According to a SlashData 2020 survey, almost 90% of the developers interviewed were using APIs to some extent. With this in mind, it’s no wonder that even if you’re a manual or an automation tester looking for a job change, the hiring interview will consist of API-related questions.
In this article, I’ll take you through some of the most common and important API testing interview questions, and provide the right answer for each one. Let’s get to it!
1. What is API testing?
API testing is a type of software testing that involves evaluating APIs (Application Programming Interface) to see if they meet the requirements for functionality, dependability, performance, and security. Since APIs don’t have a GUI, API testing is performed at the message layer of the system.
2. What are the advantages of performing API testing?
API testing has several advantages. Among the most important, you can mention:
- Test without GUI: Testers can conduct API tests without having to use the software directly. This is a huge benefit because it gives QA engineers early insight into flaws and faults, allowing developers to fix them before they have an impact on the GUI.
- Test for core functionality: Before performing GUI tests, testing an application's code-level functionality allows for an evaluation of its overall build quality. This helps reveal little errors that may grow into more significant issues at the GUI level. Core access makes it possible to do testing concurrently with development, enabling communication and better teamwork.
- Time effective: API tests typically take less time than functional GUI testing. GUI testing takes longer because the web components need to be polled. API test automation particularly involves less code and can therefore give better and faster test coverage, when compared to GUI automated testing.
- Language dependent: An API test uses XML or JSON to exchange data. These transfer modes are not language-dependent, therefore you can use any programming language when writing automated tests for your API.
3. How is API testing different from UI testing?
API testing focuses a lot more on testing the business logic, data replies, and security, as well as performance bottlenecks. In contrast, UI testing focuses on verifying the look and feel of a web interface or that certain buttons, forms, dropdowns, etc work.
4. What are the components of an HTTP request?
An HTTP request has five elements:
- An HTTP method (discussed below) that defines the action.
- A URI (Uniform Resource Identifier), which is the resource’s identifier on the server.
- An HTTP Version, e.g. HTTP v1.1.
- The Request Header, which carries metadata (as key-value pairs) for the HTTP Request message. Client (or browser) type, client-supported formats, message body formats, cache settings, and other information are examples of metadata.
- The Request Body, which represents the data sent by the client to the API.
5. What are the most used HTTP methods in REST APIs?
The most important HTTP methods used when performing REST API testing are the methods that perform CRUD operations:
- GET is the HTTP method that reads the information from the resource.
- POST method is used to create or update resources.
- PUT modifies an existing resource.
- DELETE will remove a specified resource.
6. What is the difference between the PUT and the POST methods?
This is an interview question I got at a lot of jobs, and the answer is partly answered above.
When you need to change a single resource that is a component of a resource collection, you call the PUT method. When you need to add a child resource to a resource collection, you must use the POST method. If the PUT HTTP call is sent more than once, the results will stay the same. If a POST request is sent multiple times, then the results will differ, i.e. multiple resources might be created or an error is returned.
For example, if you have a resource for creating and updating users, sending the same PUT method for a user will update the user each time. Sending the same POST method for a user will result either in multiple users created, or in an error that the username or email address is already in use.
7. What are the HTTP response status code classes?
Another one of the common interview questions, and also something important to know when performing API testing. The HTTP response code classes are
- 1xx: the response calls in this category are informational responses. They mean that the client should continue the request or ignore the response if the request is finished.
- 2xx: a 200 code means Success.
- 3xx: these responses are redirect responses. This means that there are multiple possible responses to the request. One of them should be selected by the user agent or user.
- 4xx: the codes in this group denote a client error. This means that the server cannot process the request and it perceives it as an error from the client side, such as an unrecognized URL, an incorrect request syntax, and so on.
- 5xx: the 500 HTTP response code is returned when there is an error on the server side and the server is unable of performing the request.
If you want to get into the details of the response statuses, you can find the complete list online.
8. What are some common API automation testing tools?
For this question, I would answer with some tools I have already worked with or am at least a little familiar with. So, if you have experience with any API testing tools, go ahead and mention them. If not, you can answer with some of the popular ones, such as Katalon, Postman, or SoapUI. You can take a look at this article for some inspiration, too.
9. What are some commonly used authentication methods in API testing?
An appropriate answer for this question would be
- Session/Cookies based authentication
- Basic authentication
- Digest authentication
10. What is the difference between authentication and authorization?
In short, authentication is the process of verifying a user's identity, whereas authorization is the process of confirming their level of access.
11. Why is API testing preferred to UI testing when it comes to automated tests?
Coming back to the classical test automation pyramid, it is well known in our industry that UI end-to-end tests should be at the top of the pyramid, meaning that they should account for the least number of tests. This is because UI automated tests tend to take more time, and are more prone to flakiness because they have many dependencies. API automated tests represent the integration testing part of the pyramid, and they are a lot faster and usually more reliable.
12. What is the difference between API and unit testing?
Unit testing falls under the white box testing category, while API testing is usually black box testing. Since an end-user will engage with the user interface, API testing must represent the system as a whole. In unit testing, a key consideration is whether each component or module functions flawlessly on its own. That is, to achieve a solid module architecture, dependencies should be minimized.
13. What types of testing can be applied to APIs?
Most of the testing types applied to UI testing work on APIs at well. A few of the most notable testing types you can mention for this API interview question are
- Functional testing: most of the time, you will want to test that the APIs do what they are designed to do. This means that you’ll be running functional test cases on APIs.
- Manual testing: just because you are not an automation tester doesn’t mean you can’t test APIs. You can use tools such as Postman to send requests and test the responses manually.
- Automated testing: It’s a good idea to automate the API test cases if you can. A lot of the tools mentioned above can help you with that, or you can create your own API framework.
- Load testing: By simulating traffic to APIs, testers can identify bottlenecks before they get into production. In the absence of a production load, it might be challenging to identify these bottlenecks in development environments. There are tools, such as Apache JMeter, that enable you to send HTTP calls to a given endpoint and measure the response time, errors and error rates, and other useful data from the responses. They can also help simulate large amounts of data to evaluate how an application behaves.
- Security testing: with security testing, the API implementation is protected from outside threats. Phases in security testing include verifying encryption techniques and the architecture of the API access control. User access management and authorization verification are also included.
- Penetration testing: With this type of testing, users unfamiliar with the API will attempt to evaluate the threat vector from a distance, focusing on functionalities, resources, workflows, or the complete API and its components.
Whether you are a manual tester or work on test automation, it’s important to know how to work with APIs. This article went over some of the most common API testing interview questions, providing the answers for them, too, of course. So if you’re preparing for the news testing interview, this post should help you with that.
Don’t forget to subscribe to the newsletter for more testing tips and tutorials!