Master API Testing: From Manual to Automation

API (Application Programming Interface) testing is the most critical skill for modern QA engineers. It allows you to validate the business logic of an application before the UI is even built. This guide covers Postman, Rest-Assured, and RESTful architectures.

API Learning Path

  • Understanding JSON & XML
  • HTTP Methods & Status Codes
  • Manual Testing with Postman
  • API Automation with Rest-Assured
  • Performance Testing with JMeter

Key Concepts

  • Authentication (OAuth, Bearer)
  • Assertions & Validations
  • Mocking & Virtualization
  • CI/CD Integration

1. What exactly is an API?

Think of an API as a Waiter in a restaurant. You (the Client) give an order (Request) to the Waiter (API). The Waiter goes to the Kitchen (Server) and brings back your Food (Response). You don't need to know how the kitchen works; you just need to know how to talk to the waiter.

Why Test APIs?

API tests are significantly faster and more stable than UI tests. By catching bugs at the API layer, you save hundreds of hours in the development lifecycle.

๐Ÿ“Œ API Testing & Postman

1. What is Postman?
English: Postman is an API testing tool used to create, send, and validate API requests such as GET, POST, PUT, and DELETE.
Hinglish: Postman ek API testing tool hai jiska use hum API requests create, send aur validate karne ke liye karte hain.
2. What is an HTTP Method and Which is Most Common?
English: An HTTP method defines the type of operation. GET is most commonly used to retrieve data without modifying anything.
Hinglish: HTTP method batata hai action. GET sabse zyada use hota hai kyunki ye bas server se data fetch karta hai.
3. Difference Between GET and POST?
English / Hinglish:
- GET: Data read karne ke liye. Data URL me jaata hai (Fast but insecure).
- POST: Naya data create/send karne ke liye. Data Request Body me jaata hai (Secure).

Feature GET POST
Data Location URL (Query Parameters) Request Body
Security Less Secure (Visible in URL) More Secure
Data Limit Limited (URL length) Unlimited
4. What are the common Status Codes?
  • 200 OK: Success.
  • 201 Created: Resource created successfully.
  • 400 Bad Request: Client error.
  • 401 Unauthorized: Authentication required (Token missing/invalid).
  • 403 Forbidden: Authenticated, but no permission to access.
  • 404 Not Found: Resource/Endpoint missing.
  • 500 Internal Server Error: Server crashed.
5. What are Query Parameters?
English: Query parameters are key-value pairs used to filter or customize responses, added after ? in the URL (e.g., /users?id=10).
Hinglish: Query Parameter API response ko filter ya customize karne ke liye use hota hai aur URL ke baad ? ke sath add hota hai.
6. How to pass a token from one API to another?
English / Hinglish: Extract the token from the Login API response and store it in an environment variable in the Tests tab:
pm.environment.set("token", pm.response.json().token);
In the Next API, use {{token}} under Authorization: Bearer Token.
7. What is Environment in Postman?
English: In Postman, an Environment is used to store variables like base URL, tokens, and credentials. It allows you to quickly switch contexts (Dev, QA, Prod).
Hinglish: Postman me Environment ka use hum variables store karne ke liye karte hain jaise base URL, token.
8. Variable Priority Order in Postman?
English / Hinglish: Order of Priority (Highest to Lowest):
Local > Data > Environment > Collection > Global
9. Explain HTTP in API.
English: HTTP (HyperText Transfer Protocol) is a communication protocol used between client and server in API testing. It defines how requests are sent and responses are received. Common HTTP methods are GET, POST, PUT, and DELETE.
Hinglish: HTTP ek communication protocol hai jo client aur server ke beech data exchange ke liye use hota hai API me. Ye batata hai request kaise jayegi aur response kaise aayega. Common HTTP methods hain GET, POST, PUT aur DELETE.
10. What is Token and Authentication in API?
English: Authentication is the process of verifying user identity. A token is a unique key generated by the server after successful login, which is sent with every API request to access secured resources.
Hinglish: Authentication ka matlab hota hai user ki identity verify karna. Token ek unique key hoti hai jo login ke baad server generate karta hai aur har API request ke saath bheji jaati hai secure access ke liye.
11. What is API and what are status codes?
English: API allows communication between two systems. Status codes indicate response result like 200, 400, 500.
Hinglish: API do systems ke beech communication karata hai. Status codes response ka result batate hain jaise 200, 400, 500.
12. Explain 400 status code.
English: 400 means Bad Request. The request sent by client is incorrect.
Hinglish: 400 ka matlab Bad Request hota hai. Client ne galat request bheji hai.
13. What is 500 Internal Server Error?
English: 500 means server side error. Request is correct but server failed to process it.
Hinglish: 500 ka matlab server side error hota hai. Request sahi hoti hai par server process nahi kar paata.
14. Explain API GET, POST, PUT methods.
English:
- GET → fetch data
- POST → create data
- PUT → update data
Hinglish:
- GET → data laata hai
- POST → data bhejta hai
- PUT → update karta hai
15. Summarize HTTP status codes.
English:
- 200 → Success
- 400 → Bad Request
- 404 → Not Found
- 500 → Server Error
Hinglish:
- 200 → success
- 400 → client error
- 404 → not found
- 500 → server error
16. What is Microsoft Graph API?
English: Microsoft Graph API is a RESTful web API provided by Microsoft that allows developers to access and manage data from multiple Microsoft services like Outlook, OneDrive, Teams, and Azure Active Directory using a single endpoint. It acts as a central gateway to interact with Microsoft cloud services and uses OAuth 2.0 for secure authentication.

Hinglish: Microsoft Graph API ek REST API hai jo Microsoft provide karta hai. Iska use karke hum Microsoft ke different services jaise Outlook, OneDrive, Teams aur Azure Active Directory ka data ek hi endpoint se access aur manage kar sakte hain. Ye ek central gateway ki tarah kaam karta hai aur secure authentication ke liye OAuth 2.0 use karta hai.

API Testing Interview Questions & Answers

1. Difference between GET vs POST vs PUT vs DELETE
โœ… Answer (English):
These are HTTP methods used to perform different operations on server:
  • GET: Used to retrieve data from server (no data change)
  • POST: Used to create new data
  • PUT: Used to update existing data (complete update)
  • DELETE: Used to delete data
Real-time Example (User API):
  • GET → Get user details
  • POST → Create new user
  • PUT → Update user profile
  • DELETE → Delete user

โœ… Answer (Hinglish):
  • GET → data fetch karta hai
  • POST → naya data create karta hai
  • PUT → data update karta hai
  • DELETE → data delete karta hai
๐ŸŽฏ Interview Tip: Bolna: "GET is read-only, POST creates, PUT updates, DELETE removes data"
2. Different types of status codes
โœ… Answer (English):
Status codes show server response status:
  • 1xx → Informational
  • 2xx → Success (200 OK, 201 Created)
  • 3xx → Redirection
  • 4xx → Client error (400 Bad Request, 401 Unauthorized, 404 Not Found)
  • 5xx → Server error (500 Internal Server Error)

โœ… Answer (Hinglish):
  • 2xx → success
  • 4xx → client ki mistake
  • 5xx → server ki problem
๐ŸŽฏ Interview Tip: Always mention 200, 201, 400, 404, 500 (most important)
3. What is a Collection in Postman?
โœ… Answer (English):
A Collection in Postman is a group of API requests saved together. It helps to organize APIs, reuse them, and run multiple requests in sequence.

Example: Login API, User API, Payment API → all stored in one collection.

โœ… Answer (Hinglish):
Collection Postman me APIs ka folder hota hai jisme multiple requests store hoti hain.
๐ŸŽฏ Interview Tip: Mention: "Used for organization and execution of APIs"
4. What is API chaining in Postman?
โœ… Answer (English):
API chaining means passing data from one API response to another API request.

Example:
  • Login API → returns token
  • Use same token in next API (Get User)
pm.environment.set("token", pm.response.json().token);
โœ… Answer (Hinglish):
Ek API ka response dusri API me use karna → API chaining.
๐ŸŽฏ Interview Tip: "Used for end-to-end testing flow"
5. How do you validate whether the correct response is coming or not?
โœ… Answer (English):
We validate response by checking:
  • Status code (e.g., 200 OK)
  • Response body (expected data)
  • Response time
  • Headers
Example (Postman test): 
pm.test("Status code is 200", function () {
    pm.response.to.have.status(200);
});
โœ… Answer (Hinglish):
Check karte hain: Status code, Response data, Time, aur Headers.
๐ŸŽฏ Interview Tip: "Validation = Status + Body + Headers + Time"
6. How do you test APIs using Postman?
โœ… Answer (English):
  1. Open Postman
  2. Select method (GET/POST etc.)
  3. Enter API URL
  4. Add headers (if needed)
  5. Add body (for POST/PUT)
  6. Click Send
  7. Validate response using tests
Example (POST API JSON body): 
{
  "name": "Ram",
  "email": "ram@test.com"
}
โœ… Answer (Hinglish):
Postman open karo, method aur URL enter karo, header/body add karke Send click karo, phir response check karo.
๐ŸŽฏ Interview Tip: "We can automate APIs using Postman scripts and run collections using Collection Runner"

๐Ÿ“Œ API Basics & Postman

1. What is an API and why is it tested?
English: API (Application Programming Interface) is a set of rules that allows two software components to communicate. We test it to ensure data integrity, security, and backend reliability.
Hinglish: API do softwares ke beech pul ka kaam karti hai. Iska test data aur logic check karne ke liye hota hai.
2. What is Postman and what are its core features?
English: Postman is a tool for developing and testing APIs. Features include collections, environments, global variables, and automated tests (JS scripts).
Hinglish: Postman API testing ka best tool hai jisme requests save karne (Collections) aur test script likhne ke features hain.
3. Difference between Query Parameters and Path Parameters?
English: Path Parameters: Part of the URL (e.g., /users/123). Query Parameters: Appended after ? (e.g., /users?age=25) and used for filtering.
Hinglish: Path param URL ka hi hissa hota hai; Query param ? ke baad lagaya jata hai filter aur sorting ke liye.
4. What are Global, Collection, and Environment variables in Postman?
English: Global: All-in-one. Collection: Within one folder. Environment: Specific to a setup like QA or Prod.
Hinglish: Global har jagah apply hote hain; Environment sirf chune gaye mode (QA/Prod) pe; Collection sirf us group pe.
5. How to automate tests in Postman?
English: By writing JavaScript code in the "Tests" tab of a request (using the pm.test() function).
Hinglish: Postman ke "Tests" tab mein JS script likh kar assertions/checks lagaye ja sakte hain.

๐Ÿ“Œ HTTP Protocol & REST Concepts

6. Explain HTTP Status Codes (2xx, 3xx, 4xx, 5xx).
English:
  • 2xx: Success (200 OK, 201 Created).
  • 3xx: Redirection (301 Moved).
  • 4xx: Client Error (400 Bad Request, 401 Unauthorized, 404 Not Found).
  • 5xx: Server Error (500 Internal Server Error).
Hinglish: 2 series matlab kamyabi, 4 series client ki galti, aur 5 series server ki galti.
7. Difference between GET and POST?
English: GET: Fetches data (data in URL, limited size). POST: Sends data (data in body, secure, no size limit).
Hinglish: GET data laata hai aur URL mein dikhta hai; POST data bhejne ke liye hota hai aur jyadatar body mein hidden hota hai.
8. Difference between PUT and PATCH?
English: PUT: Replaces entire resource. PATCH: Updates only specific fields (Partial update).
Hinglish: PUT poora badal deta hai; PATCH thoda sa part badalta hai (like sirf phone number).
9. What are RESTful Web Services constraints?
English: Statelessness, Client-Server architecture, Cacheability, Layered system, and Uniform Interface.
Hinglish: REST ke kuch rules hain (Stateless etc.) jisse ye flexible aur scalable banti hain.
10. What is 'Idempotency' in API methods?
English: A method is idempotent if calling it multiple times has the same outcome (e.g., GET, PUT, DELETE). POST is NOT idempotent.
Hinglish: Agar method baar-baar chalane pe same result de toh wo idempotent hai (jaise PUT ya DELETE).

๐Ÿ“Œ JSON & API Security

11. What is JSON and why it is preferred over XML?
English: JSON (JavaScript Object Notation) is lightweight, faster to parse, and more human-readable compared to XML.
Hinglish: JSON halka aur fast hota hai, aur iska code padhne mein XML se aasan hai.
12. How do you handle Authentication in APIs?
English: Using headers like Authorization: Bearer <token>, API Keys, or Basic Auth (Username:Password).
Hinglish: Header mein token ya keys daal kar user ki pehchan process ki jati hai.
13. Explain OAuth 2.0 briefly.
English: An authorization protocol where a client gets an 'Access Token' to perform actions on behalf of a user without sharing passwords.
Hinglish: Bina password bataye permission lene ka tareeka (เคœเฅˆเคธเฅ‡ Login with Google).
14. What is 'Payload' and 'Headers'?
English: Payload: Data sent in the body. Headers: Metadata information (like Content-Type: application/json).
Hinglish: Payload asli data hota hai; Header request ke baare mein informatio hoti hai.
15. What are common API security risks?
English: Injection attacks, Broken Object Level Authorization (BOLA), Unprotected endpoints, and Excessive data exposure.
Hinglish: API hacking ki threats jaise purana login use karna ya galti se security gaps chodh dena.

๐Ÿ“Œ Scenario-Based API Questions

16. How to test an API that has no documentation?
English: Use tools like Fiddler, Charles Proxy, or Chrome Network tab to capture requests while interacting with the application UI.
Hinglish: Proxy tools use karke ye pata lagao ki UI kaunsi calls kar raha hai.
17. What is 'API Mocking'?
English: Simulating the behavior of a real API with fake responses. Useful when the backend is not ready but frontend/testing must proceed.
Hinglish: Asli API banne se pehle uski nakal (fake API) banana testing ke liye.
18. Difference between 401 Unauthorized and 403 Forbidden?
English: 401: Identity unknown (no valid credentials). 403: Identity known but access denied (no permission for this resource).
Hinglish: 401 matlab user login nahi hai; 403 matlab login toh hai par use ye dekhne ki ijazat nahi hai.
19. What is 'Contract Testing' in API?
English: Verifying that the API provider (server) and consumer (client) agree on the structure of data exchanged.
Hinglish: Ye check karna ki Client aur Server dono response format (keys/types) pe agree kar rahe hain.
20. How to handle large JSON responses?
English: Using JSON Path expressions to parse and validate specific fields instead of checking the whole string.
Hinglish: JSON Path use karke sirf kaam ki cheezein pick karo pure response ko padhne ke bajaye.

๐Ÿ“Œ Web Services (SOAP vs REST) & Real Scenarios

1. What is a web service?
English: A web service is an interface that allows different applications to communicate and exchange data over the internet.
Hinglish: Web service ek interface hota hai jo do different applications ke beech internet ke through data exchange karne deta hai.
2. What is the difference between SOAP and REST web services?
English / Hinglish:
- REST: Lightweight, supports JSON and XML, simpler and faster, no WSDL required.
- SOAP: XML-based, heavy, uses WSDL, complex but highly secure.

Hinglish: SOAP XML-based aur heavy hota hai, jabki REST lightweight hota hai aur JSON/XML support karta hai. SOAP WSDL use karta hai, REST nahi karta.

Feature REST SOAP
Protocol vs Style Architectural Style Protocol
Data Format JSON, XML, HTML, Text Only XML
Performance Fast, lightweight Slow, heavy payload
3. What is WSDL and what does it contain?
English: WSDL stands for Web Services Description Language. It is an XML file describing the web service. It contains: Service name, Port and endpoint, Operations (methods), and Request/Response structural format.
Hinglish: Ye ek XML file hoti hai jo web service ke operations, request-response format aur endpoint batati hai.
4. Tell me about a time you identified a critical bug through automation.
"During a regression run, automation flagged a scenario where deactivated/inactive users were still able to log in. I immediately analyzed logs & captured screenshots, reported the issue with priority, and informed the development team. It was a security bug. Automation helped catch it early before production, saving a lot of manual effort and risk."
5. Describe a challenging situation with developers or deadlines and how you handled it.
"Once we had a major release with tight deadlines. Developers delivered changes very late. Instead of pushing back, I prioritized critical test cases first, used automation scripts to speed up regression, collaborated closely with devs for quick fixes, and escalated blockers early. As a result, we delivered on time with good quality."
6. Explain about your current project?
English: My current project is a web-based application. My role is to design test cases, execute manual testing, and automate regression test cases using Selenium with Java. I also perform API testing using Postman/SOAP UI and log defects in Jira.
Hinglish: Mera current project ek web-based application hai. Mera role test cases design karna, manual testing karna aur Selenium Java se regression test cases automate karna hai.
7. How to raise a defect in Jira tool?
  1. Click on Create Issue.
  2. Select Issue Type as Bug.
  3. Enter Summary and Description.
  4. Add exact Steps to Reproduce.
  5. Mention Expected and Actual Result.
  6. Attach screenshots/logs.
  7. Click Submit.
8. What is UNION in SQL?
English: UNION is an SQL operator used to combine the result of two or more SELECT queries into a single result set. Both queries must have the same number of columns and compatible data types. By default, it removes duplicates.
Hinglish: UNION ek SQL operator hai jo do ya zyada SELECT queries ko combine karta hai.

The Modern API Automation Strategy

Testing APIs is no longer just about checking status codes. In a microservices architecture, your API testing strategy must be multi-layered to ensure system reliability and performance.

1. The Contract-First Approach

Before writing any logic, ensure the 'Contract' (Swagger/OpenAPI spec) is validated. This ensures that the frontend and backend teams are aligned on the data types, mandatory fields, and response structures.

2. Data-Driven Validations

Use CSV or JSON data files to run your API tests with multiple sets of data. This is crucial for testing boundary values, negative scenarios (e.g., SQL injection attempts), and unauthorized access attempts.

3. Integration & Chaining

Real-world usage involves sequences. Your automation suite should chain requests: Auth → Create Resource → Verify Resource → Delete Resource. This ensures that the state management in your backend is working as expected.

Expert Pro-Tip

"Always validate the Response Time. An API that returns the correct data but takes 10 seconds to do so is a failed API in a production environment. Set performance assertions in your Postman or RestAssured scripts."

API Testing FAQ

Q: Can we perform API testing without a tool like Postman?

A: Yes! You can use command-line tools like cURL or programming libraries like Rest-Assured (Java), Requests (Python), or even browser developer tools for basic GET requests.

Q: What is the difference between an API and a Web Service?

A: All Web Services are APIs, but not all APIs are Web Services. A Web Service always needs a network to function, while an API can be local (like a library or OS API).

๐Ÿ“š Continue Your Learning Journey