Application Programming Interfaces (APIs) are a current trend in the banking and financial industry, helping organizations across their various service lines. Their many benefits have led banks to create multiple APIs so that their services extend to client servers and users no longer have to toggle between ERP platforms and banking systems. Currently, banks are using APIs for UPI collection, Reverse MIS, fetching bank statements, account balance checking, payment enquiry, opening accounts, and adding beneficiaries, to name a few.
APIs have become an integral part of banking transactions because they simplify banking processes and remove complexity. Banks distribute complex transactions to open-source platforms to offer ease of use to users and reduce the liability on in-house banking systems. But testing APIs is not easy. There are always initial challenges:
- Lack of a suitable simulator for sending requests/responses while executing API testing for open-source, commercial, and other platforms
- Integrating multiple API testing tools
- Impact of change, as a small alteration can impede the entire output
- Lack of understanding of business application logic and functionality knowledge
- Managing extensive test data
- Feeding incorrect input values
- Inadequate knowledge of parameter combinations
Background of API testing
- Initial setup – Automated testing is necessary to confirm that APIs can sustain the performance load and pressure.
- Handling response – This relates to data formatting: confirming that APIs are capable of handling requests and responses.
- Parameter combination – Another challenge is testing all possible request-parameter combinations, since some problems appear only within specific configurations.
- Arranging API calls sequence – API calls must be arranged in the correct order to eliminate errors. The challenge increases when working with multi-threaded applications or multiple APIs.
- Validating parameters – Validating the parameters sent through APIs can be challenging for the testing team. Every parameter sent through API requests must carry the correct data type, fit within the length limit and value range, and pass the validation criteria.
- Tracing system integration – It is a challenge to ensure that the API testing systems work correctly with the data tracking systems. It is crucial to monitor API performance to ensure that APIs return the correct responses.
- Ensuring security of sensitive data – Banks must maintain API security at many layers, as the data is highly sensitive and vulnerable to cyber threats. But maintaining API security at multiple layers is challenging.
Each additional parameter exponentially increases the number of possible combinations, and the challenges grow with it. Testing multiple API integrations intensifies these challenges further.
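As an added illustration (not code from the original article or from Yethi), the following Python example validates each request parameter for data type, length, format, and value range, then runs every combination of candidate values through the validator. The field names, limits, and candidate values are assumptions constructed for the example; the payment modes are the ones named in this article.

```python
import re
from decimal import Decimal
from itertools import product

# Constructed rules for a hypothetical fund-transfer request (not a real bank's spec).
RULES = {
    "amount": {"pattern": r"[0-9]{1,6}\.[0-9]{2}",
               "min": Decimal("1.00"), "max": Decimal("200000.00")},
    "ifsc": {"pattern": r"[A-Z]{4}0[A-Z0-9]{6}"},
    "mode": {"allowed": {"NEFT", "RTGS", "IMPS", "UPI", "FT"}},
    "remarks": {"max_len": 30},
}
# Candidate values per field: valid ones plus probes for type, length, format and range.
CANDIDATES = {
    "amount": ["1.00", "200000.00", "0.99", "200000.01", "-5.00", "1e3", 100],
    "ifsc": ["ABCD0123456", "abcd0123456", "ABCD1123456", "ABCD0123456X"],
    "mode": ["IMPS", "imps", "SWIFT"],
    "remarks": ["invoice 42", "x" * 30, "x" * 31, None],
}
SHOULD_PASS = {"amount": ["1.00", "200000.00"], "ifsc": ["ABCD0123456"],
               "mode": ["IMPS"], "remarks": ["invoice 42", "x" * 30]}

def validate(req):
    """Return a list of validation errors; an empty list means the request passes."""
    errors = [f"{k}: unexpected field" for k in req if k not in RULES]
    for name, rule in RULES.items():
        value = req.get(name)
        if not isinstance(value, str):                 # data type (also catches missing)
            errors.append(f"{name}: missing or not a string")
        elif len(value) > rule.get("max_len", 64):     # length
            errors.append(f"{name}: too long")
        elif "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors.append(f"{name}: bad format")
        elif "allowed" in rule and value not in rule["allowed"]:
            errors.append(f"{name}: not an allowed value")
        elif "min" in rule and not rule["min"] <= Decimal(value) <= rule["max"]:
            errors.append(f"{name}: outside value range")
    return errors

def run_matrix():
    """Try every combination; return (total, accepted, verdicts that contradict expectation)."""
    names = list(CANDIDATES)
    total = accepted = mismatches = 0
    for combo in product(*CANDIDATES.values()):
        expected_ok = all(v in SHOULD_PASS[n] for n, v in zip(names, combo))
        ok = not validate(dict(zip(names, combo)))
        total, accepted = total + 1, accepted + ok
        mismatches += ok != expected_ok
    return total, accepted, mismatches
```

Four fields with 7, 4, 3, and 4 candidate values already produce 336 requests, of which only 4 should be accepted.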
Why is API testing complicated?
API integration in banks is spread across multiple services and channels. Banks use APIs in areas such as:
- Payment (for single or bulk payment systems like NEFT, RTGS, IMPS, UPI, & FT)
- VPA-based payment through UPI API
- Aadhaar-based payment
- Collection or refunds for collections
- Real-time validation of collection through various payment modes
- Refund back to the customer in case of non-validation of remitter
- Real-time validation of cash collection through branches
- Cash Deposit Machine (CDM) and status update
Since banks are implementing APIs on top of service lines that are already multiple and complex, validating multiple APIs becomes critical.
Banks use APIs to communicate between bank and client servers, which makes it easy to transfer data between the two systems. However, banks must ensure that the API integration is seamless and secure in order to safeguard multiple kinds of sensitive data. API payloads are mostly written in XML/JSON. APIs ensure that transactions do not have to switch between the ERP platform and banking systems.
Managing multiple APIs in the banking process is now crucial. Banks have included APIs in mainstream banking, and some critical transactions are done using APIs. Moreover, even without being part of the banking systems, APIs can pull sensitive customer data and use it to complete transactions.
If banks are using multiple APIs simultaneously, call ordering, responses, and requests must be handled in bulk. If the platforms remain unmanaged and unattended, the complexity intensifies further, leading to weak API responses and requests. Multiple-API testing demands immediate attention because:
- API banking is mainstream banking
- It handles multiple and critical transactions
- Weak APIs will disrupt the process flow in ERP platforms and banking systems
- Testing will ensure a smooth flow of the banking process
Are the banks doing enough to test multiple APIs?
To understand if banks are doing enough to test the multiple APIs, we must understand the critical areas of testing APIs.
The three critical areas of API testing are Unit testing, Integration testing, and UI testing. In most scenarios, both manual and automation testing co-exist, but when it is about testing multiple banking APIs, it is recommended to automate API testing wherever applicable. Let us explore the critical areas of API testing one by one.
Unit testing – It is critical to use a mock DB to increase test coverage across a wide range of functional areas. Code keeps changing; hence, it is essential to write an extensive test pack. Refactoring of code must be considered while creating test cases. The more test cases are automated, the more confident developers can be about the software quality. All methods written in the code should be tested.
Integration testing – Integration testing is inevitable and must be performed extensively after unit testing. During the integration testing phase, we must verify:
- HTTP status code
- Response Payload
- Response Headers
- API performance/response time
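The four integration checks listed above, as an added Python example that is not part of the original article: a constructed stub endpoint on a loopback port stands in for a bank API, and `check_endpoint` verifies the status code, response headers, payload fields, and response time. The paths, field names, header policy, and the two-second budget are assumptions.

```python
import json, threading, time, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_FIELDS = {"account", "balance", "currency"}    # assumed response contract
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass proxies

class StubAPI(BaseHTTPRequestHandler):
    """Constructed stand-in for a bank endpoint; paths and fields are assumptions."""
    def do_GET(self):
        good = self.path == "/balance"       # any other path simulates a regression
        body = {"account": "XXXX1234", "balance": "1500.00", "currency": "INR"}
        if not good:
            body["customer_pan"] = "CONSTRUCTED"   # field the contract does not allow
        raw = json.dumps(body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json" if good else "text/html")
        self.send_header("Cache-Control", "no-store" if good else "public")
        self.send_header("Content-Length", str(len(raw)))
        self.end_headers()
        self.wfile.write(raw)

    def log_message(self, *args):            # keep the test run quiet
        pass

def check_endpoint(url, max_seconds=2.0):
    """Return failed checks for one GET; a 4xx/5xx reply raises HTTPError instead."""
    start = time.monotonic()
    with OPENER.open(url, timeout=5) as resp:
        status, headers, raw = resp.status, resp.headers, resp.read()
    failures = [] if status == 200 else [f"status {status}"]
    if headers.get_content_type() != "application/json":
        failures.append("Content-Type is not application/json")
    if headers.get("Cache-Control") != "no-store":
        failures.append("Cache-Control is not no-store")
    try:
        if set(json.loads(raw)) != EXPECTED_FIELDS:
            failures.append("payload fields differ from contract")
    except (ValueError, TypeError):
        failures.append("payload is not a JSON object")
    if time.monotonic() - start > max_seconds:
        failures.append("slow response")
    return failures

def run_demo():
    with HTTPServer(("127.0.0.1", 0), StubAPI) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        results = check_endpoint(base + "/balance"), check_endpoint(base + "/debug")
        server.shutdown()
    return results
```

Comparing the payload against the exact set of expected fields is what catches the extra `customer_pan` field on the second path, even though that reply still returns HTTP 200.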
UI testing – UI testing takes a holistic view, testing the behavioural aspects of the entire application.
To sum it all up, unit testing is done on a larger scale compared to UI testing. Unit testing is fast, easy, cost- & time-efficient. It promptly highlights the areas where the functionality has gone wrong.
Banks are aware of the importance of API testing and are investing sufficient time and effort to test these aspects extensively. This testing must be consistent and in tune with the changes happening in banking APIs globally.
It is essential to consider all of these API testing aspects. Unit and integration testing must be considered at the mid-level range, and UI testing from the business perspective, to test entire applications.
Essentials of stable and secure banking APIs
Stable APIs are those that can handle requests and responses with equal ease. At the initial API setup, it is critical to check whether the APIs can sustain the performance load and pressure. They must be capable of handling requests and responses during data formatting. Stable APIs should pass all possible request-parameter combinations within specific configurations.
A stable API follows the correct order of API calls and eliminates call-order errors. Stable APIs capture the correct data types, fit within the length limit and value range, and pass the validation criteria. If there is any deviation in the parameter order, there will be an error alert. A stable API must return correct responses and work with adequate data tracking systems.
There are different types of APIs (Open APIs, Internal APIs, Partner APIs, Composite APIs, REST APIs, SOAP APIs, JSON-RPC, and XML-RPC), and it is critical to ensure API security. The security level differs in each of the APIs. For example, SOAP APIs are more secure by design compared to REST APIs. REST APIs do not have any in-built security. It depends on the API design.
It is critical to secure REST APIs while deploying, transmitting data, and interacting with clients. REST APIs also have no in-built feature for handling errors or for resending data after an error. REST API security depends on how the APIs are implemented and on the selected architecture. Hence, we can conclude that not all APIs are highly secure and stable in usage. Organizations must put in a little effort to ensure the stability and security of the APIs.
Yethi’s expertise in API testing
At Yethi, we have been associated with many API testing projects. These projects were not entirely devoid of restrictions and limitations. In fact, during test execution, we have seen many such issues. Some of the challenges we have faced are a mix of encrypted and unencrypted APIs, multiple encryption levels and data formats, API tunnelling instability/availability, handling multiple security protocols, and more.
Our approach is to access the API level and check the functionality, reliability, performance, and security of the programming interfaces. API testing uses software to send calls to the API, get output, and note down the system’s response. It concentrates on the business logic layer of the software architecture.
We offer manual and automated API testing to validate requests and responses at various API layers. Considering that unit testing is one of the most important aspects of API testing, we follow strategic steps: unit testing at the unit level, functional testing of each endpoint's fulfilment, availability and performance testing, security testing (VAPT), and acceptance testing (end-to-end requirement testing).
We have experience in executing various types of API testing, as listed below:
- Functionality Testing: To check if the API works and does exactly what it’s supposed to do
- Reliability Testing: To check that the API can be connected to consistently and returns consistent results
- Validation Testing: Helps verify the aspects of product, behaviour, and efficiency of an API
- Load Testing: To verify the performance of the API under both normal and peak conditions
- UI Testing: It involves testing the user interface for the API and other integral parts
- Security Testing: To test that the API is secure against all possible external threats
- Penetration Testing: To detect vulnerabilities of an application from an attacker’s perspective
- Fuzz Testing: To test the API at its limits to prepare for the “worst-case scenarios”
Our intuitive robotic test automation solution, Tenjin, is a functional test automation solution that executes API testing. It is a seamless & effective test automation tool for BA and functional testers. It is proven to be effective across API & GUI-based applications. It can seamlessly execute testing in a simulator and emulator, without having to install an API testing tool separately.
The Tenjin Test Automation solution is REST and SOAP API ready. Features such as auto-learn, auto-discover, and auto-execute help it learn the application interface automatically, access the paths, operations, requests, and responses of different APIs, and build data templates for API requests and responses. It automatically executes processes like sending requests and receiving responses. When sending requests, it validates JSON, XML, and form data, sets header values and request parameters, and supports Basic and OAuth2 authentication. When receiving responses, it validates response headers, the response body, and the HTTP status, and captures and references response values.
- Tenjin deploys API bots, learns the interface of the API under test, builds API metadata, and publishes the API data template
- Design and plan test projects, document test cases, build and map test data, and handle sequencing and scheduling
- Execute via various trigger points, combine flow and data, automate API testing across multiple endpoints, and produce a test execution report
Our experience, solution, and services can support banks in taking an approach to managing multiple APIs. We understand that banks cannot afford to go wrong when testing several critical APIs. If banks have to test many banking APIs simultaneously, they can trust the domain experts and our expertise.