TestArchitect Corner: Authentication Methods in API Testing

These are the popular authentication methods in TestArchitect

Authentication in API testing is usually a complicated subject for both developers and testers since it requires extensive knowledge on various types of security protocols and encryption algorithms.

With that said, almost all API consumers must authenticate themselves before being granted certain privileges, such as provisioning a mobile device on the cloud or creating a new database record. This article will explain some of the most popular authentication methods and how you can work through them using TestArchitect.

What is authentication in web service testing?

Normally, a web service needs to know to whom it’s providing the service. Thus the API consumers must authenticate themselves—proving that “they are who they say they are” via various authentication methods.

A good authentication method protects the sensitive information exchanged between the client and the server. That means any malicious attackers sniffing the messages must not be able to decrypt them and get the credential of the client.

Authentication also helps the service provider classify the client and set the right permission for them (authorization). Furthermore, in the world of cloud, it helps the service provider keep track of the client’s usage to properly bill them.

Popular Authentication Methods

There are many ways to authenticate in API testing including both standard and non-standard methods. Some services creatively invent their own peculiar method or implement a variation of a popular one. Thus, when we test an API, we must be well aware of the authentication methods the API under test is using. However, technically speaking, the data used for authentication can only reside in these 3 places:

  • HTTP request’s headers
    e.g. basic authentication method with username/password, Digest, OAuth…
  • HTTP request’s body
    e.g. form authentication
  • HTTP request’s URL
    e.g. API key

We’ll focus on the most common methods which are OAuth 2.0 and API key.

API key

API key was used from the first days of web API. It’s simple and easy to use but not very secured. Developers usually choose API key when the API is not business-critical and convenience trumps security concerns, such as an API to only read weather data. Since API key exists plainly in the http messages exchanged between the client and the web service (e.g. http headers, URL), anyone sniffing the messages can obtain the API key and take advantage of it.

Systems such as YouTube or AWS require their API consumers to authenticate using an API key. They usually keep track of the user’s usage history and the number of API calls. You cannot abuse the service by calling its API indefinitely. Usually they put a limit on the number of API calls per minute.

In this example, we’ll create a script to get a list of videos associated with a specified video (caption tracks) from YouTube then verify the returned number of associated videos. For more information of this REST resource, check out this page.

  • The first step is obtaining an API key from Google (available here)
    NOTE: If you’re testing your in-house web service, you should contact the developer team to retrieve an API key for testing purpose.
  • Next, we open TestArchitect and author a test case as below

#Initial: This part sets the precondition of the test case. In this case, “I” creates a variable to store the API key.

#Test case: Verify the number of associated video.

Then we send the request and handle for response result. The body of the response is a JSON string so we’re using JsonPath to query out the “item.size()” chunk. The number of associated videos of this particular video is expected to be “11”.

OAuth 2.0

OAuth 2.0 is another mature authentication method widely adopted by giant web service providers, such as Google, and Facebook.

OAuth 2.0 is the best choice for identifying personal user accounts and granting proper permissions. It requires physical confirmation from the user such as 2-step authentication to get an access token. OAuth is very secured for accessing sensitive data and services. However, disadvantages include difficulties in implementation, and that it is harder to use.

In the below example, we’ll upload an image to http://api.imgur.com with OAuth 2.0.

  • To work with OAuth 2.0, we must first get the access token string. This step is different for each web service. You can manually perform this step or automate it via the web UI. Good news is it only needs to be done once.
    Imgur.com has detailed instruction on how to obtain an access token here.
  • The next step is calling the web API with the correct authentication information. Since we want to upload an image, the http method of choice is POST. The REST end point of interest is https://api.imgur.com/3/image. For more information about this end point, check out this documentation.

#Initial: This part is used to set the precondition of the test case. In this case, we create a high level action “get token” to get the token string via UI with steps:

  • Request a token by opening the correct URL on a web browser
  • Confirm with the correct username and password via GUI automation
  • Parse the redirect URL to get the desirable token

#Test case: Upload an image and verify the returned code

At first, we create an http request and then add authentication information to that http request by line #23.

Note: The schema should be correct. We use “OAuth 2.0” in this example.

  • The rest of the test case is to configure the necessary information required by the API and send the http request. For more information, see the REST end point’s description above.
  • Note: We can add an expected code to the “send http request” action or we can parse the returned value in “result” variable by the “parse http response” action. Ultimately, this test case only passes if the returned code is 200.


These are only two common examples representing countless ways to authenticate an API consumer in the web service testing world. We can safely conclude that authentication comes in all shapes and sizes. But the key takeaway point is: you need to understand your API under test. For each API, we’ll have to deal with one or even many authentication methods. However, don’t feel overwhelmed just yet. Like we have discussed, it all comes down to attaching the authentication information to an http request. Codeless testing is easy but only after we grasp the ropes of it.


Khai Tran is the Product Owner of the Automation team of LogiGear’s product TestArchitect. He is very passionate about test automation and strives to better himself as a manager, and the development community as a whole.

Get TestArchitect Team Free

Khai Tran
Khai Tran is the Product Owner of the Automation team of LogiGear’s product TestArchitect. He is very passionate about test automation and strives to better himself as a manager, and the development community as a whole.
Thuc Nguyen
Thuc Nguyen has been leading the product teams at LogiGear in delivering quality Test Automation solutions to LogiGear’s customers and services clients. Thuc has a great passion for helping organizations transform their Test Automation, Continuous Delivery and DevOps practices, as well as empowering testers of all technical levels to thrive in complex enterprise environments.
Thuc Nguyen on Linkedin

The Related Post

An overview of web service testing solutions for traditional or non-technical testers. Much has been written on the technical execution of API tests, yet there are gaps in the details of what tests to design and how to design them. The articles tend to either get too technical too fast, or are too vague and ...
API testing has long been misunderstood as well-confined in the territory of developers. It’s natural to think that we must write code to test our code. However, it doesn’t have to be that way anymore. Business testers who have deep domain knowledge are now able to take on the challenges of API testing without coding. ...
 Understanding the pieces of the web service testing puzzle can make testing easier For people wanting a broader understanding of more pieces in the web service testing puzzle, here is a breakdown of the various possible components of an API.
APIs are the unsung hero of our connected world We live in an exciting age of intelligence, where progress moves at the speed of imagination. We are connected to the world and one another like never before. API (Application Programming Interface) is the unsung hero of our connected world. Here’s everything you need to know ...
Summary Remember that Agile is not an SDLC. Neither are Scrum and XP for that matter. Instead, these are frameworks for projects; they are built from practices (for example, XP has 12 core practices). Scrum and XP advocates will freely recommend that you pick a few practices to implement, then keep what works and discard ...
Lack of information and access to information isn’t an issue with web services. Web service documentation is widely available. Overview     One of the major persistent complaints from people who test is lack of information and lack of access to information. Luckily this is not the case with web services. If in the rare case with ...
A case-study using: Java, REST Assured, Postman, Tracks, Curl and HTTP Proxies This is the first book review I have written on my site. So of course I had to choose a great book that was relevant to my niche. Alan Richardson’s book on Automating & Testing a REST API fits the bill perfectly. I am a big ...
An approach to secure maintainability and scalability for API testing projects One of the most important tasks in API testing is designing the input data whose quantum could explode due to the combination of a vast number of arguments. An experienced tester will inevitably figure out the advantages of the pairwise method in efficiently picking ...
Social APIs are omnipresent and create special cases for testing. If you understand API testing, especially web service type APIs, testing social APIs is easy to grasp. The use of social APIs makes them a special case. They are omnipresent and very well understood. What this means is you need to have a good understanding ...
Here are some books you might find useful when developing your web services API testing strategy. The Art of Application Performance Testing by Ian Molyneaux — This book was just released and I found it an outstanding conceptual overview of performance testing a web based application. The book does a great job of reviewing the ...
API testing is different from GUI testing, but it doesn’t take long to master. What is an API? API is an acronym for Application Programming Interface. It enables communication and data exchange between two separate software systems. A software system implementing an API contains functions/subroutines which can be executed by another software system.

Leave a Reply

Your email address will not be published.

Stay in the loop with the lastest
software testing news