API testing plays a vital role in software development and testing processes ensuring the reliability and correctness of applications. In this tutorial, I have included more than 40+ important API Testing Interview Questions and Answers for testing professionals.
1) What is an API?
API refers to the Application Programming Interface that enables two software/applications to communicate and exchange information with each other.
2) What is API Testing?
API testing is a type of software testing that verifies the functionality and performance of APIs to make sure that APIs meet expectations in terms of data communication, request handling, and response generation.
3) What is the main difference between API and Web Services?
- All web services are APIs but not all APIs are web services.
- Web services always require a network to operate but APIs can operate without a network.
- APIs support URL, request/response headers, caching, versioning, and content formats while Web services only support HTTP.
4) Why API Testing is Important?
API testing plays a crucial role in modern software development for several reasons:
- API testing ensures the seamless integration of different software components and services.
- It validates the accuracy of data exchanged between systems.
- It helps detect and resolve issues related to performance, security, and functionality.
- API testing facilitates faster development cycles and enables continuous integration and deployment. Additionally, it enhances the overall quality and user experience of applications.
5) Can you explain the type of web service and its characteristics?
Rest Web Services: Use HTTP methods to implement the concept of rest architecture. Allows different data formats like plain text, HTML, JSON, XML, etc.
SOAP Web services: These services are also known as Restless Web services. It supports only XML format and uses more bandwidth and resources.
6) What is the difference between Rest and SOAP? Which one is more preferred?
It depends on the requirement. If Security is the main concern then SOAP will be a good choice because it defines the security layer and is hence more secure than Rest which inherits security measures from transport protocols. However, if speed is the main concern then Rest will be helpful because it’s faster than SOAP.
7) What is an API endpoint?
An API endpoint is a specific URL that represents the location from where API requests can be made. Upon receiving and validating the client’s request, the API performs the requested action and sends a response back to the client.
8) What tools are available for API Testing?
Several API testing tools are available like Postman, SoapUI, Katalon Studio, Jmeter, Karate DSL, Hopscotch etc.
9) What is the purpose of URI in Restful Web services?
URI(Uniform Resource Identifier) is used to locate a resource on the server hosting the web services.URI is the superset of URL.
10) What are the most used HTTP methods in Rest API?
1)GET – This method is used to fetch the requested resource from the server and return 200 as a successful response code.
2)Post – This method creates a new resource on the server and returns response code 201 if successful.
3)Put – This method updates the existing resource and response 200 or 201 if successful.
4)Delete – This method deletes the resource on the server and returns 200 if successful.
11) What is the difference between Put, Patch, and Post?
Post: Post request is used for Create operations. It allows clients to create resources without knowing the URI of the new resources. The post method is not idempotent which means if we execute the Post request N times, we will get N resources with N different URI.
Put: Put request is used for both create and update operations. If the resource already exists then Put will update the resource else it will create one. Put is idempotent. This means it will result in a single resource modification/creation in the case of multiple retries.
Patch: A patch request is used for partial modification to a resource. The patch is not idempotent.
12) Rest API used which protocol?
Protocols define a set of rules and guidelines for transmitting data. Rest APIs use HTTP protocol for communication.
13) Explain the term ‘HTTP Status Codes’ in API.
HTTP status codes are three-digit numbers returned by a server to indicate the status of a request. Examples include 200 OK (successful), 404 Not Found (resource not found), and 500 Internal Server Error (server error).
14) Explain Rest API.
The full form of Rest API is Representational state transfer. It is a software architectural style that uses HTTP protocol for communication. It is flexible and scalable. Rest API defines conditions on how an API should work.
15) Explain idempotency and safety in Rest services.
HTTP methods that do not alter the server state are considered Safe methods. GET, HEAD, OPTIONS, and TRACE are safe methods that can only be used for read-only operations.
Idempotency means that multiple identical requests will have the same outcome. All safe HTTP methods are idempotent. While PUT and DELETE are idempotent, they are not safe. On the other hand, POST and PATCH are neither idempotent nor safe.
16) What are the common API testing types?
Common API testing types are Validation testing, Security testing, Fuzz testing, Penetration testing, Functional testing, Load testing, etc.
17) What will happen if you try uploading an older file version to a web server using API?
We may get a 409 conflict error if we try to upload an older version of the file to the webserver if versioning is maintained. Conflicts are most likely to occur in PUT requests.
18) What should the Delete request return?
Delete request returns the HTTP status code 200(OK) if the response contains an entity describing the status. If the response does not include an entity then it will return 204(No content). Alternatively, we will get 202(Accepted) if the action has been queued.
19) Explain caching in Rest API.
Caching is used for network optimization by reducing the load on servers. It is the ability to store copies of frequently accessed data. Get Requests are by default cacheable, however, Post requests can be made cacheable.
20) Is it possible to send payload in GET and Delete requests?
Sending a payload with the Get and Delete methods is not recommended.
21) What is the use of Accept and content-type headers in HTTP?
- Accept headers tell the web service what kind of response the client is accepting, so if a web service is capable of sending a response in XML and JSON format, the client sends an Accept header as application/XML then an XML response will be sent. For Accept header application/JSON, the server will send the JSON response.
- The Content-Type header is used to tell the server the format of data being sent in the request. If the Content-Type header is application/XML then the server will try to parse it as XML data. This header is valid in HTTP Post and Put requests.
22) What is rate limiting in API?
Rate limiting is a set of measures that restricts the number of API requests a client can make within a specified period. It helps prevent abuse and ensures fair usage of API resources.
23) Can you decode this API base URL?
GET- The Get HTTP method is used to fetch resources from the server.
https://api.getuser.com – Base URI -The address where different resources are located.
workspaces – EndPoint – An URL that enables the API to gain access to resources on a server.
id – PathParam – Identify a resource uniquely.
24) What will happen in case of a PATCH request if the resource is not available?
As per the wiki page of the PATCH request, if the resource is not available, it can create a new resource on the server based on the permissions.
25) What is the difference between the 204 and 404 error codes?
204 states that the request is successful but the server has no additional content to send back in response.
404 states that there is some issue with the client, either the URL is invalid or the resource is missing.
26) What is the difference between authentication and authorization?
Authentication: Prooves identity of entity or user.
Authorization: Prooves entity/user’s right to access.
27) Can you explain the basic difference between the 401 and 403 error codes?
401–Unauthorized error code indicates that provided auth credentials are not valid. The reason can be incorrect credentials or the session expiry.
403–Forbidden indicates that the server understood the request but the user does not have permission for the requested resource.
28) What details can be included in the Rest API header?
HTTP headers are used to pass meta information in the request/response body. API headers can include authorization token, content type, Date, cache-control policy, cookies, etc.
29) Which HTTP Method is more secure and why?
POST is more secure than a GET request because GET params are passed via URL which means params are stored in server logs and browser history.
30) Can we send a payload with a DELETE request?
Although delete requests or responses may have a payload, it is not encouraged to do so to avoid potential issues.
31) What is the limit for a payload to pass in an API?
Theoretically, there is no limit defined for the payload. We can pass unlimited data as payload, but it will consume more bandwidth hence hampering the performance of the API.
32) What is API versioning? Why it is important?
API versioning is the practice of managing different versions of an API to ensure backward compatibility and smooth transitions. It is important to make sure that new changes do not break the existing API. We can always track back to previous versions and check what went wrong in case of new features or updates.
33) Explain the purpose of the ‘Retry-After’ header in an HTTP response.
The ‘Retry-After’ header indicates the amount of time the client should wait before making another request. It is useful in scenarios where the server is temporarily overloaded or undergoing maintenance.
34) What protocols can be tested using API Testing?
The commonly tested protocols are listed below:
- HTTP & HTTPS for data exchange.
4. TCP/IP (Transmission Control Protocol/Internet Protocol)
6. JMS (Java Message Service)
7. FTP, SMTP, MQTT
35) What are the benefits of API testing?
- API testing is less time-consuming than functional testing.
- It is cost-effective.
- Language-independent and time-effective.
36) What are the major challenges faced in API testing?
1)API chaining or sequencing of the API calls.
2)Testing parameter combinations.
3)Frequent Schema changes.
37) What Kind of bugs does API testing often find?
1)High Response time
2)Unhandled error codes.
3)Inappropriate response in XML/JSON.
4) Security-related bugs
5)Test data-related bugs for example missing required fields, Format issues for a Phone number, address, etc.
38) What is API Mocking?
When live data is either unavailable or unreliable we can use a mock API server for API testing. A mock API server imitates a real API server by providing realistic mock API responses to requests. Mocking can be done easily in Postman and rest assured.
39) How can we pass dynamic data for a request?
We can write a pre-request script to pass dynamic data or we can create a collection and pass dynamic data using a CSV file.
40) How do I know which HTTP methods are supported on a resource if no documentation is available?
We can use the Options Method. This will return Access-Control-Allow-Methods that specify which method or methods can access the resource.
41) Can you explain all the authentication mechanisms available?
1)API key: Usually fetched from account settings and often possible to delete and regenerate. You can pass it as a header, query parameter, or even in the request body.
2) Bearer Token: A bearer is a person or entity who holds a security token to get access to a certain resource. The token is a text string included in the request header.
3)Basic auth: Basic auth involves sending a username and password encoded in the form of base 64 in the header. It is not secure.
4)Digestive auth Username and password provided after performing hashing using an algorithm. It offers a higher level of security compared to basic authentication.
5)OAuth: Oauth or open authorization is used to access resources hosted by other applications on behalf of a user. Oauth requires the end-user, the API, and the resource.
42) Can you explain Redirection URI, if you have worked on Oauth?
When a client is authorized and the server sends the authorization code back to the client, then the server redirects the user back to the client’s web page. For that server needs to know where it needs to redirect the user, This location is the Redirect URI or reply URL(Which has to be one of the pages from the client application).
43) What is a JSON web token?
JWT token securely transfers information over the web as a JSON object. JWT tokens are easier to process on a user’s device. These tokens can be used for authentication, authorization, and information exchange.
44) What are the three main components of a JWT token?
JSON Web Token has 3 main components, which are:
a)Header: Comprises the encryption algorithm.
b)Payload: This contains information about the user and the access to the user.
c)Signature: Digital signatures or message authentication codes are used to validate that the token is reliable.
45) Do you know anything about CSRF tokens?
CSRF token is a unique, secret & unpredictable value generated by the server-side application and transmitted to the client. It is used for security reasons. CSRF tokens are tied to user sessions so an intruder can’t mimic your site forms.
46) What is the difference between Unit testing and API testing?
- API testing is generally black box testing, whereas unit testing is white box testing.
- The main goal of unit testing is to test individual pieces of code, such as functions or methods. On the other hand, API testing is focused on testing the APIs that permit different software components to connect.
- Unit testing is conducted at a lower level of abstraction, where the code is tested independently from other components. At a higher level of abstraction, API testing examines how various software components communicate with one another.
47) Explain the Role of Performance Testing in API Testing.
Performance testing of API is very important to ensure scalability and responsiveness. Different approaches can be used to measure the performance of the API.
- Response Time: Measure the response time required by an API in different conditions.
- Load Testing: Test the performance of API under different load conditions.
- Stress Testing: Measure API’s performance under stress to identify the bottlenecks.
48) What is cURL
cURL or Client URL is the widely used command line tool to explore API. It is platform-independent and therefore it can be used easily on any system.
49) What is the reason behind the 500 internal server error?
A 500 internal server error indicates that the server is experiencing an internal error but the exact reason is unknown. There can be several potential reasons behind that. It may occur due to server misconfiguration like incorrect server settings or permissions issues.
Additionally, It can also occur due to high traffic, concurrent connections, or inefficient code. Server downtime or security issues can also result in a 500 error code.
This article covers API testing interview questions and answers in detail to help test engineers gain sound knowledge and get ready for a new role.
To read Rest assured interview questions, please visit this article.