Ensuring your application's smooth and secure operation, especially with millions of daily users, calls for thorough API testing. Identifying vulnerabilities and errors early helps prevent disruptions and protect sensitive data, addressing crucial functionality and security concerns.
In this post, you'll learn how to write manual test cases for API testing, ensuring your systems' integrity and reliability while delivering flawless user experiences and safeguarding your application's reputation. Let's begin!
What is manual API testing?
Manual API testing involves testers manually interacting with APIs to validate their functionality, reliability, performance, and security. This process includes sending requests to the API and verifying the responses, ensuring the API performs as expected under various conditions. It helps identify bugs and issues that automated tests might miss, providing an assessment of the API's behavior in real-world scenarios.
Types of API testing
Here are some key types of API testing:
- Functional Testing: Ensures the API functions correctly according to specified requirements.
- Load Testing: Measures the API’s performance under high traffic or data loads to determine its scalability and reliability.
- Security Testing: Assesses the API’s vulnerability to attacks and ensures it handles sensitive data securely.
- Integration Testing: Verifies that the API integrates well with other systems and APIs within the application.
- Validation Testing: Confirms the API's responses and data format are accurate and meet expectations.
- Regression Testing: Checks if recent code changes have negatively impacted existing functionality.
- Runtime/Error Detection: Monitors the API for any performance issues or errors during execution.
- Penetration Testing: Simulates cyber-attacks to identify and address potential security vulnerabilities in the API.
How to write manual test cases for API testing?
Now, let's examine a detailed step-by-step guide for writing manual test cases for API testing.
Understand the API documentation
Start by thoroughly reviewing the API documentation. This includes understanding the following key elements:
- Endpoints: These are the specific locations where the API can be accessed. Each endpoint corresponds to a different resource or action within the API.
- Request Methods: These indicate the type of action to be performed. Common methods include:
- GET: Retrieve data from the API.
- POST: Submit new data to the API.
- PUT: Update existing data.
- DELETE: Remove data.
- Request Parameters: These are the API's inputs to perform a specific action. Parameters can be query parameters, path parameters, or body parameters.
- Response Formats: The structure and format of the data returned by the API, usually in JSON or XML format. Understanding the expected format helps in validating the responses.
- Authentication Methods: The mechanisms used to verify the user's identity making the request. This can include API keys, OAuth tokens, or other methods.
- Rate Limits: The restrictions on the number of requests that can be made to the API within a specific time frame. This prevents abuse and ensures fair usage.
- Restrictions: Any other limitations or rules that govern how the API can be used, such as IP allowlisting or specific user permissions.
Identify test scenarios
Identify all possible scenarios that need to be tested. Some of the possible ones include:
- Positive Test Cases: Scenarios where valid inputs are provided to ensure the API functions as expected.
- Negative Test Cases: Scenarios where invalid inputs are provided to test the API’s error-handling capabilities.
- Edge Cases: Unusual or extreme inputs that might push the API to its limits, such as maximum and minimum values, empty inputs, or large data sets.
Also, consider all aspects of the API’s functionality, including:
- Data Retrieval: Test scenarios where data is fetched from the API using GET requests.
- Data Submission: Test scenarios where new data is sent to the API using POST requests.
- Error Handling: Ensure the API correctly handles errors, such as invalid inputs, unauthorized access, or server errors.
- Security: Verify that the API’s security measures, like authentication and authorization, are functioning properly. This includes testing for potential vulnerabilities and ensuring data privacy.
Prioritize test cases
Prioritize your test cases based on their importance and impact. Focus first on critical functionalities and high-risk areas. This will help ensure that the API's most important features are tested early and thoroughly.
Define input data
Determine the input data for your test cases. This includes both valid and invalid data. For example:
- Valid data: Correctly formatted inputs that the API expects.
- Invalid data: Incorrectly formatted inputs, missing parameters, or boundary values.
Determine expected outputs
For each test case, define the expected output by considering the following:
- Expected Status Codes: Identify the appropriate HTTP status codes the API should return, such as:
- 1xx - Informational Responses: Status codes in the 100-199 range indicate that the request was received and understood and that the client should continue or ignore it if it has already been finished.
- 2xx - Successful Responses: The 200-299 range status codes indicate that the request was successfully received, understood, and accepted.
- 3xx - Redirection Messages: Status codes in the 300-399 range indicate that the user must take further action to fulfill the request.
- 4xx - Client Error Responses: Status codes in the 400-499 range indicate that the request contains bad syntax or cannot be fulfilled by the server.
- 5xx - Server Error Responses: The 500-599 range status codes indicate that the server failed to fulfill an apparently valid request.
- Response Times: Define acceptable response times to ensure the API performs efficiently under various conditions.
- Data Returned: Specify the structure and content of the data the API should return. This includes:
- Data Types: Verify the types of data returned, such as strings, numbers, or JSON objects.
- Data Values: Ensure the values meet the expectations outlined in the API documentation and business rules.
Remember that HTTP status codes are a standard for web services, but the concept of expected outcomes is universal. Similar codes or messages indicating success, failure, or specific errors would be used for non-web APIs.
Create test cases
Write detailed test cases that outline the steps to be followed. Each test case should include the following:
- Test Case ID: A unique identifier for each test case.
- Test Description: A brief description of what the test case aims to verify.
- Pre-conditions: Any setup or conditions that must be met before the test can be executed.
- Test Steps: Step-by-step instructions to perform the test, including the method and endpoint.
- Input Data: The data to be sent with the API request.
- Expected Results: The expected outcome of the test, including status codes and response content.
- Post-conditions: The state of the system after the test has been executed.
Execute test cases
Run the test cases manually by using manual testing tools. Follow the steps outlined in each test case, send requests to the API, and record the actual responses.
Analyze the results
Compare the actual results with the expected results. Note any discrepancies or unexpected behavior. This step helps identify API functionality, performance, or security issues.
Report defects
Document any defects found during testing. Provide detailed information about the defect, including steps to reproduce, expected and actual results, and any relevant screenshots or logs. Reporting defects helps developers understand and fix the issues efficiently.
API test case examples
Example 1
Test Case ID: TC001
- Test Description: Verify login fails with invalid password.
- Pre-conditions: User must be registered.
- Test Steps:
- Send a POST request to /api/login.
- Include valid username and invalid password in the request body.
- Input Data: { "username": "user1", "password": "wrongpass" }
- Expected Results: Status code 401 Unauthorized. Error message: "Invalid credentials."
- Post-conditions: No session is created.
Example 2
Test Case ID: TC002
- Test Description: Verify fetching user profile details.
- Pre-conditions: User must be logged in.
- Test Steps:
- Send a GET request to /api/user/profile.
- Include valid auth token in the request header.
- Input Data: Auth token: Bearer validtoken123
- Expected Results: Status code 200 OK. Response contains user profile details.
- Post-conditions: User profile details are retrieved.
Example 3
Test Case ID: TC003
- Test Description: Verify creating a new user.
- Pre-conditions: None.
- Test Steps:
- Send a POST request to /api/user/create.
- Include new user details in the request body.
- Input Data: { "username": "newuser", "password": "newpass123" }
- Expected Results: Status code 201 Created. Response contains user ID.
- Post-conditions: New user is created in the system.
API testing checklist
Here is a checklist you can use for your manual API testing:
Status Code Check: Verify that the response status code is as expected.
☐ Done ☐ Pending ☐ Failed
Response Time Check: Measure the API response time and ensure it’s within acceptable limits.
☐ Done ☐ Pending ☐ Failed
JSON Schema Validation: Validate the response against a predefined JSON schema.
☐ Done ☐ Pending ☐ Failed
Response Headers: Check for the presence of specific headers (e.g., Content-Type, Cache-Control).
☐ Done ☐ Pending ☐ Failed
Response Payload: Verify the correctness of the response data, including fields, values, and nested objects.
☐ Done ☐ Pending ☐ Failed
Response Size: Check the size of the response data to ensure it’s within reasonable limits.
☐ Done ☐ Pending ☐ Failed
Response Encoding: Verify the encoding (e.g., UTF-8) of the response.
☐ Done ☐ Pending ☐ Failed
Pagination: Test the pagination logic if the API supports it.
☐ Done ☐ Pending ☐ Failed
Authentication and Authorization: Check if authentication and authorization mechanisms are correctly implemented.
☐ Done ☐ Pending ☐ Failed
Error Handling: Validate the response when incorrect parameters are passed or errors occur.
☐ Done ☐ Pending ☐ Failed
Cross-Origin Resource Sharing (CORS): Verify that CORS headers are set correctly if applicable.
☐ Done ☐ Pending ☐ Failed
Concurrency and Threading: Test how the API handles concurrent requests and threading.
☐ Done ☐ Pending ☐ Failed
Rate Limiting: Verify if rate limiting is enforced as expected.
☐ Done ☐ Pending ☐ Failed
Security: Ensure sensitive data is not leaked in the response. Verify that the API follows security best practices.
☐ Done ☐ Pending ☐ Failed
Negative Testing: Test the API’s response to invalid or unexpected inputs.
☐ Done ☐ Pending ☐ Failed
Performance and Load Testing: Test the API’s performance and response time under various load conditions.
☐ Done ☐ Pending ☐ Failed
Integration Testing: Perform integration tests if the API interacts with other services.
☐ Done ☐ Pending ☐ Failed
How can Global App Testing assist you with creating your API test cases?
Global App Testing (GAT) provides an API that integrates crowdtesting into your development process, allowing you to manage functional tests for web and native applications. By leveraging GAT's API, you can efficiently launch, monitor, and retrieve test results directly within your existing tools and systems. This integration facilitates continuous integration and deployment, ensuring testing across multiple device combinations in over 190+ countries.
With GAT's API, you can achieve the following:
- Launch functional tests: Execute test cases for web and native applications using professional testers.
- Manage your test case suite: You can import, retrieve, update, and delete test cases from your system to GAT's platform.
- Monitor test status and results: Check the status of recently launched tests and retrieve results, importing them into your systems.
- Seamless integration: Connect GAT's platform with other software, enabling crowdsourced tests at the press of a button.
- End-to-end automation: Integrate with customer development systems to pick up test cases, run tests, and pull results into bug-tracking systems without logging into any platform.
- Streamline regression testing: Ensure new releases are pushed to production only if no critical bugs are found.
You can get started in just two simple steps:
- Obtain your API key so GAT can authenticate your integration’s API requests.
- Make a test API request to confirm everything is up and running.
By utilizing GAT's API, you can streamline your testing processes, ensure higher-quality releases at a faster pace, and unlock team and company efficiencies. Interested in partnering with Global App Testing? Schedule a call with one of our specialists today to discover more.
Keep learning
9 Best bug tracking tools to keep testing fluid
10 Best load testing tools to consider
5 Generative AI testing tools to consider