Hire QA – Specialized in QA Recruitment, Technical Interviews and Testing Solutions

API stands for Application Programming Interface. It is a software interface that enables two applications to communicate and exchange data with each other. It is a set of functions that can be executed by another software program.

Let us now understand how an API works. When you use an application on your smartphone, the application connects to the Internet. It sends data to a server. The server will retrieve that data, interpret it, and perform the required actions. Then it sends it back to your phone. The application interprets that data and provides you with the information in a readable way without exposing the internal details.

API testing is a part of integration testing that checks whether the API meets expectations in terms of functionality, reliability, performance, and security. Common types of API testing are:

  • Unit testing: tests the functionality of an individual operation
  • Functional testing: tests broader scenarios by combining a block of unit test results tested together
  • Load testing: tests functionality and performance under load
  • Runtime/Error Detection: monitors an application to identify problems such as exceptions and resource leaks
  • Security testing: ensures that the implementation of the API is secure against external threats
  • UI testing: performed as part of end-to-end integration tests to make sure every aspect of the user interface functions as expected
  • Interoperability and WS Compliance testing: applies to SOAP APIs. Interoperability between SOAP APIs is checked by ensuring conformance to the Web Services Interoperability profiles. WS-* compliance is tested to ensure that standards such as WS-Addressing, WS-Discovery, WS-Federation, WS-Policy, WS-Security, and WS-Trust are properly implemented and used
  • Penetration testing: finds the vulnerabilities of an application from an attacker's perspective
  • Fuzz testing: feeds forcibly generated input into the API in an attempt to force a crash

API protocols facilitate a standardized exchange of information. They provide a collection of defined rules that specifies the accepted data types and commands. Below are some of the common protocols used in API testing:

  • HTTP
  • JSON-RPC
  • REST
  • SOAP
  • JMS
  • UDDI
  • XML-RPC

Some of the popular API testing tools for 2022 are:

  • SoapUI
  • PostMan
  • Karate DSL
  • Rest Assured
  • Alertsite API monitoring
  • Apigee
  • Assertible

1. Test for Core Functionality

API testing allows accessing the application without the UI (User Interface). The core functionality of the application is tested before the GUI tests. This helps in identifying minor issues which can become bigger during GUI testing.

2. Time Effective

API testing does not need the GUI to be ready, so it can be performed earlier in the development cycle. API testing is less time-consuming than GUI testing and offers test results quickly, which significantly accelerates development workflows, speeds up the feedback loop, and identifies issues faster.

3. Reduced Cost

API testing requires less code and provides better and faster test coverage compared to GUI test automation. You can identify issues at an early stage, where they are easier and comparatively inexpensive to fix. This reduces the cost of the testing project.

4. Language-Independent

In API testing, data is exchanged using XML or JSON. These transfer modes are completely language-independent, which means you can select any core language when using automated testing services for the application.

5. Easy Integration with GUI

API testing allows highly integrable tests. This is useful if you plan to perform functional GUI tests after API testing. For example, simple integration will allow for the creation of new users within the application before the start of a GUI test.

SOAP stands for Simple Object Access Protocol. It is an XML-based protocol for exchanging information between computers and for communication over the Internet. SOAP is platform-independent and language-independent and can be used for broadcasting a message.

REST stands for Representational State Transfer. REST API is an API that conforms to the principles of the REST architectural style. It allows for interaction with RESTful web services. This is why REST APIs are sometimes referred to as RESTful APIs.

It is an architectural style that follows six constraints – Uniform Interface, Client-Server, Layered System, Stateless, Cacheable, Code on Demand.
REST is not restricted to XML. It permits different data formats such as Plain text, XML, HTML, and JSON.
It requires less bandwidth.

All Web services are APIs but not all APIs are Web services.
Web services might not contain all the specifications and cannot perform all the tasks that APIs would perform.
A Web service uses only three styles of use, SOAP, REST and XML-RPC, for communication, whereas an API may be exposed in multiple ways.
A Web service always needs a network to operate while APIs don’t need a network for operation.

Test for Core Functionality: API testing provides access to the application without a user interface. The core, code-level functionality of the application is tested and evaluated early, before the GUI tests. This helps detect minor issues which can become bigger during GUI testing.
Time Effective: API testing is usually less time-consuming than functional GUI testing. The web elements in GUI testing must be polled, which makes the testing process slower. In particular, API test automation requires less code, so it can provide better and faster test coverage compared to GUI test automation. This results in cost savings for the testing project.
Language-Independent: In API testing, data is exchanged using XML or JSON. These transfer modes are completely language-independent, allowing users to select any code language when adopting automation testing services for the project.
Easy Integration with GUI: API tests enable highly integrable tests, which is particularly useful if you want to perform functional GUI tests after API testing. For instance, simple integration would allow new user accounts to be created within the application before a GUI test started.

  • Accuracy of data
  • Schema validation
  • HTTP status codes
  • Data type, validations, order and completeness
  • Authorization checks
  • Implementation of response timeout
  • Error codes returned by the API, and
  • Non-functional testing like performance and security testing
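The checks in the list above (status code, schema, data types and completeness, value validation, authorization) written as one response validator. This is an added example, not code from the original page; the schema, the sample responses and every value in them are constructed for the demo.

```javascript
// Added example (not from the original page). A response validator covering the
// checks listed above: HTTP status code, content type, schema (required fields,
// data types, allowed values) and the authorization check. The schema, the
// response objects and all values are constructed for this demo.

const deviceSchema = {
  required: ['id', 'name', 'status'],
  types: { id: 'number', name: 'string', status: 'string' },
  allowed: { status: ['online', 'offline'] },
};

// Returns a list of problems; an empty list means the response passed every check.
function validateResponse(res, expectedStatus, schema) {
  const problems = [];
  if (res.status !== expectedStatus) {
    problems.push(`status: expected ${expectedStatus}, got ${res.status}`);
  }
  const contentType = (res.headers['content-type'] || '').toLowerCase();
  if (!contentType.startsWith('application/json')) {
    problems.push(`content-type: expected application/json, got "${contentType}"`);
  }
  let body = null;
  try {
    body = JSON.parse(res.body);
  } catch (e) {
    problems.push('body: not valid JSON');
  }
  if (body !== null && typeof body === 'object') {
    // Completeness and data type of every required field
    for (const field of schema.required) {
      if (!(field in body)) {
        problems.push(`schema: missing field "${field}"`);
        continue;
      }
      if (typeof body[field] !== schema.types[field]) {
        problems.push(`schema: "${field}" should be ${schema.types[field]}, got ${typeof body[field]}`);
      }
    }
    // Value validation against an allow-list
    for (const [field, values] of Object.entries(schema.allowed || {})) {
      if (field in body && !values.includes(body[field])) {
        problems.push(`schema: "${field}" has unexpected value "${body[field]}"`);
      }
    }
  }
  return problems;
}

// Authorization check: the same request sent without credentials must be refused,
// not answered with data.
function unauthenticatedRequestRefused(res) {
  return res.status === 401 || res.status === 403;
}

// Constructed sample responses
const goodResponse = {
  status: 200,
  headers: { 'content-type': 'application/json; charset=utf-8' },
  body: '{"id":7,"name":"sensor-7","status":"online"}',
};
const badResponse = {
  status: 200,
  headers: { 'content-type': 'text/html' },
  body: '{"id":"7","name":"sensor-7"}', // wrong type for id, status missing
};
const noCredentialsResponse = { status: 200, headers: { 'content-type': 'application/json' }, body: '{"id":7}' };

console.log(validateResponse(goodResponse, 200, deviceSchema)); // []
console.log(validateResponse(badResponse, 200, deviceSchema));  // three problems
console.log(unauthenticatedRequestRefused(noCredentialsResponse)); // false: data served without auth
```

In a real suite each request in the collection would run through `validateResponse` once with credentials and once without, so that a missing authorization check shows up as a failed test rather than going unnoticed.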

API testing is now preferred over GUI testing and is considered the most suitable because:

It verifies all the functional paths of the system under test very effectively.
It provides the most stable interface.
It is easier to maintain and provides fast feedback.

A Web service is a web application that can communicate with other web-based applications over a network.
Web service implementation allows two web applications developed in different languages to interact with each other using a standardized medium like XML, SOAP, HTTP etc.

As web services are based on open standards like XML and HTTP, they are operating-system independent.
Likewise, web services are programming-language independent: a Java application can consume a PHP web service.
Web services can be published over the internet to be consumed by other web applications.
The consumer of web service is loosely coupled with the web service, so the web service can update or change their underlying logic without affecting the consumer.

Client-Server – Client and server are separated by a uniform interface and are not concerned with each other’s internal logic
Stateless – Each client request is independent and contains all the necessary information required to get executed. No client data is saved at the server.
Cacheable – Client should have the ability to cache the responses
Layered System – A layered system has multiple layers, and each layer communicates only with the adjacent layer
Uniform Interface – A uniform interface design requires each component within the service to share a single and uniform architecture
Code on Demand – This constraint is optional. It allows the server to extend client-side functionality by transferring executable code, such as JavaScript, to the client.

REST architecture treats any content as a resource, which can be either text files, HTML pages, images, videos or dynamic business information.
A REST server gives access to resources and modifies them; each resource is identified by a URI / global ID.

REST uses different representations to define a resource like text, JSON, and XML. XML and JSON are the most popular representations of resources.

RESTful web services use the HTTP protocol as a medium of communication between the client and the server.

RESTful web services use the HTTP protocol as a communication tool between the client and the server. The exchange in which the client sends a message in the form of an HTTP request and the server sends back an HTTP response is called messaging. These messages comprise message data and metadata, that is, information about the message itself.

An HTTP request contains five key elements:

  • An action, i.e. an HTTP method such as GET, PUT, POST or DELETE.
  • Uniform Resource Identifier (URI), which identifies the resource on the server.
  • HTTP version, which indicates the HTTP version, for example HTTP/1.1.
  • Request header, which carries metadata (as key-value pairs) for the HTTP request message. Metadata could be the client (or browser) type, the formats supported by the client, the format of the message body, cache settings, and so on.
  • Request body, which indicates the message content or resource representation.

  • GET is only used to request data from a specified resource. GET requests can be cached and bookmarked, remain in the browser history, and have length restrictions. GET requests should never be used when dealing with sensitive data.
  • POST is used to send data to a server to create/update a resource. POST requests are never cached or bookmarked and do not remain in the browser history.
  • PUT replaces all current representations of the target resource with the request payload.
  • DELETE removes the specified resource.
  • OPTIONS is used to describe the communication options for the target resource.
  • HEAD asks for a response identical to that of a GET request, but without the response body.
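A parser for the five request elements described above, followed by a check that applies the GET caveat: any sensitive-looking query parameter on a GET request is reported, since GET URLs end up in browser history, proxy logs and server access logs. This is an added example, not code from the original page; the two sample requests, the host name api.example.test, the placeholder base URL used for parsing and the parameter name list are constructed.

```javascript
// Added example (not from the original page). Parses a raw HTTP/1.1 request into
// method, URI, version, headers and body, then flags sensitive-looking query
// parameters on GET requests. The requests, the host api.example.test and the
// parameter name list are constructed.

function parseHttpRequest(raw) {
  const [head, ...bodyParts] = raw.split('\r\n\r\n');
  const lines = head.split('\r\n');
  const [method, uri, version] = lines[0].split(' ');  // request line: action, URI, version
  const headers = {};
  for (const line of lines.slice(1)) {                   // header fields as key-value pairs
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, uri, version, headers, body: bodyParts.join('\r\n\r\n') };
}

// Parameter names that should never travel in a GET query string (constructed list)
const SENSITIVE_PARAMS = ['password', 'passwd', 'token', 'secret', 'api_key', 'apikey', 'ssn'];

function sensitiveQueryParams(req) {
  if (req.method !== 'GET') return [];
  // The URI in a request line is usually relative, so a placeholder base is needed to parse it
  const url = new URL(req.uri, 'http://placeholder.invalid');
  return [...url.searchParams.keys()].filter((k) => SENSITIVE_PARAMS.includes(k.toLowerCase()));
}

// Constructed sample requests
const sampleGet =
  'GET /device-management/devices?password=hunter2&grade=10 HTTP/1.1\r\n' +
  'Host: api.example.test\r\n' +
  'Accept: application/json\r\n' +
  '\r\n';
const samplePost =
  'POST /device-management/devices HTTP/1.1\r\n' +
  'Host: api.example.test\r\n' +
  'Content-Type: application/json\r\n' +
  'Content-Length: 17\r\n' +
  '\r\n' +
  '{"name":"sensor"}';

console.log(parseHttpRequest(samplePost));
console.log(sensitiveQueryParams(parseHttpRequest(sampleGet))); // [ 'password' ]
```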

The PUT and POST operations are quite similar, except for the result they generate.

A PUT operation is idempotent, so you can cache the response, while the responses to a POST operation are not cacheable: if you retry a POST request N times, you end up with N resources with N different URIs created on the server.

GET /device-management/devices : Get all devices
POST /device-management/devices : Create a new device

GET /device-management/devices/{id} : Get the device information identified by “id”
PUT /device-management/devices/{id} : Update the device information identified by “id”
DELETE /device-management/devices/{id} : Delete device by “id”
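A toy in-memory server for the device-management endpoints above that makes the PUT/POST difference observable: retrying a POST creates a new resource with a new URI each time, while retrying a PUT leaves exactly one resource at the URI the client named. This is an added example, not code from the original page; no network is involved, and the store and device bodies are constructed.

```javascript
// Added example (not from the original page). In-memory handlers for the
// /device-management/devices endpoints; the store and device bodies are constructed.

class DeviceStore {
  constructor() {
    this.devices = new Map();
    this.nextId = 1;
  }

  // POST /device-management/devices: the server picks the id, so each call creates a new resource
  post(body) {
    const id = this.nextId++;
    const device = { ...body, id };
    this.devices.set(id, device);
    return { status: 201, headers: { location: `/device-management/devices/${id}` }, body: device };
  }

  // PUT /device-management/devices/{id}: the client names the URI and the representation
  // is replaced, so repeating the request changes nothing after the first time
  put(id, body) {
    const existed = this.devices.has(id);
    const device = { ...body, id };
    this.devices.set(id, device);
    return { status: existed ? 200 : 201, headers: {}, body: device };
  }

  // GET /device-management/devices/{id}
  get(id) {
    const device = this.devices.get(id);
    return device ? { status: 200, headers: {}, body: device } : { status: 404, headers: {}, body: null };
  }

  // DELETE /device-management/devices/{id}
  delete(id) {
    return this.devices.delete(id) ? { status: 204, headers: {}, body: null } : { status: 404, headers: {}, body: null };
  }

  count() {
    return this.devices.size;
  }
}

// Send the same request n times (what a client retrying on a timeout does)
// and report how many resources exist afterwards.
function retry(store, request, n) {
  let last;
  for (let i = 0; i < n; i++) last = request(store);
  return { resources: store.count(), last };
}

const postStore = new DeviceStore();
console.log(retry(postStore, (s) => s.post({ name: 'sensor' }), 3).resources); // 3
const putStore = new DeviceStore();
console.log(retry(putStore, (s) => s.put(42, { name: 'sensor' }), 3).resources); // 1
```

This is the reason a client that retries on a lost response should prefer PUT (or send an idempotency key with POST): the retry is safe only when the server cannot tell it apart from the first attempt in any way that matters.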

The OPTIONS method lists all the operations a web service supports. It creates read-only requests to the server.

URI stands for Uniform Resource Identifier. It is a string of characters designed for unambiguous identification of resources and extensibility via the URI scheme.

The purpose of a URI is to locate a resource (or resources) on the server hosting the web service.

A URI’s format is <protocol>://<service-name>/<resource-type>/<resource-id>.

The “payload” is the data you are interested in transporting. This is differentiated from the things that wrap the data for transport like the HTTP/S Request/Response headers, authentication, etc.

GET appends data to the service URL, so its size shouldn’t exceed the maximum URL length. POST, however, doesn’t have any such limit.

So, theoretically, a user can pass unlimited data as the payload of a POST method. In a real use case, however, sending a POST with a large payload consumes more bandwidth, takes more time, and presents performance challenges for your server. Hence, a user should take this into account.

Caching is simply the practice of temporarily storing data in, and retrieving it from, a high-performance store (usually memory), either explicitly or implicitly.

When a caching mechanism is in place, it helps improve delivery speed by storing a copy of the asset you requested and later accessing the cached copy instead of the original.

Use the SOAP API to create, retrieve, update or delete records, like accounts, leads, and user-defined objects. With more than 20 different calls, you can also use the SOAP API to manage passwords, perform searches, etc. by using the SOAP API in any language that supports web services.

When using SOAP, users often see the firewall security mechanism as the biggest obstacle. Firewalls block all ports except a few, such as HTTP port 80, and because SOAP uses the HTTP port it bypasses the firewall. The technical complaint against SOAP is that it mixes the specification for message transport with the specification for message structure.

A SOAP message is an ordinary XML document containing the following elements:

Envelope: It is the mandatory root element that identifies the XML document as a SOAP message and defines the beginning and end of the message.

Header: It is an optional item which contains information about the message being sent.

Body: It contains the XML data comprising the message being sent.

Fault: It provides information on errors that occurred during message processing.

  • SOAP is both platform and language independent.
  • SOAP separates the encoding and communications protocol from the runtime environment.
  • A web service can send or receive SOAP data to or from a remote service, and the platform on each side is completely independent of the other.
  • Everything can generate XML, from Perl scripts through C++ code to J2EE app servers.
  • It uses XML to send and receive messages.
  • It uses standard internet HTTP protocol.
  • SOAP runs over HTTP; it eliminates firewall problems. When protocol HTTP is used as the protocol binding, an RPC call will be automatically assigned to an HTTP request, and the RPC response will be assigned to an HTTP reply.
  • Compared to RMI, CORBA and DCOM, SOAP is very easy to use.
  • SOAP acts as a protocol to move information in a distributed and decentralized environment.
  • SOAP is independent of the transport protocol and can be used to coordinate different protocols.
  • SOAP is typically significantly slower than other types of middleware standards, including CORBA, because SOAP uses a detailed XML format. A complete understanding of the performance limitations before building applications around SOAP is hence required.
  • SOAP is usually limited to polling and not to event notifications when HTTP is used for the transport. In addition, only one client can use the services of one server in typical situations.
  • If HTTP is used as the transport protocol, firewall latency usually occurs since the firewall analyzes the HTTP transport. This is because HTTP is also leveraged for Web browsing, and so many firewalls do not understand the difference between using HTTP within a web browser and using HTTP within SOAP.
  • SOAP has different support levels, depending on the supported programming language. For instance, SOAP supported in Python and PHP is not as powerful as it is in Java and .NET

Postman is a free HTTP client-based software application and a collaboration platform for API development. It is mainly used to perform API testing. It is a very popular API client which facilitates developers and provides a platform to design, build, share, test, and document APIs. Postman supports testing of HTTP requests by utilizing GUI (Graphical User Interface), which later we can execute and validate the responses.

The Postman tool also facilitates us to send HTTP/s requests to a service and get their responses. We can ensure that the service is up and running by using this.

  • It is free: Postman is free software that we can use for API testing. It is free to download and use for teams of any size.
  • It is easy to use: Postman is an easy-to-use software tool. We can send HTTP requests of various types (such as GET, POST, PUT, PATCH, etc.). We have to download it, and we can send our first request in minutes. It also gives us the ability to save environments for future use.
  • Community & Support: It has a huge community forum for customer support and extensive documentation.
  • It is extensible: Postman lets us customize it according to our needs with the Postman API.
  • APIs Support: It facilitates us to make any API call (REST, SOAP, or plain HTTP) and easily inspect even the largest responses. It also helps manage the end-to-end lifecycle of the API – starting from design to mocking to testing and finally maintaining the APIs.
  • Runtime Services: Postman provides Runtime Services that help us manage API collections, environments, work-spaces, and different examples.
  • Integration: Postman facilitates us to easily integrate test suites into our preferred CI/CD tools and services, such as Jenkins with Newman (command-line collection runner).
  • API Key
  • Oauth 1.0
  • Oauth 2.0
  • Bearer Token
  • Basic auth
  • Digest auth
  • Hawk Authentication
  • AWS Signature
  • NTLM Authentication

In Postman, a collection is used to group similar requests. It systematically arranges the requests into folders.

  • Status/Response Code – These are response codes issued by a server to a client’s request. For example, 404 means Page Not Found, and 200 means Response is OK.
  • HTTP Version – describes the HTTP version, for example HTTP/1.1.
  • Response Header – Includes information for the HTTP response message. For example, Content-type, Content-length, date, status and server type.
  • Response Body – It contains the data that was requested by a client to server.
  • GET
  • POST
  • PUT
  • PATCH
  • COPY
  • DELETE
  • HEAD
  • OPTIONS
  • LINK
  • UNLINK
  • PURGE
  • LOCK
  • UNLOCK
  • PROPFIND
  • VIEW

HTTP methods: It is a set of request methods used to perform needed action for a given resource (GET, PUT, POST, and DELETE).
Uniform Resource Identifier (URI): It is a kind of address that describes the resource.
HTTP Version: It specifies the version of HTTP. For example HTTP/1.1
Request Headers: They specify the content type and content length of the request. For example: Content-Type: application/json, Content-Length: 511
Payload: It is used to specify the Request Body that includes message content.

Postman accepts authorization credentials in Base64 encoding only. This is built into Postman; otherwise you can use a third-party website to convert the credentials to Base64. Base64-encoded authorization credentials are generally used because they turn the data into a textual form that is easier to send, like HTML form data.

In Postman, the term environment is a set of key-value pairs. You can create multiple environments in Postman and switch among them quickly by pressing a button. There are 2 types of environment, global and local.

In Postman, if two variables have the same name (one local, the other global), the local variable has the higher priority and overrides the global variable.

We can log the variable values in the console by using the following command:

console.log(pm.variables.get("variable_name"));

The Postman monitor is used for running collections. Collections run till the specified time defined by the users. It requires the users to be logged in, and the users share the Monitor reports over an email on a daily or monthly basis.

A workspace is a collaborative environment for users to develop and test APIs. In the same way, a team workspace is a workspace that is shared by the whole team working on the same collections of requests. Usually, it is time-consuming and hard to share the collections through external drives or other sharing; the team workspace synchronizes and collaborates all the team’s work in one place.

Query Params or Query Parameters are used for sorting or filtering the resources. On the other hand, Path Variables are used for identifying specific resources.
Path params are part of the URL, whereas query parameters are added after the ? symbol and separated from other query parameters by the & symbol.

PathParam example
GET http://base-url/students/{roll-number}

QueryParam example
GET http://base-url/students?grade=10
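The two examples above as a route matcher: the path variable identifies the resource, everything after "?" (split on "&") is a query parameter for filtering, and since both arrive from the client, each value is validated against an allow-list before use. This is an added example, not code from the original page; the base-url host, the route template and the validation rules are constructed.

```javascript
// Added example (not from the original page). Matches a request URL against a
// route template such as /students/{roll-number}, separates path variables from
// query parameters, and validates both. The host, templates and rules are constructed.

function matchRoute(template, requestUrl) {
  const url = new URL(requestUrl);
  const tParts = template.split('/').filter(Boolean);
  const pParts = url.pathname.split('/').filter(Boolean);
  if (tParts.length !== pParts.length) return null;  // different shape: not this route

  const pathParams = {};
  for (let i = 0; i < tParts.length; i++) {
    const placeholder = /^\{(.+)\}$/.exec(tParts[i]);
    if (placeholder) {
      try {
        pathParams[placeholder[1]] = decodeURIComponent(pParts[i]);
      } catch (e) {
        return null;  // malformed percent-encoding: reject rather than guess
      }
    } else if (tParts[i] !== pParts[i]) {
      return null;  // literal segment does not match
    }
  }
  const queryParams = {};
  for (const [key, value] of url.searchParams) queryParams[key] = value;
  return { pathParams, queryParams };
}

// Validation rules per parameter (constructed): accept only what the API defines
const RULES = {
  'roll-number': (v) => /^\d{1,8}$/.test(v),
  grade: (v) => /^(1[0-2]|[1-9])$/.test(v),
};

// Returns a list of errors; unknown parameters are errors too, so nothing
// unexpected reaches the handler
function validateParams(match) {
  const errors = [];
  for (const [name, value] of Object.entries({ ...match.pathParams, ...match.queryParams })) {
    const rule = RULES[name];
    if (!rule) errors.push(`unknown parameter "${name}"`);
    else if (!rule(value)) errors.push(`invalid value for "${name}"`);
  }
  return errors;
}

console.log(matchRoute('/students/{roll-number}', 'http://base-url/students/42?grade=10'));
// { pathParams: { 'roll-number': '42' }, queryParams: { grade: '10' } }
```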

The Postman Collection runner is used to perform Data-driven testing. It runs a group of API requests for multiple iterations with different data sets.

In Postman, Basic Auth is an authorization technique provided for HTTP user agents like web browsers to enter username and password. After entering the username and password, it gets associated with the request.

Yes, we can import local variables in Postman Monitors, but it is not allowed to import global variables in Postman Monitors.

  • Postman cannot process 1000+ API requests.
  • In the case of huge projects, it isn’t easy to manage the collections and requests.
  • Postman is not suitable for managing the workspace in the form of code. This is because there would be a lot of code duplication for dynamic API requests.

In POST methods, the binary form is designed to send data in a format that cannot be entered manually. It is mainly used when sending large files like images, CSV files, etc., in the POST request. The binary representation is one of the easiest ways to send complex data with the request.

The Postman cloud is a common repository of companies to access Postman collections. That is why we use it when we are working in a company. We can save the work instantly in the Postman cloud after logging in. It facilitates the team members to access data/collections from anywhere.

Digest auth, or digest authorization, is one of the authorization techniques provided by Postman. The client first sends the request to the API and gets a response from the server including a nonce (a number that can be used only once), a realm value, and a 401 Unauthorized status. The client then sends back an encrypted data array containing the username and password together with the data received from the server earlier. The server uses this data to generate an encrypted data string and compares it with what was sent, in order to authenticate the request.

The status code 201 means created when you have successfully created a resource using POST or PUT request. It returns a link to a newly created resource using the location header.

The status code 304 means NOT MODIFIED. It is used to minimize network bandwidth usage in conditional GET requests. The response body should be empty; the headers should include Date, Location, etc.

In Postman, the 301 status code is used to specify that the page has been permanently redirected from one website page to another. It tells the search engine that the old page is outdated, and the search engine has to index the new page URL.

Global Variables: Global variables allow data access between different collections, requests, and scripts. They are available throughout the workspace.
Local Variables: Local variables are the temporary variables that can be accessed only within the scope of requests scripts. Depending on the requirements, these variables are either scoped to a single request or single collection. These variables are not available once the script execution is completed.
Environment Variables: The Environment variables allow us to tailor the requests about different development environments such as local testing, stage testing, or prod testing.
Collection Variables: The Collection variables are independent of the environment and scoped to be available for all the requests present within the collection.
Data Variables: The Data variables come from external JSON or CSV files and define the datasets required to run the collection in Collection Runner or Newman

We can use the different forms of data content types as defined by the W3C committee. They’ve defined multiple formats for sending the data over the Network Layer. These include form-data, x-www-form-urlencoded, and raw data. By default, we can send data in simple text/ASCII format by using the x-www-form-urlencoded format.

However, using the x-www-form-urlencoded data type has a data limit. As such, we can use form-data for sending large binary or non-ASCII text to the server.

The raw data type sends any plain text or JSON to the server, as the name suggests. It supports multiple content types, and Postman will send the raw data without any modifications, unlike with the other data types.

We can use the raw data type to send any type of data in the request body. This also includes sending JavaScript functions that could be executed on the server side. We can send the scripts under the JavaScript option. The raw data type also supports markup languages, such as HTML and XML. This can be helpful when there’s no logic at the front end and we need to consume the whole HTML/XML page.

Yes, it is possible to reuse the authentication token for multiple requests. We can achieve it by creating a collection and adding all the requests having the same authentication token to that collection and then assigning the auth token to the same collection. We can apply it to the individual requests by selecting the “Inherit auth from parent” option in the Authorization tab.

The pre-request scripts at the collection level are executed first in a collection run.

We can access a Postman variable by entering the variable name as {{var}}.
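A resolver for {{var}} references that reproduces the scope rule stated earlier (a local variable overrides a global one with the same name), using the full precedence Postman documents: local, then data, environment, collection and global. Unresolved names are reported instead of being sent as a literal "{{name}}". This is an added example, not code from the original page; the variable names and values are constructed.

```javascript
// Added example (not from the original page). Variable lookup with scope
// precedence and {{var}} template substitution; names and values are constructed.

const SCOPE_ORDER = ['local', 'data', 'environment', 'collection', 'global']; // highest precedence first

class VariableScopes {
  constructor() {
    this.scopes = new Map(SCOPE_ORDER.map((scope) => [scope, new Map()]));
  }
  set(scope, name, value) {
    if (!this.scopes.has(scope)) throw new Error(`unknown scope "${scope}"`);
    this.scopes.get(scope).set(name, value);
  }
  // The first scope in precedence order that defines the name wins
  get(name) {
    for (const scope of SCOPE_ORDER) {
      const vars = this.scopes.get(scope);
      if (vars.has(name)) return vars.get(name);
    }
    return undefined;
  }
  // Which scope a lookup currently resolves to (useful when debugging an overwrite)
  resolvedFrom(name) {
    return SCOPE_ORDER.find((scope) => this.scopes.get(scope).has(name)) || null;
  }
  // Replace every {{name}} in a template and collect the names that resolve to nothing
  resolve(template) {
    const unresolved = [];
    const text = template.replace(/\{\{([^{}]+)\}\}/g, (match, rawName) => {
      const name = rawName.trim();
      const value = this.get(name);
      if (value === undefined) {
        unresolved.push(name);
        return match;
      }
      return String(value);
    });
    return { text, unresolved };
  }
}

const vars = new VariableScopes();
vars.set('global', 'base_url', 'https://global.example.test');
vars.set('environment', 'base_url', 'https://staging.example.test');
vars.set('local', 'base_url', 'https://local.example.test');
console.log(vars.get('base_url'));          // https://local.example.test
console.log(vars.resolvedFrom('base_url')); // local
console.log(vars.resolve('{{base_url}}/students?grade={{grade}}'));
// { text: 'https://local.example.test/students?grade={{grade}}', unresolved: [ 'grade' ] }
```

Refusing to send a request with unresolved variables is worth keeping in a test suite: a request silently sent to a literal "{{base_url}}" is a common source of confusing failures, and in the case of a secret it can leak the placeholder name to the wrong host.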

We can use the Newman tool to run Postman collections in Jenkins.

200 (OK): Status code 200 specifies that the request was correct.
201 (Created): Status code 201 specifies that the value wrapped with the request has been created in the database. Here, it is obvious that the request was correct.
204 (No Content): Status code 204 specifies that the request was correct and received, but there is no content to send. It means there is no response to send to the client by the server.
400 (Bad Request): Status code 400 specifies a bad request. A bad request means that the syntax of the request was incorrect. It appears when we have sent the wrong parameters along with the request URL or in the request’s body.
401 (Unauthorized request): Status code 401 specifies an unauthorized request. An unauthorized request is a request for which you are not authorized. This status code appears when we are not authorized to access the server or enter the wrong credentials.
404 (Not Found): Status code 404 specifies that the server was connected, but it could not find what was requested. It simply means “request not found”. This status code normally appears when we request a web page not available on the server.

Postman provides a space known as Scratch Pad. The Scratch Pad facilitates us to work without being connected to Postman servers and also provides the flexibility to utilize some of the features of Postman offline. These features include collection creation, creating requests, and the ability to send requests. The Scratch Pad is stored locally, and once you log in, the work is saved into the workspace.

We can iterate a request 100 times in Postman using Collection Runner.

Some examples of the JS libraries available in Postman are Lodash, Moment, GUID, etc.

GUID is an acronym that stands for Global Unique Identifier. It is a set of hexadecimal digits separated by hyphens and solves the purpose of uniqueness.

In Postman, it is used to generate and send a random value to APIs.

Example:

{
"id": "{{$guid}}"
}

const customerId = Math.floor((Math.random() * 100 + 1));
pm.globals.set("customerId", customerId);

The finally block is used with try-catch to hold code that should always be executed, even if an exception is thrown by the try-catch block. The finally block is mostly used to release resources created in the try block.
finalize() is a special method in the Object class that we can override in our classes. This method gets called by the garbage collector when the object is being garbage collected. It is usually overridden to release system resources when the object is garbage collected.