Why API Testing Is Mission-Critical
Everyone these days seems to focus on how to test applications, and specifically, how to test the user interface. This is important—after all, if your user interface is broken, then none of your customers will be able to use your application.
However, we often seem to forget about testing APIs, which is just as important.
If your API serves 500 other companies, and they each have 1,000 customers of their own, you will be affecting 500,000 users, not just your own customers. As a more dramatic example, if the Google Maps API suddenly went offline, every ride-hailing driver or meal delivery service would be unable to do their job. You could effectively destroy Uber, Lyft, Uber Eats, Deliveroo, and a whole host of other companies with a single issue. So, API testing should be seen as mission-critical for most companies.
One of the biggest mistakes we find is that people don’t realize that once an API has been released into the “wild,” it takes on a life of its own. When you find a problem with an application screen, you can choose either to fix the problem or to change the test, if the way the application works is acceptable but different from what was initially specified.
With API testing, if you change how the API works—even if it now works better—it will break all of the code written by people using the API. Consequently, testers have a responsibility to make sure they are testing the same contract that was established when the API was first released.
A common technique is to “version the API,” so that newer versions of the application will implement a newer API that can avoid breaking old code that is expecting an older version of the system. That means developers and testers need to maintain and test a compatibility layer between the versions, so this also needs to be factored into the effort to test the API.
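As an added illustration (not code from the original article), the sketch below checks a compatibility layer against the contract frozen at the first release. The handlers, field names, and sample data are hypothetical and constructed for the example; it goes slightly beyond the text by reporting changed field types as well as missing fields.

```python
# Added illustration: every name and value here is hypothetical/constructed.

# Contract frozen when v1 was first released: field name -> required type.
V1_CONTRACT = {"id": int, "name": str, "email": str}


def get_user_v2(user_id):
    """Current implementation: v2 split 'name' and nested the e-mail."""
    return {
        "id": user_id,
        "first_name": "Ada",
        "last_name": "Lovelace",
        "contact": {"email": "ada@example.test"},
    }


def get_user_v1(user_id):
    """Compatibility layer: rebuild the v1 shape from the v2 response."""
    v2 = get_user_v2(user_id)
    return {
        "id": v2["id"],
        "name": f'{v2["first_name"]} {v2["last_name"]}',
        "email": v2["contact"]["email"],
    }


def contract_violations(response, contract):
    """List the ways `response` breaks the frozen contract.

    Extra fields are tolerated (additive changes do not break old clients);
    missing fields and changed types are reported.
    """
    problems = []
    for field, expected in contract.items():
        if field not in response:
            problems.append(f"missing field: {field}")
        elif type(response[field]) is not expected:
            actual = type(response[field]).__name__
            problems.append(
                f"type changed: {field} is {actual}, expected {expected.__name__}"
            )
    return problems


if __name__ == "__main__":
    print("v1 via compat layer:", contract_violations(get_user_v1(7), V1_CONTRACT))
    print("v2 sent to v1 client:", contract_violations(get_user_v2(7), V1_CONTRACT))
```

Run in CI against every release, a check like this fails the build as soon as the compatibility layer stops honoring the v1 shape.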
Finally, security and performance are critical for any part of the system, but because APIs are typically designed to be used by machines rather than humans, they are in many ways ideal vehicles for hackers to take down your system with precision code. Penetration testing and load testing the API are a must.