API testing interview questions

// 37 QUESTIONS · UPDATED MAY 2026

API testing interview questions covering Postman, REST Assured, schema validation, contract testing, authentication patterns, and integrating API tests into CI.


  1. What is the difference between PUT and PATCH? (Junior)

    PUT replaces the entire resource — fields you don't send are typically wiped. PATCH applies a partial update — only the fields in the req…

  2. How do you validate a JSON response schema in your API tests? (Mid)

    Define the contract once as a JSON Schema, then validate every response against it inside the test. Tools like Ajv, JSV (REST Assured), o…

  3. What is API testing and how does it differ from UI testing? (Junior)

    API testing exercises the application's network endpoints directly — sending HTTP/gRPC requests and asserting on responses, without a bro…

  4. List the main HTTP methods and what each is used for. (Junior)

    GET reads, POST creates, PUT replaces, PATCH partially updates, DELETE removes, OPTIONS describes (CORS preflight), HEAD is GET without a…

  5. What is the difference between status codes 200, 201, 204, 400, 401, 403, 404, and 500? (Junior)

    2xx = success: 200 OK with body, 201 Created, 204 No Content. 4xx = client error: 400 Bad Request (validation), 401 Unauthorised (no/bad…

  6. What is REST and what makes an API RESTful? (Junior)

    REST is an architectural style for networked APIs based on stateless requests over HTTP, resources identified by URLs, standard verbs (GE…

  7. What is JSON and how does it differ from XML? (Junior)

    JSON is a lightweight data format using nested key-value pairs and arrays — the de-facto standard for modern web APIs. XML is a markup fo…

  8. What is the difference between authentication and authorisation? (Junior)

    Authentication (authn) is proving who you are — login, tokens, certificates. Authorisation (authz) is what you're allowed to do once iden…

  9. How do you test that an API endpoint returns the correct response? (Junior)

    Send the request with a known input, assert four things: status code, response shape (schema), key field values, and timing if relevant.…

  10. Compare Postman, REST Assured, and Playwright's APIRequestContext for API testing. (Mid)

    Postman: GUI-driven exploration + lightweight test scripts. REST Assured: full Java/Maven framework with deep TestNG/JUnit integration an…

  11. How do you ensure API tests don't depend on each other (test isolation)? (Mid)

    Each test creates its own data via API setup, asserts on it, and cleans up. No shared fixtures, no test ordering. If two tests must share…

  12. Explain the structure of a JWT and how to test endpoints that use it. (Mid)

    JWT = base64url(header).base64url(payload).base64url(signature). Header declares the algorithm; payload contains claims (sub, exp, scopes…

  13. What is contract testing (e.g. Pact) and when do you use it? (Mid)

    Contract testing pins the agreement between a consumer (frontend, mobile, microservice client) and a provider (API). The consumer records…

  14. How do you handle test data setup and teardown for an API test suite? (Mid)

    Set up via the API itself when possible — test fixtures stand on the same contract as production. Use builders to generate unique data pe…

  15. How do you test an API that has rate limiting? (Mid)

    Three angles: assert the limit is enforced (burst beyond limit returns 429), assert the response carries informative headers (Retry-After…

  16. How do you test pagination in an API? (Mid)

    Verify page boundaries (first, last, beyond-last), totals match, no records duplicated or skipped across pages, and pagination tokens or…

  17. What's the difference between idempotent and non-idempotent operations? Why does it matter for testing? (Mid)

    Idempotent: calling once or many times produces the same final state. PUT, DELETE, GET are idempotent. Non-idempotent: each call adds an…

  18. How do you mock external services your API depends on? (Mid)

    Stand up a stub server (WireMock, Mockoon, MSW, nock) that mimics the third-party's contract. Point your API at the stub via env-var URLs…

  19. How would you test a webhook callback? (Mid)

    Stand up a receiver in the test (an HTTP server, ngrok tunnel, or webhook.site for manual exploration), trigger the source action, and as…

  20. Walk through testing an OAuth 2.0 flow from your API tests. (Mid)

    Use the client credentials grant for service-to-service tests (no UI). For authorization code flow, programmatically POST to /authorize →…

  21. How do you test an API that uses GraphQL? (Mid)

    Send POST requests to the single endpoint with a query/mutation in the body; assert on `data` and `errors`. Test query shape (only reques…

  22. How do you organise environment variables and secrets across local/staging/prod API tests? (Mid)

    Layered config: defaults in code, per-environment files (.env.local, .env.staging) for non-secrets, secrets in a manager (1Password, Vaul…

  23. How would you test a deprecated endpoint that still needs to work for legacy clients? (Mid)

    Tag the test as 'legacy' or 'deprecated' so it's not confused with current API tests. Cover the documented behaviour, including the depre…

  24. How do you test long-running async operations (e.g. queued jobs) at the API level? (Mid)

    Three patterns: poll a status endpoint until completion (with timeout); subscribe to a webhook callback; or wait on an event/queue you ca…

  25. How would you architect an API test suite from scratch for a microservices team? (Senior)

    Layer the strategy: per-service unit + integration tests owned by service teams, cross-service contract tests (Pact), a thin layer of E2E…

  26. Walk me through your strategy for catching breaking changes in a public API. (Senior)

    Layered: schema diff in CI on every PR; contract tests against a representative consumer suite; deprecation header + sunset checks; an Op…

  27. How would you handle versioning for API tests when the underlying API has v1, v2, and v3 alive? (Senior)

    One test suite per version, parameterised by `apiVersion`. Each version has its own contract (schema, expected behaviours) — don't reuse…

  28. How do you decide what to cover at the API layer vs the UI layer to avoid duplication? (Senior)

    Cover business logic, validation, auth, and edge cases at the API layer (fast, deterministic). Cover only UI-specific concerns at the UI…

  29. How do you test idempotency keys (e.g. Stripe-style) in payment APIs? (Senior)

    Replay the same request with the same Idempotency-Key, assert the second call returns the original result without creating a duplicate. T…

  30. Walk through how you'd test eventual consistency in a distributed system. (Senior)

    Tests must wait for convergence, not assume it. Poll for the expected state with a sensible timeout. Don't assert immediately after a wri…

  31. How would you test for security vulnerabilities at the API layer (OWASP API Top 10)? (Senior)

    For each OWASP API Top 10 category, write targeted tests: BOLA (request other tenants' resources), broken auth (tampered tokens, missing…

  32. How do you reproduce and write a regression test for a production-only race condition? (Senior)

    Reproduce locally with controlled concurrency: identical concurrent requests, fast iteration. If it won't reproduce locally, instrument t…

  33. How would you measure and improve API test execution speed? (Senior)

    Measure first: per-test runtime, parallelism utilisation, network time vs setup time. Optimise: parallel runs, persistent connections, sh…

  34. How would you build performance tests on top of your existing functional API test framework? (Senior)

    Reuse the functional auth, fixtures, and helpers, but call them from a load tool (k6, Locust, JMeter). Treat performance as a separate su…

  35. How do you handle backwards-compatible API changes that require client coordination? (Senior)

    Treat the API change as one of three deploy phases: add new (non-breaking, server-only), migrate clients (rolling, both old and new contr…

  36. How would you justify investment in contract testing to a leadership team focused on velocity? (Lead)

    Frame it as velocity protection: contract tests catch breaking changes in CI rather than in customer support tickets. Bring data — recent…

  37. How do you set quality SLAs for an API integration test suite owned by QA? (Lead)

    Three numbers: pass rate, escape rate, and runtime. Bands not points (pass rate 99-100%, escape rate < 1/quarter, full suite < 5 min). Pu…