Product
Solutions
Solutions
7 min read
Master API testing with functional, performance, and security strategies. Learn testing best practices with real examples and tools for building reliable APIs.
Proper testing catches problems before they reach production, validates your API contract, and builds confidence in your system.
Let's explore the three essential pillars of API testing: functional testing to verify correctness, performance testing to ensure scalability, and security testing to protect against vulnerabilities.
Functional testing confirms that your API behaves according to its specifications. This means checking that endpoints return expected responses, handle errors gracefully, and maintain consistent behavior across different scenarios.
Structure your testing efforts using the testing pyramid:
This approach focuses most of its effort on reliable unit tests while ensuring the system functions properly.
Unit tests verify that your core business logic works correctly. For an API like the AI Prompt Enhancer, unit tests check that:
describe('Prompt Enhancement Service', () => {
it('should return enhanced prompts longer than input', async () => {
const result = await enhancePrompt({
originalPrompt: 'Write about APIs'
});
expect(result.length).toBeGreaterThan('Write about APIs'.length);
expect(result).toContain('WRITING GUIDANCE');
});
it('should reject empty inputs appropriately', async () => {
await expect(enhancePrompt({ originalPrompt: '' }))
.rejects
.toThrow('Invalid or missing original prompt');
});
});When testing functions that call external services, use mocking to avoid slow, expensive, or unreliable external calls during testing.
Integration tests verify that your endpoints work correctly when all components interact.
This is where tools like Aspen by Treblle become incredibly useful for API testing workflows.
Aspen provides a native macOS app that lets you test APIs locally without requiring logins or sending data to external servers. Its zero-trust approach means your sensitive API keys and test data stay on your machine.
Aspen's AI assistant Alfred makes it particularly valuable. It can automatically generate test cases and integration code from your API responses. When you test an endpoint manually in Aspen, Alfred learns from the response structure and can create data models, OpenAPI specifications, and even integration code in multiple programming languages.
Aspen's collections feature helps teams working with complex APIs organize and share test cases.
You can export collections to share with team members or create expiring links to share specific tests with external developers, all while keeping your data local and secure.
E2E tests verify complete user workflows by simulating how clients use your API. These tests might cover scenarios like:
describe('Complete Prompt Workflow', () => {
let promptId;
it('should create, retrieve, update, and delete a prompt', async () => {
// Create
const createResponse = await request(app)
.post('/v1/prompts')
.set('Authorization', `Bearer ${token}`)
.send({ text: 'Original prompt' });
promptId = createResponse.body.id;
expect(createResponse.status).toBe(200);
// Retrieve
const getResponse = await request(app)
.get(`/v1/prompts/${promptId}`)
.set('Authorization', `Bearer ${token}`);
expect(getResponse.body.originalText).toBe('Original prompt');
// Update
const updateResponse = await request(app)
.put(`/v1/prompts/${promptId}`)
.set('Authorization', `Bearer ${token}`)
.send({ text: 'Updated prompt' });
expect(updateResponse.body.originalText).toBe('Updated prompt');
// Delete
await request(app)
.delete(`/v1/prompts/${promptId}`)
.set('Authorization', `Bearer ${token}`)
.expect(204);
});
});Performance testing reveals how your API behaves under load and helps identify bottlenecks before they impact users. Many developers skip this step, only to face problems when their API gains popularity.
Without performance testing, you won't know:
K6 provides an excellent platform for API load testing. Here's a practical load test for an API:
import http from 'k6/http';
import { check } from 'k6';
export const options = {
stages: [
{ duration: '30s', target: 10 }, // Ramp up
{ duration: '2m', target: 20 }, // Stay at 20 users
{ duration: '30s', target: 0 }, // Ramp down
],
thresholds: {
http_req_duration: ['p(95)<2000'], // 95% under 2s
http_req_failed: ['rate<0.01'], // Less than 1% failures
},
};
export default function () {
const response = http.post('https://api.example.com/v1/prompts',
JSON.stringify({ text: 'Test prompt for load testing' }),
{ headers: { 'Authorization': `Bearer ${__ENV.API_TOKEN}` }}
);
check(response, {
'status is 200': (r) => r.status === 200,
'response time < 2000ms': (r) => r.timings.duration < 2000,
'has enhanced text': (r) => JSON.parse(r.body).enhancedText !== undefined,
});
}This test simulates realistic usage patterns and defines success criteria. If your API fails these thresholds, you need to optimize it before production deployment.
Common performance issues in APIs include:
For APIs that call external services, implement:
Security testing identifies weaknesses that attackers could exploit. APIs are attractive targets because they often expose sensitive data and business logic.
Verify that your authentication system works correctly:
describe('Authentication Security', () => {
it('should reject requests without tokens', async () => {
const response = await request(app)
.post('/v1/prompts')
.send({ text: 'Test prompt' });
expect(response.status).toBe(401);
expect(response.body.error.code).toBe('missing_token');
});
it('should reject invalid tokens', async () => {
const response = await request(app)
.post('/v1/prompts')
.set('Authorization', 'Bearer invalid_token')
.send({ text: 'Test prompt' });
expect(response.status).toBe(403);
});
it('should handle timing attacks safely', async () => {
// Test with different key lengths to ensure constant-time comparison
const shortKeyTime = await timeRequest('short');
const longKeyTime = await timeRequest('a'.repeat(100));
// Time difference should be minimal for proper constant-time comparison
expect(Math.abs(shortKeyTime - longKeyTime)).toBeLessThan(50);
});
});Test that your API properly validates and sanitizes all inputs:
describe('Input Validation Security', () => {
it('should prevent XSS attacks', async () => {
const maliciousScript = '<script>alert("XSS")</script>';
const response = await request(app)
.post('/v1/prompts')
.set('Authorization', `Bearer ${validToken}`)
.send({ text: maliciousScript });
expect(response.status).toBe(200);
expect(response.body.enhancedText).not.toContain('<script>');
});
it('should reject oversized payloads', async () => {
const longString = 'a'.repeat(10000);
const response = await request(app)
.post('/v1/prompts')
.set('Authorization', `Bearer ${validToken}`)
.send({ text: longString });
expect(response.status).toBe(413);
});
});Verify that your rate limiting protects against abuse:
describe('Rate Limiting', () => {
it('should limit excessive requests', async () => {
const requests = Array(25).fill().map(() =>
request(app)
.post('/v1/prompts')
.set('Authorization', `Bearer ${validToken}`)
.send({ text: 'Test prompt' })
);
const responses = await Promise.all(requests);
const rateLimitedResponses = responses.filter(r => r.status === 429);
expect(rateLimitedResponses.length).toBeGreaterThan(0);
});
it('should include rate limit headers', async () => {
const response = await request(app)
.post('/v1/prompts')
.set('Authorization', `Bearer ${validToken}`)
.send({ text: 'Test prompt' });
expect(response.headers).toHaveProperty('x-ratelimit-limit');
expect(response.headers).toHaveProperty('x-ratelimit-remaining');
expect(response.headers).toHaveProperty('x-ratelimit-reset');
});
});Comprehensive testing builds confidence in your API for both you and your users. It ensures your API works correctly, handles load appropriately, and protects against common vulnerabilities.
