Welcome!
• We’ll use Postman for some of our examples. If you would like to follow along, download Postman now: www.getpostman.com.
• Feel free to pair with someone!
• We’ll provide collections at the end of our talk.
• Follow @apidemo_carter on Twitter!
JoEllen Carter / Lisa Crispin
Overview
• What is an API?
• History of API growth
• Current API landscape
• How APIs work, including some hands-on demos
• Strategies and tools for testing an API
• API Stories
What is an Application Programming Interface?
Interfaces
• Touch
• Voice
• Sight
Api fundamentals
[Diagram: the API sits between your application and the world]
[Chart: API growth, 2000 to 2008]
Why RESTful?
• REST: Representational state transfer
• Uniform and predefined set of stateless operations
• People can “just know things” about an API that’s RESTful
How does an Application Programming Interface work?
RPC SOAP HTTP HTTPS CoAP …
HTTP Request
• URL
• Method
• Headers
• Body
URL
https://api.twitter.com/1.1/statuses/update.json?status=testing
{base url} / {version} / {endpoint} ? {query parameters}
Methods
• GET – Get some data about an object or ‘resource’
• POST – Create a new resource
• PUT – Update a resource
• DELETE – Delete a resource
Headers
• Headers are key/value combinations that specify additional information about the request
• Some common request headers are:
• Content-type
• Authentication
• Accept
• Origin
Body
• Data to send with the request – usually for a POST or PUT
• Data format – xml, json, etc. – is specified by the content-type header
{
  "location": {
    "lat": -33.8669710,
    "lng": 151.1958750
  },
  "accuracy": 50,
  "name": "Google Shoes!",
  "phone_number": "(02) 9374 4000",
  "address": "48 Pirrama Road, Pyrmont, NSW 2009, Australia",
  "types": ["shoe_store"],
  "website": "http://www.google.com.au/",
  "language": "en-AU"
}
What about cookies?
• RESTful API requests should be self-reliant
• Cookies are session-dependent, so not independent
• Using cookies to store data means your API is not RESTful
Authentication
• Insecure – Authorization token in URL
  • https://api.darksky.net/forecast/{{token}}/39.9026420,-105.0905190
  • https://maps.googleapis.com/maps/api/place/nearbysearch/json?key={{googlemapsKey}}
• Basic
  • Username:password are concatenated and encoded
  • Sent in Authorization header
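The two points on this slide, plus the URL layout from the URL slide ({base url} / {version} / {endpoint} ? {query parameters}), as an added Node.js example. This is not code from the talk, from Postman or from any of the APIs named above: the example.com hosts, the token value and the list of parameter names treated as credentials are all constructed here. The first function splits a URL into the slide's parts, the second flags a credential travelling in the URL (the "insecure" case), and the last two build and decode a Basic Authorization header to show that base64 is encoding, not encryption.

```javascript
// Added example, not from the slides. Node.js (CommonJS), standard library only.

// Query parameter names that usually carry a credential. This list is an
// assumption of the example; extend it for the APIs you test.
const SECRET_PARAM_NAMES = new Set([
  'key', 'api_key', 'apikey', 'token', 'access_token', 'secret', 'password',
]);

// Split a request URL into the parts named on the URL slide:
// {base url} / {version} / {endpoint} ? {query parameters}
function decomposeUrl(raw) {
  const u = new URL(raw);
  const segments = u.pathname.split('/').filter(Boolean);
  // Treat the first path segment that looks like "1.1", "v2" or "2017-03-01" as the version.
  const versionIdx = segments.findIndex((s) => /^v?\d+(\.\d+)*$|^\d{4}-\d{2}-\d{2}$/.test(s));
  const version = versionIdx >= 0 ? segments[versionIdx] : null;
  const rest = versionIdx >= 0 ? segments.slice(versionIdx + 1) : segments;
  const query = {};
  for (const [k, v] of u.searchParams) query[k] = v;
  return { baseUrl: `${u.protocol}//${u.host}`, version, endpoint: '/' + rest.join('/'), query };
}

// The slide's first bullet: a credential in the URL is insecure because URLs end up in
// browser history, proxy and server logs and Referer headers. knownSecrets holds
// credential values the tester already has (for instance a Postman variable's value).
function findCredentialsInUrl(raw, knownSecrets = []) {
  const u = new URL(raw);
  const findings = [];
  if (u.protocol !== 'https:') findings.push('request is not sent over https');
  for (const name of u.searchParams.keys()) {
    if (SECRET_PARAM_NAMES.has(name.toLowerCase())) {
      findings.push(`query parameter "${name}" looks like a credential`);
    }
  }
  for (const secret of knownSecrets) {
    if (secret && (u.pathname.includes(secret) || u.search.includes(secret))) {
      findings.push('a known secret value appears in the URL');
    }
  }
  return findings;
}

// Basic authentication as the slide describes it: "username:password", base64-encoded,
// sent in the Authorization header. Base64 is reversible, which is why Basic is only
// acceptable over TLS.
function basicAuthHeader(username, password) {
  return 'Basic ' + Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
}

// Anyone who can read the header can recover the credentials; this is the check a
// tester runs against a captured request to demonstrate that.
function decodeBasicAuth(headerValue) {
  const [scheme, encoded] = headerValue.split(' ');
  if (scheme !== 'Basic' || !encoded) return null;
  const decoded = Buffer.from(encoded, 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  if (i < 0) return null;
  return { username: decoded.slice(0, i), password: decoded.slice(i + 1) };
}

// Stand-alone run over constructed URLs (example.com hosts, made-up token and key).
const EXAMPLE_URLS = [
  'https://api.example.com/1.1/statuses/update.json?status=testing',
  'https://api.example.com/forecast/EXAMPLE-TOKEN-123/39.9026420,-105.0905190',
  'http://maps.example.com/place/nearbysearch/json?key=EXAMPLE-KEY',
];
for (const url of EXAMPLE_URLS) {
  console.log(url, decomposeUrl(url), findCredentialsInUrl(url, ['EXAMPLE-TOKEN-123']));
}
console.log(basicAuthHeader('Aladdin', 'open sesame'), decodeBasicAuth(basicAuthHeader('Aladdin', 'open sesame')));
```

The version detection is a heuristic for the path shapes the slides show; APIs that put the version in a header or the host name will report `version: null`, which is itself worth noting in a test.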
Authentication - OAuth
• OAuth 1/2 - https://oauth.net/
[Diagram: OAuth flow with the Service Provider]
Authentication - JWT
JSON Web Token https://jwt.io/ – an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object
• Header – type of token (JWT) and hashing (signing) algorithm
• Payload – contains ‘claims’, or information about the user
• Signature – produced by the header-specified algorithm over the encoded header + encoded payload, using the secret
Let’s try a GET now…
• We’ll hit the Dark Sky API to get our current weather
HTTP Response
• URL
• Status Code
• Headers
• Body
Common Status Codes
• 200 OK
• 400 Bad Request
• 403 Forbidden
• 404 Not Found
• 500 Internal Server Error
• 503 Service Unavailable
• 504 Gateway Timeout
Let’s try a POST now…
• We’ll post a tweet from #MHA2017
How do we test APIs?
Security
• Basic
  • Authentication tokens are valid/present
  • Account boundaries are not violated
  • SSL is enforced/warned when not present
• Hacker-in-training
  • Injection points – headers, parameters, body
  • Recording tools – what is exposed/available
• White Hat hacker - OWASP
  • REST Security Cheat Sheet
  • OWASP Top 10 security vulnerabilities – new section on Under-protected APIs
Functional
• Basic
  • Correct status codes are generated for invalid inputs
  • Request/response bodies contain the correct content type and schema
  • Backwards-compatibility for public APIs – previous tests continue to pass or breaking changes are clearly documented – aka regression testing
• Advanced
  • Join API requests together to mirror application functionality
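The basic security checks on the previous slide (token present and valid, account boundaries respected) and the basic functional checks on this one (correct status code for invalid input, correct content type and schema) all reduce to the same kind of assertion over a response. The following added Node.js example, which is not code from the talk or from Postman, runs one check table covering both slides against a constructed in-memory stand-in for an API; the endpoint, tokens and order data are made up for the example. Against a real API the `fakeApi(req)` call would be replaced by an HTTP request returning the same `{status, headers, body}` shape.

```javascript
// Added example, not from the slides. Node.js, standard library only.

// Constructed stand-in for the API under test: GET /users/{user}/orders?limit=N with
// bearer tokens mapped to accounts. Everything here is made up for the example.
const TOKENS = { 'example-token-alice': 'alice', 'example-token-bob': 'bob' };
const ORDERS = {
  alice: [{ id: 1, total: 10.5 }, { id: 2, total: 4.0 }],
  bob: [{ id: 3, total: 99.0 }],
};

function fakeApi(req) {
  const json = (status, body) => ({
    status, headers: { 'content-type': 'application/json; charset=utf-8' }, body: JSON.stringify(body),
  });
  const token = (req.headers.authorization || '').replace(/^Bearer\s+/i, '');
  const caller = TOKENS[token];
  if (!caller) return json(401, { error: 'missing or invalid token' });
  const m = /^\/users\/([a-z]+)\/orders$/.exec(req.path);
  if (!m) return json(404, { error: 'not found' });
  if (m[1] !== caller) return json(403, { error: 'forbidden' }); // account boundary
  const limit = req.query.limit === undefined ? 10 : Number(req.query.limit);
  if (!Number.isInteger(limit) || limit < 1 || limit > 100) {
    return json(400, { error: 'limit must be an integer between 1 and 100' });
  }
  return json(200, { orders: ORDERS[caller].slice(0, limit) });
}

// The reusable part: compare one response with what the test expects.
// expected = { status, contentType, schema: { field: 'string' | 'number' | 'array' | 'object' } }
function checkResponse(res, expected) {
  const problems = [];
  if (res.status !== expected.status) problems.push(`status ${res.status}, expected ${expected.status}`);
  const mediaType = (res.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (mediaType !== expected.contentType) problems.push(`content-type "${mediaType}", expected "${expected.contentType}"`);
  let body;
  try {
    body = JSON.parse(res.body);
  } catch (e) {
    problems.push('body is not valid JSON');
    return problems;
  }
  for (const [field, type] of Object.entries(expected.schema || {})) {
    if (!(field in body)) problems.push(`missing field "${field}"`);
    else if (type === 'array' ? !Array.isArray(body[field]) : typeof body[field] !== type) {
      problems.push(`field "${field}" is not ${type}`);
    }
  }
  return problems;
}

// One row per slide bullet: security (401, 403) and functional (400, 200 + schema).
const JSON_ERROR = { contentType: 'application/json', schema: { error: 'string' } };
const AS_ALICE = { authorization: 'Bearer example-token-alice' };
const CASES = [
  { name: 'token missing', req: { path: '/users/alice/orders', headers: {}, query: {} }, expect: { status: 401, ...JSON_ERROR } },
  { name: 'token invalid', req: { path: '/users/alice/orders', headers: { authorization: 'Bearer nope' }, query: {} }, expect: { status: 401, ...JSON_ERROR } },
  { name: 'account boundary', req: { path: '/users/bob/orders', headers: AS_ALICE, query: {} }, expect: { status: 403, ...JSON_ERROR } },
  { name: 'invalid input', req: { path: '/users/alice/orders', headers: AS_ALICE, query: { limit: '-1' } }, expect: { status: 400, ...JSON_ERROR } },
  { name: 'happy path', req: { path: '/users/alice/orders', headers: AS_ALICE, query: { limit: '1' } },
    expect: { status: 200, contentType: 'application/json', schema: { orders: 'array' } } },
];

// Run the table; returns [{ name, problems }] so CI can fail on any non-empty problems list.
function runCases(api = fakeApi, cases = CASES) {
  return cases.map((c) => ({ name: c.name, problems: checkResponse(api(c.req), c.expect) }));
}

for (const r of runCases()) console.log(r.problems.length ? 'FAIL' : 'PASS', r.name, r.problems);
```

Keeping the cases as data rather than as separate test functions is what makes the "previous tests continue to pass" bullet cheap to honour: a new API version is run against the same table, and any row that starts producing problems is either a regression or a breaking change that needs documenting.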
Exploratory
• Identify the variable bits – things that can/will/might change
• Requests –
  • Method
  • Mix/match endpoints
  • Parameters
  • Headers, especially content type
• Content type
• Size, Depth – images, json/xml nesting
• Timing & Frequency – what happens with caching?
Heuristics
• Apply heuristics to the variables
  • Zero, One, Many
  • Some, None, All
  • Beginning, Middle, End
  • Too Many, Too Few
  • Relative Position, i.e. content
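The heuristics listed above turned into concrete test inputs for one variable of a request, as an added Node.js example that is not code from the talk. The parameter specs (a list with a documented maximum, a string with a length range) and the base request body are constructed for the example; the body is loosely modelled on the JSON from the Body slide.

```javascript
// Added example, not from the slides. Node.js, standard library only.

// Count heuristics (None, Zero, One, Some/Many, All, Too Many) for a list-valued
// parameter whose documented maximum is spec.maxItems. makeItem(i) builds one element.
function countCases(spec) {
  const list = (n) => Array.from({ length: n }, (_, i) => spec.makeItem(i));
  return [
    { heuristic: 'None (parameter omitted)', value: undefined },
    { heuristic: 'Zero (empty list)', value: list(0) },
    { heuristic: 'One', value: list(1) },
    { heuristic: 'Some / Many', value: list(Math.max(2, Math.floor(spec.maxItems / 2))) },
    { heuristic: 'All (exactly the limit)', value: list(spec.maxItems) },
    { heuristic: 'Too Many (one past the limit)', value: list(spec.maxItems + 1) },
  ];
}

// Position heuristics (Beginning, Middle, End): where an unusual element sits in the list.
function positionCases(baseItems, oddItem) {
  const insertAt = (i) => [...baseItems.slice(0, i), oddItem, ...baseItems.slice(i)];
  return [
    { heuristic: 'Beginning', value: insertAt(0) },
    { heuristic: 'Middle', value: insertAt(Math.floor(baseItems.length / 2)) },
    { heuristic: 'End', value: insertAt(baseItems.length) },
  ];
}

// Length heuristics for a string field: Too Few / Too Many, plus special content at
// Beginning, Middle and End (the slide's Relative Position). spec.special is the
// content to place, e.g. a non-ASCII character.
function stringCases(spec) {
  const fill = (n) => 'a'.repeat(Math.max(0, n));
  const room = spec.maxLength - spec.special.length;
  const half = Math.floor(room / 2);
  return [
    { heuristic: 'Too Few', value: fill(spec.minLength - 1) },
    { heuristic: 'Too Many', value: fill(spec.maxLength + 1) },
    { heuristic: 'Special at Beginning', value: spec.special + fill(room) },
    { heuristic: 'Special in Middle', value: fill(half) + spec.special + fill(room - half) },
    { heuristic: 'Special at End', value: fill(room) + spec.special },
  ];
}

// Apply a case list to one variable of a request body: each case becomes a complete
// body, with the field removed entirely for the "None" case.
function applyToBody(baseBody, field, cases) {
  return cases.map((c) => {
    const body = { ...baseBody };
    if (c.value === undefined) delete body[field];
    else body[field] = c.value;
    return { heuristic: c.heuristic, body };
  });
}

// Constructed request body and parameter specs.
const BASE_BODY = { name: 'Example Store', types: ['shoe_store'], language: 'en-AU' };
const TYPES_SPEC = { maxItems: 5, makeItem: (i) => `type_${i}` };
const NAME_SPEC = { minLength: 1, maxLength: 20, special: 'ñ' };

for (const c of applyToBody(BASE_BODY, 'types', countCases(TYPES_SPEC))) {
  console.log(c.heuristic, JSON.stringify(c.body));
}
for (const c of applyToBody(BASE_BODY, 'name', stringCases(NAME_SPEC))) {
  console.log(c.heuristic, JSON.stringify(c.body));
}
console.log(positionCases(BASE_BODY.types.concat(['book_store', 'cafe']), 'unknown_type'));
```

Each generated body is sent with the same request skeleton and checked against the expected status code (400 for Too Few / Too Many, 200 or 201 for the in-range cases), which is how the exploratory list above becomes a repeatable test set.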
Automation
• Part of your CI/CD pipeline
• Part of the development process, since tests can be run in both local and pre-production environments
• Performance
  • Combine tests with monitoring
• Tools
  • Postman
    • Command line runner that can be integrated into your CI
    • Developer adoption is high
  • Runscope
    • Powerful code snippets
Supporting an API
Tracker API, rewritten in 2012-13
• Our own client software uses the public API, same as customers
  • With some private endpoints
• Leading practices: RESTful, JSON in & out
• Versioning
  • Only changes are additions
  • Promote new endpoints through various stages
  • “edge” version
• Metadata-driven
  • Reference doc generated from metadata and unit test outputs
Long-term results
• Few support requests
  • Thanks to comprehensive unit tests, comprehensive doc & examples
• Comprehensive doc for devs to introduce new endpoints
• Many new endpoints added
  • Mostly without pain – one backwards compatibility issue
• Postman regression tests run in CI in addition to unit tests
  • Include performance checks
Questions? Stories?
Take-aways
• APIs are the engine behind the apps we use every day
• APIs are an integral part of our agile processes - APIs make apps more testable, and can be tested!
• APIs add value to your product - maybe your company/product/team needs an API?
• You’ve learned some terms about RESTful web services – go forth and learn more!
Links
• ProgrammableWeb
• API Security Testing
• OWASP Top 10 Project
• List of HTTP Header fields
• Varonis - Introduction to OAuth
• Oauth.net
• Understanding REST and RPC
