Best practices for monitoring & testing APIs

    9687
    testing APIs

    Application Programming Interfaces (APIs) help software development teams easily engage and connect end-to-end business processes. Common examples include an e-commerce shopping cart connected to a payment gateway, widgets that display tweets or Facebook updates on a website, or tools like Slack integrated into collaboration and productivity applications – check out useful testing tools for API frameworks here.




    APIs are the key to web applications and services working. However, these end-to-end processes can only be as high-performing (fast, reliable) as the APIs they depend on. Here we’ll explore the concept of APIs: how they work, why they must be included in software testing processes, and best practices for monitoring and testing them.

    About APIs

    The prolific growth in web services was driven by APIs – HTTP-based protocols that enable otherwise disparate applications to convey data and communicate seamlessly with one another. This approach allows developers to leverage existing technology to make their applications more functional.

    Amazon is an example of a power API user. It provides APIs for its sellers to automate inventory management, order processing and even revenue growth. The APIs make it easy for sellers, who often list thousands of products on the site, to gain insight into their business using custom-built dashboards and applications that handle everything from out-of-stock alerts to auto-updating tracking data for shipments.

    APIs are also a foundational technology for the Internet of Things (IoT), connecting ordinary items like household appliances, cars, and smartphones to cloud-based services that control and dictate their functionality.

    How APIs work

    APIs depend on two main components – data encapsulation and transfer, and security. The API data consists of the API request and response. The data is structured in a specific format, either XML or JSON. Data transfer and security consist of the API then exchanging data, with requests and responses processed based on the web service being used – SOAP or REST. HTTP headers, cookies, or query string parameters also secure the data as it is exchanged.

    SOAP, REST and JSON offer extensibility to APIs, making them compatible with other applications irrespective of the language used. For example, Instagram and Facebook are two different social media platforms with functions that are exclusive to their respective interfaces. Although these two applications are independent, both Instagram and Facebook leverage APIs to allow interconnectivity. Hence, a user can log in to Instagram using their Facebook user account and share photos on either platform.

    Examples of API monitoring

    Many software testers take special care to ensure that websites and mission-critical applications remain available and fast under heavy site traffic, protecting both brand and revenue. We see a lot of scrutiny here especially during high traffic periods such as the holiday season.

    While monitoring page load and response times, and the internet infrastructure that supports modern websites and web applications, is critical, many of these – particularly in the e-commerce space – are heavily dependent on APIs, which influence shoppers’ earliest interactions. This includes APIs for site search, product catalogue integration, personalisation, and recommendation and price comparison engines.

    Entering credit card information and shipping choices requires still more API calls. Want to share a purchase on social media after completing a transaction? APIs kick in again. A failure or slowdown anywhere along this chain can derail your customer’s experience and cost you a sale. These APIs need to be tested and monitored regularly as part of your overall e-commerce site monitoring strategy.

    API monitoring is also crucial within mobile apps, which rely on APIs for data delivery and consumption. Without APIs, mobile apps are little more than a slick tactile interface that can’t actually do anything, much less generate revenue. Since many mobile app users are browsing these apps to inform future purchases in-store or via your desktop site, poor API performance within apps can cost an organisation a lot of future business, both online as well as offline.

    The importance of API testing

    Modern websites and applications incorporate many third-party services to extend and create more feature-rich functionality. Not all of these services involve APIs – for example, conversion-tracking tools are often embedded on sites as Javascript tags with no API involvement.

    All third-party services, whether they rely on APIs or not, need to be thoroughly tested and monitored on an ongoing basis, because one slow, unreliable performer is all it takes for an entire site or application to decelerate or even grind to a stand-still. There are several factors that can degrade API performance including: API endpoints experiencing downtime; bugs in the integration causing errors and timeouts; API authentication taking longer than usual; the API service not being robust enough to handle spikes in incoming requests or outbound responses; and latency in API calls, which can add up and create performance bottlenecks.

    Since API-dependent processes often support customer-facing, revenue-generating (and therefore mission-critical) applications, continually monitoring and testing APIs an absolute must.  Consider the following:

    • When an online shopper places an order on an e-commerce site, the payment gateway uses APIs to verify the user’s credit card data. If the API that integrates the payment options on the site is broken, not only does this result in an abandoned cart, it also adds to frustration resulting in a negative user experience.
    • If a commerce-oriented site relies on a third-party search widget, and if the API that runs this widget is broken, then users will be unable to find the product. This, too, can cause user frustration and negatively impact the business.
    • For sites using APIs to automate inventory management, an API performance issue can cause delays in order fulfilment that cascades to all stages of order processing, impacting site revenues.
    • The number of API calls is higher in IoT devices as they rely on real-time data updates, so even a negligible latency can add up quickly and hinder performance.

    The scenarios we discussed above makes it clear that API monitoring cannot be ignored when building your APM strategy and this is true for any type of application that makes use of APIs.

    If you are an API provider, then your API monitoring strategy must account for the following:

    • Availability – The APIs must be up and running at any time of the day; availability issues can degrade application performance and impact the end-user.
    • Security – API monitoring can be used to test the reliability of the API transactions. It should handle API authentication which helps you ensure the data exchange is secure and not requested by bots trying to mine data.
    • Benchmarking – The data collected by the monitoring tool must be comprehensive and easy to analyse; it should help benchmark your API performance against competitors. Benchmarking gives a better perspective of API performance, so you can ensure it is on par with other API providers in the industry.
    • SLA – The monitoring tool will alert you if there is a performance degradation or outage. Monitoring proactively will help you detect and resolve issues faster and prevent any SLA breach.

    If you are running applications that consume multiple APIs, it is just as important to monitor each API you use, as it is to monitor the application as a whole. Each API integration must be tested constantly for any performance bottlenecks.

    How are APIs monitored?

    There are multiple parts to monitoring APIs and depends on the monitoring solution that you use and the features it offers. Availability monitoring is one of the basic features you would find in any monitoring solution; it involves running tests at defined frequencies to determine if the API endpoint is accessible and returning a response. The tests will trigger alerts in case of an outage or performance degradation so that you can troubleshoot and resolve issues quicker.

    Monitoring API endpoints is not always a simple process; most API calls require authentication to secure data exchange and this requires additional parameters to be sent along with the HTTP request. The monitoring solution you use must be able to simulate complex API transactions which are possible only if the tests can be configured with:

    • Request Headers – To simulate an API transaction, it is important to include the Request Headers that make up the API call. This defines the HTTP request, whether the request is a POST or GET and if it requires authentication or if any of the data needs to be cached during the session.
    • Authentication – Most API endpoints are secured to ensure data reliability. Simulating such API transactions would require passing a username and password in the Request Header, so the monitoring solution should support basic HTTP authentication.

    Best practices for API testing

    Since APIs run core processes in many applications, they should be a major focal point when analysing overall application performance. If a business relies on API integrations or allows customers to access their data via an API, it will need a testing solution providing a 360-degree perspective of the processes that make up the application.

    • First, keep tabs on API performance functionality using API tests. These tests can be set up to monitor availability and speed issues, and the data collected over time can be used to analyse these performance trends.
    • Testing availability is not enough; most API transactions involve data exchange, so it becomes necessary to ensure the data is reliable. Organisations can also test if the APIs are functioning correctly by validating the inputs and ensuring the data is structured in the right format.
    • API testing tools have APIs themselves, enabling the data they generate to be integrated with larger application performance monitoring systems.

    Other best practices for API testing include:

    • Continuously testing API endpoints to ensure availability – proactively monitoring API endpoints will help identify outages or performance issues quickly. This minimises the impact on end-users.
    • Test functionality of new deployments to catch issues before users are impacted – when rolling out new features as part of a release, it is imperative to measure the impact on existing API integrations. The application can slow down drastically or even crash if the changes in the application do not work with the APIs you use.
    • Test all application API dependencies to ensure performance is not degraded – when you have multiple APIs built into your application or you provide APIs that integrate with applications using multiple APIs, then it is highly recommended to test API dependencies regularly as these tend to be constantly updated or upgraded.
    • Ensure you are enforcing SLAs using API monitoring – the faster you can identify performance issues, the faster you can fix it. Resolving issues quicker makes it easier to avoid breaching SLAs.

    Conclusion

    APIs are a fundamental part of the internet fabric, enabling services that may otherwise not be possible. Applications not only provide APIs but also integrate with multiple other applications using APIs. Monitoring such complex integrations is essential when we talk about the ideal APM strategy. APM must include API monitoring solutions that not only monitor API endpoints but also evaluates the performance of all APIs that are consumed by the application itself. This provides a comprehensive application performance analysis that accounts for every function/process handled by the application.

    To conclude, it is vital to test APIs before, during and after implementation, to ensure they’re available, fast, secure and otherwise working properly. As the saying goes, “a chain is only as strong as its weakest link,” and with APIs becoming more ubiquitous, it is critical to include them in broader software testing initiatives.

    Written by Mehdi Daoudi, Co-Founder and CEO, Catchpoint