API Testing

Functional | Automation | Performance | Compliance | Security | Identity | Zero Trust | Custom

Functional Testing

Validate the functional behavior of API endpoints with client input simulations. Quality criteria rules provide validation and regression testing of API behavior. Tests can be run on-demand or automated.

Regression Testing

Create behavior baselines and run regression tests to determine if any breakage or change of behavior occurs. Includes JSON and XML Diff capability.

OpenAPI Testing

Supports latest OpenAPI standards for automatically parsing OpenAPI documents and building test cases for all of the defined functions.

Data Privacy Testing

Test encryption and decryption of JSON, XML, REST, and SOAP message patterns.

Fuzz Testing

Dynamic mutation engine intelligently generates input fuzzing and measures responses against criteria rules. Security tests provide risk posture and vulnerability profile reporting.

MFA and SSO Testing

Test authentication schemes including OAuth, SAML, PKI, Basic Auth, Amazon Auth, and Kerberos. Verify SSO tokens and cookies.

AWS Cloud API Testing

Built-in support for AWSv4 signatures to authenticate to and test Amazon AWS APIs.

Performance Testing

Simulate load from multiple virtual clients to measure and validate the performance criteria of the target APIs. Dynamic security and identity provide real world simulated inputs.

Download SOAPSonar Datasheet

Product Features

Project Management

Built-in project management features allow for import and export of project data. The test data and rules are stored in portable project files which can be moved around for shared environment testing and also versioned using any source control tools.

Success Criteria Rules

Validating API behavior is simplified by creating expected behavior rules using the success criteria rule framework. Quickly enable functional and performance testing to detect and report API expected behavior.

Test Automation

Drive inputs and response analysis using dynamic data from File, Excel, or Database tables. Can be used for functional API validation or with virtual client performance testing. Supports data source splitting and synchronization across data sources.

Regression Testing

Embedded behavior variance engine provides XDiff technology to automatically detect behavior variances and regression between API tests and API versions. Capture API baseline behavior and then run regression tests to detect and report any regression of functionality or expected behavior.

PKI and Security

Built-in PKI engine for TLS, Digital Signature generation, and Encryption. Supports direct access to X.509 keys from Windows, Java keystore and dynamic SmartCard readers. Also support dynamic PKI for run-time specified PKI when API tests move from one environment to another.

Automatic Message Generation

OpenAPI and WSDL schema parsing with automatic JSON and XML generation. Enables simplified message generation by providing schema from OpenAPI, WSDL or stand-alone XSD schema. Messages can then be created via graphical form editor and resulting messages automatically created.


Protocol identity generation for Basic Auth, SSL X509 Auth, and NTLM. Message based identity generation for SAML, OAuth, Amazon AWSv4, X509, and Kerberos Identity Tokens

Test Reports

Detailed reports for results based on type of test performed including Functional, Performance, Compliance, and Vulnerability reports. Export formats XML, DOC, XLS, PDF, RTF, and RPT.

Test Variables

Variable substitution in message headers, message body, tasks, identity credentials. Dynamic X.509 aliases for PKI. Runtime variable, global variables, context functions, and automation variables.

Virtual Users

Virtual users provide real-time dynamic loading clients which simultaneously load the API and capture statistics for throughput, latency, and TPS. Scenarios include ramp-up, ramp-down, and weighted scenarios.

Flexible Test Types

Built-in types include OpenAPI, JSON, SOAP, XML, REST, Batch, WS-Trust, and Custom test variants. Any testing types can be linked together for testing of functional flows and test dependencies for asynchronous and synchronous testing.

Vulnerability and Zero Trust

Security testing with patented dynamic XSD mutation creates automatic parameter fuzzing. Vulnerability assessment of the target API includes risk assessment and risk mitigation reporting with configurable rule framework.