As we developed the Moesif API analytics platform, we needed to create and use many APIs. Some of these are internal APIs powering our various services, while others are external APIs such as our payments provider or authentication service. Of course, we use our own API analytics on our own API to “eat our own dog food”, but we also use many other tools, many of them free. We thought we’d share some of the best ones we really liked and use often while developing and working with APIs. While this post focuses on development, expect a follow-up post on the best tools for delivering reliable APIs in production.
This post organizes the various tools by use case.
Sending API Requests
Most web developers will need to send API requests at one point or another, whether you’re a mobile app developer testing requests against a back end or developing and running your own service. Sure, you could just fire off a GET request by putting the URL directly in the browser, but browsers can get in the way via local caching, so you really don’t know what’s hitting your server. In addition, browsers have tight security policies that prevent changing things like the Origin header and impose limits on URL size.
One of the most popular HTTP clients is Postman. It has a very beautiful GUI and is very easy to use, whether you’re just starting out with RESTful APIs or are an expert. A history of past calls is stored so you can quickly reissue them. Postman even includes some nice touches such as autocompleting standard HTTP headers and supporting and rendering a variety of payloads, from JSON to HTML to even multipart.
If you prefer command-line tools, cURL is very quick. cURL is included in most *nix distributions, which makes it a handy tool for anyone SSHing into remote hosts without worrying about installing custom tools. Given cURL’s widespread installation base, you can build scripts for testing and deployment that depend on cURL without worrying about being locked into a single vendor.
Capturing AJAX calls in web apps
Given that an API in web apps is the interface and contract between the front end and backend, it’s useful to know which side is violating that contract when things go wrong. If you have a web app that is not loading data correctly from the backend, the first thing you’ll probably do is inspect the API requests and responses for any irregularities.
Chrome Developer Tools
Most desktop browsers include some type of developer tools, such as Safari’s Web Development Tools, Chrome’s DevTools, and Firefox’s Developer Tools. These tools are included with the browser by default, enabling you to inspect API calls quickly.
Capturing HTTP Requests from mobile apps
Capturing API requests from non-web apps can be challenging since you don’t have the luxury of browser developer tools to inspect API calls (not including extra orchestration). Many of the solutions require the use of a reverse or forward proxy which can intercept and record the HTTP traffic.
Charles Proxy is a very popular free tool, but it’s not hosted in the cloud. You’ll have to install the software and run it on your own machine. Charles Proxy works by routing all your local machine’s traffic through it as an HTTP proxy. You can also open up a port on your computer and configure your iPhone or Android device to route its traffic through Charles. Just remember to disable the proxy in your smartphone’s settings when you stop Charles on your computer. Otherwise, your phone won’t be able to connect to the internet. Because all web traffic will be routed through Charles, you can leverage filters to only record requests to a particular domain or host. View Configuring Charles for more info. SSL certificates can cause additional complications, as the proxy would need to be a man-in-the-middle and break the SSL tunnel. You could install the Charles SSL certificate on your device.
SandroProxy is like Charles for Android. It can be useful if you’re debugging on the go and don’t have a desktop and LAN available. You can also connect it to Chrome Dev Tools.
Fiddler is similar to Charles in that it sets up a proxy on your local machine. You have to download and install the software.
Replaying captured API requests
Replaying captured requests enables you to reproduce the same traffic that was created previously. This could be useful for replaying on a different host (such as replaying a production traffic pattern on your local dev machine) or for verifying that a fix is correct.
Postman Interceptor offers a way to capture API calls and replay them. However, Postman Interceptor can only capture the HTTP request data. It cannot capture the HTTP response. The primary focus is on replaying the requests rather than recording for debugging.
Sharing API request data
If you are working with a team, you often want to share captured HTTP traces with the rest of your team, or enable them to replay a scenario without having to mock up the API requests by hand.
While you could open Chrome Developer Tools and copy and paste the data in it to share with your team, it’s cumbersome to do so.
The Api Capture Chrome extension is a free tool built by us that we are shamelessly promoting. It captures all the AJAX calls from an arbitrary website and stores them in a cloud service, apirequest.io. The service creates a workspace that can be shared with others for 30 days via an obfuscated URL, kind of like sharing a Google Doc link.
Often you need a mock API server if you are writing client-side code to be tested against an API. However, sometimes that API service is not even developed yet or is complicated to get up and running. In these cases, you can use a mock server, which at its core relays some predefined JSON back to the requester.
JSON Server is an open source mock server that you can clone and run on your machine.
If you prefer not to run your own mock server locally, you can use a hosted service, such as JSON placeholder.
Mocking different HTTP responses
JSON Server and JSON placeholder API calls always respond with 200 OK. If you want to test how your client handles different HTTP error responses, you can set up a more elaborate mock server that can offer such flexibility.
httpbin from Runscope offers a hosted service on their website, or you can clone their open source repo and run your own service. httpbin offers mock endpoints for everything from gzip encoded responses to binary data like photos.
Like httpbin, mocky.io is open source and also has a hosted version.
Mocky is quite a bit more flexible than the previous tools in that it allows for any arbitrary response body and status code. This is important if you need some specific JSON to be returned to your client. It also supports a wide variety of Content-Types such as text/xml, multipart, and HTML. In addition, you can set up a predefined delay such as ?mocky-delay=100ms. This is great for testing timeout conditions or when adding a loading indicator to a website.
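To show what such a mock does under the hood, here is a small local stand-in written for this article's topic (an added example, not code from Mocky, httpbin or the original post). The /status/<code> route and the 5-second cap are assumptions of this sketch; the delay parameter reuses the ?mocky-delay=100ms form mentioned above.

```python
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

MAX_DELAY_S = 5.0  # cap so a typo cannot hang a test run

def parse_delay(raw):
    """Parse "<n>ms" or "<n>s" into seconds; anything else means no delay."""
    for suffix, per_second in (("ms", 1000), ("s", 1)):
        digits = raw[: -len(suffix)]
        if raw.endswith(suffix) and digits.isdecimal():
            return min(int(digits) / per_second, MAX_DELAY_S)
    return 0.0

def plan_response(target):
    """Map a request target to (status, delay_seconds, body_bytes)."""
    url = urlsplit(target)
    parts = url.path.strip("/").split("/")
    status = 200
    # Hypothetical route for this sketch: /status/<code> picks the status.
    if len(parts) == 2 and parts[0] == "status":
        code = int(parts[1]) if parts[1].isdecimal() else 0
        # Only error codes are accepted; anything else is a bad request.
        status = code if 400 <= code <= 599 else 400
    raw_delay = parse_qs(url.query).get("mocky-delay", ["0ms"])[0]
    delay = parse_delay(raw_delay)
    body = json.dumps({"status": status, "delay_s": delay}).encode()
    return status, delay, body

class MockHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, delay, body = plan_response(self.path)
        time.sleep(delay)  # hold the response to exercise client timeouts
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Loopback only, so the mock is not reachable from the network.
    HTTPServer(("127.0.0.1", 8080), MockHandler).serve_forever()
```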
If you are developing a webhook to handle callbacks from a third-party API or service, those cloud services need to be able to invoke the API running on your local machine if you want to debug locally. You could open up ports on your machine and obtain a static IP, but that comes with expense and potential security issues. Tunneling services relay the requests on to your localhost without requiring you to open a port.
ngrok is one of the most popular ones. The host name is temporary and randomly generated, but they do have a paid service if you want a permanent host name. For most use cases, the free version is adequate. To use ngrok, all you need to do is replace the webhook URL with the one provided by ngrok and then run the local agent.
Code Beautify’s JSON viewer can pretty print JSON and convert it to XML and CSV, among other things.
JSON Lint is a JSON validator and reformatter.
JSON Generator creates randomly generated JSON that is valid or based on a schema you can upload. This can be helpful for generating a lot of test data.
If you’re working with an API that uses JSON Web Tokens for authentication, you’ll need a quick way to base64 decode and view the token contents. JWT.io is a free service by Auth0 that does exactly that.
For more information on how JWTs work and how JWTs compare to opaque tokens, check out our guide on Authentication and Authorization on RESTful APIs.
There are quite a few paid performance testing services out there, which makes sense since there is a lot more work involved in setting up performance testing. Free services tend to involve more work and, especially for hosted services, can be resource intensive.
Apache JMeter is an open source tool for load testing your API.
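A token can also be decoded locally, which keeps a live credential out of any web page. The following is an added example, not part of the original post or of JWT.io: it base64url-decodes the header and payload of a compact JWT and reports expiry, without verifying the signature. The sample token is constructed for the example.

```python
import base64
import json
import time

def b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def inspect_jwt(token, now=None):
    """Decode a compact JWT for viewing. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("segment is not base64url-encoded JSON") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and payload must be JSON objects")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        "header": header,
        "claims": claims,
        "alg": header.get("alg"),
        # exp is seconds since the epoch (RFC 7519); absent means no expiry.
        "expired": isinstance(exp, (int, float)) and exp <= now,
        "signature_bytes": len(signature),
    }

def make_sample_token():
    # Constructed sample; the signature is filler bytes, not a real MAC.
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": "user-123", "scope": "read:orders", "exp": 1700000000}
    segs = [b64url_encode(json.dumps(p).encode()) for p in (header, claims)]
    return ".".join(segs + [b64url_encode(bytes(32))])

if __name__ == "__main__":
    print(json.dumps(inspect_jwt(make_sample_token()), indent=2))
```

The decoded claims are only as trustworthy as the signature check the API itself performs; this viewer is for debugging, not for authorization decisions.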
Loader.io is a tool to perform load testing on an API and can generate a lot of traffic quickly.
Many APIs, especially private ones that power single page apps, leverage Cross Origin Resource Sharing to securely make AJAX calls to a different domain.
Chrome Extension for CORS. Our own extension created by Moesif that is used by over 17,000 users every week. It can be used to circumvent or change CORS restrictions for local testing and debugging.
If we are missing your favorite tool that helps make working with APIs better, then feel free to comment below with your suggestions or opinions.
Look for a follow-up post on useful tools once the API is in production use. Moesif has an API analytics platform that can be useful once your API is live. Feel free to give it a try.