SoftwareTestPilot
300 API Testing Q&A

300 API Testing Interview Questions & Answers (1970)

A definitive bank of 300 real API Testing interview questions with senior-level answers. Covers REST fundamentals, HTTP, Postman, Rest Assured, schema validation, contract testing, GraphQL, security, performance, and CI/CD — for freshers through SDET architects.

  • 48 min read
  • Difficulty: Mixed (Easy → Hard)
  • Freshers → 10+ yrs
  • Updated June 1970
  • Avinash Kamble

1. API Testing Fundamentals

Medium Very Common 1 min read

Q1.What is API testing?

API testing is a type of software testing where APIs are tested directly to verify functionality, reliability, performance, and security. Instead of testing only the user interface, testers send requests to API endpoints and validate responses, status codes, headers, payloads, and business rules. API testing is important because APIs connect frontend applications, backend services, mobile apps, and third-party integrations. See API testing.

Easy Very Common 1 min read

Q2.What is an API?

An API, or Application Programming Interface, is a set of rules that allows different software systems to communicate with each other. In web applications, APIs expose endpoints that clients can call to create, read, update, or delete data. For example, a mobile app may call a login API to authenticate a user and receive a token.

Easy Very Common 1 min read

Q3.Why is API testing important?

API testing is important because many business rules live in the backend, not just the UI. It helps find defects earlier, validates integrations, improves test coverage, and is usually faster than UI testing. API tests also help verify security, data integrity, error handling, and service reliability.

Easy Very Common 1 min read

Q4.What are the main benefits of API testing?

The main benefits are faster execution, early defect detection, stable automation, better coverage of business logic, easier validation of negative scenarios, and reduced dependency on UI availability. API tests are also useful for regression testing, microservices testing, and CI/CD pipelines.

Easy Very Common 1 min read

Q5.How is API testing different from UI testing?

API testing validates backend services directly by sending requests and checking responses. UI testing validates application behavior through the user interface. API tests are usually faster and less flaky, while UI tests are better for validating complete user journeys and visual behavior.

Easy Very Common 1 min read

Q6.What are common types of API testing?

Common types include functional testing, integration testing, contract testing, security testing, performance testing, load testing, reliability testing, negative testing, schema validation, data validation, and end-to-end API workflow testing.

Easy Very Common 1 min read

Q7.What is REST API testing?

REST API testing verifies APIs that follow REST architectural principles. It involves testing resources, HTTP methods, status codes, request bodies, response bodies, headers, authentication, authorization, idempotency, pagination, filtering, sorting, and error handling.

Easy Very Common 1 min read

Q8.What is SOAP API testing?

SOAP API testing verifies APIs based on the SOAP protocol. SOAP uses XML messages and often relies on WSDL definitions. SOAP APIs are common in enterprise and legacy systems. Testing usually includes XML schema validation, request envelopes, response envelopes, fault handling, and service contracts.

Easy Very Common 1 min read

Q9.What is the difference between REST and SOAP?

REST is an architectural style that usually uses JSON over HTTP and is lightweight. SOAP is a protocol that uses XML and has strict standards for messaging, security, and contracts. REST is common in modern web and mobile applications, while SOAP is still used in banking, telecom, and enterprise systems.

Easy Very Common 1 min read

Q10.What is an endpoint?

An endpoint is a specific URL where an API resource or operation is available. For example, /api/users may be an endpoint for retrieving or creating users. Testers validate endpoints by sending requests and checking whether the API returns the expected response.

Easy Very Common 1 min read

Q11.What is a resource in REST?

A resource is an entity exposed by a REST API, such as user, order, product, invoice, or booking. Resources are usually represented using URLs. For example, /users/101 represents a specific user resource.

Easy Very Common 1 min read

Q12.What is a request in API testing?

A request is the message sent by the client to the API server. It usually includes an HTTP method, URL, headers, query parameters, path parameters, request body, and authentication details. The quality of request data directly affects the test coverage.

Easy Very Common 1 min read

Q13.What is a response in API testing?

A response is the message returned by the API server after processing a request. It usually contains a status code, headers, response body, cookies, and sometimes metadata. Testers validate the response to confirm whether the API behaved correctly.

Easy Very Common 1 min read

Q14.What is a payload?

A payload is the actual data sent in a request body or received in a response body. In REST APIs, payloads are commonly JSON. For example, when creating a user, the payload may contain name, email, role, and password fields.

Easy Very Common 1 min read

Q15.What is JSON?

JSON stands for JavaScript Object Notation. It is a lightweight data format commonly used in REST APIs. JSON is easy to read, language-independent, and supports objects, arrays, strings, numbers, booleans, and null values.

Easy Very Common 1 min read

Q16.What is XML?

XML stands for Extensible Markup Language. It is a structured data format often used in SOAP APIs and legacy integrations. XML uses tags to represent data and supports schema validation through XSD.

Easy Very Common 1 min read

Q17.What is API documentation?

API documentation describes how to use an API. It usually includes endpoints, methods, authentication, request parameters, request examples, response examples, error codes, and schemas. Good documentation helps testers design better test cases.

Easy Very Common 1 min read

Q18.What is Swagger?

Swagger is a set of tools used to design, document, and test APIs based on the OpenAPI specification. Swagger UI provides interactive API documentation where users can view endpoints, parameters, schemas, and try API requests. See OpenAPI specification.

Easy Very Common 1 min read

Q19.What is OpenAPI?

OpenAPI is a specification for describing REST APIs in a standard machine-readable format. It defines endpoints, methods, parameters, request bodies, responses, security schemes, and schemas. Testers use OpenAPI files for documentation, contract testing, and test generation. See OpenAPI.

Easy Very Common 1 min read

Q20.What is Postman?

Postman is a popular API testing tool used to send requests, validate responses, manage environments, create collections, write test scripts, and run API tests manually or automatically. It is widely used by QA engineers, developers, and SDETs. See Postman.

Easy Very Common 1 min read

Q21.What is Rest Assured?

Rest Assured is a Java library used for API automation testing. It provides a readable syntax for sending HTTP requests and validating responses. It is commonly used with TestNG, JUnit, Maven, Gradle, and CI/CD pipelines. See Rest Assured.

Easy Very Common 1 min read

Q22.What is API automation testing?

API automation testing means writing automated scripts or collections to test APIs repeatedly. It validates status codes, response bodies, headers, schemas, authentication, business logic, and negative scenarios without manual execution.

Easy Very Common 1 min read

Q23.What is a test environment in API testing?

A test environment is a controlled setup where APIs are tested. It may include backend services, databases, test data, authentication systems, mock services, and third-party integrations. Common environments include dev, QA, staging, and production-like environments.

Easy Very Common 1 min read

Q24.What skills are required for API testing?

API testers should understand HTTP, REST, JSON, status codes, authentication, authorization, databases, Postman, automation tools, test design, negative testing, security basics, and CI/CD. SDET roles also require coding skills in Java, Python, JavaScript, or TypeScript.

Easy Very Common 1 min read

Q25.What should freshers learn first in API testing?

Freshers should start with HTTP methods, status codes, headers, query parameters, path parameters, JSON payloads, Postman collections, authentication basics, positive and negative test cases, and basic response assertions. After that, they can learn automation with Rest Assured, Playwright, or Python requests.

Confidence check

If you can confidently answer the API Testing Fundamentals questions above, you're well prepared for this section of your interview. Move on, or rehearse the trickier ones aloud with our AI mock interviewer.

2. HTTP, REST, Methods, and Status Codes

Easy Very Common 1 min read

Q26.What is HTTP?

HTTP stands for HyperText Transfer Protocol. It is the protocol used for communication between clients and servers on the web. APIs commonly use HTTP to exchange requests and responses using methods like GET, POST, PUT, PATCH, and DELETE. See HTTP.

Easy Very Common 1 min read

Q27.What is HTTPS?

HTTPS is the secure version of HTTP. It uses TLS encryption to protect data during transmission. API testing should verify that sensitive APIs use HTTPS so credentials, tokens, and personal data are not exposed.

Easy Very Common 1 min read

Q28.What are HTTP methods?

HTTP methods define the action to be performed on a resource. Common methods are GET, POST, PUT, PATCH, DELETE, HEAD, and OPTIONS. Testers must understand method behavior to validate APIs correctly.

Easy Very Common 1 min read

Q29.What is GET method?

GET is used to retrieve data from a server. It should not modify server state. GET requests are usually idempotent and safe. In testing, validate status code, response body, headers, filters, sorting, pagination, and authorization.

Easy Very Common 1 min read

Q30.What is POST method?

POST is used to create a new resource or trigger an operation. It usually sends data in the request body. POST is not always idempotent, so sending the same request multiple times may create duplicate records unless idempotency is implemented.

Easy Very Common 1 min read

Q31.What is PUT method?

PUT is used to replace an entire resource or create it at a known URL. It is generally idempotent, meaning repeating the same request should produce the same final result. Testers should verify full replacement behavior.

Easy Very Common 1 min read

Q32.What is PATCH method?

PATCH is used to partially update a resource. Unlike PUT, PATCH sends only the fields that need to change. Testers should verify partial updates, unchanged fields, validation errors, and behavior with invalid patch operations.

Easy Very Common 1 min read

Q33.What is DELETE method?

DELETE is used to remove a resource. It should usually be idempotent, meaning deleting the same resource multiple times should not create unexpected side effects. Testers should verify successful deletion and behavior when deleting a nonexistent resource.

Easy Very Common 1 min read

Q34.What is HEAD method?

HEAD is similar to GET but returns only response headers without the response body. It is useful for checking resource availability, metadata, caching headers, and content length without downloading the full response.

Easy Very Common 1 min read

Q35.What is OPTIONS method?

OPTIONS returns the HTTP methods supported by a resource. It is also used in CORS preflight requests. Testing OPTIONS helps verify allowed methods and cross-origin behavior.

Easy Very Common 1 min read

Q36.What is a safe HTTP method?

A safe method does not modify server state. GET, HEAD, and OPTIONS are considered safe. However, testers should still verify that GET endpoints do not accidentally create, update, or delete data.

Easy Very Common 1 min read

Q37.What is an idempotent method?

An idempotent method produces the same result even if called multiple times. GET, PUT, DELETE, HEAD, and OPTIONS are generally idempotent. POST is usually not idempotent unless designed with idempotency keys.

Easy Very Common 1 min read

Q38.What is the difference between safe and idempotent?

Safe means the method should not change server state. Idempotent means repeating the request produces the same final result. For example, DELETE is idempotent but not safe because it changes state by deleting a resource.

Easy Very Common 1 min read

Q39.What are HTTP status codes?

HTTP status codes are three-digit numbers returned by the server to indicate request results. They are grouped into 1xx informational, 2xx success, 3xx redirection, 4xx client errors, and 5xx server errors.

Easy Very Common 1 min read

Q40.What does 200 OK mean?

200 OK means the request was successful. It is commonly returned for successful GET, PUT, PATCH, or DELETE operations when the response includes a body. Testers should still validate the response body, not only the status code.

Easy Very Common 1 min read

Q41.What does 201 Created mean?

201 Created means a resource was successfully created. It is commonly returned after POST requests. The response may include the created resource and a Location header pointing to the new resource.

Easy Very Common 1 min read

Q42.What does 202 Accepted mean?

202 Accepted means the request was accepted for processing but processing is not complete yet. It is common for asynchronous operations. Testers should verify job status endpoints, polling behavior, and final outcome.

Easy Very Common 1 min read

Q43.What does 204 No Content mean?

204 No Content means the request succeeded but the server returned no response body. It is commonly used for successful DELETE or update operations. Testers should verify that the body is empty.

Easy Very Common 1 min read

Q44.What does 301 Moved Permanently mean?

301 means the resource has permanently moved to a new URL. API clients should update references. Testers validate the Location header and ensure redirection does not break clients.

Easy Very Common 1 min read

Q45.What does 302 Found mean?

302 means the resource is temporarily available at another URL. It is commonly used in redirects. API testing should verify whether clients are expected to follow the redirect or handle it manually.

Easy Very Common 1 min read

Q46.What does 304 Not Modified mean?

304 means the cached version of the resource is still valid. It is related to caching headers like ETag and If-None-Match. Testers use it to validate caching behavior.

Easy Very Common 1 min read

Q47.What does 400 Bad Request mean?

400 means the server could not process the request due to invalid syntax, missing fields, invalid data types, or malformed payload. Testers should verify clear error messages and validation details.

Easy Very Common 1 min read

Q48.What does 401 Unauthorized mean?

401 means authentication is missing, invalid, or expired. Despite the name, it usually means the user is not authenticated. Testers should verify missing token, invalid token, expired token, and malformed token cases.

Easy Very Common 1 min read

Q49.What does 403 Forbidden mean?

403 means the user is authenticated but does not have permission to access the resource. Testers should verify role-based access, ownership rules, and direct endpoint access restrictions.

Easy Very Common 1 min read

Q50.What does 404 Not Found mean?

404 means the requested resource or endpoint does not exist. Testers should validate nonexistent IDs, wrong URLs, deleted resources, and whether the error response is consistent.

Easy Very Common 1 min read

Q51.What does 405 Method Not Allowed mean?

405 means the endpoint exists but does not support the HTTP method used. For example, sending DELETE to a read-only endpoint may return 405. Testers should verify allowed methods and response headers.

Easy Very Common 1 min read

Q52.What does 409 Conflict mean?

409 means the request conflicts with the current resource state. It is common for duplicate records, version conflicts, or concurrent updates. Testers should validate conflict scenarios and error messages.

Easy Very Common 1 min read

Q53.What does 422 Unprocessable Entity mean?

422 means the request is syntactically correct but semantically invalid. It is common for validation errors, such as invalid email format or business rule violations. Testers should validate field-level error responses.

Easy Very Common 1 min read

Q54.What does 429 Too Many Requests mean?

429 means the client has exceeded rate limits. Testers should verify rate limit thresholds, Retry-After headers, error messages, and behavior after the rate limit window resets.

Easy Very Common 1 min read

Q55.What does 500 Internal Server Error mean?

500 means the server encountered an unexpected error. APIs should avoid exposing sensitive stack traces. Testers should report 500 errors with request data, correlation IDs, logs, and steps to reproduce.

Confidence check

If you can confidently answer the HTTP, REST, Methods, and Status Codes questions above, you're well prepared for this section of your interview. Move on, or rehearse the trickier ones aloud with our AI mock interviewer.

3. Requests, Responses, Headers, Parameters, and Payloads

Easy Very Common 1 min read

Q56.What are request headers?

Request headers provide metadata about the request. Examples include Content-Type, Authorization, Accept, User-Agent, and correlation IDs. Headers help servers understand request format, authentication, and client expectations.

Easy Very Common 1 min read

Q57.What are response headers?

Response headers provide metadata about the response. Examples include Content-Type, Cache-Control, Set-Cookie, ETag, Location, and security headers. Testers validate headers for correctness, caching, security, and client compatibility.

Easy Very Common 1 min read

Q58.What is Content-Type?

Content-Type tells the server or client the format of the request or response body. Common values are application/json, application/xml, multipart/form-data, and application/x-www-form-urlencoded. Incorrect Content-Type can cause parsing errors.

Easy Very Common 1 min read

Q59.What is Accept header?

The Accept header tells the server which response formats the client can handle. For example, Accept: application/json asks the server to return JSON. Testing Accept headers helps verify content negotiation.

Easy Very Common 1 min read

Q60.What is Authorization header?

The Authorization header carries credentials or tokens required to access protected APIs. Common formats include Bearer tokens, Basic auth, and API keys. Testers validate valid, missing, expired, and malformed authorization values.

Easy Very Common 1 min read

Q61.What are query parameters?

Query parameters are key-value pairs added after a question mark in the URL. Example: /users?page=1&limit=10. They are commonly used for filtering, sorting, searching, and pagination.

Easy Very Common 1 min read

Q62.What are path parameters?

Path parameters are dynamic values inside the URL path. Example: /users/{id}. In /users/101, 101 is the path parameter. Testers validate valid IDs, invalid IDs, unauthorized IDs, and nonexistent resources.

Easy Very Common 1 min read

Q63.What is the difference between query and path parameters?

Path parameters identify a specific resource, while query parameters modify or filter the request. For example, /users/101 identifies user 101, while /users?role=admin filters users by role.

Easy Very Common 1 min read

Q64.What is a request body?

A request body contains data sent to the API, usually for POST, PUT, or PATCH requests. It can be JSON, XML, form data, or binary data. Testers validate required fields, optional fields, data types, and boundary values.

Easy Very Common 1 min read

Q65.What is a response body?

A response body contains data returned by the API. It may include a resource, list of resources, error object, metadata, pagination details, or status message. Testers validate structure, values, and business rules.

Easy Very Common 1 min read

Q66.What is form-data?

form-data is used to send key-value pairs and files in multipart requests. It is commonly used for file uploads. Testers validate file type, file size, required fields, and upload failure scenarios.

Easy Very Common 1 min read

Q67.What is x-www-form-urlencoded?

application/x-www-form-urlencoded sends form data as URL-encoded key-value pairs. It is commonly used in older forms and OAuth token requests. Testers verify correct encoding and server parsing.

Easy Very Common 1 min read

Q68.What is multipart/form-data?

multipart/form-data is used when a request contains files or mixed content. Each part has its own headers and content. API tests should validate file upload success, invalid formats, large files, and missing file cases.

Easy Very Common 1 min read

Q69.What is a cookie in API testing?

A cookie stores session or tracking information sent by the server and returned by the client in later requests. API testing may validate Set-Cookie headers, session handling, secure flags, HttpOnly flags, and expiration.

Easy Very Common 1 min read

Q70.What is an ETag?

An ETag is a response header used for caching and concurrency control. Clients can send If-None-Match to check whether a resource changed. Testers validate 304 responses and update conflict behavior.

Easy Very Common 1 min read

Q71.What is Cache-Control?

Cache-Control defines how responses should be cached. APIs may use no-cache, no-store, max-age, or private. Testers verify caching behavior especially for sensitive data and frequently accessed resources.

Easy Very Common 1 min read

Q72.What is a correlation ID?

A correlation ID is a unique identifier used to trace a request across services. It is useful in microservices debugging. Testers should capture correlation IDs when reporting API defects.

Easy Very Common 1 min read

Q73.What is a request timeout?

A request timeout is the maximum time a client waits for a response. API tests should validate that APIs respond within expected time limits and that clients handle timeout errors gracefully.

Easy Very Common 1 min read

Q74.What is response time?

Response time is the time taken by an API to respond to a request. It is a key performance metric. Testers may set response time assertions for smoke, regression, and performance testing.

Easy Very Common 1 min read

Q75.What is pagination in API testing?

Pagination splits large data into smaller pages. Testers validate page number, page size, next/previous links, cursor tokens, total count, sorting stability, and edge cases like empty or last pages.

Easy Very Common 1 min read

Q76.What is sorting in API testing?

Sorting controls the order of returned records. Testers verify ascending, descending, default sorting, invalid sort fields, multiple sort fields, and consistency across paginated results.

Easy Very Common 1 min read

Q77.What is filtering in API testing?

Filtering returns records that match specific conditions. Testers validate single filters, combined filters, invalid filters, empty results, case sensitivity, and filter behavior with pagination.

Easy Very Common 1 min read

Q78.What is searching in API testing?

Searching allows clients to find resources using keywords or criteria. Testers verify exact match, partial match, case-insensitive search, special characters, no results, and performance for large datasets.

Easy Very Common 1 min read

Q79.What is a request payload example?

A request payload for creating a user may look like this: ```json { "name": "QA User", "email": "qa@example.com", "role": "tester" } ``` Testers validate required fields, data formats, and whether the created resource matches the payload.

Easy Very Common 1 min read

Q80.What is an error response body?

An error response body explains why a request failed. A good error response includes status, error code, message, field-level validation details, and correlation ID. Testers verify that errors are clear and do not expose sensitive information.

Confidence check

If you can confidently answer the Requests, Responses, Headers, Parameters, and Payloads questions above, you're well prepared for this section of your interview. Move on, or rehearse the trickier ones aloud with our AI mock interviewer.

4. API Test Design and Test Cases

Easy Very Common 1 min read

Q81.How do you design API test cases?

Start from API documentation, requirements, business rules, and user workflows. Cover positive cases, negative cases, boundary values, authentication, authorization, schema validation, data validation, error handling, and performance expectations. Good API test design focuses on risk and business impact.

Easy Very Common 1 min read

Q82.What are positive API test cases?

Positive test cases verify expected behavior with valid inputs. For example, creating a user with all required valid fields should return 201 Created and the correct user details. Positive tests confirm the happy path works.

Easy Very Common 1 min read

Q83.What are negative API test cases?

Negative test cases verify how the API behaves with invalid, missing, unauthorized, or unexpected inputs. Examples include missing required fields, invalid token, wrong data type, duplicate records, and invalid IDs. Negative testing improves API robustness.

Easy Very Common 1 min read

Q84.What is boundary value testing in APIs?

Boundary value testing checks values at the edges of allowed ranges. For example, if username length must be 3 to 50 characters, test 2, 3, 50, and 51 characters. Boundary tests often reveal validation defects.

Easy Very Common 1 min read

Q85.What is equivalence partitioning in API testing?

Equivalence partitioning divides input data into valid and invalid groups. One or a few representative values from each group are tested. This reduces test count while maintaining meaningful coverage.

Easy Very Common 1 min read

Q86.What is data validation in API testing?

Data validation verifies that API responses contain correct values, formats, calculations, and relationships. For example, an order total should equal item price plus tax minus discount. It goes beyond checking status code.

Easy Very Common 1 min read

Q87.What is schema validation?

Schema validation verifies the structure of a response, including required fields, data types, nested objects, arrays, and allowed values. It helps catch breaking API changes early. See JSON Schema.

Easy Very Common 1 min read

Q88.What is business rule validation?

Business rule validation checks whether the API follows product rules. For example, an inactive user should not be able to place an order. These validations are often more important than simple status checks.

Easy Very Common 1 min read

Q89.What is end-to-end API workflow testing?

End-to-end API workflow testing validates a sequence of API calls representing a business process. For example, create user, login, add product to cart, place order, make payment, and verify order status.

Easy Very Common 1 min read

Q90.What is CRUD testing?

CRUD testing validates Create, Read, Update, and Delete operations for a resource. For example, create a user, retrieve it, update it, verify updates, delete it, and confirm it no longer exists.

Easy Very Common 1 min read

Q91.How do you test create API?

Validate required fields, optional fields, duplicate creation, invalid data, response code, response body, database state, headers, and whether the created resource can be retrieved later.

Easy Very Common 1 min read

Q92.How do you test read API?

Validate retrieval by valid ID, invalid ID, nonexistent ID, unauthorized access, response schema, response values, filters, sorting, pagination, and performance for large datasets.

Easy Very Common 1 min read

Q93.How do you test update API?

Validate full update, partial update, invalid fields, missing required fields, unauthorized update, concurrent update, version conflict, and whether unchanged fields remain correct.

Easy Very Common 1 min read

Q94.How do you test delete API?

Validate successful deletion, deletion of nonexistent records, repeated delete request, unauthorized delete, soft delete behavior, dependent resource constraints, and whether deleted records are inaccessible.

Easy Very Common 1 min read

Q95.What is soft delete?

Soft delete means a resource is marked as deleted but not physically removed from the database. Testers verify that it no longer appears in normal APIs but may still exist for audit or recovery purposes.

Easy Very Common 1 min read

Q96.How do you test duplicate records?

Send create requests with duplicate unique fields like email, username, or order number. The API should return an appropriate error such as 409 Conflict or 422 validation error.

Easy Very Common 1 min read

Q97.How do you test required fields?

Remove required fields from the payload and verify the API returns a clear validation error. Also test null, empty string, whitespace, and wrong data type where applicable.

Easy Very Common 1 min read

Q98.How do you test optional fields?

Send requests with and without optional fields. Verify default values, null handling, omitted fields, and whether optional values are stored and returned correctly.

Easy Very Common 1 min read

Q99.How do you test invalid data types?

Send wrong data types, such as string instead of number or boolean instead of object. The API should reject invalid data with a clear validation response, not fail with 500.

Medium Very Common 1 min read

Q100.How do you test special characters?

Send special characters, emojis, HTML tags, SQL-like strings, and Unicode values in supported text fields. Verify correct storage, encoding, response display, and security handling. CTA after Q100: Ready to practice these API Testing answers in a real interview format? Try AI Mock Interview → /ai-mock-interview Start Free → /login Related: Selenium interview questions.

Easy Very Common 1 min read

Q101.How do you test large payloads?

Send payloads near and above allowed size limits. Verify accepted maximum size, rejection of oversized requests, response time, and error messages. Large payload testing helps prevent performance and memory issues.

Easy Very Common 1 min read

Q102.How do you test empty response scenarios?

Create or query conditions where no records exist. Verify the API returns an empty array, appropriate metadata, and correct status code. Avoid APIs returning null unexpectedly unless documented.

Easy Very Common 1 min read

Q103.How do you test pagination edge cases?

Test first page, last page, page beyond last, page size zero, maximum page size, negative page number, invalid cursor, and sorting consistency. Pagination defects are common in large datasets. See contract testing.

Easy Very Common 1 min read

Q104.How do you prioritize API test cases?

Prioritize critical business flows, high-risk endpoints, authentication, payment or financial APIs, frequently used endpoints, integration points, and APIs with recent changes. Smoke tests should cover core availability and major workflows.

Easy Very Common 1 min read

Q105.What makes a good API test case?

A good API test case has clear purpose, controlled data, expected status code, schema validation, business validation, negative coverage where needed, and cleanup. It should be repeatable, independent, and easy to debug.

Confidence check

If you can confidently answer the API Test Design and Test Cases questions above, you're well prepared for this section of your interview. Move on, or rehearse the trickier ones aloud with our AI mock interviewer.

5. Authentication, Authorization, and API Security

Easy Very Common 1 min read

Q106.What is authentication in API testing?

Authentication verifies the identity of the client or user calling the API. Common authentication methods include Basic Auth, Bearer tokens, API keys, OAuth 2.0, JWT, and session cookies. Testers validate valid, invalid, missing, and expired credentials.

Easy Very Common 1 min read

Q107.What is authorization in API testing?

Authorization verifies whether an authenticated user has permission to perform an action or access a resource. For example, a normal user may view their own profile but should not access admin APIs.

Easy Very Common 1 min read

Q108.What is the difference between authentication and authorization?

Authentication answers “Who are you?” while authorization answers “What are you allowed to do?” A user can be authenticated but still forbidden from accessing a resource. This commonly results in 403 Forbidden.

Easy Very Common 1 min read

Q109.What is Basic Authentication?

Basic Authentication sends username and password encoded in Base64 in the Authorization header. It should only be used over HTTPS because Base64 is not encryption. Testers validate valid credentials, invalid credentials, and missing credentials.

Easy Very Common 1 min read

Q110.What is Bearer Token authentication?

Bearer Token authentication uses a token in the Authorization header. Example: Authorization: Bearer <token>. Anyone with the token can access protected resources, so tokens must be protected and expired properly.

Easy Very Common 1 min read

Q111.What is an API key?

An API key is a unique key used to identify and authorize an application or client. It may be sent in headers, query parameters, or request body. Header-based API keys are generally preferred over query parameters.

Easy Very Common 1 min read

Q112.What is OAuth 2.0?

OAuth 2.0 is an authorization framework that allows applications to access resources on behalf of users without sharing passwords. It uses access tokens, refresh tokens, scopes, clients, and authorization flows.

Easy Very Common 1 min read

Q113.What is JWT?

JWT stands for JSON Web Token. It is a compact token format containing claims such as user ID, role, issuer, audience, and expiration. JWTs are commonly used for stateless authentication in APIs.

Easy Very Common 1 min read

Q114.What are JWT claims?

JWT claims are pieces of information inside the token payload. Common claims include sub, iss, aud, exp, iat, and roles. Testers validate claims for correctness and security.

Easy Very Common 1 min read

Q115.What is token expiry?

Token expiry defines how long a token is valid. APIs should reject expired tokens with 401 Unauthorized. Testers validate expired token behavior and refresh token flows.

Easy Very Common 1 min read

Q116.What is a refresh token?

A refresh token is used to obtain a new access token without asking the user to log in again. It usually has a longer lifetime than an access token and must be stored securely. Reference: OWASP API Security Top 10.

Easy Very Common 1 min read

Q117.What are OAuth scopes?

Scopes define what access a token provides. For example, read:orders may allow reading orders, while write:orders allows creating or updating orders. Testers validate scope-based access control.

Easy Very Common 1 min read

Q118.How do you test missing authentication?

Call protected APIs without credentials. The API should return 401 Unauthorized with a clear error response. It should not expose sensitive data or return 500.

Easy Very Common 1 min read

Q119.How do you test invalid tokens?

Send malformed, random, tampered, or expired tokens. The API should reject them with 401 Unauthorized. Testers should also verify that tampered JWTs are not accepted. See Newman.

Easy Common 1 min read

Q120.How do you test insufficient permissions?

Use a valid token for a user who lacks required permissions. The API should return 403 Forbidden. Also verify that the response does not reveal unauthorized data.

Easy Common 1 min read

Q121.What is role-based access control?

Role-based access control, or RBAC, grants permissions based on roles such as admin, manager, or user. API tests should verify allowed and denied operations for each role.

Easy Common 1 min read

Q122.What is object-level authorization?

Object-level authorization ensures users can access only resources they own or are allowed to access. For example, user A should not access user B’s invoice by changing the ID in the URL.

Easy Common 1 min read

Q123.What is BOLA?

BOLA stands for Broken Object Level Authorization. It occurs when APIs fail to check whether a user is allowed to access a specific object. It is one of the most serious API security risks.

Easy Common 1 min read

Q124.What is rate limiting?

Rate limiting restricts how many requests a client can make in a time window. It protects APIs from abuse and overload. Testers verify limits, 429 responses, Retry-After headers, and recovery after reset.

Easy Common 1 min read

Q125.What is input validation in API security?

Input validation ensures user input follows expected format, type, length, and allowed values. It prevents attacks such as SQL injection, script injection, command injection, and malformed data processing.

Easy Common 1 min read

Q126.What is SQL injection in APIs?

SQL injection occurs when user input is improperly included in SQL queries. Testers may send SQL-like payloads to verify that the API safely handles input and does not expose database errors.

Easy Common 1 min read

Q127.What is XSS in API testing?

Cross-site scripting can occur when APIs store or return unsafe HTML or JavaScript that later executes in a browser. API testers should verify proper encoding and sanitization of user-generated content.

Easy Common 1 min read

Q128.What is sensitive data exposure?

Sensitive data exposure happens when APIs return passwords, tokens, personal data, internal IDs, stack traces, or secrets unnecessarily. Testers should inspect responses and logs for exposed sensitive information.

Easy Common 1 min read

Q129.What security headers are important for APIs?

Important headers include Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, Cache-Control, and CORS-related headers. API-specific security depends on application context.

Easy Common 1 min read

Q130.What is CORS?

CORS stands for Cross-Origin Resource Sharing. It controls whether browsers allow a frontend from one origin to call APIs on another origin. Testers validate allowed origins, methods, headers, and preflight behavior.

Easy Common 1 min read

Q131.What is CSRF?

CSRF stands for Cross-Site Request Forgery. It tricks an authenticated user into sending unwanted requests. APIs using cookies for authentication should implement CSRF protection for state-changing operations.

Easy Common 1 min read

Q132.What is replay attack?

A replay attack occurs when an attacker reuses a valid request or token. APIs can prevent it using timestamps, nonces, token expiry, and idempotency keys. Testers validate protection for sensitive operations.

Easy Common 1 min read

Q133.What is an idempotency key?

An idempotency key is a unique value sent with a request to prevent duplicate processing. It is common in payment APIs. If the same key is reused, the API should return the original result instead of creating duplicates.

Easy Common 1 min read

Q134.How do you test API security as a QA engineer?

Test authentication, authorization, input validation, sensitive data exposure, rate limiting, CORS, HTTPS enforcement, object-level access, and error handling. For deeper security testing, follow OWASP API Security guidance.

Easy Common 1 min read

Q135.What is the difference between 401 and 403?

401 means the user is not authenticated or the token is invalid. 403 means the user is authenticated but does not have permission. Correct distinction helps clients respond properly and improves API security clarity.

Confidence check

If you can confidently answer the Authentication, Authorization, and API Security questions above, you're well prepared for this section of your interview. Move on, or rehearse the trickier ones aloud with our AI mock interviewer.

6. Postman, Newman, and API Testing Tools

Easy Common 1 min read

Q136.What is a Postman collection?

A Postman collection is a group of API requests organized together. It can include folders, tests, scripts, variables, examples, and documentation. Collections are useful for manual testing, automation, and sharing API workflows.

Easy Common 1 min read

Q137.What is a Postman environment?

A Postman environment stores variables such as base URL, token, username, and API key. Environments allow the same collection to run against dev, QA, staging, or production by switching variable values.

Easy Common 1 min read

Q138.What are Postman variables?

Postman variables store reusable values. Types include global, collection, environment, local, and data variables. Variables make requests dynamic and prevent hardcoding repeated values.

Easy Common 1 min read

Q139.What are pre-request scripts in Postman?

Pre-request scripts run before a request is sent. They are used to generate timestamps, signatures, random data, tokens, or dynamic headers. They help prepare requests automatically.

Easy Common 1 min read

Q140.What are tests in Postman?

Tests are JavaScript scripts that run after a response is received. They validate status codes, response body, headers, response time, and business rules. Postman tests turn manual requests into automated checks.

Easy Common 1 min read

Q141.How do you validate status code in Postman?

Use pm.test with pm.response.to.have.status(). Example: ```js pm.test("Status is 200", function () { pm.response.to.have.status(200); }); ``` This confirms that the API returned the expected status code.

Easy Common 1 min read

Q142.How do you validate JSON response in Postman?

Parse the response using pm.response.json() and assert fields. Example: ```js const body = pm.response.json(); pm.expect(body.email).to.eql("qa@example.com"); ``` This validates actual response data, not just status.

Easy Common 1 min read

Q143.How do you save a token in Postman?

After login, parse the token from the response and store it in an environment variable: ```js const body = pm.response.json(); pm.environment.set("token", body.accessToken); ``` Then use {{token}} in the Authorization header.

Easy Common 1 min read

Q144.What is collection runner in Postman?

Collection runner executes multiple requests in a collection. It supports iterations, test data files, environment selection, and result summaries. It is useful for regression testing and workflow validation.

Easy Common 1 min read

Q145.What is Newman?

Newman is Postman’s command-line collection runner. It allows Postman collections to run in CI/CD pipelines. Newman can generate CLI, JSON, HTML, and JUnit-style reports through reporters.

Easy Common 1 min read

Q146.How do you run a Postman collection using Newman?

Use the command: ```bash newman run collection.json -e environment.json ``` This runs the collection with the selected environment. Additional options can generate reports and pass data files.

Easy Common 1 min read

Q147.How do you run data-driven tests in Postman?

Use collection runner or Newman with CSV or JSON data files. Variables from the data file can be referenced in requests using {{variableName}}. This is useful for testing multiple input combinations.

Easy Common 1 min read

Q148.What are global variables in Postman?

Global variables are available across all collections and environments in a workspace. They should be used carefully because they can create conflicts. Environment or collection variables are usually safer.

Easy Common 1 min read

Q149.What are collection variables?

Collection variables are scoped to a specific collection. They are useful for values shared across requests in that collection, such as base paths, default headers, or common IDs.

Easy Common 1 min read

Q150.What is pm object in Postman?

pm is the Postman JavaScript API object used in scripts. It provides methods for reading responses, setting variables, sending requests, writing tests, and accessing environment data. Related: Playwright interview questions.

Easy Common 1 min read

Q151.How do you chain requests in Postman?

Extract data from one response and store it as a variable, then use that variable in later requests. For example, create a user, save userId, then use userId to update or delete the user.

Easy Common 1 min read

Q152.How do you handle dynamic data in Postman?

Use pre-request scripts, {{$randomEmail}}, {{$guid}}, timestamps, or custom JavaScript to generate unique data. Dynamic data prevents duplicate conflicts during repeated runs.

Easy Common 1 min read

Q153.How do you test response time in Postman?

Use pm.expect(pm.response.responseTime).to.be.below(1000). This validates that the API responds within the expected threshold. Response time checks are useful in smoke tests but are not a replacement for performance testing.

Easy Common 1 min read

Q154.How do you validate response headers in Postman?

Use pm.response.headers.get("Header-Name") and assert the value. For example, validate Content-Type is application/json or verify security headers are present.

Easy Common 1 min read

Q155.What are Postman monitors?

Postman monitors run collections on a schedule from Postman’s cloud. They help check API availability and correctness over time. They are useful for lightweight monitoring but not a full replacement for enterprise observability.

Easy Common 1 min read

Q156.What are Postman mocks?

Postman mock servers return predefined responses for requests. They help frontend teams work before backend APIs are ready and allow testers to simulate different response scenarios.

Easy Common 1 min read

Q157.What is the difference between Postman and Swagger?

Swagger mainly documents and describes APIs using OpenAPI, while Postman is used to send requests, automate tests, manage collections, and run workflows. Both can complement each other in API testing.

Easy Common 1 min read

Q158.What are limitations of Postman?

Postman is excellent for manual and collection-based testing, but complex framework design, advanced coding patterns, large-scale test architecture, and deep CI integration may be better handled with code-based frameworks like Rest Assured or pytest.

Easy Common 1 min read

Q159.How do you organize Postman collections?

Use folders by feature or resource, consistent request names, reusable variables, clear test scripts, environment files, and documentation. Avoid putting unrelated APIs in one large unstructured collection.

Easy Common 1 min read

Q160.What makes a good Postman API test?

A good Postman test validates status code, response schema, important fields, headers, response time, and business rules. It should use variables instead of hardcoding and should be runnable through Newman in CI.

Confidence check

If you can confidently answer the Postman, Newman, and API Testing Tools questions above, you're well prepared for this section of your interview. Move on, or rehearse the trickier ones aloud with our AI mock interviewer.

7. API Automation Frameworks

Easy Common 1 min read

Q161.What is API automation framework?

An API automation framework is a structured set of tools, code, utilities, test data, assertions, configuration, and reports used to automate API testing. It improves maintainability, reusability, and CI/CD execution.

Easy Common 1 min read

Q162.What are common tools for API automation?

Common tools include Rest Assured, Postman/Newman, Playwright request API, SuperTest, pytest with requests, Karate, Cypress API requests, JMeter, K6, and custom HTTP clients. Tool choice depends on language, team skills, and project needs.

Easy Common 1 min read

Q163.Why use Rest Assured for API testing?

Rest Assured is popular in Java projects because it has readable syntax, strong assertion support, JSON/XML parsing, authentication support, and good integration with TestNG, JUnit, Maven, Gradle, and CI/CD.

Easy Common 1 min read

Q164.Write a basic Rest Assured GET test.

Example: ```java given() .baseUri("https://api.example.com") .when() .get("/users/1") .then() .statusCode(200) .body("id", equalTo(1)); ``` This validates both status code and response body.

Easy Common 1 min read

Q165.How do you send a POST request in Rest Assured?

Use body() with contentType(). Example: ```java given() .contentType("application/json") .body("{\"name\":\"QA User\"}") .when() .post("/users") .then() .statusCode(201); ``` In real frameworks, use POJOs or maps instead of raw strings.

Easy Common 1 min read

Q166.What is given-when-then in Rest Assured?

given defines request setup, when defines the action, and then defines assertions. This style improves readability and matches behavior-driven testing structure.

Easy Common 1 min read

Q167.How do you validate JSON fields in Rest Assured?

Use body with JSON path expressions. Example: .body("data.email", equalTo("qa@example.com")). This allows validation of nested fields, arrays, and values.

Easy Common 1 min read

Q168.How do you extract values in Rest Assured?

Use extract().path() or extract().response(). For example, extract a created user ID and use it in later requests. Extraction supports API workflow testing.

Easy Common 1 min read

Q169.How do you handle authentication in Rest Assured?

Rest Assured supports Basic Auth, OAuth, Bearer tokens, headers, cookies, and filters. Commonly, testers generate a token using login API and pass it in Authorization header.

Easy Common 1 min read

Q170.How do you validate response schema in Java API automation?

Use JSON Schema Validator with Rest Assured. Store schema files in test resources and validate response using matchesJsonSchemaInClasspath. This catches structural API changes.

Easy Common 1 min read

Q171.What is pytest requests API testing?

In Python, the requests library with pytest is commonly used for API testing. It supports simple HTTP calls, fixtures, assertions, parameterization, and integration with CI.

Easy Common 1 min read

Q172.Write a basic Python API test.

Example: ```python import requests def test_get_user(): response = requests.get("https://api.example.com/users/1") assert response.status_code == 200 assert response.json()["id"] == 1 ``` This is simple and effective for Python-based API automation.

Easy Common 1 min read

Q173.What is Playwright API testing?

Playwright provides APIRequestContext and the request fixture for API testing. It can test APIs directly and combine API setup with UI tests. It is useful for teams already using Playwright for browser automation.

Easy Common 1 min read

Q174.Write a basic Playwright API test.

Example: ```ts import { test, expect } from '@playwright/test'; test('get user', async ({ request }) => { const response = await request.get('/api/users/1'); expect(response.status()).toBe(200); const body = await response.json(); expect(body.id).toBe(1); }); ``` This uses Playwright’s request fixture.

Easy Common 1 min read

Q175.What is SuperTest?

SuperTest is a Node.js library used to test HTTP APIs, especially Express applications. It is useful for backend integration tests and can run without starting a full external server in some setups.

Easy Common 1 min read

Q176.What is Karate framework?

Karate is an API testing framework that uses a readable DSL. It supports REST, SOAP, GraphQL, mocks, assertions, data-driven testing, and performance testing through Gatling integration. It is useful for teams that prefer less Java coding.

Easy Common 1 min read

Q177.How do you design an API automation framework folder structure?

A good structure includes tests, clients, endpoints, models, test data, schemas, utilities, config, reports, and environment files. Clear separation helps scale the framework as APIs grow.

Easy Common 1 min read

Q178.What is an API client class?

An API client class wraps reusable request methods for a resource or service. For example, UserClient may contain createUser, getUser, updateUser, and deleteUser methods. It reduces duplicate request code.

Easy Common 1 min read

Q179.What are POJOs in API automation?

POJOs are Plain Old Java Objects used to represent request and response bodies in Java. They improve type safety, readability, and serialization/deserialization in Rest Assured frameworks.

Easy Common 1 min read

Q180.What is serialization?

Serialization converts an object into a format like JSON or XML for sending in a request body. For example, a Java object can be serialized into JSON using Jackson or Gson.

Easy Common 1 min read

Q181.What is deserialization?

Deserialization converts JSON or XML responses into programming language objects. It helps validate responses using object fields instead of raw JSON path strings.

Easy Common 1 min read

Q182.What are reusable assertions?

Reusable assertions are common validation methods used across tests. For example, validateSuccessResponse, validateErrorResponse, or validatePagination. They improve consistency and reduce duplicate code.

Easy Common 1 min read

Q183.How do you manage base URL in API automation?

Store base URL in configuration files or environment variables. Avoid hardcoding URLs in tests. This allows the same tests to run against dev, QA, staging, or production-like environments.

Easy Common 1 min read

Q184.How do you manage tokens in automation?

Generate tokens during setup or use secure CI secrets. Store tokens only in runtime variables, not source code. Refresh tokens when needed and avoid logging sensitive values.

Easy Common 1 min read

Q185.What are test fixtures in API automation?

Fixtures provide reusable setup and teardown for tests, such as creating data, generating tokens, initializing clients, or cleaning resources. Pytest and Playwright have built-in fixture concepts.

Easy Common 1 min read

Q186.How do you perform data-driven API testing in code?

Use parameterized tests with arrays, JSON files, CSV files, or test data providers. Each data row runs the same test logic with different inputs and expected outputs.

Easy Common 1 min read

Q187.What reports are useful for API automation?

Useful reports include HTML, JUnit XML, Allure, JSON, and CI dashboards. Reports should show endpoint, test name, status, error message, request/response details, and execution time.

Easy Common 1 min read

Q188.How do you handle failed API tests?

Log request method, URL, headers without secrets, payload, status code, response body, correlation ID, and environment. Good failure logs reduce debugging time.

Easy Common 1 min read

Q189.What should not be logged in API tests?

Do not log passwords, access tokens, refresh tokens, API keys, personal data, or sensitive business data. Mask sensitive values before writing logs.

Easy Common 1 min read

Q190.What are best practices for API automation frameworks?

Use clean structure, reusable clients, schema validation, environment configs, secure secret management, meaningful assertions, independent tests, cleanup, CI integration, and clear reporting. Avoid hardcoded data and test dependencies.

Confidence check

If you can confidently answer the API Automation Frameworks questions above, you're well prepared for this section of your interview. Move on, or rehearse the trickier ones aloud with our AI mock interviewer.

8. Schema Validation, Contract Testing, and OpenAPI

Easy Common 1 min read

Q191.What is JSON schema validation?

JSON schema validation checks whether a JSON response follows an expected structure, data types, required fields, formats, and allowed values. It helps detect breaking changes even when status code is still 200.

Easy Common 1 min read

Q192.Why is schema validation important?

Schema validation ensures API consumers receive data in the expected format. It catches missing fields, renamed fields, wrong types, and unexpected structural changes early in testing or CI.

Easy Common 1 min read

Q193.What is contract testing?

Contract testing verifies that the agreement between API provider and consumer is honored. It checks expected requests and responses without requiring full end-to-end environments. It is useful in microservices.

Easy Common 1 min read

Q194.What is consumer-driven contract testing?

Consumer-driven contract testing means consumers define their expectations, and providers verify they can satisfy those expectations. Pact is a common tool for this approach.

Easy Common 1 min read

Q195.What is Pact?

Pact is a contract testing tool that helps verify interactions between service consumers and providers. It allows teams to detect breaking API changes before deployment.

Easy Common 1 min read

Q196.How is contract testing different from integration testing?

Contract testing verifies the message agreement between services, often using mocks and provider verification. Integration testing runs real services together to verify actual interaction. Contract tests are faster and more focused.

Easy Common 1 min read

Q197.What is OpenAPI validation?

OpenAPI validation checks whether API requests and responses match the OpenAPI specification. It can validate paths, methods, parameters, schemas, status codes, and security definitions.

Easy Common 1 min read

Q198.How can OpenAPI help testers?

OpenAPI helps testers understand endpoints, generate test cases, validate schemas, create mocks, identify missing documentation, and automate contract checks. It improves collaboration between developers and QA.

Easy Common 1 min read

Q199.What is backward compatibility in APIs?

Backward compatibility means changes do not break existing clients. Adding optional fields is usually backward compatible, while removing fields, renaming fields, or changing data types can break clients.

Medium Common 1 min read

Q200.What are breaking API changes?

Breaking changes include removing fields, changing field types, changing required fields, modifying status codes unexpectedly, changing authentication behavior, or removing endpoints. Contract tests help catch them. CTA after Q200: Ready to practice these API Testing answers in a real interview format? Try AI Mock Interview → /ai-mock-interview Start Free → /login Related: SQL interview questions.

Easy Common 1 min read

Q201.What is versioning in APIs?

API versioning allows changes without breaking existing clients. Common strategies include URL versioning like /v1/users, header versioning, or media type versioning. Testers verify behavior across supported versions.

Easy Common 1 min read

Q202.How do you test API versioning?

Test old and new versions for expected behavior, backward compatibility, deprecation warnings, documentation accuracy, and migration paths. Ensure clients using older versions are not unexpectedly broken.

Easy Common 1 min read

Q203.What is schema drift?

Schema drift happens when actual API responses differ from documented or expected schemas. It can break consumers. Automated schema validation helps detect drift early.

Easy Common 1 min read

Q204.What is a mock server?

A mock server simulates API responses without using the real backend. It is useful when APIs are not ready, third-party systems are unstable, or rare scenarios are difficult to reproduce.

Easy Common 1 min read

Q205.What is service virtualization?

Service virtualization simulates dependent services with more advanced behavior than simple mocks. It can mimic delays, errors, stateful responses, and complex integration behavior for testing.

Easy Common 1 min read

Q206.What is contract-first API development?

Contract-first development means defining the API contract before implementation. Teams agree on OpenAPI or similar specs first, then develop and test against the contract. This improves collaboration and reduces rework.

Easy Common 1 min read

Q207.What is schema-first testing?

Schema-first testing means validating APIs against predefined schemas early and consistently. It helps testers detect structural issues before complex business validations.

Easy Common 1 min read

Q208.How do you validate error response schema?

Define a standard error schema with fields like code, message, details, timestamp, and correlationId. Validate that all error responses follow this structure across endpoints.

Easy Common 1 min read

Q209.What are common schema validation mistakes?

Common mistakes include validating only required fields, ignoring nested objects, not validating arrays, allowing additional unexpected fields, and not updating schemas when requirements change.

Easy Common 1 min read

Q210.Should schema validation replace functional testing?

No. Schema validation checks structure, while functional testing checks behavior and business rules. Both are needed for reliable API quality.

Easy Common 1 min read

Q211.What is OpenAPI code generation?

OpenAPI code generation creates clients, server stubs, or models from an OpenAPI spec. Testers may use generated clients for automation, but generated code still needs meaningful assertions.

Easy Common 1 min read

Q212.How do you test deprecated APIs?

Verify deprecation headers, documentation, backward compatibility, warning messages, and planned removal behavior. Deprecated APIs should still work as promised until their retirement date.

Easy Common 1 min read

Q213.What is API governance?

API governance defines standards for design, security, documentation, versioning, error handling, and lifecycle management. Testing helps enforce governance by validating APIs against agreed standards.

Easy Common 1 min read

Q214.How do you validate enums in API responses?

Check that fields contain only allowed values defined by schema or requirements. Also test invalid enum values in requests and verify proper validation errors.

Easy Common 1 min read

Q215.How do you validate nested JSON responses?

Use JSON path, object mapping, or schema validation to check nested fields, arrays, and relationships. Validate both structure and important business values.

Confidence check

If you can confidently answer the Schema Validation, Contract Testing, and OpenAPI questions above, you're well prepared for this section of your interview. Move on, or rehearse the trickier ones aloud with our AI mock interviewer.

9. Test Data, Databases, Mocking, and Service Virtualization

Easy Common 1 min read

Q216.Why is test data important in API testing?

API tests depend heavily on data. Good test data ensures repeatability, independence, and accurate validation. Poor data management causes flaky tests, false failures, and environment pollution.

Easy Common 1 min read

Q217.What is test data setup?

Test data setup creates required records before a test runs. It can be done through APIs, database scripts, fixtures, seed data, or mocks. API-based setup is often the safest and fastest approach.

Easy Common 1 min read

Q218.What is test data cleanup?

Cleanup removes or resets test-created data after execution. It prevents duplicate conflicts and environment pollution. Cleanup should be idempotent and safe even if a test fails.

Easy Common 1 min read

Q219.What is seed data?

Seed data is predefined stable data loaded into an environment. Examples include roles, permissions, countries, categories, and test users. Tests can rely on seed data if it is controlled and versioned.

Easy Common 1 min read

Q220.What is dynamic test data?

Dynamic test data is generated during test execution, such as unique emails, IDs, names, or timestamps. It prevents conflicts when tests run repeatedly or in parallel.

Easy Common 1 min read

Q221.How do you create unique API test data?

Use UUIDs, timestamps, random suffixes, or worker-specific identifiers. For example, qa_user_20260619_001@example.com. Unique data helps avoid duplicate record failures. Reference: GraphQL documentation.

Easy Common 1 min read

Q222.How do you manage test data in parallel execution?

Use isolated users, unique records, worker-specific data, and cleanup by test identifiers. Avoid shared mutable data because parallel tests can update or delete each other’s records.

Easy Common 1 min read

Q223.When should you use database validation?

Use database validation when response alone is not enough to verify persistence or backend state. However, avoid overusing database checks because they can couple tests tightly to implementation details.

Easy Common 1 min read

Q224.What are risks of direct database testing?

Direct database testing may bypass business logic, create fragile tests, expose schema changes, and require sensitive access. Prefer API-based validation unless database verification is necessary.

Easy Occasional 1 min read

Q225.What is database seeding?

Database seeding loads predefined data before tests. It helps create known conditions for API tests. Seed data should be stable, documented, and resettable.

Easy Occasional 1 min read

Q226.How do you test APIs with dependent data?

Create dependencies through setup APIs or fixtures. For example, create a customer before creating an order. Avoid relying on manually created data that may change or disappear.

Easy Occasional 1 min read

Q227.What is mocking in API testing?

Mocking replaces a real dependency with a controlled fake response. It helps test unavailable services, rare error states, third-party failures, and frontend development before backend readiness.

Easy Occasional 1 min read

Q228.What is stubbing?

Stubbing provides predefined responses for specific requests. It is simpler than full service virtualization and useful for predictable scenarios. Stubs usually do not contain complex business logic.

Easy Occasional 1 min read

Q229.What is the difference between mock and stub?

A stub returns predefined data, while a mock can also verify interactions and expectations. In practice, the terms are often used loosely, but mocks are more behavior-focused.

Easy Occasional 1 min read

Q230.When should APIs be mocked?

Mock APIs when a dependency is unstable, unavailable, costly, slow, difficult to control, or belongs to a third party. Do not mock everything because real integration coverage is still needed.

Easy Occasional 1 min read

Q231.What is WireMock?

WireMock is a tool for mocking HTTP APIs. It can return predefined responses, match requests, simulate delays, and verify interactions. It is commonly used in integration and contract-style testing.

Easy Occasional 1 min read

Q232.How do you test third-party API integrations?

Use mocks for most regression tests and sandbox environments for limited integration tests. Validate request format, authentication, retry behavior, error handling, and mapping of third-party responses.

Easy Occasional 1 min read

Q233.How do you test file upload APIs?

Test valid files, invalid file types, empty files, large files, missing file field, metadata, virus scan behavior, and response validation. Also verify storage or retrieval if applicable.

Easy Occasional 1 min read

Q234.How do you test file download APIs?

Validate status code, Content-Type, Content-Disposition, file name, file size, file content, authorization, and behavior for missing files. For large files, verify streaming and timeout handling.

Easy Occasional 1 min read

Q235.How do you test APIs that send emails?

Use test email inboxes, mock email providers, mail capture tools, or API access to email logs in lower environments. Avoid relying on real external email delivery for automated regression.

Easy Occasional 1 min read

Q236.How do you test APIs that send SMS?

Use test provider sandboxes, mocks, static OTPs, or internal message retrieval APIs. Real SMS delivery is slow, costly, and unreliable for automated tests.

Easy Occasional 1 min read

Q237.How do you test payment APIs?

Use sandbox payment gateways, test cards, idempotency keys, webhook validation, failure scenarios, refunds, partial captures, and duplicate request handling. Never use real payment credentials in test automation.

Easy Occasional 1 min read

Q238.How do you test APIs with time-dependent behavior?

Control time using test configuration, mock clocks if supported, or use predictable test windows. Validate timezone handling, expiry, scheduled jobs, and date boundaries carefully.

Easy Occasional 1 min read

Q239.How do you handle flaky data issues?

Identify shared data, missing cleanup, environment changes, duplicate records, and parallel conflicts. Fix by using unique data, isolated users, better setup APIs, and cleanup routines.

Easy Occasional 1 min read

Q240.What are test data anti-patterns?

Anti-patterns include hardcoded shared users, no cleanup, dependency on manual data, production data usage, tests requiring specific execution order, and direct database changes without rollback.

Confidence check

If you can confidently answer the Test Data, Databases, Mocking, and Service Virtualization questions above, you're well prepared for this section of your interview. Move on, or rehearse the trickier ones aloud with our AI mock interviewer.

10. GraphQL, Microservices, Async APIs, and Webhooks

Easy Occasional 1 min read

Q241.What is GraphQL?

GraphQL is a query language for APIs where clients request exactly the data they need. Unlike REST, GraphQL usually uses a single endpoint and supports queries, mutations, subscriptions, schemas, and resolvers.

Easy Occasional 1 min read

Q242.How is GraphQL testing different from REST API testing?

REST testing focuses on multiple endpoints, methods, and status codes. GraphQL testing focuses on queries, mutations, variables, schema validation, field-level authorization, errors array, and response data structure.

Easy Occasional 1 min read

Q243.What is a GraphQL query?

A GraphQL query is used to fetch data. Testers validate requested fields, nested objects, variables, response data, missing fields, and authorization rules.

Easy Occasional 1 min read

Q244.What is a GraphQL mutation?

A mutation modifies data, such as creating or updating a record. Testers validate input variables, response fields, database changes, authorization, validation errors, and rollback behavior if needed.

Easy Occasional 1 min read

Q245.What are GraphQL variables?

Variables are dynamic values passed to GraphQL queries or mutations. They make operations reusable and safer than string concatenation. Testers validate required variables, optional variables, invalid types, and boundary values.

Easy Occasional 1 min read

Q246.What is GraphQL schema?

The schema defines available types, fields, queries, mutations, and relationships. Testers use the schema to design tests and detect breaking changes.

Easy Occasional 1 min read

Q247.What is GraphQL introspection?

Introspection allows clients to query the GraphQL schema. It is useful for tooling and documentation. In production, teams may restrict introspection for security reasons.

Easy Occasional 1 min read

Q248.How do you test GraphQL authorization?

Validate field-level and operation-level access. A user may be allowed to access a query but not certain sensitive fields. Testers should check both data and errors.

Easy Occasional 1 min read

Q249.What are common GraphQL error scenarios?

Common scenarios include missing required variables, invalid types, unauthorized fields, resolver failures, partial responses, query depth limit errors, and validation errors.

Easy Occasional 1 min read

Q250.What is a partial response in GraphQL?

GraphQL can return both data and errors in the same response. Testers should validate not only HTTP status but also the errors array and whether partial data is acceptable. Related: QA Practice Hub.

Easy Occasional 1 min read

Q251.What is a microservice?

A microservice is a small independently deployable service responsible for a specific business capability. APIs connect microservices. Testing microservices requires contract testing, integration testing, mocks, and observability.

Easy Occasional 1 min read

Q252.What are challenges in microservices API testing?

Challenges include many dependencies, asynchronous communication, distributed data, versioning, contract changes, environment instability, observability, and debugging across services.

Easy Occasional 1 min read

Q253.How do you test APIs in microservices architecture?

Use a mix of unit tests, contract tests, service tests, integration tests, end-to-end tests, and monitoring. Avoid relying only on full end-to-end tests because they are slower and more brittle.

Easy Occasional 1 min read

Q254.What is asynchronous API processing?

Asynchronous processing means the API accepts a request and processes it later. It may return 202 Accepted and provide a job ID or status endpoint. Testers validate polling, callbacks, queues, and final state.

Easy Occasional 1 min read

Q255.How do you test 202 Accepted APIs?

Validate initial 202 response, job ID, status endpoint, state transitions, timeout behavior, failure states, and final result. Use polling with sensible timeouts instead of hard waits.

Easy Occasional 1 min read

Q256.What is a webhook?

A webhook is an HTTP callback sent by one system to another when an event occurs. For example, a payment provider may send a payment_success webhook to an application.

Easy Occasional 1 min read

Q257.How do you test webhooks?

Test event payload, signature verification, retries, duplicate events, ordering, failure handling, idempotency, and security. Use mock receivers or local tunneling tools in lower environments.

Easy Occasional 1 min read

Q258.What is event-driven architecture?

Event-driven architecture uses events to communicate changes between systems. Testing requires validating event publishing, consuming, ordering, retries, dead-letter queues, and eventual consistency.

Easy Occasional 1 min read

Q259.What is eventual consistency?

Eventual consistency means data may not be immediately consistent across systems but becomes consistent after some time. Tests should use polling and verify final state rather than expecting instant updates.

Easy Occasional 1 min read

Q260.How do you test message queues?

Publish messages, verify consumption, validate payload, check retries, dead-letter handling, ordering, duplicate handling, and idempotency. Tools depend on Kafka, RabbitMQ, SQS, or other queue systems.

Easy Occasional 1 min read

Q261.What is Kafka testing?

Kafka testing validates producers, consumers, topics, message schemas, offsets, ordering, retries, and failure handling. It often requires test containers, embedded Kafka, or controlled test topics.

Easy Occasional 1 min read

Q262.What is gRPC?

gRPC is a high-performance RPC framework that uses Protocol Buffers. It is common in microservices. Testing gRPC involves validating service methods, request/response messages, status codes, deadlines, and metadata.

Easy Occasional 1 min read

Q263.How is gRPC testing different from REST testing?

gRPC uses protobuf messages and RPC methods instead of JSON over REST endpoints. Testers validate proto contracts, method responses, deadlines, metadata, streaming, and gRPC-specific status codes.

Easy Occasional 1 min read

Q264.What are API gateways?

API gateways route requests to backend services and handle authentication, rate limiting, logging, caching, routing, and transformation. Testers validate gateway rules, security, routing, and error handling.

Easy Occasional 1 min read

Q265.What is service discovery?

Service discovery allows services to find and communicate with each other dynamically. Testing service discovery directly is usually infrastructure-focused, but API testers may see failures caused by routing or unavailable services.

Confidence check

If you can confidently answer the GraphQL, Microservices, Async APIs, and Webhooks questions above, you're well prepared for this section of your interview. Move on, or rehearse the trickier ones aloud with our AI mock interviewer.

11. Performance, Reliability, CI/CD, and Monitoring

Easy Occasional 1 min read

Q266.What is API performance testing?

API performance testing measures response time, throughput, latency, error rate, and resource usage under expected and peak load. It helps ensure APIs meet performance requirements.

Easy Occasional 1 min read

Q267.What is load testing?

Load testing checks API behavior under expected user or request volume. It validates whether the API can handle normal traffic with acceptable response times and error rates.

Easy Occasional 1 min read

Q268.What is stress testing?

Stress testing pushes APIs beyond expected limits to find breaking points. It helps understand system capacity, failure behavior, and recovery ability.

Easy Occasional 1 min read

Q269.What is spike testing?

Spike testing suddenly increases API traffic to observe how the system handles rapid load changes. It is useful for systems affected by campaigns, flash sales, or sudden user activity.

Easy Occasional 1 min read

Q270.What is soak testing?

Soak testing runs APIs under sustained load for a long time. It helps detect memory leaks, resource exhaustion, connection leaks, and performance degradation over time.

Easy Occasional 1 min read

Q271.What is latency?

Latency is the delay before a response starts or completes. Low latency is important for user experience and system responsiveness. Testers measure latency across endpoints and network conditions.

Easy Occasional 1 min read

Q272.What is throughput?

Throughput is the number of requests processed in a given time, such as requests per second. Performance tests validate whether throughput meets expected business needs.

Easy Occasional 1 min read

Q273.What is error rate?

Error rate is the percentage of failed requests during testing or monitoring. High error rates may indicate server instability, timeout issues, rate limits, or dependency failures.

Easy Occasional 1 min read

Q274.What tools are used for API performance testing?

Common tools include JMeter, K6, Gatling, Locust, Postman performance features, and cloud-based load testing tools. Tool choice depends on scripting needs, reporting, protocol support, and team skills.

Easy Occasional 1 min read

Q275.What is API reliability testing?

Reliability testing validates whether APIs behave consistently over time and under different conditions. It includes retry behavior, timeout handling, dependency failures, rate limits, and graceful degradation.

Easy Occasional 1 min read

Q276.What is API monitoring?

API monitoring continuously checks availability, response time, status codes, and correctness of production or staging APIs. Monitoring helps detect incidents quickly after deployment.

Easy Occasional 1 min read

Q277.What is a synthetic API check?

A synthetic check is a scheduled test that calls an API like a client would. It validates availability and basic behavior from different locations or environments.

Easy Occasional 1 min read

Q278.How do you integrate API tests in CI/CD?

Run API tests after deployment to test environments, publish reports, fail builds on critical failures, manage secrets securely, and use smoke/regression tags. API tests are excellent for fast pipeline feedback.

Easy Occasional 1 min read

Q279.What is smoke API testing?

Smoke API testing is a small set of critical tests that verify core API availability and major business flows. It runs quickly after builds or deployments.

Easy Occasional 1 min read

Q280.What is regression API testing?

Regression API testing verifies that existing API behavior still works after changes. It includes positive, negative, schema, security, and workflow tests for important endpoints.

Easy Occasional 1 min read

Q281.How do you handle flaky API tests in CI?

Analyze logs, environment availability, data conflicts, dependency failures, timeouts, and parallel issues. Add retries only for known transient issues, and fix root causes instead of hiding failures.

Easy Occasional 1 min read

Q282.What is retry logic in API clients?

Retry logic automatically repeats failed requests for transient errors like 502, 503, 504, or network timeouts. Tests should verify retry limits, backoff strategy, and no duplicate side effects.

Easy Occasional 1 min read

Q283.What is circuit breaker pattern?

Circuit breaker prevents repeated calls to a failing service. It opens after failures and recovers later. API tests may validate fallback responses and recovery behavior in resilience testing.

Easy Occasional 1 min read

Q284.What metrics are important for APIs?

Important metrics include response time, latency, throughput, error rate, availability, CPU, memory, database time, dependency latency, and rate-limit usage. These metrics help evaluate API health.

Easy Occasional 1 min read

Q285.How do you report API performance issues?

Include endpoint, request method, payload, environment, response times, percentiles, error rate, load level, timestamps, correlation IDs, and comparison with expected SLA. Clear evidence helps developers identify bottlenecks.

Confidence check

If you can confidently answer the Performance, Reliability, CI/CD, and Monitoring questions above, you're well prepared for this section of your interview. Move on, or rehearse the trickier ones aloud with our AI mock interviewer.

12. Advanced Scenario-Based API Testing Questions

Easy Occasional 1 min read

Q286.How would you test a login API?

Test valid login, invalid password, nonexistent user, locked account, inactive account, missing fields, SQL injection strings, rate limiting, token generation, token expiry, refresh token behavior, and whether sensitive data is excluded from responses.

Easy Occasional 1 min read

Q287.How would you test a payment API?

Test successful payment, declined card, insufficient funds, invalid card, duplicate request, idempotency key, timeout, refund, partial refund, webhook events, currency validation, and security of payment data.

Easy Occasional 1 min read

Q288.How would you test an order creation API?

Test valid order, missing items, invalid product ID, out-of-stock product, price mismatch, discount calculation, tax calculation, unauthorized user, duplicate order, and retrieval of created order.

Easy Occasional 1 min read

Q289.How would you test a user registration API?

Test valid registration, duplicate email, invalid email, weak password, missing required fields, maximum length fields, email verification, default role assignment, and whether password is hashed and never returned.

Easy Occasional 1 min read

Q290.How would you test a search API?

Test exact match, partial match, case sensitivity, special characters, empty search, no results, pagination, sorting, filters, response time, and relevance of returned results.

Easy Occasional 1 min read

Q291.How would you test pagination in a production API?

Validate page size limits, first page, last page, invalid page, cursor behavior, stable sorting, duplicate prevention, total count accuracy, and performance for large datasets. Also test pagination with filters and sorting together.

Easy Occasional 1 min read

Q292.How would you test role-based APIs?

Create users with different roles and test allowed and denied operations. Verify both endpoint access and object-level access. Also test direct URL manipulation and unauthorized resource IDs.

Easy Occasional 1 min read

Q293.How would you test API backward compatibility?

Compare old and new versions, validate existing fields and status codes, run contract tests, check deprecation rules, and verify old clients can still consume responses without changes.

Easy Occasional 1 min read

Q294.How would you test an API that depends on a third-party service?

Mock the third-party service for regression tests and use sandbox testing for limited integration coverage. Validate success, timeout, retry, error mapping, authentication failure, and fallback behavior.

Easy Occasional 1 min read

Q295.How would you debug an API returning 500?

Reproduce with exact request, check payload, headers, authentication, environment, logs, correlation ID, database state, and dependency status. Report the issue with full request/response details while masking secrets.

Easy Occasional 1 min read

Q296.How would you reduce API test execution time?

Run tests in parallel, split smoke and regression suites, use API setup instead of UI setup, avoid unnecessary waits, reuse authentication setup carefully, reduce duplicate tests, and run only impacted tests in CI.

Easy Occasional 1 min read

Q297.How would you design an enterprise API automation framework?

Use reusable API clients, environment configs, secure secrets, schema validation, test data builders, contract checks, reporting, logging, CI integration, tagging, parallel execution, and clear coding standards. Keep tests independent and maintainable.

Easy Occasional 1 min read

Q298.How would you decide what to automate at API level?

Automate stable, high-value, repeatable, business-critical API scenarios. Prioritize authentication, payments, orders, data validation, integrations, and regression-prone endpoints. Avoid automating unstable or one-time exploratory scenarios too early.

Easy Occasional 1 min read

Q299.What should a senior QA say about API testing strategy?

A senior QA should explain the test pyramid, risk-based coverage, API/UI balance, contract testing, security checks, performance testing, CI integration, test data strategy, and observability. The focus should be business confidence, not only tool usage.

Medium Occasional 1 min read

Q300.What roadmap would you suggest for learning API testing?

Start with HTTP, REST, JSON, status codes, and Postman. Then learn authentication, authorization, test case design, schema validation, and negative testing. After that, learn automation using Rest Assured, Playwright, or Python requests, followed by contract testing, CI/CD, security, and performance basics. After Q300, add this FAQ section: Related: AI Mock Interview.

Confidence check

If you can confidently answer the Advanced Scenario-Based API Testing Questions questions above, you're well prepared for this section of your interview. Move on, or rehearse the trickier ones aloud with our AI mock interviewer.

Quick revision

  1. Q1: What is API testing — API testing is a type of software testing where APIs are tested directly to verify functionality, reliability, performance, and security.
  2. Q2: What is an API — An API, or Application Programming Interface, is a set of rules that allows different software systems to communicate with each other.
  3. Q3: Why is API testing important — API testing is important because many business rules live in the backend, not just the UI.
  4. Q4: What are the main benefits of API testing — The main benefits are faster execution, early defect detection, stable automation, better coverage of business logic, easier validation of negative scenarios, and reduced dependenc
  5. Q5: How is API testing different from UI testing — API testing validates backend services directly by sending requests and checking responses.

Frequently asked questions

Yes. API testing is excellent for freshers because it teaches backend validation, HTTP basics, request/response handling, and test design. Freshers should start with Postman, REST, JSON, status codes, and basic authentication.

Postman is best for beginners and manual API testing interviews. Rest Assured is commonly expected in Java automation roles. Playwright API testing, pytest requests, and Karate are also useful depending on the company’s tech stack.

The most asked topics are REST, HTTP methods, status codes, headers, authentication, authorization, Postman, JSON validation, schema validation, negative testing, pagination, rate limiting, and API automation frameworks.

For manual QA roles, basic Postman scripting may be enough. For SDET and automation roles, coding is usually required in Java, Python, JavaScript, or TypeScript.

Web service testing is a subset of API testing focused on services over a network, often REST or SOAP. API testing is broader and can include REST, SOAP, GraphQL, gRPC, libraries, and internal service interfaces.

Postman is enough for learning, manual testing, and collection-based automation. For large enterprise automation, code-based frameworks may provide better maintainability, version control, CI integration, and reusable architecture.

Basic API testing can be learned in 7 to 10 days. For interview-ready automation skills, 3 to 4 weeks of practice is better, especially if learning Rest Assured, schema validation, CI/CD, and security concepts.

Practice by testing real APIs, writing Postman collections, automating with Rest Assured or Playwright, validating schemas, testing negative scenarios, and explaining your test strategy in mock interviews.

Was this article helpful?

Cluster · API Testing

More from REST API Testing

REST fundamentals — verbs, status codes, contracts.

Pillar guide · 18 articles
More in this cluster

Key takeaways

  • Master the fundamentals before tackling advanced API Testing scenarios.
  • Always explain trade-offs — interviewers reward judgement, not memorisation.
  • Use real project examples; generic answers blend in.
  • Practice answers out loud — written prep doesn't transfer to live rounds.
  • Revise the 30-second cheat sheet the night before your interview.
  • Keep one strong scenario story ready for every section above.

These Questions Are Just the Start

Get 1000+ more with detailed model answers in our QA Interview Preparation Kit. Covers manual testing, automation, API, SQL, Selenium, Playwright, and framework concepts — everything asked in real QA interviews.

Get Interview Kit — ₹1,045

API testing jobs hiring now

Live, indexable API Testing openings — updated daily in Jobs Radar.

Browse all QA jobs on Jobs Radar

Loading current openings…

Home