API monitoring: JMeter for posting data with a randomly generated key


What is API monitoring?


Web APIs are the defined interfaces through which interactions happen between an enterprise and the applications that use its assets. An API approach is an architectural approach that revolves around providing programmable interfaces to a set of services for different applications serving different types of consumers. In the context of web development, an API is typically defined as a set of Hypertext Transfer Protocol (HTTP) request messages, along with a definition of the structure of the response messages, which are usually in XML or JSON format.

If you use Web APIs, you need to be sure that your API calls are always working, which means you should monitor them. If your API call is constant, you can easily monitor it with uptime monitoring. With uptime monitoring you can check the availability and response time of your API call from more than 30 locations, with both POST and GET methods.



What are randomly generated keys?


Randomly generated keys, or security tokens, are used to gain access to an electronically restricted resource. A token is used in addition to or in place of a password and acts like an electronic key.

And what should you do if your API call must include a randomly generated key or value?

In that case you should definitely use JMeter. JMeter is like a web browser but without JavaScript and UI elements. Now we will see how to create a JMeter script step by step for posting data with a randomly generated key.



How to create a JMeter script step by step for posting data with a randomly generated key



JMeter is an open source program which you can download from the official Apache page. First of all, we should understand what we need. Let's consider that we have many franchise dealers who do some selling for us. Our dealers use web interfaces which send API calls in JSON format from the back end to create orders in our system. These API calls include different attributes of the order, e.g. customer name, age, product information and a token value. The token value is used for security reasons: every time a dealer wants to place an order, the dealer has to get a token value from another page or URL and put it in the appropriate field.


In this case we have to send two requests from JMeter. The first is a "GET" request, which fetches the page where the token value is generated, and the second is a "POST" request, which sends all the data required for creating the order in our system.


As the first step you should add a "Thread Group". To do that, open JMeter, right click on "Test Plan" -> Add -> Threads and press "Thread Group". When testing in multiuser mode with JMeter, you can increase the number of users at any time in the "Thread Group" fields.


Adding “Thread Group” in JMeter






After adding the "Thread Group" you can configure the number of users and iterations. From "Thread Properties" you can set:


  • Thread name
  • Number of Threads (quantity of users)
  • Ramp-up Period (time period in which your test should be done)
  • Loop Count (quantity of iterations which you want to execute)


“Thread Group” properties



Then we must add two HTTP requests: "GET" and "POST". To do that, right click on "Thread Group" -> Add -> Sampler and choose HTTP Request. To be able to extract the token value from the "GET" response you must create a regular expression: right click on HTTP Request -> Add -> Post Processor and choose Regular Expression Extractor. To make the script structure more informative we can rename "HTTP Request" to "HTTP GET" and our "Regular Expression Extractor" to "Extract token value". You also need to add a second HTTP Request sampler for the "POST" request.


HTTP GET and POST requests


GET request response example:


{"tokenvalue": "eyJqdGkiOiJkYjA5OGYxZS0zMzRmLTQ0MjktYTI1Ni", "Valid": 1200, "isWrong": false, "sessionID": "f65db5db8e4034cf6"}


In our example, after executing the GET request we receive a JSON message in the response body, in which "tokenvalue" is our token and has the value "eyJqdGkiOiJkYjA5OGYxZS0zMzRmLTQ0MjktYTI1Ni".


To save this value and use it in the POST request you must configure the Regular Expression Extractor.


Fill in the following fields:


  • Reference Name: output (this is just the name of the variable in which we will save the needed information)


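  • Regular Expression: "tokenvalue"\s*:\s*"([^"]+)" (this is our condition for getting the token value; \s* allows the space after the colon that appears in the response above, and the group stops at the closing quote of the token)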


  • Template: $1$


  • Match: 1 (this means that JMeter will take the first match; with a value of 0 the script will take a random match, but as we have only one token value in the response, "1" is OK for us)



Regular Expression Extractor fields



To configure the "POST" request you need to change the method to POST and enter the Body data in the basic settings of the HTTP request.

Post data example: {"Custname": "Name", "custsurname": "Surname", "ProductID": "someID", "Discount": "10", "freeshipping": true, "Dealername": "Dealer", "DealerID": "12541", "Tokenvalue": "${output}"}



POST request example


As the "POST" request in our example uses JSON format, we must add an HTTP Header Manager. In the header manager you can add any HTTP header which is needed for processing the request. In our example we need "content-type" with the value "application/json".


Adding “HTTP Header Manager” for POST request



You can add a "View Results Tree" listener for checking results. To do that, right click on "Thread Group" again and go to Add -> Listener -> View Results Tree.


After executing the script, you can click on “View Results Tree” listener and look at your test results.
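The extraction and substitution steps above can be checked offline before the script is uploaded. The following Python sketch is an added example, not part of the original article or of JMeter: it compares a whitespace-sensitive, greedy pattern with a tolerant one on the GET response shown above and refuses to build the POST body when no token was extracted. The names STRICT, TOLERANT, NOT_FOUND, extract and build_post_body are hypothetical, the second response is constructed, and Python's re module stands in for JMeter's regex engine (the patterns used behave the same in both).

```python
import json
import re

# The GET response shown above (straight quotes).
SAMPLE_RESPONSE = ('{"tokenvalue": "eyJqdGkiOiJkYjA5OGYxZS0zMzRmLTQ0MjktYTI1Ni", '
                   '"Valid": 1200, "isWrong": false, "sessionID": "f65db5db8e4034cf6"}')
# Constructed variant: compact JSON with a string field right after the token.
REORDERED = '{"tokenvalue":"eyJqdGki","sessionID":"f65db5db8e4034cf6","Valid":1200}'

STRICT = r'\{"tokenvalue":"(.*)",'           # no whitespace allowed, greedy group
TOLERANT = r'"tokenvalue"\s*:\s*"([^"]+)"'   # optional whitespace, stops at the quote
NOT_FOUND = "TOKEN_NOT_FOUND"  # assumed value for the extractor's Default Value field


def extract(pattern, body, default=NOT_FOUND):
    """Mimic the Regular Expression Extractor with Template $1$ and Match 1."""
    match = re.search(pattern, body)
    return match.group(1) if match else default


def build_post_body(token):
    """Build the order JSON from the article; fail closed on a bad token."""
    # JMeter sends an undefined ${output} reference as literal text, so treat
    # that, the default value, and a token containing a quote as failures.
    if token == NOT_FOUND or "${" in token or '"' in token:
        raise ValueError("token extraction failed; POST not sent")
    order = {"Custname": "Name", "custsurname": "Surname", "ProductID": "someID",
             "Discount": "10", "freeshipping": True, "Dealername": "Dealer",
             "DealerID": "12541", "Tokenvalue": token}
    return json.dumps(order)  # serializer output, so no trailing comma


if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_RESPONSE), ("reordered", REORDERED)):
        for label, pattern in (("strict", STRICT), ("tolerant", TOLERANT)):
            print(name, label, "->", extract(pattern, body))
    print(build_post_body(extract(TOLERANT, SAMPLE_RESPONSE)))
```

In the JMeter script itself, the equivalent safeguard is a Default Value on the extractor plus an assertion on the POST response, so a failed extraction shows up as a failed sample in the monitor.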


How to set up a JMeter monitor


For constant 24/7 monitoring you can set up a JMeter monitor.


Simply sign in to your Monitis dashboard, or sign up if you don't have an account yet.


After signing in, go from the main menu to Monitors -> Application Monitors -> JMeter. To avoid possible abuse of the service, JMeter scripts added by in-trial users will be reviewed by Monitis Tech Support within 24 hours before they are allowed to run. If no threat is detected, the script will be enabled from the server side. Otherwise, the script will stay blocked and you will receive an email.
