Software Testing Fundamentals · Chapter 25 of 42

API Testing

Akhil Sharma
10 min

API Testing: "Do Interfaces Work Correctly?"

Validating that your API contracts are correct — every endpoint returns the right status codes, headers, and response shapes.

What is API Testing?

API testing verifies that endpoints return correct responses for various inputs, focusing on the interface layer.

What API Testing Checks:

✓ Correct HTTP status codes (200, 404, 500)

✓ Response format (JSON structure)

✓ Response time (performance)

✓ Authentication/Authorization

✓ Error handling

✓ Data validation

Real-World Analogy:

Like testing a restaurant's ordering window:

Customer: "One burger, please"

Window: Returns burger + receipt ✅

Customer: "Ten burgers"

Window: Returns 10 burgers ✅

Customer: "One dragon" (invalid order)

Window: "Sorry, we don't have that" ✅

Customer: (no payment)

Window: "Payment required" ✅

Test the window interface thoroughly!

API Test Example: User Management API

Endpoint: GET /api/users/{id}

Test Case 1: Valid User ID


Test Case 2: Invalid User ID

Request: GET /api/users/999999


Test Case 3: No Authentication

Request: GET /api/users/123 (no auth header)

Response:


Test Case 4: Malformed Request

Request: GET /api/users/abc (non-numeric ID)

Response:

Status: 400 Bad Request ✅

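The four test cases above, run end to end against a stand-in server. This is an added example, not code from the course: the user record, the bearer token value, and the decision to check authentication before validating the id (so unauthenticated callers learn nothing about which ids exist) are all assumptions made here. The server is a minimal http.server so the checks run offline with only the standard library.

```python
"""Self-contained harness for GET /api/users/{id} (constructed example).

A tiny stand-in server is started on a free loopback port, the four cases
from the page are issued with urllib, and the observed status codes are
returned so they can be asserted on.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed fixture data: one known user and one accepted token (placeholder value).
USERS = {123: {"id": 123, "name": "Alice", "email": "alice@example.com"}}
VALID_TOKEN = "test-token"


def route_get_user(path, auth_header):
    """Routing logic kept separate from the HTTP plumbing; returns (status, body).
    Assumption: authentication is checked before the id is even parsed."""
    if not path.startswith("/api/users/"):
        return 404, {"error": "not found"}
    if auth_header != f"Bearer {VALID_TOKEN}":
        return 401, {"error": "authentication required"}
    raw_id = path[len("/api/users/"):]
    if not raw_id.isdigit():
        return 400, {"error": "id must be numeric"}
    user = USERS.get(int(raw_id))
    if user is None:
        return 404, {"error": "user not found"}
    return 200, user


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = route_get_user(self.path, self.headers.get("Authorization"))
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the test run quiet
        pass


def start_server():
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def call(base_url, path, token=None):
    """Issue one GET; returns (status, content_type, parsed JSON) for 2xx and errors alike."""
    req = Request(base_url + path)
    if token is not None:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Content-Type"), json.load(resp)
    except HTTPError as err:  # urllib raises on 4xx/5xx; the body is still readable
        return err.code, err.headers.get("Content-Type"), json.load(err)


def run_test_cases():
    """The page's four cases; returns {case: observed status} so a test can check them."""
    server = start_server()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        results = {}
        status, ctype, body = call(base, "/api/users/123", VALID_TOKEN)
        assert ctype == "application/json" and body["id"] == 123  # shape check, not just status
        results["valid_id"] = status
        results["unknown_id"] = call(base, "/api/users/999999", VALID_TOKEN)[0]
        results["no_auth"] = call(base, "/api/users/123")[0]
        results["malformed_id"] = call(base, "/api/users/abc", VALID_TOKEN)[0]
        return results
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_test_cases())
```

Note that the valid case asserts on the Content-Type header and the body's id as well as the status: a 200 with the wrong shape is still a failed contract, which is the point of checking headers and body together.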

API Testing Types:

1. Contract Testing

Verify API matches documented contract:

Contract says:

POST /api/users


Test:

✓ Request with correct fields → 201 Created

✓ Response has all required fields

✓ Field types match contract

✗ Request with extra fields → How does API handle?

✗ Request missing required field → 400 Bad Request?

Contract must match reality!
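A contract check that answers the five bullets above, added here as an example rather than taken from the course. The contract for POST /api/users is constructed (the page's own JSON block is not reproduced), and the server stand-in takes the strict answer to the "extra fields" question: it rejects them with 400 instead of silently dropping them. Silently accepting unexpected fields is how mass-assignment bugs creep in, so whichever policy an API chooses should be stated in the contract and tested.

```python
"""Contract validation for POST /api/users (constructed example, not the course's code)."""

# Constructed contract: field -> (expected Python type, required?)
USER_CREATE_REQUEST = {"name": (str, True), "email": (str, True), "age": (int, False)}
USER_RESPONSE = {"id": (int, True), "name": (str, True), "email": (str, True), "age": (int, False)}


def validate_against_contract(body, contract, allow_extra=False):
    """Return a list of problems; an empty list means the body matches the contract.
    Works for a request the client sends and for a response the server returns."""
    problems = []
    if not isinstance(body, dict):
        return ["body is not a JSON object"]
    for field, (ftype, required) in contract.items():
        if field not in body:
            if required:
                problems.append(f"missing required field: {field}")
            continue
        value = body[field]
        # bool is a subclass of int in Python; true/false must not pass as an integer
        type_ok = isinstance(value, ftype) and not (isinstance(value, bool) and ftype is not bool)
        if not type_ok:
            problems.append(f"wrong type for {field}: expected {ftype.__name__}, got {type(value).__name__}")
    if not allow_extra:
        problems.extend(f"unexpected field: {field}" for field in body if field not in contract)
    return problems


_next_id = [1]  # constructed id counter for the stand-in server


def create_user(body):
    """Server side of POST /api/users: validates the request, returns (status, response).
    Assumed policy: unexpected fields are a 400, never silently merged into the record."""
    problems = validate_against_contract(body, USER_CREATE_REQUEST)
    if problems:
        return 400, {"errors": problems}
    user = {"id": _next_id[0], **body}
    _next_id[0] += 1
    return 201, user


def run_contract_tests():
    """The page's checklist, returned as {check: result} for assertion."""
    results = {}
    status, resp = create_user({"name": "Alice", "email": "alice@example.com"})
    results["valid_request"] = status
    # consumer-side check: does the response carry every required field with the right type?
    results["response_matches_contract"] = validate_against_contract(resp, USER_RESPONSE) == []
    results["missing_required"] = create_user({"name": "Bob"})[0]
    results["extra_field"] = create_user({"name": "Bob", "email": "b@example.com", "role": "admin"})[0]
    results["wrong_type"] = create_user({"name": "Bob", "email": 42})[0]
    return results


if __name__ == "__main__":
    print(run_contract_tests())
```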

2. Security Testing

Endpoint: DELETE /api/users/{id}

Security Tests:

✓ Without auth token →

401 Unauthorized

✓ With regular user token →

403 Forbidden (can't delete others)

✓ With admin token →

200 OK (allowed)

✓ SQL injection attempt:

DELETE /api/users/1' OR '1'='1 → Blocked

✓ XSS attempt:

POST /api/users {name: "<script>alert('xss')</script>"} → Sanitized

✓ Rate limiting: 1000 requests in 1 second →

429 Too Many Requests
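Three of the security checks listed above, written as runnable tests against a stand-in DELETE /api/users/{id}. This is an added example, not the course's code; the token table, the in-memory sqlite database and the rate-limit window are all constructed. It covers the 401/403/200 authorization matrix, shows why the injection string on the page is harmless when the id is bound as a query parameter rather than spliced into SQL text, and returns 429 once a client exceeds its quota.

```python
"""Security tests for DELETE /api/users/{id} (constructed example, not the course's code)."""
import sqlite3
import time
from collections import deque

# Constructed token -> (user_id, role) table; a real service would verify a signed token instead.
TOKENS = {"user-token": (7, "user"), "admin-token": (1, "admin")}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "root"), (7, "alice"), (8, "bob")])
    conn.commit()
    return conn


def delete_user(conn, auth_header, raw_id):
    """Returns the HTTP status: 401 no/unknown token, 400 non-numeric id,
    403 non-admin deleting someone else, 404 unknown id, 200 on success."""
    token = auth_header[len("Bearer "):] if auth_header and auth_header.startswith("Bearer ") else None
    caller = TOKENS.get(token)
    if caller is None:
        return 401
    caller_id, role = caller
    if not raw_id.isdigit():  # reject malformed ids before touching the database
        return 400
    target_id = int(raw_id)
    if role != "admin" and target_id != caller_id:
        return 403
    cur = conn.execute("DELETE FROM users WHERE id = ?", (target_id,))  # id bound as a parameter
    conn.commit()
    return 200 if cur.rowcount == 1 else 404


def find_user(conn, raw_id):
    """Lookup with the raw string bound as a parameter: the whole string is compared
    as a value, never interpreted as SQL, so an injection string matches no row."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (raw_id,)).fetchone()


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per client."""

    def __init__(self, limit, window=1.0):
        self.limit, self.window = limit, window
        self.hits = {}

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits.setdefault(client, deque())
        while q and now - q[0] >= self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def run_security_tests():
    """The page's checklist as {check: result}; the caller asserts on the dict."""
    conn = make_db()
    results = {}
    results["no_token"] = delete_user(conn, None, "8")
    results["user_deletes_other"] = delete_user(conn, "Bearer user-token", "8")
    results["admin_deletes"] = delete_user(conn, "Bearer admin-token", "8")
    results["injection_string"] = delete_user(conn, "Bearer admin-token", "1' OR '1'='1")
    results["rows_after_injection"] = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    results["bound_lookup_plain_id"] = find_user(conn, "7") is not None
    results["bound_lookup_injection"] = find_user(conn, "1' OR '1'='1") is None
    results["user_deletes_self"] = delete_user(conn, "Bearer user-token", "7")
    limiter = RateLimiter(limit=5, window=1.0)  # small quota so the test stays fast
    statuses = [200 if limiter.allow("client-a", now=100.0 + i * 0.01) else 429 for i in range(6)]
    results["sixth_request_in_window"] = statuses[-1]
    results["after_window_passes"] = 200 if limiter.allow("client-a", now=101.5) else 429
    return results


if __name__ == "__main__":
    print(run_security_tests())
```

The limiter takes an explicit `now` so the window can be advanced deterministically in a test; production code would leave it at `time.monotonic()`. The row count after the injection attempt is the assertion that matters: "Blocked" should mean the database is unchanged, not merely that an error was returned.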

3. Performance Testing

Endpoint: GET /api/products

Performance Requirements:

  • Response time < 200ms (95th percentile)

  • Can handle 1000 requests/second

  • Response size < 100KB

Tests:

✓ Single request: 150ms ✅

✓ 100 concurrent requests: Average 180ms ✅

✓ 1000 req/sec sustained: Average 195ms ✅

✓ Response compression enabled: 45KB ✅
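Checking a run against the three requirements above, as an added example that is not the course's code. The latency sample is constructed to show the gap between the page's "Average 195ms" results and the requirement, which is stated as a 95th percentile: a handful of slow tail requests can leave the average under 200 ms while the p95 is far above it. The product payload is also constructed, to show the raw and gzip-compressed sizes side by side.

```python
"""Evaluating performance requirements for GET /api/products (constructed example)."""
import gzip
import json
import math


def nearest_rank_percentile(samples, pct):
    """Nearest-rank percentile: the value at position ceil(pct/100 * n) of the sorted sample."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def evaluate_run(latencies_ms, requests, wall_seconds, body, p95_limit_ms=200, min_rps=1000, max_body=100_000):
    """Compare one load-test run against the page's three requirements; returns a report dict."""
    raw = json.dumps(body).encode()
    compressed = gzip.compress(raw)
    p95 = nearest_rank_percentile(latencies_ms, 95)
    rps = requests / wall_seconds
    return {
        "avg_ms": sum(latencies_ms) / len(latencies_ms),
        "p95_ms": p95,
        "p95_ok": p95 < p95_limit_ms,
        "throughput_rps": rps,
        "throughput_ok": rps >= min_rps,
        "raw_bytes": len(raw),
        "raw_ok": len(raw) < max_body,
        "compressed_bytes": len(compressed),
        "compressed_ok": len(compressed) < max_body,
    }


def run_performance_check():
    """Constructed run: 94 fast requests and 6 slow ones, 100k requests in 95 s, a 500-item list."""
    latencies = [150] * 94 + [900] * 6  # average 195 ms, but the p95 is 900 ms
    products = [
        {"id": i, "name": f"Product {i}", "price": 9.99 + i,
         "description": "Durable, reliable and backed by a two-year warranty. " * 4}
        for i in range(500)
    ]
    return evaluate_run(latencies, requests=100_000, wall_seconds=95.0, body=products)


if __name__ == "__main__":
    for key, value in run_performance_check().items():
        print(f"{key}: {value}")
```

The report deliberately carries both the average and the p95: a test that only records the average will pass a run that violates the stated requirement.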

API Testing Tools:

Popular Tools:

  1. Postman

    • GUI interface

    • Collection runner

    • Environment variables

    • Automated testing

  2. curl (Command line)

  3. REST Assured (Java)

  4. Pytest + Requests (Python)

Key characteristics:

  • 🔌 Interface focused: Test the API layer specifically
  • 📊 Multiple scenarios: Happy path, errors, edge cases
  • 🔒 Security crucial: Authentication, authorization, injection
  • Performance matters: Response time, throughput

Key Takeaways

  1. API tests validate request/response contracts — ensuring endpoints return correct status codes, headers, and body formats
  2. Test all HTTP methods and status codes for each endpoint — GET, POST, PUT, DELETE with 200, 400, 401, 404, 500 scenarios
  3. Use tools like Postman, REST Client, or pytest for API testing — automate them in CI to catch regressions
  4. Contract testing ensures API changes don't break consumers — tools like Pact verify both producer and consumer expectations