎ API Testing : is a type of software testing that test API
◎ Usage :
○ Check functionality, reliability and security
◎ For example :
○ When sending request, is status code is correct ?
○ Is data in response is relevant ?
○ If send same request for 10 times, is response have same result ?

48
API Testing

◎ Remember API that we created on mockAPI before ?

49
API Testing
◎ Now we will test all methods in this API

50
Get All Students

◎ Choose GET method and write /Students at the end of API

◎ Request will be visible below

51
Get Specific Student

◎ Choose GET method and write /Students/ID at the end of API

52
Add new Student
◎ Choose POST method and write /Students at the end of API then we choose
Body and click on raw >> JSON from drop down

◎ If we want to check if student added repeat GET all student step.


53
Edit Student
◎ Choose PUT method and write /Students/ID at the end of API then edit
what we need in the Body

◎ If we want to check if student added repeat GET specific student step.


54
Delete Student
◎ Choose PUT method and write /Students/ID at the end of API then edit
what we need in the Body

◎ If we want to check if student added repeat GET all students step.


55
Save Request

◎ Click save
◎ Create new collection
◎ Give name to request
◎ Create

Tests in Postman
◎ Now we need to create tests to check, for example, the status code and the time of every request, instead of taking care of them by hand in each run.

Test Status code = 200

Test Time < 3000 milliseconds

Test Retrieval Data
◎ Need to check that the first name is Ahmed

Test Result
◎ After running the test we will see the result in Test Results below

Run all requests
◎ We can run all requests or some of them
  ○ Click on the collection
  ○ Click Run
  ○ Select requests & iterations
  ○ Click Run
◎ Result as you see

Using Parameters in Postman
◎ Parameters work as a filter
  ○ URL?Key=Value
Environment Variable

◎ Variables enable you to store and reuse values in Postman. By storing a value
as a variable, you can reference it throughout your collections, environments,
requests, and test scripts.

65
Environment Variable

66
Environment Variable

◎ Now we can choose environment and use its variables using {{variable}}

67
Set Environment Variable

◎ Example : let’s add student then save his id in environment to use it in any
future request instead of write his id manually.

68
Set Environment Variable

◎ Using POST add new student


○ Body :

69
Set Environment Variable

◎ In Tests :

70
Set Environment Variable

◎ After Run as we see StudentID saved in variables in environment

71
Set Environment Variable

◎ So we can use this variable directly in any request
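An added example, not the slides' own Postman screenshots: the status, time and first-name checks from the Tests slides, plus the StudentID save from the Set Environment Variable slides, written as plain functions that run outside Postman, with the equivalent pm calls noted in comments. The response object and the student record it returns are constructed.

```javascript
// Added example (not from the slides): the checks from the Tests slides (status code,
// response time, first name) and the StudentID save from the Set Environment Variable
// slides, as plain functions that run outside Postman. The response object mirrors the
// parts of pm.response they use: code, responseTime and json().
const MAX_TIME_MS = 3000;

// "Test Status code = 200"  (Postman: pm.response.to.have.status(200))
function checkStatus(response, expected = 200) {
  return response.code === expected;
}

// "Test Time < 3000 millisecond"  (Postman: pm.expect(pm.response.responseTime).to.be.below(3000))
function checkResponseTime(response, limitMs = MAX_TIME_MS) {
  return response.responseTime < limitMs;
}

// "Test Retrieval Data: first name is Ahmed". A body that is not JSON is a failed test,
// not a crashed script, so json() errors are caught.
function checkFirstName(response, expected = "Ahmed") {
  let data;
  try { data = response.json(); } catch (e) { return false; }
  return data !== null && typeof data === "object" && data.firstName === expected;
}

// "Set Environment Variable": remember the id of the student just added so later requests
// can write {{StudentID}} instead of a hand-typed id. env is anything with set(), such as
// pm.environment in Postman or a Map here.
function saveStudentId(response, env) {
  const data = response.json();
  if (data === null || typeof data !== "object" || data.id === undefined) return false;
  env.set("StudentID", String(data.id));
  return true;
}

// Constructed sample response, standing in for mockAPI's answer to GET /Students/7.
const SAMPLE_RESPONSE = {
  code: 200,
  responseTime: 412,
  json: () => ({ id: 7, firstName: "Ahmed", lastName: "Ali" }),
};

// Inside Postman's Tests tab, pm exists and the same functions become real tests.
if (typeof pm !== "undefined") {
  pm.test("Status code is 200", () => pm.expect(checkStatus(pm.response)).to.be.true);
  pm.test("Response time is below 3000 ms", () => pm.expect(checkResponseTime(pm.response)).to.be.true);
  pm.test("First name is Ahmed", () => pm.expect(checkFirstName(pm.response)).to.be.true);
  saveStudentId(pm.response, pm.environment);
}
```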

Global Variables
◎ Variables that do not belong to a specific environment; they can be used in any environment
◎ You can add them manually or in the Tests using this code from the snippets:

pm.globals.set("SiteName", "Nezam");

MockAPI in Postman
1.
Authentication

78
Authentication
◎ The API authentication process validates the identity of the client by
sending his username and password

◎ Server save data encrypted for example


◎ username : Test
◎ password: Testpass
◎ Will be VGVzdHBhc3MK

79
Authorization
◎ Authorization is a process of allowing or denying someone from
accessing something

80
Authentication vs Authorization
◎ Authentication tells who you are while Authorization tells what you
can do.

81
Authentication
◎ So if we try this request https://postman-echo.com/basic-auth

82
Authentication
◎ To authorize request click on authorization tab and choose basic
auth and type username:postman password:password

83
Authentication
◎ After Run

10. Status Code in depth

◎ 1xx informational response: the request was received, continuing process
◎ 2xx successful: the request was successfully received and accepted
◎ 3xx redirection: further action needs to be taken in order to complete the request
◎ 4xx client error: the request contains bad syntax
◎ 5xx server error: the server failed to fulfil an apparently valid request

1xx Status Codes
◎ 100 "Continue": the server in question has received your browser's request headers and is now ready for the request body to be sent as well. For example:
  ○ Asking for the allowed size before uploading a file
◎ 101 "Switching Protocols": your browser has asked the server to change protocols, and the server has complied. For example:
  ○ Asking to change the HTTP version
  ○ Changing the protocol from HTTP to IRC
  ○ Changing from HTTP to HTTPS

2xx Status Codes
◎ 200 "Everything is OK": this is the code that is delivered when a web page or resource acts exactly the way it's expected to.
◎ 201 "Created": the server has fulfilled the browser's request and, as a result, has created a new resource.
◎ 202 "Accepted": the server has accepted your browser's request but is still processing it. The request ultimately may or may not result in a completed response.
◎ 203 "Non-Authoritative Information": the proxy server received a 200 "Everything is OK" status code from the origin server, but has modified the response before passing it on to your browser.
◎ 204 "No Content": the server has successfully processed the request, but is not going to return any content.
◎ 205 "Reset Content": like a 204 code, this means that the server has processed the request but is not going to return any content. However, it also requires that your browser resets the document view.
◎ 206 "Partial Content": a 206 code is sent when a Range header causes the server to send only part of the requested resource.

3xx Status Codes
◎ 300 "Multiple Choices": sometimes there may be multiple possible resources the server can respond with to fulfill your browser's request. A 300 status code means that your browser now needs to choose between them.
◎ 301 "The requested resource has been moved permanently": this code is delivered when a web page or resource has been permanently replaced with a different resource. It is used for permanent URL redirection.
◎ 302 "The requested resource has moved, but was found": this code is used to indicate that the requested resource was found, just not at the location where it was expected. It is used for temporary URL redirection.
◎ 303 "See Other": a 303 code tells your browser that it found the resource your browser requested via POST, PUT, or DELETE. However, to retrieve it using GET, you need to make the appropriate request to a different URL than the one you previously used.
◎ 304 "Not Modified": this code tells the browser that the resource has not changed and the copy stored in the browser cache can be reused. It's used to speed up web page delivery by reusing previously downloaded resources.
◎ 307 "Temporary Redirect": this status code has replaced 302 "Found" as the appropriate action when a resource has been temporarily moved to a different URL. Unlike the 302 status code, it does not allow the HTTP method to change.
◎ 308 "Permanent Redirect": the 308 status code is the successor to the 301 "Moved Permanently" code. It does not allow the HTTP method to change and indicates that the requested resource is now permanently located at a new URL.

4xx Status Codes
◎ 400 "Bad Request": the server can't return a response due to incorrect syntax.
◎ 401 "Unauthorized" or "Authorization Required": this is returned by the server when the target resource lacks valid authentication credentials.
◎ 402 "Payment Required": originally, this code was created for use as part of a digital cash system. Common instances include:
  ○ You've reached your daily request limit to the Google Developers API.
  ○ You haven't paid your Shopify fees and your store has been temporarily deactivated.
  ○ Your payment via Stripe has failed, or Stripe is trying to prevent a fraudulent payment.
◎ 404 "The requested resource was not found": this is the most common error message of them all. This code means that the requested resource does not exist, and the server does not know if it ever existed.
