NumpyNinja Blogs

API Testing Fundamentals


Application Programming Interface (API)

A set of rules and protocols used for communication between different software components.



Web API: Used by two software applications to communicate with each other over the internet.

General API: Used by two software applications to communicate within the same system or network. No internet connection is needed; these APIs can work offline.


Different types of API:

Open API (Public API): An API available to everyone, allowing anyone to use it for application development.

Example: OpenWeather API

Partner API: Requires a special agreement or contract to access and use.

Example: Payment Gateway API

Internal API (Private API): Designed for internal use within an organization, not exposed externally.

Example: Payroll API

Composite API: Combines multiple APIs into a single call to simplify requests.

Example: Social Media API


What is API testing?

Testing the functionality, reliability, stability, performance, and security of Application Programming Interfaces (APIs).


Why do we need API testing?

API testing can be done before the UI is built, which enables early detection of errors or bugs. It allows checking whether the API returns the correct response without involving the UI. API testing also verifies authentication, authorization, and consistent behavior under different conditions.


API Flow:

  1. Request: A user sends a request to the server.

  2. Processing: The server receives and processes the request.

  3. Response: The server prepares and generates the requested data.

  4. Delivery: The API forwards the server's response to the user or customer.


In API testing, requests are typically sent over HTTP/HTTPS using methods such as GET, POST, PUT, and DELETE to communicate with the server.


HTTP Methods

GET: Read data. Fetches data from the server.

POST: Create data. Sends new data to the server to create a new resource.

PUT: Update data. Replaces the entire resource; if it doesn't exist, it may create it.

PATCH: Update (partial) data. Updates only specific fields of a resource.

DELETE: Delete data. Removes a resource from the server.


If we send only some fields in a PUT request, the missing fields might be overwritten or deleted, because PUT replaces the entire resource. PATCH is safer for partial updates; it only modifies the specified fields and leaves the rest intact.


If we send a PUT request to a non-existent resource, the outcome depends on the API’s implementation. Some APIs treat PUT as an upsert operation (create if not exists, update if exists), while others may return a 404 error, indicating that the resource must already exist before it can be updated.


Key Elements to Validate in an API Response

  • Status Code: A three-digit number returned by the server in response to a client request, where each code is associated with a specific meaning.

  • Response Body: Verify that the response body contains the expected output in the correct format.

  • Response Time: Check whether the response time meets the expected performance criteria.

  • Headers: Information sent by the API (such as Content-Type, authentication details, etc.); these need to be validated.

  • Performance: Ensure the API can handle the expected load and respond efficiently under different conditions.

  • Error Messages: Verify that clear and correct error messages are displayed when invalid or incorrect data is entered.

  • Security: Ensure proper authentication, authorization, and data protection mechanisms are in place.
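As an added example (not code from the original post), here is a tiny in-memory "users" API built with Python's standard library that implements PUT as a full replacement with upsert and PATCH as a partial update, together with a client helper that collects the response elements listed above (status code, headers, body, response time). The /users path, the field names and the sample user are assumptions made for the example.

```python
import json, threading, time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen
from urllib.error import HTTPError
SEED = {"1": {"name": "Ada", "email": "ada@example.test", "role": "admin"}}  # constructed sample data
STORE = {}

class Handler(BaseHTTPRequestHandler):
    def _send(self, code, body):          # JSON response carrying the headers a tester checks
        payload = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)
    def _body(self):                      # parse the JSON request body
        return json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
    def do_PUT(self):                     # full replacement with upsert: omitted fields are lost
        uid = self.path.rsplit("/", 1)[-1]
        created = uid not in STORE
        STORE[uid] = self._body()
        self._send(201 if created else 200, STORE[uid])
    def do_PATCH(self):                   # partial update: only the supplied fields change
        uid = self.path.rsplit("/", 1)[-1]
        if uid not in STORE:
            return self._send(404, {"error": "not found"})
        STORE[uid].update(self._body())
        self._send(200, STORE[uid])
    def log_message(self, *args): pass    # keep the test server quiet
def call(base, method, path, body):   # returns (status code, headers, parsed body, seconds elapsed)
    req = Request(base + path, data=json.dumps(body).encode(), method=method, headers={"Content-Type": "application/json"})
    t0 = time.perf_counter()
    try:
        with urlopen(req) as r:
            status, hdrs, raw = r.status, dict(r.headers), r.read()
    except HTTPError as e:            # urllib raises on 4xx/5xx; the error object is the response
        status, hdrs, raw = e.code, dict(e.headers), e.read()
    return status, hdrs, json.loads(raw), time.perf_counter() - t0

def demo():
    STORE.clear(); STORE.update(json.loads(json.dumps(SEED)))   # fresh deep copy each run
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    patch = call(base, "PATCH", "/users/1", {"email": "ada@new.test"})  # name and role survive
    put = call(base, "PUT", "/users/1", {"email": "ada@put.test"})      # name and role are gone
    upsert = call(base, "PUT", "/users/2", {"name": "Bob"})             # 201 Created via PUT upsert
    missing = call(base, "PATCH", "/users/9", {"name": "Eve"})          # 404: PATCH does not create
    srv.shutdown(); srv.server_close()
    return patch, put, upsert, missing
```

Running demo() shows the PUT on /users/1 silently dropping name and role, which is exactly the risk the PUT/PATCH paragraph warns about; a real test would assert on each of the four returned elements.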


HTTP status codes

Let's look at HTTP status codes in more detail.

1xx – Informational

A request was received and the process is continuing.

100 Continue → Continue with the request.

2xx – Success

The request was successful.

200 OK → Request successful.

201 Created → Resource successfully created.

202 Accepted → Request accepted, processing not completed yet.

204 No Content → Request successful, no response body.

3xx – Redirection

Clients need to take further action to complete the request.

301 Moved Permanently → Resource moved to a new URL.

302 Found → Temporary redirect.

4xx – Client Errors

400 Bad Request → Invalid request data.

401 Unauthorized → Authentication required or failed.

403 Forbidden → Access denied.

404 Not Found → Resource not found.

5xx – Server Errors

The server failed to process a valid request.

500 Internal Server Error → Generic server error.

502 Bad Gateway → Invalid response from an upstream server.

503 Service Unavailable → Server overloaded or down.

504 Gateway Timeout → Server did not respond in time.


Authentication

Authentication is the process of verifying a user’s identity and checking whether the provided credentials are valid. 

Common Authentication methods:

Basic Authentication

API Keys

OAuth 2.0


Authorization

Authorization is the process of verifying what a user is allowed to do. Even an authenticated user may not have access to some resources.

Example: Role-based access control (RBAC)


Synchronous API Calls

In synchronous API calls, the user sends a request and waits for the response before moving to the next request. The client is blocked until the server responds.

Example: REST API calls (GET, POST, etc.) are synchronous.

Client → Server → Client (response)


Asynchronous API Calls

In asynchronous API calls, the user sends a request and doesn't wait for a response. The response is handled later when it arrives (via a callback, webhook, or polling). These are called non-blocking calls: the client continues with other tasks.

Common in event-driven systems, microservices, and messaging queues (Kafka, RabbitMQ).

Client → Server (acknowledgment)

Server → Client (response via callback/webhook/polling)

