SoftwareTestPilot
API TestingPublished: Updated: · 5 days ago30 min read

Postman API Testing: Beginner to Advanced (2026)

The 2026 complete Postman API testing tutorial. Step-by-step from first request to collections, environments, scripting, data-driven testing, Newman CLI, mock servers, monitors, and CI/CD.

Avinash Kamble
Avinash Kamble
Founder & QA Engineer at SoftwareTestPilot
Reviewed by Priyanka G.
Share:XLinkedInWhatsApp
Postman API Testing 2026 — 3D book cover with the Postman logo on a dark navy gradient.
Postman API Testing 2026 — 3D book cover with the Postman logo on a dark navy gradient.
In this article
  1. 1. Why Postman in 2026
  2. 2. Install and Set Up Postman
  3. 3. Your First API Request
  4. 4. Collections — Organizing Your Tests
  5. 5. Environments and Variables
  6. 6. Test Scripts — The Heart of Postman
  7. 7. Pre-request Scripts
  8. 8. Data-Driven Testing
  9. 9. Authentication Patterns
  10. 10. Newman CLI for CI/CD
  11. 11. Mock Servers
  12. 12. Monitors — Scheduled API Tests
  13. 13. Advanced Patterns
  14. 14. Postman Best Practices for 2026
  15. 15. Author Bio & Next Steps
  16. Frequently asked questions

What you'll master: By the end of this Postman tutorial you will be able to design a complete API test suite in Postman — collections, environments, variables, scripting, data-driven testing, mock servers, monitors, Newman CLI for CI/CD, and advanced patterns for auth, contract testing, and performance smoke.

1. Why Postman in 2026

Postman is the most widely used API client and testing tool on Earth. It started as a Chrome extension in 2012 and grew into a full platform that 30+ million developers use daily.

In 2026, Postman dominates API testing for three reasons:

  1. Best developer experience — beautiful UI, fast iteration, generous free tier
  2. Full lifecycle — design (OpenAPI import), debug, test, mock, monitor, document, publish
  3. CI/CD friendly — Newman CLI runs any collection in any pipeline

When to choose Postman over alternatives

Use caseBest tool
Exploratory testing and prototypingPostman
Shared team collectionsPostman
CI/CD with HTML reportsPostman (via Newman)
Java code-first automationREST Assured
Polyglot UI + APIPlaywright
Contract testingPact
Performance testingk6 or JMeter

For a broader comparison, see our API testing tutorial.

🚀 Practise live. Rehearse Postman + API rounds with our AI mock interview, and review the API testing interview questions.

2. Install and Set Up Postman

Desktop app (recommended)

Download from postman.com/downloads. Available for Windows, macOS, and Linux.

Web app

Visit go.postman.com — no install needed. Limited compared to the desktop app (no native app, no proxy, no Interceptor).

Sign in

A free Postman account is required to save collections, environments, and run monitors. Personal plan is free; team plans start at $9/user/month.

Create a workspace

Workspaces organize collections. Create one per project:

Workspaces
├── Acme Production
│   ├── Auth API
│   ├── Payments API
│   └── Users API
└── Learning Lab
    └── Public APIs

3. Your First API Request

We'll use JSONPlaceholder — a free fake API.

GET request

  1. Click + New → HTTP Request
  2. Set method to GET
  3. URL: https://jsonplaceholder.typicode.com/users/1
  4. Click Send

You should see 200 OK, ~200ms, and a JSON body with id, name, email.

POST request

Method: POST
URL: https://jsonplaceholder.typicode.com/users
Headers: Content-Type: application/json
Body (raw, JSON):
{
  "name": "Alice Johnson",
  "email": "alice@example.com",
  "role": "admin"
}

JSONPlaceholder returns a fake response with id: 11.

Inspect the response

The response viewer shows Body (Pretty/Raw/Preview), Headers, Cookies, Test Results, and response time/size. See our API testing tutorial for REST fundamentals.

4. Collections — Organizing Your Tests

A collection is a folder of related requests. Save your first request to a collection (Users API), then add more:

  • GET /users — list
  • GET /users/:id — read one
  • POST /users — create
  • PUT /users/:id — update
  • DELETE /users/:id — delete

Folders

Users API
├── Auth
│   ├── POST /login
│   └── POST /refresh-token
├── Users
│   ├── GET /users
│   ├── GET /users/:id
│   ├── POST /users
│   ├── PUT /users/:id
│   └── DELETE /users/:id
└── Admin
    └── POST /admin/users

Collection-level scripts

Attach scripts that run before/after every request in the collection:

  • Pre-request: generate timestamps, compute hashes, refresh tokens
  • Test: common assertions across all requests

5. Environments and Variables

Variables make collections portable across dev, staging, and production.

Create an environment

VARIABLE         | INITIAL VALUE               | CURRENT VALUE
base_url         | https://staging.example.com | https://staging.example.com
admin_email      | admin@example.com           | admin@example.com
admin_password   | Sup3rSecret!                | Sup3rSecret!
auth_token       |                             | (set by test)

Use variables in requests

{{base_url}}/users/{{user_id}}

Variable scopes (priority order)

  1. Local — only this request
  2. Data — from CSV/JSON during Runner
  3. Environment — current environment
  4. Collection — collection-level
  5. Global — workspace-level

Switching environments

pm.environment.set("auth_token", response.json().token);
pm.environment.unset("auth_token");

Initial vs current value

  • Initial — synced to the cloud, shared with teammates
  • Current — local-only, not synced (good for secrets)

⚠️ Never commit secrets to initial values. Use current values or environment secrets.

6. Test Scripts — The Heart of Postman

The Tests tab runs JavaScript after every request. Use the built-in pm API to make assertions.

Basic assertions

pm.test("Status is 200", () => {
    pm.expect(pm.response.code).to.equal(200);
});

pm.test("Response time under 500ms", () => {
    pm.expect(pm.response.responseTime).to.be.below(500);
});

pm.test("Response has user id", () => {
    const json = pm.response.json();
    pm.expect(json).to.have.property('id');
});

pm.test("User email matches", () => {
    pm.expect(pm.response.json().email).to.equal('admin@example.com');
});

pm.test("Returns 10 users", () => {
    pm.expect(pm.response.json()).to.have.lengthOf(10);
});

Schema validation (built-in)

const schema = {
    type: "object",
    required: ["id", "name", "email"],
    properties: {
        id: { type: "integer" },
        name: { type: "string" },
        email: { type: "string", format: "email" }
    }
};

pm.test("Schema matches", () => {
    pm.expect(pm.response.json()).to.matchJsonSchema(schema);
});

Chaining requests

// In POST /login Tests
pm.test("Login returns token", () => {
    const json = pm.response.json();
    pm.expect(json.token).to.exist;
    pm.environment.set("auth_token", json.token);
});

// In GET /users headers:
// Authorization: Bearer {{auth_token}}

7. Pre-request Scripts

Pre-request scripts run before the request is sent. Use them for timestamps, signatures (HMAC, OAuth), random data, and token refresh.

Random email + timestamp

pm.environment.set("timestamp", Date.now());
const random = Math.random().toString(36).substring(7);
pm.environment.set("random_email", `test_${random}@example.com`);

HMAC signature

const crypto = require('crypto-js');
const payload = JSON.stringify(pm.request.body);
const secret = pm.environment.get("api_secret");
const signature = crypto.HmacSHA256(payload, secret).toString();
pm.request.headers.add({ key: 'X-Signature', value: signature });

Refresh OAuth token

if (!pm.environment.get("oauth_token") || Date.now() > pm.environment.get("token_expiry")) {
    pm.sendRequest({
        url: pm.environment.get("oauth_url"),
        method: 'POST',
        header: { 'Content-Type': 'application/x-www-form-urlencoded' },
        body: {
            mode: 'urlencoded',
            urlencoded: [
                { key: 'grant_type', value: 'client_credentials' },
                { key: 'client_id', value: pm.environment.get("client_id") },
                { key: 'client_secret', value: pm.environment.get("client_secret") }
            ]
        }
    }, (err, res) => {
        const json = res.json();
        pm.environment.set("oauth_token", json.access_token);
        pm.environment.set("token_expiry", Date.now() + (json.expires_in * 1000) - 60000);
    });
}

8. Data-Driven Testing

Run the same request against many data sets using the Collection Runner and a CSV or JSON file.

Step 1 — Parameterize

URL: {{base_url}}/users/{{user_id}}
Body: { "email": "{{email}}", "role": "{{role}}" }

Step 2 — Data file

user_id,email,role,expected_status
1,admin@example.com,admin,200
2,viewer@example.com,viewer,200
3,guest@example.com,guest,200
999,nonexistent@example.com,viewer,404

Step 3 — Run

Click Runner → select collection → select data file → Run. Postman executes the request once per row.

Step 4 — Assert against data

pm.test("Status matches expected", () => {
    const expected = pm.iterationData.get("expected_status");
    pm.expect(pm.response.code).to.equal(parseInt(expected));
});

Tips: CSV is simplest; JSON supports nested structures. Use pm.iterationData.get("key") to read the current row.

9. Authentication Patterns

Bearer Token

Authorization → Bearer Token → Token: {{auth_token}}

Basic Auth

Username: admin
Password: Sup3rSecret!

API Key

Key: X-API-Key
Value: {{api_key}}
Add to: Header (or Query Params)

OAuth 2.0

Grant Type: Authorization Code (or Client Credentials)
Auth URL: https://auth.example.com/oauth/authorize
Access Token URL: https://auth.example.com/oauth/token
Client ID: {{client_id}}
Client Secret: {{client_secret}}
Scope: read write

Click Get New Access Token — Postman opens consent in a popup, captures the token, and uses it for subsequent requests.

10. Newman CLI for CI/CD

Newman is the CLI version of Postman. Run any collection in any pipeline.

Install & run

npm install -g newman

newman run users-api.postman_collection.json \
    -e staging.postman_environment.json \
    --reporters cli,html \
    --reporter-html-export newman-report.html

Common flags

FlagPurpose
-eEnvironment file
-dData file (CSV/JSON)
-rReporter (cli, html, json, junit)
--bailStop on first failure
--timeout-requestPer-request timeout
--delay-requestDelay between requests
--folderRun only a specific folder

GitHub Actions

name: Postman API Tests
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: 20 }
      - run: npm install -g newman
      - run: |
          newman run api-tests/Users.postman_collection.json \
              -e api-tests/Staging.postman_environment.json \
              -d api-tests/users.csv \
              --reporters cli,junit,html \
              --reporter-junit-export results/newman.xml \
              --reporter-html-export results/report.html
      - uses: actions/upload-artifact@v4
        if: ${{ !cancelled() }}
        with:
          name: newman-results
          path: results/

GitLab CI

api-tests:
  image: node:20
  script:
    - npm install -g newman
    - newman run api-tests/Users.postman_collection.json
  artifacts:
    when: always
    paths: [newman-report.html]

11. Mock Servers

Postman mock servers simulate your API before it's built — perfect for frontend teams working in parallel.

Create a mock

  1. Right-click a collection → Mock collection
  2. Choose a name and environment
  3. Postman generates a mock URL: https://<uuid>.mock.pstmn.io/users/1

Add example responses

For each request, open Examples+ Add Example, send the request, and save the response. Postman returns this as the mock response.

Use the mock from your frontend

fetch('https://<uuid>.mock.pstmn.io/users/1')
    .then(r => r.json())
    .then(user => console.log(user));

Mocks support environment variables, so you can switch between "happy" and "error" responses by changing one variable.

12. Monitors — Scheduled API Tests

Monitors run a collection on a schedule and alert you when it fails.

Create a monitor

  1. Right-click a collection → Monitor collection
  2. Name: Production health check
  3. Schedule: every 5 minutes (or hourly, daily, weekly)
  4. Region: closest to your API
  5. Click Create

Use cases

  • Production smoke — every 5 minutes hit critical endpoints
  • Staging monitoring — hourly full regression
  • SLA compliance — daily response-time assertions

Monitors can post to Slack, Microsoft Teams, PagerDuty, Datadog, and webhooks.

13. Advanced Patterns

Contract testing with OpenAPI

  1. Import your OpenAPI spec: Import → Link or upload file
  2. Postman generates a collection from the spec
  3. Add tests to verify each endpoint matches the contract

Visualize response data

const template = `
<table>
    <tr><th>ID</th><th>Name</th><th>Email</th></tr>
    {{#each response}}
    <tr><td>{{id}}</td><td>{{name}}</td><td>{{email}}</td></tr>
    {{/each}}
</table>
`;

pm.visualizer.set(template, pm.response.json());

Reusable collection scripts

// Runs before every request in this collection
const timestamp = Date.now();
pm.environment.set("request_timestamp", timestamp);

Workflows

Right-click a collection → Run collection with workflows. Drag requests to define order, add conditionals (run B only if A succeeded; repeat C until X).

14. Postman Best Practices for 2026

Do

  • Use collections to organize by API or feature
  • Use environments to separate dev/staging/prod
  • Use variables for everything that changes between runs
  • Use pre-request scripts for auth refresh and dynamic data
  • Use test scripts for assertions, not just response logging
  • Use Newman in CI for every collection
  • Use monitors for production smoke testing
  • Use mock servers for frontend-in-parallel development
  • Version your collections (Postman v10+ supports Git sync)

Don't

  • Don't hardcode URLs or credentials
  • Don't commit API keys to initial values
  • Don't write tests without assertions (logging ≠ testing)
  • Don't ignore flaky tests — diagnose and fix
  • Don't skip schema validation — it's the cheapest contract check
  • Don't use Postman as a replacement for code-based automation when you need 1000s of tests

15. Author Bio & Next Steps

About the author: The SoftwareTestPilot Editorial Team is a group of QA practitioners with 40+ years of combined experience. We've built 100+ Postman collections for fintech, SaaS, and healthcare APIs and run them in CI/CD pipelines serving 50+ engineering teams.

Continue Your Postman Journey

Frequently asked questions

Is Postman free?

Yes — the desktop app and personal workspace are free. Team features start at $9/user/month. The free tier is generous enough for individual use.

Is Postman better than REST Assured?

For exploration and shared collections, yes. For Java code-first automation at scale, REST Assured is more maintainable. Most teams use both.

Can Postman replace Swagger / OpenAPI?

Postman can import OpenAPI specs and generate collections. It complements OpenAPI rather than replacing it.

What is Newman?

Newman is the CLI version of Postman. Run any Postman collection from the command line or in CI/CD pipelines.

How do I run Postman tests in CI/CD?

Use Newman in your pipeline. It supports GitHub Actions, GitLab CI, Jenkins, CircleCI, and any shell-capable environment.

What is a mock server in Postman?

A mock server simulates your API before it's built. Frontend teams can use the mock while the backend is being developed.

How do I share a Postman collection with my team?

Use a workspace with team members added, or use a Run-in-Postman button in documentation, or sync to Git and version-control alongside code.

How do I test OAuth in Postman?

Use the built-in OAuth 2.0 helper in the Authorization tab. It handles authorization code, client credentials, password, and implicit flows.

Can Postman test GraphQL?

Yes — set method to POST, URL to the GraphQL endpoint, and put the query/variables in the body. Tests work the same as for REST.

What's the difference between Postman and Insomnia?

Postman has a larger ecosystem, more features, and a bigger free tier. Insomnia is lighter, more developer-focused, and free + paid for teams. Both are excellent.

Keep going

Practice these questions

Rehearse REST, Postman, REST Assured and contract-testing questions with worked examples.

Found this useful?
Share:XLinkedInWhatsApp

Was this article helpful?

Keep building your QA edge

Continue reading

Join the QA Community

Connect with fellow testers, share job leads, and get career advice.

Premium QA Resources

Stop Reinventing the Wheel. Upgrade Your QA Arsenal.

Take your testing skills from beginner to Lead Engineer. Supercharge your daily workflow with our premium digital resources.

  • ⚡ Ready-to-use testing strategy templates
  • 🔥 Advanced API & UI automation guides
  • ⏱️ Save 10+ hours a week on test planning
4.9/5 rating
Explore All Products

⭐⭐⭐⭐⭐ Trusted by 1,000+ Software Test Pilots • Instant Access