30 Days of API Testing Day 2: API Exploratory Testing

(KMS Nam Nguyen) #24

I started to learn about API testing from my project KBB at KMS Technology. Below is my approach for API exploratory testing.

  1. Understand API requirements

    • What is the API’s purpose?
    • Parameters, inputs, constraints in the API.
    • Requests/Responses
    • Error Handling (Exception, Error messages being used)
  2. Specify the API output status:

    • Verify whether the response code equals 200 or not

    • There are five values for the first digit:

      • 1xx (Informational): The request is received and continues to be processed
      • 2xx (Successful): The request is successfully received, understood, and accepted
      • 3xx (Redirection): Further action needs to be taken to complete the request
      • 4xx (Client Error): The request contains the wrong syntax or cannot be fulfilled
      • 5xx (Server Error): The server fails to fulfill an apparently valid request
  3. Focus on small functional APIs

  4. Use some testing techniques (equivalence classes, boundary value analysis, error guessing) to write test cases for your API

  5. Run test cases and compare the actual result with the expected result.
    You can find more information related to API testing at https://www.katalon.com/resources-center/blog/api-testing-tips/.

  6. Apply automation testing for API

(Thao) #25

Here is my approach for API testing:

  • Refer to some documents to get basic knowledge about API testing, e.g. https://docs.katalon.com/katalon-studio/tutorials/introduction_api_testing.html
  • Learn about JSON, XML format, HTTP methods, the requests, responses, how to handle errors … (because I don’t know about APIs, it will take a lot of effort)
  • Get the basic knowledge about tools for API testing such as Postman, Katalon …
  • Define test cases and apply API testing for a sample API testing project, such as load testing to check the performance of the website

(Dong) #26

I think the approach for API Exploratory Testing is based on many aspects, one of which is the Software Development Life Cycle (SDLC). Different SDLCs have different approaches. For example:

In traditional Waterfall/V-model: The testers collect requirements and apply testing techniques to generate Test Cases/Test Scripts. After the program has completed its Build stage, they execute the Test Suite and collect the results.

In Agile, the Test Ideas do not come mainly from reading requirements, but also from exploring the working software. More cases are tested, and so more results are obtained. The testers will have more knowledge about the product, so they can explore it better and generate better Test Cases/Test Scripts.

In DevOps culture, the SDLCs can be shorter than in the Agile model (for faster delivery, better stability, etc…) and also bring more challenges. The testers will need CI/CD documents and will explore the whole system (not only the product), so they can generate an even better Test Suite that covers more and costs less. They will have more time to understand the system, or learn new things. Combining API Testing with other skill sets/knowledge will bring more positive change to the product.

That’s my approach for API Exploratory Testing, from different SDLC points of view. I hope to know more about your opinion. Thanks!

(Trang Ta) #27

My approach to API Exploratory Testing comes from the Heuristic Test Strategy Model:

  • Focus on working with a limited understanding of the API requirements: my testing target with the environment it depends on, purpose of users.
  • Research API tools (e.g. Postman, Katalon…) to choose the tool suitable for my project
  • Determine scenarios for testing
  • Define: calls and operations, inputs and outputs, exceptions.
  • Write scripts for API testing
  • Run & report results

(Duong) #28

Thanks all for sharing. I’m an automation tester and not familiar with API testing or with exploratory testing. After researching exploratory testing and reading some of your opinions, I found my own approach as below:

  • Read/ Explore the documentation if it is available and try to understand
  • Ask around for what the intended uses are and what applications we know of are currently using our API
  • Review the code for the API or go over the API with the developer if possible
  • Know the endpoint, and what are the operations it supports
  • Compare responses with their requests
  • Experiment with different variations of params to see the API behaviour.
  • Identify example messages from typical user journeys to derive variations of those journeys (e.g. in/valid tokens).
  • Check whether the API will justify the purpose for which it was developed after being integrated with the application.
  • Document the complete testing process so that it can be referred to by the developers and can be used in future for testing

(Thanh) #29

Exploratory testing is simultaneous learning, test design, and test execution
(Exploratory Testing Explained by James Bach, v.1.3)

Exploratory testing is more like an approach or mindset than a methodology; it’s the way to understand product/features deeply and widely with the purpose of finding bugs through investigation and learning freedom based on the tester’s skill, experience and adaptability.

In my opinion, from searching and reading about API Exploratory Testing, I think it is the use of automation tools to test APIs within an exploratory approach. Besides, because API testing is almost entirely automated testing, it assists with reproduction and regression of what’s tested, which is difficult when applying exploratory testing in manual testing.

(Tuan Tran) #30

Below is my approach for API Exploratory testing:

  1. Get information about this API (some items):
    • The API endpoint
    • The API method: GET, POST, PUT…
    • Parameters (if any)
    • HTTP status code
    • The response value
    • Authentication (if any)
  2. Play with the API:
    • Execute the API with valid/invalid parameters
    • Try some exception cases.
    • Try with/without an authentication token, and with an invalid token.
  3. See the response:
    • Observe whether the response matches your expectation on: the response type, status code, value field.
    • The status code of the response should match your expectation.
  4. Document: write down your knowledge about this API for future use.

  5. Do automation:

    • Try to create an automated script for your API.
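
Added example (not part of the original post or thread): the valid/invalid parameter and with/without/invalid token checks from the steps above, written as a table-driven script. The stub server, its `/items/<id>` endpoint, the token value and the expected status codes are all constructed for illustration; against a real API, point `call` at its base URL and take the expectations from its documentation.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

VALID_TOKEN = "constructed-test-token"  # constructed sample value, not a real secret
OPENER = build_opener(ProxyHandler({}))  # reach localhost directly, ignoring proxies

class StubAPI(BaseHTTPRequestHandler):  # constructed stand-in: GET /items/<integer id>
    def do_GET(self):
        if self.headers.get("Authorization") != f"Bearer {VALID_TOKEN}":
            return self._send(401, {"error": "unauthorized"})  # auth is checked first
        if not (item := self.path.rsplit("/", 1)[-1]).isdecimal():
            return self._send(400, {"error": "id must be an integer"})
        self._send(200, {"id": int(item), "name": "sample"})

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

def call(base, path, token=None):  # returns (status code, parsed JSON body)
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    try:
        with OPENER.open(Request(base + path, headers=headers), timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:  # urllib raises on 4xx/5xx; the status is still a result
        return err.code, json.loads(err.read())

CASES = [  # (name, path, token, expected status code)
    ("valid parameter, valid token", "/items/1", VALID_TOKEN, 200),
    ("invalid parameter, valid token", "/items/abc", VALID_TOKEN, 400),
    ("valid parameter, invalid token", "/items/1", "wrong-token", 401),
    ("invalid parameter, no token", "/items/abc", None, 401),
]

def run_cases():  # returns [(name, status, body, expected status), ...]
    with HTTPServer(("127.0.0.1", 0), StubAPI) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        results = [(n, *call(base, p, t), want) for n, p, t, want in CASES]
        server.shutdown()
    return results

if __name__ == "__main__":
    print(*run_cases(), sep="\n")
```

The last case combines an invalid parameter with a missing token: the stub answers 401 rather than 400, so an unauthenticated caller learns nothing about how input is validated.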

(duncs) #31

(kms_lantran) #32

I think I will approach API Exploratory Testing with the steps below:

  1. Read more about API testing for different testing types
  2. Read documents for API testing at a basic level to explore the whole picture of API testing
  3. Try to find a tool
  4. Read the tutorial of the tool and explore how to use the tool
  5. Read API testing examples
  6. Practice the examples on the tool with different API testing examples
  7. Note down

(Han Ho) #33

I’m a newbie in API testing. After researching exploratory testing of an API on the Internet and referring to your comments, I would like to share my own opinion about the API exploratory testing approach as below:

  • Know the difference between web service and API.

  • Know the types of web service, like SOAP/REST.

  • The format of the API request/response (XML, JSON, …)

  • What is an HTTP API request/response.

  • Is there documentation for each service? How does it work? What business function does the service perform?

  • What are HTTP methods - GET, POST, PUT, DELETE?

  • Which methods does the web service support?

  • List of HTTP status code

  • Tools: POSTMAN, SOAPUI,…

  • Configuring a tool to request an API.

API exploratory testing approach:

  • First of all, read the document if it is available and make sure you understand it.

  • Talk to the developers to understand what inputs are needed to make an API call.

  • Know the endpoint and what form the endpoint takes.

  • Try to communicate with client or developers if there are any issues.

  • Make a request and review the results.

  • Make an invalid request and see the HTTP status and response returned.

(khanh nguyen) #34

When it comes to exploratory testing, there are some misconceptions that ET (Exploratory testing) is only used with GUI testing and intended for Devs; some are even surprised when ET is mentioned in API. Below is my approach for API ET after reading some related articles:

Before jumping to write API test cases, do the following preparation steps:
1. Try to get familiar with API concepts:

  • HTTP => used to transfer web based information
  • Servers and Clients, Requests and Responses
  • Creating HTTP methods (get, put, post, delete, …)
  • How data (input/output) is formed in requests/responses (XML (Extensible Markup Language) and the more recent JSON (JavaScript Object Notation))
  • Status codes: divided into 5 classes
    • 1xx (Informational): The request is received and continues to be processed
    • 2xx (Successful): The request is successfully received, understood, and accepted
    • 3xx (Redirection): Further action needs to be taken to complete the request
    • 4xx (Client Error): The request contains the wrong syntax or cannot be fulfilled
    • 5xx (Server Error): The server fails to fulfill an apparently valid request
  • Authorization (who can access the API?)
  • Endpoints
  • Pick an automation tool that you find most comfortable to practice with

2. To do API testing:

  • Read API docs carefully before writing API test cases
  • Pick a few scenarios to write API test cases (not too complicated)
  • Determine inputs, outputs, responses
  • Organize your endpoints
  • Choose suitable verification methods:
    • Compare the whole response body content with the expected information
    • Compare each attribute value of the response
    • Compare matching with regular expression
  • Write negative and positive test cases

For more details, please refer as below:


That is mine; I’d love to hear more thoughts from you guys 🙂

(swapnali kadu) #35

Really excellent article. Got to know a lot of new information. Thanks for sharing this article with us.