Welcome!
• We’ll use postman for some of our examples. If you would like to follow along,
download postman now. www.getpostman.com.
• Feel free to pair with someone!
• We’ll provide collections at the end of our talk.
• Follow @apidemo_carter on Twitter!
JoEllen Carter / Lisa Crispin
Overview
• What is an API?
• History of API growth
• Current API landscape
• How APIs work, including some hands-on demos
• Strategies and tools for testing an API
• API Stories
What is an Application Programming Interface?
Interfaces
• Touch
• Voice
• Sight
API: sits between your application and the world
(Chart: history of API growth, 2000 to 2008)
Why RESTful?
• REST: Representational state transfer
• Uniform and predefined set of stateless operations
• People can “just know things” about an API that’s RESTful
How does an Application Programming Interface work?
RPC, SOAP, HTTP, HTTPS, CoAP, …
HTTP Request
URL
Method
Headers
Body
URL
https://api.twitter.com/1.1/statuses/update.json?status=testing
{base url} / {version} / {endpoint} ? {query parameters}
Methods
• GET – get some data about an object or ‘resource’
• POST – create a new resource
• PUT – update a resource
• DELETE – delete a resource
Headers
• Headers are key/value combinations that specify additional information about the request
• Some common request headers are:
• Content-type
• Authorization
• Accept
• Origin
Body
• Data to send with the request – usually for a POST or PUT
• Data format – xml, json, etc. – is specified by the content-type header
{
  "location": {
    "lat": -33.8669710,
    "lng": 151.1958750
  },
  "accuracy": 50,
  "name": "Google Shoes!",
  "phone_number": "(02) 9374 4000",
  "address": "48 Pirrama Road, Pyrmont, NSW 2009, Australia",
  "types": ["shoe_store"],
  "website": "http://www.google.com.au/",
  "language": "en-AU"
}
What about cookies?
• RESTful API requests should be self-reliant
• Cookies are session-dependent, so not independent
• Using cookies to store data means your API is not RESTful
Authentication
• Insecure - Authorization token in URL (URLs end up in server logs, proxy logs and browser history, so a token placed there leaks easily)
• https://api.darksky.net/forecast/{{token}}/39.9026420,-105.0905190
• https://maps.googleapis.com/maps/api/place/nearbysearch/json?key={{googlemapsKey}}
• Basic
• Username:password are concatenated and base64-encoded (encoded, not encrypted, so it is only as private as the TLS connection carrying it)
• Sent in Authorization header
Authentication - OAuth
• OAuth 1/2 - https://oauth.net/
Authentication - JWT
JSON Web Token https://jwt.io/ - an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object
• Header – type of token (JWT) and signing (hashing) algorithm
• Payload – contains ‘claims’, or information about the user
• Signature – produced by the header-specified algorithm over the encoded header + “.” + encoded payload, keyed with the secret; the receiver recomputes it, so any change to the header or payload is detected
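As an added example (not code from the slides), the Basic scheme and an HS256 JWT built from the three parts above, together with the verification a server should perform; the secret and the claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values (not from the slides): the shared secret and the user's claims.
SECRET = b"demo-secret-do-not-use-in-production"
SAMPLE_CLAIMS = {"sub": "user-42", "name": "JoEllen", "role": "tester"}
ALLOWED_ALGS = {"HS256"}  # the verifier accepts only the algorithm(s) this server issues


def b64url_encode(raw: bytes) -> str:
    # JWT parts use base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding stripped at encoding time before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    # Header names the token type and the signing algorithm; payload carries the claims.
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    # Signature = HMAC-SHA256(secret, encoded header + "." + encoded payload).
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    # Returns the claims if the token is well formed and its signature matches, else None.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # The token's own 'alg' is untrusted input: accept only what this server issues.
        if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak how many bytes matched.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad split, bad base64, bad JSON, non-ASCII parts
        return None
    return claims if isinstance(claims, dict) else None


def basic_auth_header(username: str, password: str) -> str:
    # Basic auth: "username:password", base64-encoded, sent in the Authorization header.
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode("ascii")


def swap_payload(token: str, new_claims: dict) -> str:
    # Negative test helper: replace the payload but keep the old signature; verify_jwt must reject it.
    header_b64, _, sig_b64 = token.split(".")
    payload_b64 = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sig_b64}"


if __name__ == "__main__":
    token = sign_jwt(SAMPLE_CLAIMS, SECRET)
    print(token)
    print(verify_jwt(token, SECRET))
    print(verify_jwt(swap_payload(token, {**SAMPLE_CLAIMS, "role": "admin"}), SECRET))
    print(basic_auth_header("alice", "s3cret"))
```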
Let’s try a GET now…
• We’ll hit the Dark Sky API to get our current weather
HTTP Response
URL
Status Code
Headers
Body
Common Status Codes
200 OK
400 Bad Request
403 Forbidden
404 Not Found
500 Internal Server Error
503 Service Unavailable
504 Gateway Timeout
Let’s try a POST now…
• We’ll post a tweet from #MHA2017
How do we test APIs?
Security
• Basic
• Authentication tokens are valid/present
• Account boundaries are not violated
• SSL is enforced/warned when not present
• Hacker-in-training
• Injection points – headers, parameters, body
• Recording tools – what is exposed/available
• White Hat hacker - OWASP
• REST Security Cheat Sheet
• OWASP Top 10 security vulnerabilities – new section on Under-protected APIs
Functional
• Basic
• Correct status codes are generated for invalid inputs
• Request/response bodies contain the correct content type and schema
• Backwards-compatibility for public APIs - previous tests continue to pass or breaking changes are clearly documented – aka regression testing
• Advanced
• Join API requests together to mirror application functionality
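The basic security checks (tokens present and valid, account boundaries, SSL enforced) and the basic functional checks (status codes for bad input, content type and schema) written as one runnable check list; this is an added example, not the presenters' Postman collection. The host api.example.test, the stub API, the bearer tokens and the account names are hypothetical stand-ins, and any sender with the same signature can replace stub_send.

```python
import json
from typing import Callable, Dict, Optional, Tuple

# A sender is (method, url, headers, body) -> (status, response headers, response body).
# The checks depend only on this signature, so a sender built on a real HTTP client plugs in.
Response = Tuple[int, Dict[str, str], str]
Sender = Callable[[str, str, Dict[str, str], Optional[str]], Response]

# Constructed stand-in API (hypothetical, not any real service): two accounts, each owning one
# "widget"; bearer token "token-a" belongs to acct-a and "token-b" to acct-b.
BASE_URL = "https://api.example.test/v1"
_WIDGETS = {"acct-a": {"id": 1, "name": "alpha"}, "acct-b": {"id": 2, "name": "beta"}}
_TOKENS = {"token-a": "acct-a", "token-b": "acct-b"}
_JSON = {"Content-Type": "application/json"}


def stub_send(method: str, url: str, headers: Dict[str, str], body: Optional[str] = None) -> Response:
    # Plain HTTP is redirected to HTTPS before anything else is looked at.
    if url.startswith("http://"):
        return 301, {"Location": "https://" + url[len("http://"):]}, ""
    auth = headers.get("Authorization", "")
    acct = _TOKENS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if acct is None:
        return 401, _JSON, json.dumps({"error": "unauthorized"})
    prefix = BASE_URL + "/widgets/"
    owner = url[len(prefix):] if url.startswith(prefix) else None
    # Another account's widget is answered with 404 so the response reveals nothing about it.
    if owner != acct:
        return 404, _JSON, json.dumps({"error": "not found"})
    if method == "PUT":
        try:
            data = json.loads(body or "")
            if not isinstance(data, dict) or not isinstance(data.get("name"), str):
                raise ValueError("name must be a string")
        except ValueError:
            return 400, _JSON, json.dumps({"error": "bad request"})
        _WIDGETS[acct]["name"] = data["name"]
    return 200, _JSON, json.dumps(_WIDGETS[acct])


def run_api_checks(send: Sender, base: str, token: str, my_acct: str, other_acct: str) -> Dict[str, bool]:
    # One entry per check from the slides; True means the API behaved as it should.
    mine, theirs = f"{base}/widgets/{my_acct}", f"{base}/widgets/{other_acct}"
    auth = {"Authorization": f"Bearer {token}"}
    write_hdrs = {**auth, **_JSON}
    results: Dict[str, bool] = {}
    # Security, basic: a missing or bogus token must be rejected, not silently served.
    results["rejects_missing_token"] = send("GET", mine, {}, None)[0] == 401
    results["rejects_invalid_token"] = send("GET", mine, {"Authorization": "Bearer bogus"}, None)[0] == 401
    # Account boundaries: my token must neither read nor write another account's resource.
    results["blocks_cross_account_read"] = send("GET", theirs, auth, None)[0] in (403, 404)
    results["blocks_cross_account_write"] = send(
        "PUT", theirs, write_hdrs, json.dumps({"name": "changed"}))[0] in (403, 404)
    # TLS enforced: a plain-http request must be redirected to https, never answered in clear.
    status, hdrs, _ = send("GET", mine.replace("https://", "http://", 1), auth, None)
    results["http_redirects_to_https"] = status in (301, 308) and hdrs.get("Location", "").startswith("https://")
    # Functional, basic: malformed input gets 400; a good request has the declared type and schema.
    results["invalid_body_is_400"] = send("PUT", mine, write_hdrs, "{not json")[0] == 400
    status, hdrs, body = send("GET", mine, auth, None)
    schema_ok = False
    if status == 200 and hdrs.get("Content-Type", "").startswith("application/json"):
        data = json.loads(body)
        schema_ok = (isinstance(data, dict) and isinstance(data.get("id"), int)
                     and isinstance(data.get("name"), str))
    results["response_schema_ok"] = schema_ok
    return results


if __name__ == "__main__":
    for name, passed in run_api_checks(stub_send, BASE_URL, "token-a", "acct-a", "acct-b").items():
        print(f"{'PASS' if passed else 'FAIL'} {name}")
```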
Exploratory
• Identify the variable bits - things that can/will/might change
• Requests –
• Method
• Mix/match endpoints
• Parameters
• Headers, especially content type
• Content type
• Size, Depth - images, json/xml nesting
• Timing & Frequency – what happens with caching?
Heuristics
• Apply heuristics to the variables
• Zero, One, Many
• Some, None, All
• Beginning, Middle, End
• Too Many, Too Few
• Relative Position, i.e. content
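An added example (not from the slides) that applies these heuristics to the variable bits of the place body shown earlier: it generates one labelled request variant per field and heuristic, plus a depth variant and a field-order variant, so each can be sent and its status code checked. The marker character and the "many" count are assumed values.

```python
import copy
import json
from typing import Any, Dict, Iterator, List, Tuple

# The place body from the slides is the baseline that every variant is derived from.
BASELINE: Dict[str, Any] = {
    "location": {"lat": -33.8669710, "lng": 151.1958750},
    "accuracy": 50,
    "name": "Google Shoes!",
    "phone_number": "(02) 9374 4000",
    "address": "48 Pirrama Road, Pyrmont, NSW 2009, Australia",
    "types": ["shoe_store"],
    "website": "http://www.google.com.au/",
    "language": "en-AU",
}
MARK = "é"  # assumed non-ASCII marker for the Beginning / Middle / End heuristic


def _leaves(node: Any, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], Any]]:
    # Yield (path, value) for every leaf, descending into nested objects such as "location".
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, path + (key,))
    else:
        yield path, node


def _with(body: Dict[str, Any], path: Tuple[str, ...], value: Any) -> Dict[str, Any]:
    # Deep-copy the body, then replace the leaf at path with value (baseline stays untouched).
    clone = copy.deepcopy(body)
    target = clone
    for key in path[:-1]:
        target = target[key]
    target[path[-1]] = value
    return clone


def heuristic_variants(baseline: Dict[str, Any], many: int = 1000) -> List[Tuple[str, Dict[str, Any]]]:
    # Returns (label, body) pairs; the label "<field>:<heuristic>" names a failing case directly.
    variants: List[Tuple[str, Dict[str, Any]]] = []
    for path, value in _leaves(baseline):
        field = ".".join(path)
        if isinstance(value, list):  # Zero, One, Many
            cases = {"zero": [], "one": value[:1], "many": value * many}
        elif isinstance(value, str):  # None / Too Few / Too Many and Beginning, Middle, End
            half = len(value) // 2
            cases = {"none": "", "one": value[:1], "too-many": value * many,
                     "begin": MARK + value, "middle": value[:half] + MARK + value[half:],
                     "end": value + MARK}
        elif isinstance(value, (int, float)) and not isinstance(value, bool):
            cases = {"zero": 0, "negative": -abs(value) - 1, "too-many": value * many}
        else:
            continue
        for case, new_value in cases.items():
            variants.append((f"{field}:{case}", _with(baseline, path, new_value)))
    # Depth: nest an object far deeper than any real client would send.
    deep = copy.deepcopy(baseline)
    node = deep["location"]
    for _ in range(many):
        node = node.setdefault("nested", {})
    variants.append(("location:depth", deep))
    # Relative position: the same fields in reverse order, for parsers that are order-sensitive.
    variants.append(("body:reversed-order", dict(reversed(list(baseline.items())))))
    return variants


def nesting_depth(node: Any) -> int:
    # Depth of the deepest object; useful for sizing a server-side nesting limit.
    if not isinstance(node, dict) or not node:
        return 0
    return 1 + max(nesting_depth(v) for v in node.values())


if __name__ == "__main__":
    for label, body in heuristic_variants(BASELINE, many=3):
        print(label, json.dumps(body)[:60])
```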
Automation
• Part of your CI/CD pipeline
• Part of development process since tests can be run in both local and pre-production environments
• Performance
• Combine tests with monitoring
• Tools
• Postman
• Command line runner that can be integrated into your CI
• Developer adoption is high
• Runscope
• Powerful code snippets
Supporting an API
Tracker API, rewritten in 2012-13
• Our own client software uses public API, same as customers
• With some private endpoints
• Leading practices: RESTful, JSON in & out
• Versioning
• Only changes are additions
• Promote new endpoints through various stages
• “edge” version
• Metadata-driven
• Reference doc generated from metadata and unit test outputs
Long-term results
• Few support requests
• Thanks to comprehensive unit tests, comprehensive doc & examples
• Comprehensive doc for devs to introduce new endpoints
• Many new endpoints added
• Mostly without pain – one backwards compatibility issue
• Postman regression tests run in CI in addition to unit tests
• Include performance checks
Questions? Stories?
Take-aways
• APIs are the engine behind the apps we use every day
• APIs are an integral part of our agile processes - APIs make apps more testable, and can be tested!
• APIs add value to your product - maybe your company/product/team needs an API?
• You’ve learned some terms about RESTful web services – go forth and learn more!
Links
• ProgrammableWeb
• API Security Testing
• OWASP Top 10 Project
• List of HTTP Header fields
• Varonis - Introduction to OAuth
• OAuth.net
• Understanding REST and RPC

Equinox Gold Corporate Deck May 24th 2024
 
Luxury Artificial Plants Dubai | Plants in KSA, UAE | Shajara
Luxury Artificial Plants Dubai | Plants in KSA, UAE | ShajaraLuxury Artificial Plants Dubai | Plants in KSA, UAE | Shajara
Luxury Artificial Plants Dubai | Plants in KSA, UAE | Shajara
 
IPTV Subscription UK: Your Guide to Choosing the Best Service
IPTV Subscription UK: Your Guide to Choosing the Best ServiceIPTV Subscription UK: Your Guide to Choosing the Best Service
IPTV Subscription UK: Your Guide to Choosing the Best Service
 
Future of Trade 2024 - Decoupled and Reconfigured - Snapshot Report
Future of Trade 2024 - Decoupled and Reconfigured - Snapshot ReportFuture of Trade 2024 - Decoupled and Reconfigured - Snapshot Report
Future of Trade 2024 - Decoupled and Reconfigured - Snapshot Report
 
Copyright: What Creators and Users of Art Need to Know
Copyright: What Creators and Users of Art Need to KnowCopyright: What Creators and Users of Art Need to Know
Copyright: What Creators and Users of Art Need to Know
 
zidauu _business communication.pptx /pdf
zidauu _business  communication.pptx /pdfzidauu _business  communication.pptx /pdf
zidauu _business communication.pptx /pdf
 
Constitution of Company Article of Association
Constitution of Company Article of AssociationConstitution of Company Article of Association
Constitution of Company Article of Association
 
Creative Ideas for Interactive Team Presentations
Creative Ideas for Interactive Team PresentationsCreative Ideas for Interactive Team Presentations
Creative Ideas for Interactive Team Presentations
 

Api fundamentals

  • 1. Welcome!
    • We’ll use Postman for some of our examples. If you would like to follow along, download Postman now: www.getpostman.com.
    • Feel free to pair with someone!
    • We’ll provide collections at the end of our talk.
    • Follow @apidemo_carter on Twitter!
  • 2. JoEllen Carter / Lisa Crispin
  • 3. Overview
    • What is an API?
    • History of API growth
    • Current API landscape
    • How APIs work, including some hands-on demos
    • Strategies and tools for testing an API
    • API Stories
  • 9. (chart: API growth, 2000 to 2008)
  • 11. Why RESTful?
    • REST: Representational state transfer
    • Uniform and predefined set of stateless operations
    • People can “just know things” about an API that’s RESTful
  • 13. How does an Application Programming Interface Work?
  • 14. RPC SOAP HTTP HTTPS CoAP …
  • 17. Methods
    • GET – get some data about an object or ‘resource’
    • POST – create a new resource
    • PUT – update a resource
    • DELETE – delete a resource
  • 18. Headers
    • Headers are key/value combinations that specify additional information about the request
    • Some common request headers are:
      • Content-type
      • Authentication
      • Accept
      • Origin
  • 19. Body
    • Data to send with the request – usually for a POST or PUT
    • Data format – xml, json, etc. – is specified by the content-type header
    • Example body (JSON):
      {
        "location": { "lat": -33.8669710, "lng": 151.1958750 },
        "accuracy": 50,
        "name": "Google Shoes!",
        "phone_number": "(02) 9374 4000",
        "address": "48 Pirrama Road, Pyrmont, NSW 2009, Australia",
        "types": ["shoe_store"],
        "website": "http://www.google.com.au/",
        "language": "en-AU"
      }
  • 20. What about cookies?
    • RESTful API requests should be self-reliant
    • Cookies are session-dependent, so not independent
    • Using cookies to store data means your API is not RESTful
  • 21. Authentication
    • Insecure – authorization token in the URL
      • https://api.darksky.net/forecast/{{token}}/39.9026420,-105.0905190
      • https://maps.googleapis.com/maps/api/place/nearbysearch/json?key={{googlemapsKey}}
    • Basic
      • Username:password are concatenated and encoded
      • Sent in the Authorization header
  • 22. Authentication – OAuth
    • OAuth 1/2 – https://oauth.net/
    • (diagram: Service Provider)
  • 24. Authentication – JWT
    • JSON Web Token, https://jwt.io/ – an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object
    • Header – type of token (JWT) and hashing (signing) algorithm
    • Payload – contains ‘claims’, or information about the user
    • Signature = output of the header-specified algorithm over the encoded header + encoded payload, using the secret
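A worked HS256 sign-and-verify in Python, added here as an example and not code from the talk: the signature is HMAC-SHA256, keyed with the secret, over base64url(header) + "." + base64url(payload), and the verifier refuses a tampered payload, a wrong secret, and a token whose header claims "alg": "none". The secret and the claims are constructed values.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload: dict, secret: bytes) -> str:
    """Build an HS256 JWT: b64url(header) . b64url(payload) . b64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str, secret: bytes):
    """Return the payload dict if the signature checks out, otherwise None.
    Only HS256 is accepted (so an 'alg': 'none' header is refused), and the
    comparison is constant-time so a forged signature leaks nothing."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 padding, or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(p))

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; a real secret is long and random
    token = sign_jwt({"sub": "user42", "role": "tester"}, secret)
    print(token)
    print(verify_jwt(token, secret))
```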
  • 25. Let’s try a GET now…
    • We’ll hit the Dark Sky API to get our current weather
  • 27. Common status codes
    • 200 OK
    • 400 Bad Request
    • 403 Forbidden
    • 404 Not Found
    • 500 Internal Server Error
    • 503 Service Unavailable
    • 504 Gateway Timeout
  • 28. Let’s try a POST now…
    • We’ll post a tweet from #MHA2017
  • 30. Security
    • Basic
      • Authentication tokens are valid/present
      • Account boundaries are not violated
      • SSL is enforced, or warned about when not present
    • Hacker-in-training
      • Injection points – headers, parameters, body
      • Recording tools – what is exposed/available
    • White-hat hacker – OWASP
      • REST Security Cheat Sheet
      • OWASP Top 10 security vulnerabilities – new section on Under-protected APIs
  • 31. Functional
    • Basic
      • Correct status codes are generated for invalid inputs
      • Request/response bodies contain the correct content type and schema
      • Backwards compatibility for public APIs – previous tests continue to pass, or breaking changes are clearly documented (aka regression testing)
    • Advanced
      • Join API requests together to mirror application functionality
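A small in-memory example in Python, added here and not part of the talk, that exercises the basic security checks from slide 30 (token present and valid, account boundaries respected) together with the functional checks from slide 31 (correct status code for invalid input, correct content type and schema in the response). The handler, the tokens and the account data are constructed stand-ins for a real service.

```python
import json

# Constructed sample data (not a real service): bearer tokens -> account, per-account orders
TOKENS = {"tok-alice": "acct-1", "tok-bob": "acct-2"}
ORDERS = {"acct-1": {"o-100": {"item": "widget", "qty": 2}},
          "acct-2": {"o-200": {"item": "gadget", "qty": 1}}}
CT_JSON = "application/json"

def handle(method, path, headers, body=None):
    """Toy handler for /accounts/{id}/orders[/{oid}]; returns (status, content_type, body)."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    if token not in TOKENS:                      # token must be present and valid
        return 401, CT_JSON, {"error": "missing or invalid token"}
    caller = TOKENS[token]
    parts = path.strip("/").split("/")
    if len(parts) not in (3, 4) or parts[0] != "accounts" or parts[2] != "orders":
        return 404, CT_JSON, {"error": "not found"}
    if parts[1] != caller:                       # account boundary: no access to other accounts
        return 403, CT_JSON, {"error": "forbidden"}
    orders = ORDERS[caller]
    if method == "GET":
        if len(parts) == 3:
            return 200, CT_JSON, {"orders": orders}
        if parts[3] in orders:
            return 200, CT_JSON, orders[parts[3]]
        return 404, CT_JSON, {"error": "not found"}
    if method == "POST" and len(parts) == 3:
        if headers.get("Content-Type") != CT_JSON:
            return 415, CT_JSON, {"error": "Content-Type must be application/json"}
        try:
            data = json.loads(body or "")
        except ValueError:
            return 400, CT_JSON, {"error": "malformed JSON body"}
        qty = data.get("qty") if isinstance(data, dict) else None
        # bool is an int subclass in Python, so exclude it explicitly
        if (not isinstance(data, dict) or not isinstance(data.get("item"), str)
                or isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0):
            return 400, CT_JSON, {"error": "item (string) and qty (positive integer) required"}
        oid = f"{caller}-order-{len(orders) + 1}"
        orders[oid] = {"item": data["item"], "qty": qty}
        return 201, CT_JSON, {"id": oid, **orders[oid]}
    return 405, CT_JSON, {"error": "method not allowed"}

def check(method, path, headers, expected_status, body=None, schema_keys=()):
    """Contract check from the slides: expected status, JSON content type, required keys present."""
    status, ctype, resp = handle(method, path, headers, body)
    return status == expected_status and ctype == CT_JSON and all(k in resp for k in schema_keys)
```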
  • 32. Exploratory
    • Identify the variable bits – things that can/will/might change
    • Requests
      • Method
      • Mix/match endpoints
      • Parameters
      • Headers, especially content type
    • Content type
      • Size, depth – images, JSON/XML nesting
    • Timing & frequency – what happens with caching?
  • 33. Heuristics
    • Apply heuristics to the variables
      • Zero, One, Many
      • Some, None, All
      • Beginning, Middle, End
      • Too Many, Too Few
      • Relative Position, i.e. content
  • 34. Automation
    • Part of your CI/CD pipeline
    • Part of the development process, since tests can be run in both local and pre-production environments
    • Performance
      • Combine tests with monitoring
    • Tools
      • Postman
        • Command line runner that can be integrated into your CI
        • Developer adoption is high
      • Runscope
        • Powerful code snippets
  • 35. Supporting an API
    • Tracker API, rewritten in 2012-13
    • Our own client software uses the public API, same as customers
      • With some private endpoints
    • Leading practices: RESTful, JSON in & out
    • Versioning
      • Only changes are additions
      • Promote new endpoints through various stages
      • “edge” version
    • Metadata-driven
      • Reference doc generated from metadata and unit test outputs
  • 36. Long-term results
    • Few support requests
      • Thanks to comprehensive unit tests, comprehensive doc & examples
    • Comprehensive doc for devs to introduce new endpoints
    • Many new endpoints added
      • Mostly without pain – one backwards-compatibility issue
    • Postman regression tests run in CI in addition to unit tests
      • Include performance checks
  • 38. Take-aways
    • APIs are the engine behind the apps we use every day
    • APIs are an integral part of our agile processes – APIs make apps more testable, and can be tested!
    • APIs add value to your product – maybe your company/product/team needs an API?
    • You’ve learned some terms about RESTful web services – go forth and learn more!
  • 39. Links
    • ProgrammableWeb
    • API Security Testing
    • OWASP Top 10 Project
    • List of HTTP Header fields
    • Varonis – Introduction to OAuth
    • Oauth.net
    • Understanding REST and RPC