API Testing Interview Questions

REST APIs, Postman, authentication, and microservices testing


Q1: What is API testing and why is it important?

Answer: API testing validates the functionality, reliability, performance, and security of Application Programming Interfaces. It ensures that different software components can communicate correctly and that data exchange is accurate. Why it matters: APIs are the backbone of modern apps, and API tests are independent of the UI, detect defects early, and run faster and more reliably than UI tests.

Q2: What are common HTTP methods used in API testing?

Answer: GET: Retrieve data (read-only), POST: Submit new data (create), PUT: Update existing data (replace), PATCH: Modify part of a resource, DELETE: Remove data. Each method maps to a CRUD operation and must be tested for correct behavior and response codes.

Q3: What are common HTTP status codes and their meanings?

Answer: 200 OK (Success), 201 Created (Resource created), 204 No Content (Success, no body), 400 Bad Request (Invalid input), 401 Unauthorized (Authentication missing or failed), 403 Forbidden (Authenticated but access denied), 404 Not Found (Resource missing), 500 Internal Server Error (Unhandled server-side error). Testing status codes ensures robust error handling and user feedback.

Q4: What is the difference between authentication and authorization?

Answer: Authentication: Verifying identity (Login with username/password). Authorization: Verifying access rights (Can user access admin panel?). Authentication confirms who you are. Authorization confirms what you're allowed to do. APIs often use tokens (JWT, OAuth) for both.

Q5: What are common types of API authentication?

Answer: Basic Auth: Username and password base64-encoded (not encrypted) in the Authorization header. Bearer Token (JWT): Signed token passed in the Authorization header; a standard JWT is encoded and signed, not encrypted, so anyone holding it can read its claims. OAuth 2.0: Token-based, delegated access (used by Google, Facebook). API Key: Static key passed in headers or query params. Session-based: Cookie/session ID stored after login. Each method must be tested for: Token expiry, Invalid credentials, Access control, Secure transmission (HTTPS).

Q6: What is the difference between query parameters and path parameters?

Answer: Path Parameter: /users/{id} - Identifies specific resource. Query Parameter: /users?id=123 - Filters or modifies request. Path parameters are part of the endpoint and required. Query parameters are optional and used for filtering, sorting, pagination. Test both for: Valid/invalid values, Encoding issues, Injection vulnerabilities.

Q7: What is an API endpoint?

Answer: An endpoint is a specific URL where an API can be accessed. It represents a resource or action. Example: GET /products → fetch all products, POST /orders → create a new order. Each endpoint must be tested for: Correct method, Response structure, Error handling, Security.

Q8: What are request headers and why are they important?

Answer: Headers carry metadata about the request. Common Headers: Content-Type: application/json, Authorization: Bearer <token>, Accept: application/xml, User-Agent: PostmanRuntime. Headers affect how the server processes the request. Test for: Missing headers, Incorrect formats, Header injection.

Q9: How do you manually test an API using Postman or similar tools?

Answer: Steps: 1) Understand the endpoint and method, 2) Set headers (e.g., Content-Type, Authorization), 3) Add query/path parameters, 4) Provide request body (for POST/PUT), 5) Send request and observe response, 6) Validate status code, response time, and body, 7) Log defects for mismatches. Postman also supports collections, environments, and test scripts for advanced testing.

Q10: How do you test error handling in APIs?

Answer: Test by sending invalid or edge-case inputs: Missing required fields, Invalid data types, Unauthorized access, Unsupported methods, Large payloads. Check that the API returns: Correct status codes (e.g., 400, 401, 500), Meaningful error messages, No sensitive data leaks, Consistent response format.