Introduction – Why API Testing Using Postman Is Important in Interviews
In today’s applications, APIs are the core layer connecting UI, backend services, mobile apps, and third-party systems. Because of this, most QA, Automation, and SDET interviews include interview questions for API testing using Postman.
Interviewers prefer Postman because:
- It’s widely used in real projects
- It allows manual and basic automation testing
- It shows how well you understand backend logic without UI dependency
In interviews, Postman questions help recruiters evaluate:
- Your understanding of REST APIs
- Your ability to validate responses, headers, and status codes
- Your real-time debugging and testing approach
- Your readiness to move into API automation
This guide includes:
- Clear interview answers
- Postman examples
- JSON/XML samples
- Status code explanations
- Postman scripts
- Scenario-based questions
What Is API Testing? (Clear & Simple)
API testing is a type of software testing that validates the functionality, reliability, performance, and security of APIs (Application Programming Interfaces) by sending requests and verifying responses.
Instead of testing the graphical user interface (UI), API testing focuses on backend communication between systems. APIs act as intermediaries that allow different software applications to exchange data and communicate with each other.
API testing verifies whether APIs:
- Return correct responses
- Process requests accurately
- Handle errors properly
- Maintain security standards
- Perform efficiently under load conditions
Why API Testing Is Important
Modern applications depend heavily on APIs for communication between:
- Web applications
- Mobile applications
- Databases
- Third-party services
- Cloud platforms
If APIs fail, important business operations may stop functioning properly.
Areas Validated in API Testing
Functional Validation
Checks whether APIs work according to business requirements.
Data Validation
Ensures API responses contain accurate data.
Error Handling
Validates how APIs behave under invalid conditions.
Security Validation
Checks authentication and authorization mechanisms.
Performance Validation
Measures response time and scalability.
Example
Sending a GET request to:
/users/1
and validating whether the correct user details are returned in the response.
Real-Time Scenario
In a banking application, API testing verifies whether account balance APIs return accurate balance information after successful authentication.
REST vs SOAP vs GraphQL (Interview Comparison)
| Feature | REST | SOAP | GraphQL |
| Protocol | HTTP | XML-based | HTTP |
| Data Format | JSON / XML | XML only | JSON |
| Performance | Fast | Slower | Optimized |
| Flexibility | High | Low | Very High |
| Usage in Postman | Very High | Moderate | Growing |
Unable to insert the picture
Most interview questions for API testing using Postman focus on REST APIs.
Interview Questions for API Testing Using Postman (90+ Q&A)
Section 1: Postman & API Basics (Q1–Q20)
1. What is Postman?
Postman is a popular API testing tool used to design, send, test, and automate API requests.
It helps testers and developers validate backend services without depending on the UI layer.
Postman supports:
- REST APIs
- SOAP APIs
- GraphQL APIs
- Authentication testing
- Automation scripts
- API collections
It is widely used in real-time projects because it simplifies API testing and debugging.
2. Why is Postman used for API testing?
Postman is used because it makes API testing faster and easier without requiring heavy coding knowledge.
Benefits of using Postman:
- Easy request creation
- Fast response validation
- Supports automation scripts
- Useful for debugging APIs
- Supports authentication methods
- Helps perform API chaining
- Useful for regression testing
Postman is one of the most commonly used tools in QA and API testing projects.
3. What types of APIs can be tested using Postman?
Using Postman, we can test:
- REST APIs
- SOAP APIs
- GraphQL APIs
REST APIs are the most commonly tested because modern applications mainly use REST architecture.
4. What is an API?
An API (Application Programming Interface) allows different software systems to communicate with each other.
APIs act as an intermediary layer between systems.
Example
- Mobile app communicates with backend server using APIs
- Payment gateways interact through APIs
- Weather applications fetch data using APIs
Modern applications heavily depend on APIs for backend communication.
5. What is API testing?
API testing validates API requests, responses, headers, authentication, status codes, schema, and business logic without involving the UI layer.
API testing focuses on:
- Backend logic
- Data validation
- Integration testing
- Error handling
- Security validation
It is faster and more stable than UI testing because it directly validates backend services.
6. What are HTTP methods?
HTTP methods define operations performed on API resources.
Common HTTP methods:
| Method | Purpose |
| GET | Retrieve data |
| POST | Create resource |
| PUT | Full update |
| PATCH | Partial update |
| DELETE | Remove resource |
These methods are fundamental in REST API testing.
7. What is GET request?
GET request is used to retrieve data from the server.
Example
GET /api/users/101
This request may fetch details for user ID 101.
GET requests should not modify data.
8. What is POST request?
POST request is used to create new data or resources on the server.
Example
POST /api/users
POST requests usually contain request payloads.
Example Payload
{
“name”: “Ravi”,
“role”: “QA”
}
POST requests are commonly used for:
- Registration
- Login
- Order creation
9. Difference between PUT and PATCH?
PUT
PUT performs a full update of a resource.
Missing fields may get overwritten.
PATCH
PATCH performs a partial update and modifies only specified fields.
Example
PUT
{
“name”: “Ravi”,
“email”: “ravi@test.com”
}
PATCH
{
“email”: “new@test.com”
}
Simple difference:
- PUT → Full update
- PATCH → Partial update
10. What is DELETE request?
DELETE request is used to remove data or resources from the server.
Example
DELETE /api/users/101
Expected status code is often:
204 No Content
DELETE requests should remove the specified resource successfully.
11. What is an endpoint?
An endpoint is a specific URL representing an API resource or operation.
Example
/users/10
This endpoint may return details for user ID 10.
Endpoints combined with HTTP methods define API actions.
12. What is request payload?
Request payload is the data sent to the API in the request body.
Payloads are commonly used in:
- POST requests
- PUT requests
- PATCH requests
Example
{
“username”: “testuser”,
“password”: “pass123”
}
Payload validation is important during API testing.
13. What is response body?
Response body is the data returned by the API after processing the request.
Example
{
“token”: “abc.def.xyz”,
“userId”: 101
}
Response validation ensures APIs return correct business data.
14. What is stateless API?
A stateless API means each request contains all required information for processing independently.
The server does not store session information between requests.
REST APIs are generally stateless.
Each request should include:
- Authentication token
- Headers
- Parameters
15. What is idempotency?
Idempotency means sending the same request multiple times produces the same result without additional side effects.
Example
PUT /users/101
Repeated PUT requests should not create duplicate data.
Idempotent Methods
- GET
- PUT
- DELETE
Non-Idempotent Method
- POST
POST may create duplicate records if repeated.
16. What is authentication?
Authentication verifies the identity of users or systems.
Common authentication methods:
- Bearer Token
- JWT Token
- API Key
- Basic Authentication
Authentication ensures only valid users can access APIs.
17. What is authorization?
Authorization checks whether authenticated users have permission to access specific resources or perform certain operations.
Example
- Admin users can delete records
- Normal users may only view records
Authorization controls access levels and permissions.
18. What authentication types are supported in Postman?
Postman supports multiple authentication types:
- Bearer Token
- Basic Authentication
- API Key
- OAuth 2.0
Authentication testing is one of the most commonly asked interview topics.
19. What is API versioning?
API versioning manages API changes without breaking existing integrations.
Example
/api/v1/users
/api/v2/users
Versioning helps:
- Maintain backward compatibility
- Introduce new features safely
- Support older clients
20. What is negative API testing?
Negative API testing validates API behavior using invalid or unexpected inputs.
Example scenarios:
- Invalid credentials
- Missing mandatory fields
- Expired tokens
- Invalid payloads
- Special characters
Negative testing ensures APIs handle failures properly.
HTTP Status Codes – Must Know for Postman Interviews
| Code | Meaning | Example |
| 200 | OK | Successful GET |
| 201 | Created | Successful POST |
| 204 | No Content | Successful DELETE |
| 400 | Bad Request | Invalid input |
| 401 | Unauthorized | Invalid token |
| 403 | Forbidden | Access denied |
| 404 | Not Found | Invalid endpoint |
| 409 | Conflict | Duplicate record |
| 422 | Unprocessable | Business rule failure |
| 500 | Server Error | Backend failure |
Section 2: API Validation Using Postman (Q21–Q45)
21. What validations do you perform in Postman?
Common validations include:
- Status code validation
- Response body validation
- Header validation
- Schema validation
- Response time validation
- Authentication validation
- Business logic validation
Interviewers expect validation beyond status codes.
22. Is status code validation enough?
No.
An API may return 200 OK but still provide incorrect business data.
Example
{
“total”: -500
}
The status code is successful, but the business logic is incorrect.
Always validate:
- Response body
- Business rules
- Schema
- Headers
- Calculations
23. How do you validate response body in Postman?
Response body is validated using JavaScript test scripts in Postman.
Example
pm.test(“Token exists”, function () {
const json = pm.response.json();
pm.expect(json.token).to.not.be.undefined;
});
This validation checks whether the token field exists in the response.
24. How do you validate headers in Postman?
Headers are validated using Postman test scripts.
Example
pm.test(“Content-Type is JSON”, function () {
pm.expect(pm.response.headers.get(“Content-Type”))
.to.include(“application/json”);
});
Common headers validated:
- Content-Type
- Authorization
- Cache-Control
25. How do you validate response time?
Response time can be validated using:
pm.response.responseTime
Example
pm.test(“Response time is below 2 seconds”, function () {
pm.expect(pm.response.responseTime).to.be.below(2000);
});
Performance validation is important for user experience.
26. What is schema validation?
Schema validation ensures API response structure matches the expected API contract.
It validates:
- Field names
- Data types
- Mandatory fields
- Arrays
- Nested objects
Schema validation helps detect unexpected backend changes.
27. What is positive API testing?
Positive API testing validates APIs using valid inputs and expected workflows.
Example
- Valid login credentials
- Correct payload
- Authorized access
Expected result:
- Successful response
- Correct data returned
28. What is negative API testing?
Negative API testing validates API behavior using invalid or missing parameters.
Example
- Invalid token
- Missing mandatory fields
- Incorrect payload format
- Invalid credentials
Expected result:
- Proper error handling
- Correct status codes
29. What is boundary value testing?
Boundary value testing validates minimum and maximum input values.
Example
If valid quantity range is:
- Minimum = 1
- Maximum = 100
Test values:
- 0
- 1
- 2
- 99
- 100
- 101
Boundary testing helps identify validation defects.
30. What is API regression testing?
API regression testing means re-testing APIs after code changes to ensure existing functionality still works correctly.
Regression testing helps detect:
- Broken functionality
- Integration issues
- Unexpected side effects
Regression suites are commonly automated using Postman collections and Newman.
31. What is API smoke testing?
API smoke testing is a basic health check performed to verify whether critical APIs are working correctly before detailed testing begins.
Smoke testing validates:
- API availability
- Server accessibility
- Basic functionality
- Authentication flow
Example
Checking whether:
- Login API works
- Core APIs respond successfully
- Server is reachable
If smoke testing fails, further testing is usually stopped because the build may be unstable.
32. What is pagination testing?
Pagination testing validates APIs that return large datasets page by page instead of sending all records at once.
Example
GET /users?page=2&size=10
Validations performed:
- Correct number of records per page
- No duplicate records
- No missing records
- Correct page navigation
- Proper last-page handling
Pagination testing is common in search and reporting APIs.
33. What is filtering testing?
Filtering testing validates whether query parameters correctly return filtered data.
Example
GET /users?status=active
Expected result:
- Only active users should be returned
Common validations:
- Correct filtered data
- Multiple filter combinations
- Empty filter responses
- Invalid filter handling
Filtering validation ensures data accuracy.
34. What is sorting testing?
Sorting testing validates whether API responses are returned in the correct order.
Example
GET /users?sort=name
Common validations:
- Ascending order
- Descending order
- Alphabetical sorting
- Numeric sorting
- Date-based sorting
Sorting validation is commonly used in search APIs and analytics systems.
35. What is API chaining?
API chaining means using the response from one API as input for another API request.
Example Workflow
- Login API returns token
- Token stored in variable
- Token reused in Profile API
Example Script
pm.environment.set(“token”, pm.response.json().token);
API chaining validates complete workflows and is very commonly asked in interviews.
36. How do you store token in Postman?
Tokens are usually stored using environment variables in Postman.
Example
pm.environment.set(“token”, pm.response.json().token);
Stored tokens can then be reused across multiple API requests.
Environment variables make authentication handling easier and more dynamic.
37. What is Pre-request Script?
Pre-request Script is JavaScript code executed before sending an API request in Postman.
It is commonly used for:
- Token generation
- Timestamp generation
- Dynamic request preparation
- Data setup
Pre-request scripts help automate dynamic workflows.
38. Why use Pre-request Script?
Pre-request Scripts are used to generate dynamic values before requests are sent.
Common use cases:
- Generating tokens
- Creating timestamps
- Generating random test data
- Dynamic authentication handling
Example
pm.environment.set(“timestamp”, Date.now());
This helps automate real-time API workflows.
39. What is Collection Runner?
Collection Runner is a feature in Postman used to execute collections multiple times automatically.
It supports:
- Regression testing
- Data-driven testing
- Bulk API execution
Collection Runner improves automation and execution speed.
40. What is Newman?
Newman is the command-line runner for Postman collections.
It allows Postman collections to run outside the Postman UI.
Common use cases:
- CI/CD pipelines
- Jenkins integration
- Automated execution
- Scheduled API testing
Newman is commonly used in automation projects.
41. What is data-driven testing in Postman?
Data-driven testing means executing APIs multiple times using external test data files such as CSV or JSON.
Example
Testing login API with multiple users:
| Username | Password |
| user1 | pass1 |
| user2 | pass2 |
This improves test coverage and reduces manual execution effort.
42. What is API mocking in Postman?
API mocking means simulating API responses when actual backend services are unavailable.
Mock APIs help:
- Frontend teams continue development
- Perform early testing
- Simulate expected responses
Postman provides mock server functionality for this purpose.
43. What is environment in Postman?
An environment in Postman is a set of variables used for different environments such as:
- Development
- QA
- Staging
- Production
Example variables:
- Base URL
- Tokens
- User IDs
Environments help avoid hardcoding values.
44. Difference between global and environment variables?
| Global Variables | Environment Variables |
| Available everywhere | Specific to environment |
| Shared across collections | Used for environment-specific values |
| Less secure for sensitive data | Better for environment isolation |
Example
Global variable:
companyName = ABC
Environment variable:
baseUrl = qa-api.company.com
Environment variables are preferred for dynamic testing.
45. What is logging in Postman?
Logging in Postman means capturing request and response details for debugging and analysis.
Common logging details:
- Request payload
- Response body
- Headers
- Tokens
- Error messages
Example
console.log(pm.response.json());
Logging helps troubleshoot API failures efficiently.
Real-Time API Validation Example Using Postman
Sample Request
POST /api/login
Content-Type: application/json
{
“username”: “testuser”,
“password”: “pass123”
}
Sample Response
{
“token”: “abc.def.xyz”,
“expires_in”: 3600,
“userId”: 101
}
Validations
Expected validations include:
- Status code should be 200
- Token should not be null
- expires_in > 0
- userId should be numeric
- Response format should be JSON
- Response time should meet SLA
These validations ensure both technical and business correctness.
Postman Test Script Examples
Status Code Validation
pm.test(“Status code is 200”, function () {
pm.response.to.have.status(200);
});
Token Validation
pm.test(“Token exists”, function () {
const json = pm.response.json();
pm.expect(json.token).to.not.be.undefined;
});
Response Time Validation
pm.test(“Response time is less than 2000ms”, function () {
pm.expect(pm.response.responseTime).to.be.below(2000);
});
Interviewers commonly ask candidates to explain these validations.
Automation Snippets (Interview Bonus)
Rest Assured (Java – Basic)
Using Rest Assured:
given()
.contentType(“application/json”)
.body(payload)
.when()
.post(“/login”)
.then()
.statusCode(200);
Basic automation awareness creates a strong advantage in interviews.
Python Requests (Basic)
import requests
response = requests.post(url, json=payload)
assert response.status_code == 200
Python is commonly used for lightweight API automation.
Scenario-Based Interview Questions for API Testing Using Postman
These are very common in interviews.
1. API returns 200 but wrong data – what do you validate?
I validate:
- Response body
- Business logic
- Backend calculations
- Database values
- Schema consistency
Status code validation alone is not enough.
2. Login API works, profile API fails – possible reasons?
Possible reasons:
- Invalid token
- Expired token
- Incorrect authorization header
- Backend dependency issue
- Environment mismatch
I would debug using logs and request tracing.
3. Token expired but API still accessible – defect?
This is a security and authorization defect because expired tokens should not allow API access.
Expected response:
401 Unauthorized
4. API works in Postman but not in UI – why?
Possible reasons:
- Frontend integration issue
- Missing headers
- CORS issue
- Session handling issue
- Different environments
This usually requires frontend and backend debugging together.
5. API slow only in production – possible causes?
Possible causes:
- High production traffic
- Database bottlenecks
- Network latency
- Server load issues
- Caching problems
Performance monitoring and logs help identify root cause.
6. Duplicate records created – what validation missed?
Possible missed validations:
- Duplicate checks
- Idempotency validation
- Retry handling
- Concurrency testing
This issue commonly occurs in payment and order systems.
7. Unauthorized user accesses secured API – issue?
This is a security and authorization issue.
Access control validation failed.
8. API crashes for special characters – what testing?
This requires:
- Negative testing
- Input validation testing
- Security testing
APIs should handle special characters safely.
9. Same request returns different responses – why?
Possible reasons:
- Caching issue
- Database inconsistency
- Race conditions
- Backend synchronization problems
Response consistency validation is important.
10. Payment deducted but order not created – what testing?
This requires:
- Rollback testing
- Transaction testing
- Data consistency validation
Partial transactions should not occur.
11. API returns null fields – how do you handle?
I use assertions to validate mandatory fields.
Example
pm.expect(json.userId).to.not.be.null;
Null validation is important for schema and business validation.
12. API schema changes suddenly – impact?
Possible impact:
- Frontend failures
- Automation failures
- Integration failures
- Contract mismatches
Schema validation helps detect such changes quickly.
13. API fails only in Newman – possible reasons?
Possible reasons:
- Environment variable mismatch
- Incorrect command configuration
- Missing dependencies
- Authentication issues
- CI/CD configuration problems
I would analyze Newman logs and environment setup.
14. API returns XML instead of JSON – issue?
This is a content-type or response-format issue.
Expected header:
Content-Type: application/json
Incorrect formats may break frontend and automation scripts.
15. Partial data saved after failure – what testing missed?
Possible missed validations:
- Rollback validation
- Transaction validation
- Data consistency checks
This indicates improper transaction handling.
How Interviewers Evaluate Your Answers
Interviewers mainly evaluate:
- API fundamentals
- Practical Postman usage
- Validation beyond status codes
- Real-time debugging mindset
- Scenario-based thinking
- Functional validation approach
Hands-on explanation matters more than memorized definitions.
Postman API Testing Interview Cheatsheet
- Never trust only 200 OK
- Always validate response body
- Use environment variables
- Test negative scenarios
- Understand authentication clearly
- Practice real APIs in Postman
- Validate business logic
- Learn API chaining
- Use meaningful assertions
- Practice scenario-based debugging
FAQs – Interview Questions for API Testing Using Postman
Q1. Is Postman enough for API testing interviews?
Yes — for many API testing interviews, strong Postman knowledge is enough, especially for:
- Freshers
- Manual QA roles
- Functional API testing roles
- Service-based company interviews
But for Automation QA and SDET roles, Postman alone is usually not enough.
The expectation depends on:
- Your experience level
- Company type
- Role requirements
- Automation expectations
Q2. Do interviewers expect automation knowledge?
Yes — in many modern API testing interviews, interviewers do expect at least basic automation knowledge, especially for candidates with around 2 years experience and above.
However, the level of expectation depends on:
- Role type
- Company type
- Experience level
- Project requirements
You usually do NOT need advanced framework expertise unless the role is heavily automation-focused.
Q3. REST or SOAP – which is more important?
For most modern API testing interviews and real-world projects, REST is much more important than SOAP.
Today, most applications use REST APIs because they are:
- Lightweight
- Faster
- Easier to integrate
- Easier to automate
- Better suited for web and mobile applications
However, basic SOAP knowledge is still useful because some enterprise and legacy systems continue using SOAP services.
Why REST Is More Important Today
REST APIs are heavily used in:
- Web applications
- Mobile applications
- Microservices architecture
- Cloud platforms
- SaaS applications
- Third-party integrations
Most modern backend systems are REST-based.
That is why interviewers focus heavily on REST concepts during API testing interviews.
Q4. Biggest mistake candidates make?
The biggest mistake candidates make in API testing interviews is focusing only on tools and status codes instead of understanding real business behavior and backend validation.
Many candidates think:
“I sent the request in Postman and got 200 OK, so the API works.”
But interviewers expect much deeper analysis, especially for candidates with around 2 years of experience.
1. Trusting Only 200 OK
This is the most common mistake.
Candidates often validate only:
Status code = 200
But APIs can still return incorrect business data.
Example
{
“total”: -500
}
The API technically succeeded, but the business logic is wrong.
Interviewers expect validation of:
- Response body
- Business calculations
- Database updates
- Schema
- Headers
- Workflow behavior
Not just status codes.
2. Knowing Only Basic Postman Usage
Many candidates only know:
- Sending requests
- Checking response
- Viewing status code
But at 2 years experience, interviewers expect more advanced usage such as:
- Assertions
- API chaining
- Dynamic variables
- Pre-request scripts
- Environment variables
- Collection Runner
- Negative testing
Example
pm.expect(r.total).to.eql(r.subtotal – r.discount + r.tax);
This demonstrates business validation thinking.
3. Ignoring Business Logic
API testing is not only technical testing.
Interviewers expect candidates to validate:
- Discounts
- Tax calculations
- Order workflows
- Payment handling
- Access permissions
- Duplicate prevention
Example Questions
- Can duplicate orders happen?
- Can unauthorized users access APIs?
- Are invalid transactions blocked?
- Does rollback work properly?
Business logic validation is one of the most important interview areas.
4. No Negative Testing Mindset
Many candidates test only happy paths.
Strong candidates always test:
- Invalid payloads
- Missing fields
- Expired tokens
- Invalid authentication
- Boundary values
- Special characters
- Empty requests
Negative testing shows deeper understanding of API behavior.
5. Weak Debugging Approach
Weak answer:
“I will report the defect.”
Strong answer:
- Check logs
- Verify request payload
- Compare database records
- Validate headers
- Analyze backend logic
- Reproduce the issue
- Check dependent services
Interviewers heavily evaluate troubleshooting ability at this level.
6. No Real-Time Scenario Thinking
Many candidates memorize definitions but struggle with practical questions.
Common interview scenarios:
- API returns 200 but wrong data — what do you do?
- Login works but profile API fails — why?
- Payment deducted but order not created — what testing applies?
- Retry creates duplicate records — how prevent it?
Interviewers prefer practical thinking over memorized theory.
7. Weak Understanding of Authentication
Candidates commonly confuse:
- Authentication
- Authorization
- JWT tokens
- Bearer tokens
- 401 vs 403
These are among the most frequently asked API interview topics.
You should clearly understand:
- How tokens work
- How tokens expire
- How tokens are passed
- Role-based access control
8. No Automation Awareness
Some candidates think API testing means only manual testing in Postman.
But modern projects increasingly expect:
- Basic automation knowledge
- Assertions
- API automation awareness
- CI/CD basics
Even simple knowledge of:
- Rest Assured
- Python requests
- Newman
creates a stronger profile.
9. Weak Assertions
Some candidates validate only:
pm.response.to.have.status(200);
Interviewers expect stronger validations such as:
- Schema validation
- Field validation
- Business rule validation
- Header validation
- Range validation
Assertions should validate meaningful behavior, not just technical success.
10. Explaining “What” but Not “Why”
Weak answer:
“I validated response fields.”
Better answer:
“I validated totals and discounts because incorrect calculations may cause financial defects.”
Interviewers value reasoning and risk awareness.
Q5. How should freshers prepare?
If you want to prepare quickly for Infosys API testing interviews, focus only on the topics that Infosys interviewers repeatedly ask.
Do not try to learn everything deeply at once.
Infosys interviews usually focus more on:
- API fundamentals
- Practical testing knowledge
- Real-time scenarios
- Postman usage
- Functional validation
Basic automation awareness

