Understanding API Testing Interviews

API testing interviews assess your understanding of HTTP protocols, REST architecture, authentication mechanisms, and your ability to test backend services independently of the frontend. These interviews have become increasingly important as modern architectures rely heavily on APIs.

Core Knowledge Areas

HTTP Methods and Their Testing Implications

Understanding HTTP methods is foundational:

Method | Purpose          | Idempotent | Test Focus
GET    | Retrieve data    | Yes        | Response format, filtering, pagination
POST   | Create resource  | No         | Validation, duplicate prevention, response codes
PUT    | Replace resource | Yes        | Full replacement, missing-fields behavior
PATCH  | Partial update   | No         | Partial update logic, concurrent modifications
DELETE | Remove resource  | Yes        | Soft vs hard delete, authorization

Status Code Knowledge

Interviewers expect you to know status codes beyond 200 and 404:

Success (2xx): 200 OK, 201 Created, 204 No Content
Redirection (3xx): 301 Moved, 304 Not Modified
Client errors (4xx): 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 409 Conflict, 422 Unprocessable Entity, 429 Too Many Requests
Server errors (5xx): 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable

Authentication Testing

Common authentication patterns and what to test:

API Keys: Test with valid key, invalid key, missing key, expired key, revoked key
OAuth 2.0: Test token acquisition, refresh flow, token expiration, scope validation
JWT: Test token structure, signature validation, expiration, tampered payload
Basic Auth: Test valid credentials, invalid credentials, missing header
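As an added example (not code from the original page), a minimal HS256 verifier built only from the Python standard library; each early return is one of the JWT checks listed above (structure, signature, expiration, tampered payload). The secret and claims are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"interview-demo-secret"  # constructed demo secret, not a real key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 token so the checks below have a known-good baseline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET, now=None) -> tuple:
    """Return (ok, reason); each early return is one check a tester should exercise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:  # structure: header.payload.signature
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed"
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        return False, "bad-alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # a tampered payload or wrong key fails here
        return False, "bad-signature"
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:  # missing or past expiry is rejected
        return False, "expired"
    return True, "ok"
```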

Common Interview Questions

Q1: How do you test an API without documentation?

  • Use browser developer tools to capture requests
  • Analyze request/response patterns
  • Test with different HTTP methods
  • Probe for error messages that reveal structure
  • Use tools like Swagger/OpenAPI if endpoint discovery is available

Q2: How do you validate API response schema?

  • JSON Schema validation for structure and types
  • Verify required fields are present
  • Check data types match expectations
  • Validate nested objects and arrays
  • Test with tools like Ajv (JavaScript) or jsonschema (Python)

Q3: How do you test API performance?

  • Response time under normal load
  • Throughput at expected concurrent users
  • Behavior under stress (beyond capacity)
  • Connection pooling and timeout behavior
  • Database query performance impact

Q4: What is idempotency and why does it matter for testing?

  • Idempotent operations produce the same result regardless of how many times they are called
  • GET, PUT, DELETE should be idempotent; POST typically is not
  • Test by calling the same endpoint multiple times and verifying consistent results
  • Important for retry logic and fault tolerance

Practical API Testing Demonstration

When asked to demonstrate API testing skills, follow this structure:

Approach for testing a CRUD API:

1. Positive flow (Happy path):

POST /users → 201 (create)
GET /users/id → 200 (verify created)
PUT /users/id → 200 (update)
GET /users/id → 200 (verify updated)
DELETE /users/id → 204 (delete)
GET /users/id → 404 (verify deleted)

2. Validation testing:

  • Empty required fields → 400
  • Invalid data types → 400/422
  • Duplicate creation → 409
  • String exceeding max length → 400

3. Authorization testing:

  • No token → 401
  • Invalid token → 401
  • Wrong role → 403
  • Access to another user’s data → 403

4. Edge cases:

  • Concurrent modifications
  • Very large payloads
  • Special characters in strings
  • Null vs missing fields vs empty strings

Exercise: Live API Testing Challenge

Test the following API specification as if in an interview:

Endpoint: POST /api/bookings
Purpose: Create a hotel booking
Request body:

{
  "guest_name": "string (required)",
  "check_in": "date (required, YYYY-MM-DD)",
  "check_out": "date (required, YYYY-MM-DD)",
  "room_type": "string (standard|deluxe|suite)",
  "guests": "integer (1-4)"
}

Write at least 15 test cases covering functional, validation, and edge scenarios.

Solution

  1. Valid booking with all required fields → 201
  2. Missing guest_name → 400
  3. Missing check_in → 400
  4. Missing check_out → 400
  5. check_out before check_in → 400
  6. check_in in the past → 400
  7. Same check_in and check_out date → 400 or 200 (clarify requirement)
  8. Invalid date format (DD/MM/YYYY) → 400
  9. Invalid room_type (e.g., “penthouse”) → 400
  10. guests = 0 → 400
  11. guests = 5 → 400
  12. guests = -1 → 400
  13. Very long guest_name (1000+ chars) → 400
  14. guest_name with special characters → 200 (names have accents)
  15. SQL injection in guest_name → 400 (sanitized)
  16. Duplicate booking same dates/room → 409 or 200 (clarify)
  17. Booking far in the future (2030) → 200 or 400 (business rule)
  18. HTML/XSS in guest_name → sanitized response
  19. Empty request body → 400
  20. Extra unexpected fields → ignored or 400
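An added example, not part of the original exercise: the request validator that the test cases above would exercise, written in plain Python (standard library only, in place of the jsonschema approach from Q2). Where the solution list says "clarify requirement" a choice is made and marked as an assumption in the code (same-day stays rejected, unknown fields rejected, a 100-character name limit, defaults of "standard" and one guest); a created booking returns 201 as in case 1.

```python
import re
from datetime import datetime

ROOM_TYPES = {"standard", "deluxe", "suite"}
FIELDS = {"guest_name", "check_in", "check_out", "room_type", "guests"}
MAX_NAME_LEN = 100  # assumed limit; the spec only says "string"
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def _parse_date(raw):
    """Accept only a real calendar date written exactly as YYYY-MM-DD."""
    if not isinstance(raw, str) or not DATE_RE.fullmatch(raw):
        return None
    try:
        return datetime.strptime(raw, "%Y-%m-%d").date()
    except ValueError:  # e.g. 2024-02-30
        return None


def validate_booking(body, today):
    """Return (status, errors) for a POST /api/bookings body: 201 when it would be
    created, 400 with every violation otherwise. `today` (YYYY-MM-DD) is injected
    so the past-date rule is deterministic under test."""
    if not isinstance(body, dict) or not body:
        return 400, ["body must be a non-empty JSON object"]
    errors = []
    extra = set(body) - FIELDS
    if extra:  # assumption: strict schema, so undocumented attributes cannot be set
        errors.append(f"unexpected fields: {sorted(extra)}")
    name = body.get("guest_name")
    if not isinstance(name, str) or not name.strip():
        errors.append("guest_name is required")
    elif len(name) > MAX_NAME_LEN:  # accented or other non-ASCII characters are fine
        errors.append("guest_name too long")
    check_in, check_out = _parse_date(body.get("check_in")), _parse_date(body.get("check_out"))
    if check_in is None:
        errors.append("check_in must be a YYYY-MM-DD date")
    if check_out is None:
        errors.append("check_out must be a YYYY-MM-DD date")
    if check_in and check_out:
        if check_in < _parse_date(today):
            errors.append("check_in is in the past")
        if check_out <= check_in:  # assumption: a stay is at least one night
            errors.append("check_out must be after check_in")
    room = body.get("room_type", "standard")  # assumed default: standard
    if not isinstance(room, str) or room not in ROOM_TYPES:
        errors.append("room_type must be one of standard|deluxe|suite")
    guests = body.get("guests", 1)  # assumed default: one guest; bool is not an int here
    if isinstance(guests, bool) or not isinstance(guests, int) or not 1 <= guests <= 4:
        errors.append("guests must be an integer from 1 to 4")
    return (400, errors) if errors else (201, [])
```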

Pro Tips

Tip 1: Know Postman deeply. Be comfortable with variables, environments, pre-request scripts, tests tab, and collection runners. Many interviews use Postman for live exercises.

Tip 2: Understand contract testing. Being able to discuss Pact or similar tools shows awareness of modern microservices testing approaches.

Tip 3: Talk about API security. Mentioning OWASP API Security Top 10 demonstrates security awareness that most QA candidates lack.

Key Takeaways

  • Know HTTP methods, status codes, and authentication patterns thoroughly
  • Structure API testing by layers: functional, validation, auth, edge cases
  • Demonstrate a systematic approach when testing unfamiliar APIs
  • Understand idempotency, pagination, and rate limiting concepts
  • Be comfortable with both Postman and code-based API testing
  • Contract testing and schema validation are senior-level differentiators