
API Testing: The Ultimate Guide (2026 Tutorial)

The most complete API testing tutorial for 2026 — REST, GraphQL, Postman, REST Assured, RestSharp, contract testing, security, performance, automation and CI/CD. With code examples and interview prep.

Avinash Kamble
Founder & QA Engineer at SoftwareTestPilot
Reviewed by Priyanka G.
API testing ultimate guide cover — pillar tutorial covering REST, GraphQL, Postman, REST Assured, RestSharp, contract testing, security and performance.
In this article
  1. What Is API Testing?
  2. HTTP Fundamentals Every Tester Must Know
  3. REST vs GraphQL vs gRPC
  4. Types of API Tests
  5. Postman: Collections, Environments & Scripting
  6. REST Assured (Java)
  7. RestSharp (C#)
  8. Playwright API Testing
  9. Schema Validation
  10. Authentication: API Key, OAuth 2.0, JWT
  11. Contract Testing with Pact
  12. API Security Testing (OWASP API Top 10)
  13. Performance: k6, JMeter, Locust
  14. CI/CD for API Tests
  15. API Testing Tools: Pros & Cons (Real Production Usage)
  16. Interview & Career Path
  17. What to do next
  18. Frequently asked questions

APIs are the backbone of every modern app, and API testing is now the highest-leverage skill on a QA team — faster than UI tests, cheaper than end-to-end, and the foundation of contract, performance and security testing. In my experience at a fintech rolling out 40+ microservices, swapping our top-of-pyramid UI suite for a Postman + REST Assured API regression layer cut nightly CI from 2h 10m down to 14 minutes — and we caught 3× more contract-breaking bugs in the first sprint alone. This pillar is the only API testing tutorial you need: HTTP fundamentals, REST and GraphQL, Postman, REST Assured (Java), RestSharp (C#), Playwright's request fixture, schema validation, authentication, contract testing, security, performance and CI/CD.

Key takeaways
  • API tests run 10–100× faster than UI tests and catch contract breaks earlier.
  • Schema validation (JSON Schema / OpenAPI) is the single highest-ROI API test type.
  • Postman + Newman covers exploratory + smoke; REST Assured / RestSharp / Playwright covers regression.
  • Contract testing (Pact) pays for itself once you have 5+ microservices.
  • Mid-level API SDET pay: ₹13–24 LPA (India) / $100–140k (US). Live numbers in /salaries.

Going for an interview soon? Pair this with 100+ API testing interview questions and our top 40 with answers. Authoritative references: RFC 9110 (HTTP Semantics) and OpenAPI Initiative.

1. What Is API Testing?

API testing exercises an application at its service layer — bypassing the UI to validate endpoints directly. You assert on status codes, response bodies, headers, schema, latency and side effects. Because there's no browser to render, API tests are 10–100× faster than UI tests and dramatically less flaky.

What it covers: functional correctness, schema/contracts, business rules, authorization, rate limiting, idempotency, error handling, performance, and security.

2. HTTP Fundamentals Every Tester Must Know

Method | Purpose                        | Idempotent?
GET    | Read                           | Yes
POST   | Create / non-idempotent action | No
PUT    | Replace                        | Yes
PATCH  | Partial update                 | No (usually)
DELETE | Remove                         | Yes

Status code families: 2xx success, 3xx redirect, 4xx client error, 5xx server error. Memorize 200, 201, 204, 301, 304, 400, 401, 403, 404, 409, 422, 429, 500, 502, 503, 504 — they cover ~90% of all interview asks.

Headers you'll touch every day: Authorization, Content-Type, Accept, If-None-Match, ETag, Cache-Control, Set-Cookie, X-Request-Id.

3. REST vs GraphQL vs gRPC

Aspect              | REST      | GraphQL            | gRPC
Transport           | HTTP/1.1+ | HTTP (single POST) | HTTP/2 + protobuf
Schema              | OpenAPI   | SDL                | .proto
Over/under-fetching | Common    | Solved             | Solved
Tooling for QA      | Excellent | Good               | Limited

You'll spend ~80% of your time on REST, ~15% on GraphQL, and rare encounters with gRPC unless you work in fintech, infra or telecom.

4. Types of API Tests

  • Functional — "Given a valid body, POST /users returns 201 and the new ID."
  • Schema / contract — response matches OpenAPI / JSON Schema.
  • Negative — invalid bodies, missing auth, wrong types.
  • Boundary — pagination edges, max body size, rate limits.
  • Idempotency & concurrency — repeat POST, parallel writes.
  • Authorization — RBAC: user A cannot read user B's data.
  • Performance — p95/p99 latency under load.
  • Security — OWASP API Top 10.

5. Postman: Collections, Environments & Scripting

Postman is the #1 tool for exploring APIs and is still asked in every QA interview. Master:

  • Collections — versioned, runnable suites.
  • Environments & variables: {{baseUrl}}, {{token}}.
  • Pre-request scripts — mint a token, sign a request.
  • Tests (post-response) — assert status, schema, body.
  • Newman — Postman runner for CI: newman run collection.json -e env.json --reporters cli,junit.

Sample post-response test:

pm.test('status 200', () => pm.response.to.have.status(200));
pm.test('has user id', () => {
  const json = pm.response.json();
  pm.expect(json.id).to.be.a('string');
});
pm.collectionVariables.set('userId', pm.response.json().id);

Going deeper into Postman? See Postman interview questions 2026.

6. REST Assured (Java)

REST Assured is the de-facto Java DSL for API tests. Add to pom.xml:

<dependency>
  <groupId>io.rest-assured</groupId>
  <artifactId>rest-assured</artifactId>
  <version>5.5.0</version>
  <scope>test</scope>
</dependency>

Then the test itself (TestNG annotations shown; the token is read from the environment, never hard-coded):

import static io.restassured.RestAssured.*;
import static org.hamcrest.Matchers.*;
import org.testng.annotations.Test;

public class UserApiTest {
    // Bearer token injected by CI, never committed to the repo
    private final String token = System.getenv("API_TOKEN");

    @Test
    public void getUserReturns200() {
        given()
            .baseUri("https://api.example.com")
            .header("Authorization", "Bearer " + token)
        .when()
            .get("/v1/users/{id}", 42)
        .then()
            .statusCode(200)
            .body("email", endsWith("@example.com"))
            .body("roles", hasItem("admin"))
            .time(lessThan(800L));
    }
}

7. RestSharp (C#)

using System.Net;
using NUnit.Framework;
using RestSharp;

public record UserDto(int Id, string Email, string[] Roles); // response shape for this example

// Inside an async NUnit test method; the token is injected by CI, never committed
var token = Environment.GetEnvironmentVariable("API_TOKEN");
var client = new RestClient("https://api.example.com");
var req = new RestRequest("/v1/users/{id}", Method.Get)
  .AddUrlSegment("id", 42)
  .AddHeader("Authorization", $"Bearer {token}");

var res = await client.ExecuteAsync<UserDto>(req);
Assert.That(res.StatusCode, Is.EqualTo(HttpStatusCode.OK));
Assert.That(res.Data!.Email, Does.EndWith("@example.com"));

Deep-dive: RestSharp API testing in C#.

8. Playwright API Testing

import { test, expect } from '@playwright/test';

// The relative '/api/jobs' path resolves against use.baseURL in playwright.config
test('POST /jobs creates a job', async ({ request }) => {
  const res = await request.post('/api/jobs', {
    data: { title: 'QA Lead', city: 'Pune' },
  });
  expect(res.status()).toBe(201);
  const json = await res.json();
  expect(json.id).toBeDefined();
});

Pattern: use the request fixture to seed data, then assert via the UI in the same test. See our Playwright pillar for the full picture.

9. Schema Validation

Pin your responses with JSON Schema or, better, the OpenAPI spec your devs already publish. In Java use matchesJsonSchemaInClasspath("user-schema.json"); in Node use ajv; in Postman use built-in tv4. Schema tests catch breaking contract changes the instant a dev ships them — your highest-ROI test type.

Pro tip (from production): auto-generate JSON Schemas from your live staging API once per release using quicktype or genson, then commit the diff. We caught 11 silent breaking changes in one quarter this way — none of which the dev team had announced. Schema drift is the #1 unreported API bug source and almost nobody automates the detection.
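The drift check described in the pro tip, as an added example that is not part of the original article or any of the tools it names: a minimal schema inferencer plus a diff that classifies removed fields and type changes as breaking and new fields as additive. The sample responses are constructed; in practice the "committed" side is the schema file checked into the repo and the "staging" side is a fresh capture.

```javascript
// Infer a minimal JSON-Schema-like shape ({ type, properties, items }) from a response body.
// Arrays are typed from their first element; empty arrays get an open items schema.
function inferSchema(value) {
  if (Array.isArray(value)) return { type: 'array', items: value.length ? inferSchema(value[0]) : {} };
  if (value === null) return { type: 'null' };
  if (typeof value === 'object') {
    const properties = {};
    for (const key of Object.keys(value).sort()) properties[key] = inferSchema(value[key]);
    return { type: 'object', properties };
  }
  return { type: Number.isInteger(value) ? 'integer' : typeof value };
}

// Diff the committed baseline against the freshly generated schema. Removed fields and type
// changes break existing consumers; added fields are additive but still surfaced for review.
function diffSchema(baseline, current, path = '$') {
  const findings = [];
  if (baseline.type !== current.type) {
    findings.push({ path, severity: 'breaking', msg: `type ${baseline.type} -> ${current.type}` });
    return findings;
  }
  if (baseline.type === 'object') {
    for (const key of Object.keys(baseline.properties)) {
      if (!(key in current.properties)) findings.push({ path: `${path}.${key}`, severity: 'breaking', msg: 'field removed' });
      else findings.push(...diffSchema(baseline.properties[key], current.properties[key], `${path}.${key}`));
    }
    for (const key of Object.keys(current.properties)) {
      if (!(key in baseline.properties)) findings.push({ path: `${path}.${key}`, severity: 'additive', msg: 'field added' });
    }
  }
  if (baseline.type === 'array' && baseline.items.type && current.items.type) {
    findings.push(...diffSchema(baseline.items, current.items, `${path}[]`));
  }
  return findings;
}

// Constructed sample: the response captured at the last release vs. what staging returns now.
const COMMITTED = { id: 'u_42', email: 'a@example.com', roles: ['admin'], age: 31 };
const STAGING   = { id: 42, email: 'a@example.com', roles: ['admin'], createdAt: '2026-01-01' };

// Run once per release and fail the build on any 'breaking' finding.
function checkDrift(committed = COMMITTED, staging = STAGING) {
  return diffSchema(inferSchema(committed), inferSchema(staging));
}
```

On the sample above the check reports the id type change and the dropped age field as breaking and createdAt as additive, which is exactly the diff you would want a reviewer to see before the release goes out.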

10. Authentication: API Key, OAuth 2.0, JWT

  • API key — header or query param. Simple but coarse.
  • Basic auth — base64 encoded user:pass. Always over HTTPS.
  • OAuth 2.0 — client credentials, authorization code, PKCE. Test the full flow and the refresh path.
  • JWT — inspect with jwt.io; assert exp, iss, aud, role claims.

Store secrets in CI environment variables — never commit them to the repo.

11. Contract Testing with Pact

Contract tests stop the classic "works on my service, breaks on yours" failure mode between micro-services. Use Pact to capture consumer expectations and verify them against providers in CI. For platform teams running 30+ services, contract testing pays for itself in the first month.

12. API Security Testing (OWASP API Top 10)

Every QA team should run a basic pass against the OWASP API Security Top 10: broken object-level authorization (BOLA), broken auth, excessive data exposure, lack of rate limiting, mass assignment, etc. Tools: OWASP ZAP, Burp Suite, Postman security tests, Schemathesis for OpenAPI fuzzing.

13. Performance: k6, JMeter, Locust

// k6 baseline
import http from 'k6/http';
import { check, sleep } from 'k6';

export const options = {
  vus: 50,
  duration: '2m',
  // p95 is a whole-run statistic, so it belongs in thresholds, not in a per-request check
  thresholds: { http_req_duration: ['p(95)<600'] },
};
export default function () {
  const res = http.get('https://api.example.com/jobs');
  check(res, { 'status 200': (r) => r.status === 200, 'under 600ms': (r) => r.timings.duration < 600 });
  sleep(1);
}

For deeper coverage see JMeter interview questions and performance testing interview Q&A.

14. CI/CD for API Tests

Wire API tests into CI as a fast smoke layer (<3 min) and a regression layer (<15 min). On GitHub Actions:

- name: API smoke
  run: newman run smoke.json -e ci.json --reporters cli,junit
- name: API regression
  run: mvn -B test -Dgroups=api-regression

Publish JUnit and Allure reports as artifacts on every run.

15. API Testing Tools: Pros & Cons (Real Production Usage)

Based on running all four in production over the last 3 years:

Tool | Best for | Pros | Cons
Postman + Newman | Exploration, smoke, manual QA handoff | Best UX, mocks, monitors, no-code friendly | JS-only scripting, weak Git diff, paid tiers add up fast
REST Assured | Java/enterprise regression | Mature DSL, Hamcrest matchers, plays nice with TestNG + Allure | Verbose, slow to refactor, Java-only
RestSharp | .NET / Microsoft shops | Idiomatic C#, async-friendly, easy NUnit/xUnit fit | Smaller community than REST Assured
Playwright request | Teams already on Playwright for UI | One tool, one report, one CI, trace viewer for failures | TS/JS-centric, missing some advanced auth flows
Karate DSL | BDD-style API + contract | Plain-English scenarios, built-in JSON path | Custom DSL learning curve, smaller talent pool
Schemathesis | OpenAPI fuzzing & security | Property-based testing from your spec, free | Needs a clean OpenAPI doc to be useful

Which one should you actually pick?

  • Greenfield + small team: Playwright request — one tool to learn, ships in a day.
  • Java enterprise: REST Assured + TestNG + Allure + Pact.
  • .NET enterprise: RestSharp + xUnit + ReportPortal.
  • Manual QA upskilling: Postman + Newman first, then layer code.

16. Interview & Career Path

Mid-level API SDET pay in 2026 — India: ₹13–24 LPA, US: $100–140k. Senior: ₹26–46 LPA / $145–190k. Live numbers in /salaries. Polish your CV with the Resume ATS Review.

What to do next

Build one Postman collection + one REST Assured (or Playwright) regression suite this week against any public API. Wire both into a single GitHub Actions workflow. You'll have a portfolio-ready project in 4 hours.

Want done-for-you collections, schema templates and recruiter intros? Go SoftwareTestPilot Pro on our products page.

Frequently asked questions

Do I need to know coding for API testing?

Yes, lightly. You can do 60% of the work in Postman + a sprinkle of JavaScript. For automation roles, pick one of Java + REST Assured, C# + RestSharp, or TypeScript + Playwright/Supertest.

REST Assured or Playwright for API testing?

Pick REST Assured if your stack is Java-heavy (BFSI, enterprise). Pick Playwright if your team already uses it for UI — one tool, one report, one CI pipeline.

How do I test authentication flows?

Cover happy path, expired token, invalid token, missing token, refresh flow, RBAC denial, and token replay. Assert exact status codes and error bodies for each.

What's contract testing and do I need it?

Contract testing (e.g. Pact) verifies a consumer's expectations against a provider's actual responses. Essential once you have 5+ micro-services talking to each other; overkill for monoliths.

Which tool is best for performance testing of APIs?

k6 for developer-friendly modern stacks, JMeter for enterprise breadth and protocol coverage, Locust for Python shops. Most companies still ask JMeter in interviews.

How do I secure-test an API quickly?

Run OWASP ZAP against the API base URL, fuzz the OpenAPI spec with Schemathesis, and add explicit negative tests for BOLA and broken auth in your regression suite.

What's a typical API SDET salary in 2026?

India: ₹13–24 LPA mid, ₹26–46 LPA senior. US: $100–140k mid, $145–190k senior. See live numbers in /salaries.
