Qapitol QA

Understanding RESTful APIs – Connecting Software Applications Through Programming Interfaces

Welcome to an API (Application Programming Interface) driven world!

Table of Contents

  • Introduction to APIs
  • REST API architectural constraints
  • HTTP verbs
  • API Authorization & Authentication
  • Request and Response Headers
  • Endpoints

What is special about RESTful APIs?

Before getting into things, let’s understand what an API is.

Overview of APIs

API stands for Application Programming Interface. APIs are a foundational element of innovation in today’s app-driven world.

From banking, retail and transportation to IoT, autonomous vehicles and smart cities, APIs are a critical part of modern mobile and web applications.

REST stands for REpresentational State Transfer. It is not a protocol but an architectural style: a set of constraints for designing APIs, usually over HTTP. In REST the client never touches a resource directly; it exchanges representations of the resource with the server, so the same resource can be served as JSON, XML or another format, negotiated through headers.

Confused?

No worries. Let’s use the example of a customer and a restaurant waiter (a pretty old example, but it still works!) to understand how an API functions.

Authentication

Let’s assume the waiter is the API and the customer who orders food is the client. As soon as the customer enters the restaurant, someone assigns them a table so that they can order their favourite food. (Getting a table corresponds to logging in to the app and receiving a token that grants access to the relevant APIs.)

Requesting the resources

Once the waiter notes the order, he takes it to the kitchen and passes it to the right cook to be prepared. (Here the client sends a request through the API, and the request is routed to the relevant resource via its endpoint.)

Receiving the requested resources (response)

Once the order is ready (yummy!!), the waiter collects it from the kitchen and brings it to the table. (The API returns a response to the client carrying the requested data, typically as a JSON object.)

Hope this example helps you understand how an API works. Let’s move forward.

REST API architectural constraints

REST defines six architectural constraints; a web service that satisfies them is a true RESTful API:

  1. Uniform Interface (resources are identified by URIs and manipulated through their representations, using the same small set of methods everywhere)
  2. Client-Server (the client and the server evolve independently and talk only through the interface)
  3. Stateless (every request carries everything the server needs to process it, including the caller’s credential; the server keeps no client session)
  4. Cacheable (responses say whether they may be cached, so that safe reads can be served without a round trip)
  5. Layered system (a client cannot tell whether it talks to the origin server or to a proxy, gateway or load balancer in between)
  6. Code on Demand (optional: the server may send executable code, such as scripts, to extend the client)

Core components of REST APIs

  • HTTP verbs
  • Request/Response body
  • Headers
  • Resource path (Endpoint)

[Figure: Client-Server (diagram in the original post)]

Let’s have a look at how APIs work!

HTTP Verbs (Methods):

APIs use a specific HTTP verb depending on the type of call the client makes to the server. The most commonly used verbs are GET, POST, PUT, PATCH and DELETE, and they map onto the create, read, update and delete (CRUD) operations as follows: POST creates a resource, GET reads it, PUT replaces it and PATCH modifies part of it, and DELETE removes it. GET is defined as safe (it must not change server state), and GET, PUT and DELETE are idempotent (repeating the call has the same effect as making it once), whereas POST is not. A server that changes state on GET, or an API that uses POST for everything, breaks those expectations and the caching and retry behaviour that depends on them.
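The verb-to-operation mapping above, as an added example that is not part of the original post: a small in-memory dispatcher for a hypothetical /users collection that routes each verb to its CRUD operation, enforces the safe and idempotent semantics described, and rejects what it does not understand (405 for an unsupported verb, 404 for a path that is not a valid endpoint, 415 for a body whose Content-Type is not JSON). The paths, ids and user records are constructed for the example.

```python
import json
import re
from typing import Any, Dict, Optional, Tuple

# Constructed in-memory store for a hypothetical /users collection (example data only).
STORE: Dict[int, Dict[str, Any]] = {}
_next_id = 1

COLLECTION = re.compile(r"^/users$")
ITEM = re.compile(r"^/users/(\d+)$")   # only a numeric id is accepted as the path parameter

Response = Tuple[int, Optional[Dict[str, Any]]]


def reset() -> None:
    """Clear the store (makes runs repeatable)."""
    global _next_id
    STORE.clear()
    _next_id = 1


def handle(method: str, path: str, body: Optional[str] = None,
           content_type: str = "application/json") -> Response:
    """Route one request to the CRUD operation its verb selects; return (status, payload)."""
    global _next_id
    data: Any = None
    if body is not None:
        if content_type.split(";")[0].strip() != "application/json":
            return 415, {"error": "unsupported media type"}   # Content-Type is checked, not trusted
        try:
            data = json.loads(body)
        except ValueError:
            return 400, {"error": "malformed JSON"}
    if method in ("POST", "PUT", "PATCH") and not isinstance(data, dict):
        return 400, {"error": "a JSON object body is required"}

    if COLLECTION.match(path):
        if method == "GET":                       # read: safe, must not change state
            return 200, {"users": list(STORE.values())}
        if method == "POST":                      # create: not idempotent, each call makes a new id
            user = {**data, "id": _next_id}       # server-assigned id wins over a client-supplied one
            STORE[_next_id] = user
            _next_id += 1
            return 201, user
        return 405, {"error": "method not allowed"}

    m = ITEM.match(path)
    if not m:
        return 404, {"error": "no such endpoint"}  # unknown or malformed path, e.g. /users/../etc
    uid = int(m.group(1))
    if method == "GET":
        return (200, STORE[uid]) if uid in STORE else (404, {"error": "not found"})
    if method == "PUT":                           # full replacement: idempotent (repeat = same state)
        created = uid not in STORE
        STORE[uid] = {**data, "id": uid}
        return (201 if created else 200), STORE[uid]
    if method == "PATCH":                         # partial update of an existing resource
        if uid not in STORE:
            return 404, {"error": "not found"}
        STORE[uid].update({k: v for k, v in data.items() if k != "id"})
        return 200, STORE[uid]
    if method == "DELETE":                        # idempotent: deleting twice is still a success
        STORE.pop(uid, None)
        return 204, None
    return 405, {"error": "method not allowed"}


if __name__ == "__main__":
    reset()
    print(handle("POST", "/users", '{"name": "alice"}'))    # (201, {'name': 'alice', 'id': 1})
    print(handle("PUT", "/users/1", '{"name": "alicia"}'))  # (200, {'name': 'alicia', 'id': 1})
    print(handle("DELETE", "/users/1"))                     # (204, None)
```

Two details are there on purpose: the id in a POST or PATCH body is ignored in favour of the server’s own, so a client cannot assign itself someone else’s record (a common mass-assignment bug), and the item route only accepts digits, so a path such as /users/../etc is a 404 rather than something a file-backed handler might resolve.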

Response & Request Data Format

  • XML
  • JSON
  • HTML

API Authentication and Authorization

Before a client can call most APIs, it must register with the application and obtain a credential (an API key, an access token or similar) that it presents on every request so the server can authenticate it. Some read-only public APIs require no credential at all; many others require a key even for reads, so that usage can be tracked and rate-limited.

Difference between Authentication & Authorization

  • Authentication verifies who the caller is: the application checks that the presented credential (password, key or token) belongs to a known user or client.
  • Authorization verifies what an authenticated caller may do: whether this user is allowed to perform a particular action (for example, a normal user is not allowed to access admin functionality).

Authentication & Authorization with APIs serve the following purposes:

  • Authenticate the calls, so that only registered clients can access the API
  • Track who is making each request
  • Track usage of the API
  • Block any request that exceeds the rate limits
  • Maintain different permission levels for different users

Different authentication schemes

The following are the schemes most commonly used to authenticate API calls:

  • API keys: a long random secret sent in a header (for example X-API-Key) or, less safely, in the query string, where it ends up in logs and browser history
  • Basic Auth: username:password, Base64-encoded in the Authorization header; acceptable only over HTTPS, since Base64 is an encoding, not encryption
  • OAuth 2.0: the client obtains an access token from an authorization server and sends it as Authorization: Bearer <token>; the API validates the token rather than ever seeing the user’s password
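How the three schemes arrive at the server, and how authentication and authorization stay two separate decisions, as an added example that is not code from the original post: authenticate() parses X-API-Key, Basic and Bearer credentials and resolves them to a principal, and authorize() then checks that principal’s role against a permission. The credential tables, roles and permission names are constructed for the example; stored secrets are kept as SHA-256 hashes and compared with hmac.compare_digest so neither a leaked table nor response timing gives an attacker a shortcut.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional


def _digest(secret: str) -> str:
    # SHA-256 is appropriate for high-entropy keys and tokens. Passwords should go through a slow
    # KDF (bcrypt, scrypt, Argon2); SHA-256 stands in here only to keep the example stdlib-only.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed credential tables (example data only, not from the original post).
# Only hashes are stored, so a leaked table does not yield usable credentials.
API_KEYS = {_digest("k-7f3a9c"): {"sub": "reporting-job", "role": "reader"}}
PASSWORDS = {"alice": (_digest("correct horse"), "admin")}      # user -> (hash, role)
BEARER_TOKENS = {_digest("tok-55e1"): {"sub": "mobile-app", "role": "user"}}

# Authorization policy: what each role may do (hypothetical permission names).
ROLE_PERMISSIONS = {
    "reader": {"users:read"},
    "user": {"users:read", "users:update_self"},
    "admin": {"users:read", "users:update_self", "users:delete"},
}


def basic_header(user: str, password: str) -> str:
    """Client side: build the value of an HTTP Basic Authorization header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def _lookup(secret: str, table: Dict[str, dict]) -> Optional[dict]:
    """Compare the presented secret's hash against every stored hash in constant time."""
    presented = _digest(secret)
    found = None
    for stored, principal in table.items():
        if hmac.compare_digest(stored, presented):
            found = principal
    return found


def authenticate(headers: Dict[str, str]) -> Optional[dict]:
    """Who is calling? Returns {"sub", "role"} for a valid credential, else None."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-api-key" in h:
        return _lookup(h["x-api-key"], API_KEYS)
    scheme, _, credential = h.get("authorization", "").partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(credential, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, _, password = decoded.partition(":")
        record = PASSWORDS.get(user)
        # Hash and compare even for an unknown user, so response time does not reveal which
        # usernames exist.
        stored_hash, role = record if record else (_digest("no-such-user"), None)
        if hmac.compare_digest(stored_hash, _digest(password)) and record is not None:
            return {"sub": user, "role": role}
        return None
    if scheme == "bearer":                        # e.g. an OAuth 2.0 access token
        return _lookup(credential, BEARER_TOKENS)
    return None


def authorize(principal: Optional[dict], permission: str) -> bool:
    """May this caller do this? A separate decision, taken after authentication."""
    if principal is None:
        return False
    return permission in ROLE_PERMISSIONS.get(principal["role"], set())


if __name__ == "__main__":
    who = authenticate({"Authorization": basic_header("alice", "correct horse")})
    print(who, authorize(who, "users:delete"))
```

The point of keeping authorize() separate is that a valid credential answers only "who is this?"; a reporting job with a perfectly good API key still gets False for users:delete, which is exactly the admin-function check the bullet list above describes.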

API Request and Response Headers

Headers are like instructions: they tell the server what the client is sending and what it expects back, and they tell the client how to treat the response.

Headers and parameters also carry information that helps track down issues when a call fails.

Request and response headers play a pivotal role in an API’s functionality, security and performance.

Headers carry information about:

  1. the request and response body (media type, length, encoding)
  2. request authorization (the credential presented by the client)
  3. response caching and cookies

Request headers

Request (HTTP) headers most commonly include ‘Content-Type’, ‘Accept’, ‘Authorization’ and ‘Accept-Charset’.

  1. Content-Type / Accept: Content-Type tells the server the media type of the request body (for example application/json) so that it can parse it; Accept tells the server which media types the client can handle in the response. The server should check both rather than assume them, and answer 415 (Unsupported Media Type) or 406 (Not Acceptable) when it cannot comply.
  2. Authorization: this header carries the client’s credential (API key, Basic credentials or bearer token). The server uses it to authenticate the caller and then decides whether that caller may access or modify the requested data.

Response headers

Response headers are sent back to the client along with the data. They include instructions for the client, such as whether the content may be cached; the HTTP status code travels in the status line alongside them.

HTTP header use cases

  1. Disabling caching of confidential data (Cache-Control: no-store)
  2. Enforcing HTTPS (Strict-Transport-Security)
  3. Filtering XSS (Content-Security-Policy; the older X-XSS-Protection header is deprecated and should not be relied on)
  4. Clearing sensitive site data on logout (Clear-Site-Data)
  5. Explicitly allow-listing the sources a page may load (Content-Security-Policy source directives)
  6. Preventing Content-Type sniffing (X-Content-Type-Options: nosniff)
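The six use cases above, turned into the check an API tester would actually run, as an added example that is not part of the original post: audit_headers() takes one response’s headers and returns a finding for each protection that is missing or misconfigured. The two header sets are constructed, one deliberately weak and one hardened; the header names and values are the standard ones named in the list.

```python
import re
from typing import Dict, List

# Constructed responses (example data only, not from the original post).
WEAK_HEADERS = {
    "Content-Type": "application/json",
    "Cache-Control": "public, max-age=3600",     # lets proxies keep confidential data
    "X-XSS-Protection": "1; mode=block",         # deprecated filter, no CSP
}

HARDENED_HEADERS = {
    "Content-Type": "application/json; charset=utf-8",
    "Cache-Control": "no-store",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Clear-Site-Data": '"cache", "cookies", "storage"',   # sent on the logout response
}


def audit_headers(headers: Dict[str, str], sensitive: bool = True, logout: bool = False) -> List[str]:
    """Return one finding per missing or weak protection; an empty list means nothing to report."""
    h = {k.lower(): v.lower() for k, v in headers.items()}   # header names are case-insensitive
    findings: List[str] = []

    if sensitive and "no-store" not in h.get("cache-control", ""):
        findings.append("Cache-Control lacks no-store: confidential data may be cached")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: HTTPS not enforced by the browser")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) == 0:
            findings.append("Strict-Transport-Security max-age is 0: HSTS disabled")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing: no source allow-list")
    elif "'unsafe-inline'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline': XSS filtering defeated")

    if h.get("x-content-type-options") != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff: MIME sniffing possible")

    if "x-xss-protection" in h:
        findings.append("X-XSS-Protection is deprecated; rely on Content-Security-Policy instead")

    if logout and "clear-site-data" not in h:
        findings.append("Clear-Site-Data missing on logout response")

    return findings


if __name__ == "__main__":
    for line in audit_headers(WEAK_HEADERS):
        print("weak:", line)
    print("hardened:", audit_headers(HARDENED_HEADERS, logout=True))
```

The sensitive and logout flags matter because the right answer depends on the endpoint: a public, read-only endpoint may legitimately be cacheable, and Clear-Site-Data belongs only on the response that ends a session.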

API endpoints

An API endpoint is, in plain terms, a specific URL on a server or service at which a resource is exposed, such as /users/42. Clients send their requests to endpoints, and the API routes each request to the resource that performs the task.

Why API endpoints are important

As mentioned previously, the modern world is driven by APIs, and endpoints play a pivotal role in making sure that communication between systems is robust.

The performance and productivity of an API depend on how clearly its endpoints are designed and how reliably clients can interact with them.

This blog was developed by Venkata Sai Dinesh, Software Test Engineer, Qapitol QA

Write to [email protected] for API testing talent.
