API testing Interview Questions 

What is an API?

  • An Application Program Interface (API) 

  • Takes requests and tells a system what you want to do and then returns the response back to you

  • Specifies how software components should interact with each other using a set of definitions and protocols.

  • Consists of a set of routines/functions, protocols, and tools for building software applications.

  • Makes it easier to develop a program by providing all the building blocks in one place.

E.g., a weather app
shows daily weather updates.
Basically, it "talks" to the weather bureau's software system (which contains daily weather data) via APIs.

What is an API Endpoint?
An API Endpoint is the URL for a server or a service which provides the location of a resource on the server.
Base URL/resource/path parameter (or) query parameter

What does a resource mean in an API endpoint?

A resource is a data set that an API allows you to work with, and which is accessible via endpoints.

What is Postman?
A client tool for working with APIs: it sends requests and gets responses back.

What is Collection in Postman?
A top-level, folder-like structure
Categorizes requests logically, or organizes the requests in a folder

What is a Header in Postman?
Exists in both request and response
Consists of metadata about the request as key-value pairs

What is Content Type in Postman? 
Exists in both request and response
In request header: to specify what kind of data we are sending to the server 
In response header: what was the content type we got as response 

Difference between XML and JSON


XML (Extensible Markup Language) is document-oriented
Provides display properties
Does not support arrays
Requires more code
More human readable
More secure than JSON


JSON is data-oriented
Does not provide display properties
Supports arrays
Requires less code
More human readable
Less secure than XML

Tools For Developing An API

  • Apigee

  • Hoppscotch

  • Insomnia

  • Sandbox

  • API Serverless Architecture

  • GitHub

  • Postman

  • Swagger

  • API-Platform

  • Auth0

  • ClearBlade

Tools for API Testing

  • SoapUI

  • LoadView

  • Hurl

  • HTTPie

  • Dredd

  • Postman

Various HTTP methods



Why do you need an API?
Simplifies development by allowing one application to be used by another
Provides an abstraction for technical details
Platform independence and maintenance
Makes integration of backend data and applications easier

Why API testing?
API testing is performed to ensure that APIs are reliable, secure, and performant

Which types of testing are done on an API?
Functional testing  
To test if API is working as expected and that it returns the correct data for the given input
Integration testing
To test if the developed API is working properly with other APIs and components in the system
Security testing
To test if API is secure and that it cannot be accessed by unauthorized users
Performance testing
To test if an API can handle the expected load and that it responds quickly to requests
Load testing
This kind of testing focuses on how the API behaves under heavy load.
Stress testing
This kind of testing focuses on how the API behaves under extreme load
Interoperability testing
To ensure that the API can be used by other systems and applications
Regression testing
To ensure that changes to the API do not break existing functionality

What is auth?
Auth is short for the authentication process
Verifies the identity of a user or client
A critical part of API security which helps to ensure that only authorized users can access the API.

What are different authentication methods?
Basic authentication
Uses a username and password to authenticate users.
Username and password are sent in cleartext over the network
Less secure
Digest authentication
Uses a hash function to protect the username and password.
More secure than basic authentication.
Allows third-party applications to access protected resources on behalf of a user
More secure and flexible alternative to basic and digest authentication

API key

  • An API key is a unique identifier used to authenticate and authorize a user, developer, or calling program to an API. It is typically a string of characters, but it can also be a number or a combination of characters and numbers. API keys are often used to control access to resources, such as data or functionality.

  • They can also be used to track usage and billing.

  • API keys are typically generated by the API provider and are assigned to each user or developer. They can be shared with others, but it is important to keep them secure. API keys are often stored in a secure location, such as a password manager.

  • To use an API key, it must be included in the request header of the HTTP request.

Bearer token

  • A bearer token is a type of authentication token that is used to access protected resources.

  • It is typically a string of characters that is generated by the server and given to the client. The client then sends the bearer token in the Authorization header of each request to the server.

  • The server validates the bearer token and, if it is valid, grants the client access to the requested resource.

  • Bearer tokens are a popular type of authentication token because they are easy to use and secure. They are also relatively easy to implement, which makes them a good choice for a variety of applications.

What are cookies?
Cookies are small text files that are stored on the user's computer by a website.
They are used to store information about the user, such as their login status, their preferences, and the contents of their shopping cart.
Cookies can also be used to track the user's browsing activity across different websites.

Why are cookies so important in API testing?
In API testing, cookies are important because they can affect the way that an API behaves. 
For example, if an API requires the user to be logged in, the API will need to check the user's cookie to verify their identity. 
If the cookie is not present or is not valid, the API will not be able to authenticate the user and will return an error.

What are the things to keep in mind when testing cookies in API testing?

* Ensure that the API is able to correctly set and read cookies.
* Ensure that the API is able to correctly handle cookies that are set by other websites.
* Ensure that the API is not storing sensitive information in cookies.
* Ensure that the API is not using cookies to track users across different websites.

What is a token in API testing?

  • A token is a unique identifier that is used to authenticate a user or client. 

  • Often used in conjunction with other authentication methods, such as OAuth.

What are the different types of tokens that can be used in API testing?
Access tokens

  • Used to access protected resources on an API

  • Generated by the API server and are valid for a limited time

Refresh tokens

  • Used to generate new access tokens

  • Valid for a longer period of time than access tokens

JWT tokens

  • These tokens are based on the JSON Web Token (JWT) standard

  • Used to represent a user's identity or to grant access to a resource

OAuth tokens

  • Used to grant access to a resource on behalf of a user

  • Valid for a limited time

What are the things to keep in mind when testing API tokens?
* Check if the token is valid
* Check if the token is authorized to access the resources that it is requesting
* Check if the token is not expired
* Check if the token is not being used by unauthorized users

What types of errors could be encountered in API testing?
Invalid request error
Occurs when the API request is not valid
Caused by a missing parameter/an incorrect parameter value or an invalid format
Server error
Occurs when there is a problem with the API server
Caused by a hardware failure/a software bug or a denial-of-service attack
Client error
Occurs when there is a problem with the client code
Caused by a programming error/a configuration error or a network error
Authorization error
Occurs when the API request is not authorized
Caused by an invalid token/an expired token or a missing token
Data format error
Occurs when the data that is returned by the API is not in the correct format
Caused by a programming error/a configuration error or a network error

Does every website have an API?
No, not every website has an API. APIs are typically used by websites that want to expose their data or functionality to other applications. Some websites may not need to expose their data or functionality to other applications, and therefore may not have an API.

How to test an API?
Understand the API
Understanding the purpose of the API, the data that it exposes, and the operations that it supports. 
Identify the test cases
This includes both positive and negative test cases. 
Test the API for expected behavior as well as for unexpected behavior
Create a test plan
Helps to keep track of your testing and to ensure that you have covered all of the necessary test cases
Execute the test cases
This involves sending requests to the API and verifying that the responses are as expected.
Analyze the results  
This includes identifying any errors that occurred and determining whether the API is meeting its requirements.
Report the results
This report should include a description of the test cases that were run, the results of the tests, and any errors that occurred.

What is JSON?

JavaScript Object Notation 
It represents data as key-value pairs. It is popular because it is a lightweight way of transferring data.

What are the advantages of API testing?

  • Increases the agility of development by providing a way to test APIs quickly and easily 

  • Helps to ensure that APIs are able to keep up with the changing needs of the business

  • Identifies and fixes defects early in the development process

  • Testing is carried out at the API (middle layer/business layer) without the need for a GUI

  • Helps to prevent defects from reaching production, which can save time and money

  • Reduces the time required for UI testing, thereby saving cost

  • Language independent (data transfer between two pieces of software occurs through JSON or XML files)

  • Helps to ensure that APIs are not vulnerable to attacks

  • Identifies security vulnerabilities which helps to protect APIs from attacks and to protect the data that is exposed by the API

  • Pinpoints performance bottlenecks by verifying that APIs are responsive and that they can handle the expected load

  • Easy to integrate with UI testing

How to create an API?
Define the purpose of the API
Identify the data that the API will expose
Identify the operations that the API will support
Design the API endpoints
Design the API responses
Implement the API
Test the API
Document the API
