Introduction – Why API Testing Is Important in Technical Interviews
Modern software systems are API-first. Web, mobile, microservices, and third-party integrations all communicate through APIs. As a result, technical interviewers rely heavily on api testing technical interview questions to assess whether candidates truly understand backend behavior—not just UI flows.
In technical rounds, interviewers evaluate whether you can:
- Explain REST/SOAP fundamentals clearly
- Validate business logic, not just HTTP status codes
- Handle negative cases, edge cases, and security basics
- Use tools like Postman, SoapUI, Rest Assured, Python
- Reason through real-time production issues
This guide is designed for freshers to experienced QA/API engineers, with simple explanations, practical examples, and scenario-based answers.
What Is API Testing? (Clear & Simple)
API testing verifies that Application Programming Interfaces:
- Accept valid requests
- Enforce business rules
- Return correct responses and status codes
- Handle errors, performance, and security properly
Example (Login API):
- Valid credentials → 200 OK + token
- Invalid password → 401 Unauthorized
- Missing field → 400 Bad Request
REST vs SOAP vs GraphQL (Technical Comparison)
| Feature | REST | SOAP | GraphQL |
| Transport | HTTP | HTTP/SMTP | HTTP |
| Payload | JSON/XML | XML | JSON |
| Contract | Optional (OpenAPI) | Mandatory (WSDL) | Schema |
| Performance | Fast | Slower | Optimized |
| Usage | Most modern apps | Banking/legacy | Modern microservices |
API Testing Technical Interview Questions & Answers (100+)
Section A: Fundamentals (Q1–Q20)
- What is an API?
A contract enabling systems to communicate via requests/responses. - What is API testing?
Validating endpoints, payloads, headers, status codes, and business rules. - API testing vs UI testing?
API tests backend logic; UI tests presentation. - Common API types?
REST and SOAP. - What is REST?
An architectural style using HTTP verbs and stateless interactions. - What is SOAP?
An XML-based protocol with strict contracts (WSDL). - Endpoint?
A URL representing a resource/action. - Request payload?
Data sent to the API body. - Response body?
Data returned by the API. - Statelessness?
Each request contains all needed context. - Idempotency?
Same request → same outcome. - Authentication vs Authorization?
Identity vs permission. - Common auth types?
Bearer token, API key, OAuth, Basic Auth. - JWT?
Signed token with claims for stateless auth. - API versioning?
Managing changes via /v1, /v2. - Positive vs negative testing?
Valid inputs vs invalid/error cases. - Boundary testing?
Min/max values. - Schema?
Defines structure and data types. - API chaining?
Use one response in another request. - Regression testing?
Re-test after changes.
Section B: HTTP Methods & Status Codes (Q21–Q35)
HTTP Methods
| Method | Use |
| GET | Read |
| POST | Create |
| PUT | Replace |
| PATCH | Partial update |
| DELETE | Remove |
Status Codes
| Code | Meaning |
| 200 | OK |
| 201 | Created |
| 204 | No Content |
| 400 | Bad Request |
| 401 | Unauthorized |
| 403 | Forbidden |
| 404 | Not Found |
| 409 | Conflict |
| 422 | Rule violation |
| 429 | Too Many Requests |
| 500 | Server Error |
Is 200 enough?
No—validate data and rules.- Header validation?
Authorization, Content-Type, caching. - Schema validation?
Ensure response structure matches spec. - Response time testing?
Meet SLAs. - Pagination testing?
Pages, boundaries, totals. - Filtering/sorting?
Query params correctness. - Rate limiting?
Expect 429 beyond thresholds. - Caching?
Headers and performance gains. - Concurrency?
Parallel requests correctness. - Rollback?
No partial data on failure. - Data consistency?
Same data across systems. - Error messages?
Clear, non-leaky. - Default values?
Applied when omitted. - Enums?
Reject unsupported values. - Localization/timezones?
Correct formats and offsets.
Section C: Functional & Advanced Topics (Q36–Q60)
- Create (POST) validation?
201, body fields, side-effects. - Read (GET) validation?
200, filters, fields. - Update (PUT/PATCH) validation?
Changed vs unchanged fields. - Delete validation?
204 and resource removal. - Auth failures?
401/403 for missing/invalid token. - Idempotency checks?
Repeat PUT/PATCH. - Business calculations?
Totals, tax, discounts. - Date rules?
Past/future constraints. - File uploads?
Type/size checks. - Webhooks?
Trigger and verify callbacks. - Dependencies?
Graceful failure handling. - Retries?
Transient error behavior. - Search APIs?
Exact/partial matches. - Bulk operations?
Partial success handling. - Null handling?
Required vs optional. - Backward compatibility?
Older clients unaffected. - ETags/optimistic locking?
Prevent lost updates. - Sorting stability?
Deterministic order. - Precision/rounding?
Financial accuracy. - Throttling headers?
Remaining quota. - Cache invalidation?
Updates clear cache. - Soft delete?
Visibility vs removal. - Feature flags?
Conditional behavior. - Observability?
Trace IDs/log correlation. - Contract testing?
Provider–consumer agreement.
Status Codes + API Validation Example
Request
POST /api/orders
Content-Type: application/json
Authorization: Bearer <token>
{
“productId”: 501,
“quantity”: 2,
“coupon”: “SAVE10”
}
Response
{
“orderId”: 9001,
“subtotal”: 200,
“discount”: 20,
“tax”: 18,
“total”: 198,
“status”: “CREATED”
}
Validations
- Status 201
- total = subtotal – discount + tax
- quantity > 0
- Schema and headers correct
Tooling & Automation Snippets
Postman (JavaScript)
pm.test(“201 Created”, () => {
pm.response.to.have.status(201);
});
pm.test(“Total calculation”, () => {
const r = pm.response.json();
pm.expect(r.total).to.eql(r.subtotal – r.discount + r.tax);
});
SoapUI (XPath)
//status = ‘CREATED’
Rest Assured (Java)
given()
.contentType(“application/json”)
.body(payload)
.when()
.post(“/orders”)
.then()
.statusCode(201)
.body(“status”, equalTo(“CREATED”));
Python (requests)
import requests
res = requests.post(url, json=payload, headers=headers)
assert res.status_code == 201
data = res.json()
assert data[“total”] == data[“subtotal”] – data[“discount”] + data[“tax”]
Scenario-Based Practical Q&A (15)
- 200 OK but wrong data—what checks add?
- Coupon applied twice—what rule missed?
- Order created without auth—defect?
- PATCH updates all fields—issue?
- DELETE returns body—acceptable?
- Pagination duplicates—cause?
- Overselling stock—test concurrency how?
- Expired token still works—risk?
- 422 vs 400—when to use?
- Non-deterministic responses—why?
- Timezone bugs—how catch?
- Search ignores filters—where look?
- Retries cause duplicates—prevention?
- Webhook not fired—verify how?
- Schema changed silently—impact?
How Interviewers Evaluate Your Answer
They look for:
- Clear technical reasoning
- Validation beyond status codes
- Real examples and edge cases
- Tool usage and assertions
- Calm, logical debugging
Tip: Explain what you validate and why.
API Testing Technical Interview Cheatsheet
- Validate business rules
- Test positive & negative paths
- Don’t trust 200 alone
- Check schema & headers
- Handle edge cases
- Automate critical paths
FAQs – API Testing Technical Interview Questions
Q1. Is Postman enough for technical rounds?
Yes for manual testing; automation helps.
Q2. REST or SOAP—what to focus on?
REST primarily; SOAP basics are valuable.
Q3. Biggest mistake candidates make?
Only checking status codes.
Q4. Freshers vs experienced focus?
Freshers: fundamentals; Experienced: scenarios & automation.
Q5. How to prepare fast?
Practice real APIs and scenarios daily.