According to a SlashData 2020 survey, almost 90% of the developers interviewed were using APIs to some extent. With this in mind, it’s no wonder that even if you’re a manual or an automation tester looking for a job change, the hiring interview will consist of API-related questions.
In this article, I’ll take you through some of the most common and important API testing interview questions and provide the ideal answer for each one. Let’s get to it!
1. What is API testing?
API testing is a type of software testing that involves evaluating APIs (Application Programming Interface) to see if they meet the requirements for functionality, dependability, performance, and security. Since APIs don’t have a GUI, API testing is performed at the message layer of the system.
2. What are the advantages of performing API testing?
API testing has several advantages. Among the most important, you can mention:
- Test without GUI: Testers can conduct API tests without having to use the software directly. This is a massive benefit because it gives QA engineers early insight into flaws and faults, allowing developers to fix them before they impact the GUI.
- Test for core functionality: Before performing GUI tests, testing an application's code-level functionality allows for an evaluation of its overall build quality. This helps reveal little errors that may grow into more significant issues at the GUI level. Core access makes it possible to do testing concurrently with development, enabling communication and better teamwork.
- Time effective: API tests typically take less time than functional GUI testing. GUI testing takes longer because the web components need to be polled. API test automation particularly involves less code and offers better and faster test coverage when compared to GUI automated testing.
- Language dependent: An API test uses XML or JSON to exchange data. These transfer modes are not language-dependent; therefore, you can use any programming language when writing automated tests for your API.
3. How is API testing different from UI testing?
API testing focuses a lot more on testing the business logic, data replies, and security, as well as performance bottlenecks. In contrast, UI testing focuses on verifying the look and feel of a web interface or that certain buttons, forms, dropdowns, etc., work.
4. What are the components of an HTTP request?
An HTTP request has five elements:
- An HTTP method (discussed below) that defines the action.
- A URI (Uniform Resource Identifier) is the resource’s identifier on the server.
- An HTTP Version, e.g. HTTP v1.1.
- The Request Header carries metadata (as key-value pairs) for the HTTP Request message. Client (or browser) type, client-supported formats, message body formats, cache settings, and other information are examples of metadata.
- The Request Body represents the data sent by the client to the API.
5. What are the most used HTTP methods in REST APIs?
The most important HTTP methods used when performing REST API testing are the methods that perform CRUD operations:
- GET is the HTTP method that reads the information from the resource.
- POST method is used to create or update resources.
- PUT modifies an existing resource.
- DELETE will remove a specified resource.
6. What is the difference between the PUT and the POST methods?
This is an interview question I was asked often, and the answer is partially answered above.
When you need to change a single resource that is a component of a resource collection, you call the PUT method. When you need to add a child resource to a resource collection, you must use the POST method. If the PUT HTTP call is sent more than once, the results will stay the same. If a POST request is sent multiple times, the results will differ, i.e., multiple resources might be created, or an error is returned.
For example, if you have a resource for creating and updating users, sending the same PUT method for a user will update the user each time. Sending the same POST method for a user will result either in multiple users created or in an error that the username or email address is already in use.
7. What are the HTTP response status code classes?
This is another common interview question and important to know when performing API testing. The HTTP response code classes are:
- 1xx: the response calls in this category are informational responses. They mean that the client should continue the request or ignore the response if it is finished.
- 2xx: a 200 code means success.
- 3xx: these responses are redirect responses. This means that there are multiple possible responses to the request. One of them should be selected by the user agent or user.
- 4xx: the codes in this group denote a client error. This means that the server cannot process the request, and it perceives it as an error from the client side, such as an unrecognized URL, an incorrect request syntax, and so on.
- 5xx: the 500 HTTP response code is returned when there is an error on the server side and the server is unable to perform the request.
If you want to get into the details of the response statuses, you can find the complete list online.
8. What are some common API automation testing tools?
For this question, I would answer with some tools I have already worked with or am at least a little familiar with. So, if you have experience with any API testing tools, mention them. If not, you can answer with some popular ones, such as Katalon, Postman, or SoapUI. Take a look at our article covering the best API testing tools for some inspiration.
9. What are some commonly used authentication methods in API testing?
An appropriate answer to this question would be:
- Session/cookies based authentication
- Basic authentication
- Digest authentication
10. What is the difference between authentication and authorization?
In short, authentication is the process of verifying a user's identity, whereas authorization is the process of confirming their level of access.
11. Why is API testing preferred to UI testing for automated tests?
Returning to the classical test automation pyramid, it is well known in our industry that UI end-to-end tests should be at the top, meaning that they should account for the least number of tests. This is because UI automated tests tend to take more time and are more prone to flakiness because they have many dependencies. API automated tests represent the integration testing part of the pyramid, and they are a lot faster and usually more reliable.
12. What is the difference between API and unit testing?
Unit testing falls under white box testing, while API testing is usually black box testing. Since an end-user will engage with the user interface, API testing must represent the system as a whole. In unit testing, a key consideration is whether each component or module functions flawlessly. That is, to achieve a solid module architecture, dependencies should be minimized.
13. What types of testing can be applied to APIs?
Most of the testing types applied to UI testing work on APIs as well. A few of the most notable testing types you can mention for this API interview question are:
- Functional testing: most of the time, you will want to test that the APIs do what they are designed to do. This means that you’ll be running functional test cases on APIs.
- Manual testing: just because you are not an automation tester doesn’t mean you can’t test APIs. You can use tools such as Postman to send requests and test the responses manually.
- Automated testing: It’s a good idea to automate the API test cases. Many of the above tools can help you with that, or you can create your own API framework.
- Load testing: By simulating traffic to APIs, testers can identify bottlenecks before they get into production. In the absence of a production load, it might be challenging to identify these bottlenecks in development environments. There are load testing tools that enable you to send HTTP calls to a given endpoint and measure the response time, errors and error rates, and other valuable data from the responses. They can also help simulate large amounts of data to evaluate how an application behaves.
- Security testing: with security testing, the API implementation is protected from outside threats. Phases in security testing include verifying encryption techniques and the architecture of the API access control. User access management and authorization verification are also included.
- Penetration testing: With this type of testing, users unfamiliar with the API will attempt to evaluate the threat vector from a distance, focusing on functionalities, resources, workflows, or the complete API and its components.
Whether you are a manual tester or work on test automation, it’s essential to know how to work with APIs. If you’re preparing for API testing interview questions, I hope you find this article valuable.
Don’t forget to subscribe to the newsletter for more testing tips and tutorials!