Testing an API

So you’re a tester right? So you can test this API for me? What? What on earth is n API?

Sounds familiar? Then read on for your quick start guide to testing an API.

An API is an Application Programming Interface used by developers to power apps, websites, widgets and other cool things. An API basically allows you to make requests for data and in return a website provides a response, usually in JSON format but XML is also common.

Before you get started the first and probably most important thing to know is that an API does NOT have a presentation layer, it will not look pretty, it will not have cute colours, and depending on which browser you are using it might look downright scary (thanks IE!). Never ever raise a bug about an API looking unstyled, well not unless you want to get laughed all the way into next week.

So how are you going to test this thing? Well the great thing about an API is it is intended to be used by someone who isn’t familiar with the internal workings of your website so they should have documentation and it should be easy to understand. Basically you use a URL and the available parameters to make up a request which you fire off in your browser address bar.

Your request will look something like the following. Be aware that API requests make of use of parameters in the URL, the first one will use a ? and all subsequent ones will use an &:

API request with one parameter:


API request with multiple parameters:



In return your browser will display something like:

{ "resultsPage": {
    "status": "ok",
    "page": 1,
    "totalEntries": 2,
    "perPage": 50,
    "results": {
        "event": [EVENT, EVENT]
} }

So if you’re not testing how it looks then what are you testing? Probably the first thing to focus on is that the data being returned is actually correct, check that all the fields are filled in correctly and check that the data is accurate (you will probably be able to check this against the corresponding website). Domain knowledge will be key to finding bugs at this stage.

Next you’ll want to check that all the required requests are available, you should have some API documents to help you with this.  Read through them, check the examples work and then make sure everything they say can be done actually can be done.

Now we’re at the destructive stage. An API basically gives someone access to data from a website, therefore they are almost always restricted by an API key which allows the API owner to have control over who accesses the data and how frequently. Test that you can’t access anything without a valid key, make sure only the requests documented are actually available and if there is any way to post data back to the API make sure you give it a very thorough bashing.

Finally you should check for error handling. Just as a website has the ability to return a 404 page or maybe a 500 error when something goes wrong an API should be returning the correct error code for unavailable servers, invalid requests, empty data sets etc.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s