How To Better Handle Authentication In API Test Automation

We need a better way to properly handle APIs authentication in our automated tests.

APIs are the cornerstone of distributed systems. They enable the composition of services to deliver more valuable experiences. While APIs can be powerful, they must ensure secured access.

Testing APIs can be a frustrating experience. We can spend more time trying to connect to the API rather than testing it. Delays in automated tests implementation are costly as slowing down the lead-time for changes.

In this article, we share a concrete way to design your tests for handling APIs authentication limiting code and duplication. At the end of the article, you will have a reusable structure for your automated tests:

  • Understand the authentication flow and data
  • Implement a reliable authentication layer
  • Create a reusable authentication block with property
  • Expand your API test automation with ease

Our first step is to understand the authentication steps.

Understand the authentication flow and data

APIs normally rely on authentication standards. It can be a simple token, OAuth, OpenID, among others. The key point is to understand the sequence of calls and the data involved.

In our case, the API uses a Bearer token. It requires an initial call, usually with credentials, to retrieve the token. Then each call requires a specific token within the header to accept the calls.

 Figure 1: The user impersonation to connect apps with OAuth 2.0 and JWT, Confluence.

In the case of a REST API, the steps involved are as follows:

  1. Creates a JWT assertion with the shared secret and the oauthClientId, and then POSTs it to the authorization server.
  2. Authorization server returns an OAuth 2.0 access token.
  3. App uses the access token to perform actions as a user.

Let’s see how to implement these steps.

Implement a reliable authentication layer

Testing APIs is more technical than for a web or mobile application. The authentication implementation can be clarified by looking at the API documentation or talking with the developer if needed.

The first difficulty in test automation is to perform the initial call and keep the token for the following calls. The right way to achieve that in Cerberus Testing is to perform the initial call and store the token inside a Property.

 Figure 2: How to call the API and store the token inside a property, Cerberus Testing.

The API being in REST/JSON, we can use the simple locator of “$.access_token” available in the answer to retrieve it. That way, each time this test runs, an instance of the token will be stored.

The next step is to implement a reusable block for all our tests.

Create a reusable authentication block with property

The API call requires the bearer token within the header. Hence, we have to configure the token within the service library of Cerberus. For other protocols, we would need to configure parameters at the test actions level.

Cerberus Testing enable to dynamically set and retrieve properties. Hence we just have to use the % delimiter to identify a property within other elements. In our case, the property to set in the header is “%access_token%”.

Figure 3: The configuration of API call header for a Bearer token, Cerberus Testing.

The Bearer standard requires the word “Bearer”, explaining its presence before the property. We can use this configuration in any test we want. In this example, we perform a POST to a specific endpoint to initiate a transaction using the token.

This structure is replicable for all our tests using the library.

Expand your API test automation with ease

Steps contain the actions and controls of the automated test inside Cerberus Testing. Each step can be part of a library and becomes available in other tests while being locked for edition.

In our case, we added the “Get Authentication” step inside our library. That enables us to create as many tests as we want using the same structure. 

Figure 4: The use of the library to expand tests with reusable steps, Cerberus Testing.

That way, we can implement our functional tests. The tests just require a template structure, and we have only one place to change in the case of authentication changes.

You can rely on the same technique for different authentication protocols and even SOAP or GraphQL APIs. There is no time to lose, hence the value of a framework.

Stop Coding, Start Testing here.

Leave a comment

Your email address will not be published. Required fields are marked *

Cerberus-Testing Terms Of Service

Website Terms and Conditions of Use

1. Terms

By accessing this Website, accessible from, you are agreeing to be bound by these Website Terms and Conditions of Use and agree that you are responsible for the agreement with any applicable local laws. If you disagree with any of these terms, you are prohibited from accessing this site. The materials contained in this Website are protected by copyright and trade mark law. These Terms of Service has been created with the help of the Terms of Service Generator and the Privacy Policy Template.

2. Use License

Permission is granted to temporarily download one copy of the materials on Cerberus Testing's Website for personal, non-commercial transitory viewing only. This is the grant of a license, not a transfer of title, and under this license you may not:

  • modify or copy the materials;
  • use the materials for any commercial purpose or for any public display;
  • attempt to reverse engineer any software contained on Cerberus Testing's Website;
  • remove any copyright or other proprietary notations from the materials; or
  • transferring the materials to another person or "mirror" the materials on any other server.

This will let Cerberus Testing to terminate upon violations of any of these restrictions. Upon termination, your viewing right will also be terminated and you should destroy any downloaded materials in your possession whether it is printed or electronic format.

3. Disclaimer

All the materials on Cerberus Testing’s Website are provided "as is". Cerberus Testing makes no warranties, may it be expressed or implied, therefore negates all other warranties. Furthermore, Cerberus Testing does not make any representations concerning the accuracy or reliability of the use of the materials on its Website or otherwise relating to such materials or any sites linked to this Website.

4. Limitations

Cerberus Testing or its suppliers will not be hold accountable for any damages that will arise with the use or inability to use the materials on Cerberus Testing’s Website, even if Cerberus Testing or an authorize representative of this Website has been notified, orally or written, of the possibility of such damage. Some jurisdiction does not allow limitations on implied warranties or limitations of liability for incidental damages, these limitations may not apply to you.

5. Revisions and Errata

The materials appearing on Cerberus Testing’s Website may include technical, typographical, or photographic errors. Cerberus Testing will not promise that any of the materials in this Website are accurate, complete, or current. Cerberus Testing may change the materials contained on its Website at any time without notice. Cerberus Testing does not make any commitment to update the materials.

6. Links

Cerberus Testing has not reviewed all of the sites linked to its Website and is not responsible for the contents of any such linked site. The presence of any link does not imply endorsement by Cerberus Testing of the site. The use of any linked website is at the user’s own risk.

7. Site Terms of Use Modifications

Cerberus Testing may revise these Terms of Use for its Website at any time without prior notice. By using this Website, you are agreeing to be bound by the current version of these Terms and Conditions of Use.

8. Your Privacy

Please read our Privacy Policy.

9. Governing Law

Any claim related to Cerberus Testing's Website shall be governed by the laws of fr without regards to its conflict of law provisions.

Thank you for your interest in cerberus,

In order to proceed with your SaaS we need some in order to confirm your instances accesses.

Please provide accurate contacts to secure the process.

You can cancel any time the subscription, please read Terms of Use.