
API Testing Questions and Answers

The document outlines key API testing interview questions and answers, covering differences between REST, SOAP, and GraphQL APIs, as well as automation strategies for handling dynamic tokens and security headers. It discusses structuring test suites, integrating API tests into CI/CD pipelines, and implementing security tests using OAuth or JWT. Additionally, it addresses performance testing with JMeter, organizing test cases in tools like JIRA, and balancing automated and manual testing in API projects.

API Testing Interview Questions and Answers

1. Explain the differences between REST, SOAP, and GraphQL APIs. How have
you tested each of them in your projects?
REST APIs use HTTP methods and support multiple formats like JSON and XML. They are
stateless and easier to test using tools like Postman or RestAssured.
SOAP APIs use XML format, follow a strict structure with WSDL, and require more setup.
Tools like SoapUI are preferred for SOAP testing.
GraphQL APIs let you query exactly what you need and return precise results. They’re
typically tested using Postman or GraphQL clients.

In my projects:
- REST: Tested using Postman and RestAssured.
- SOAP: Used SoapUI to validate XML structure and responses.
- GraphQL: Used Postman and manual query validation for field-level testing.

2. How do you handle dynamic tokens, session handling, and security headers
in API testing automation?
- Use pre-request scripts or setup methods to fetch tokens.
- Store them in variables and pass them as headers (e.g., Authorization: Bearer <token>).
- In RestAssured, I use filters/interceptors to inject dynamic headers.
- In Postman, I use environment/global variables and scripts in the Tests/Pre-request tab.

3. How do you structure your test suites, manage test data, and handle
common challenges like dynamic authentication tokens or environment-specific
configurations?
- Use modular suites (Smoke, Regression, Negative Tests).
- Store test data in Excel, JSON, or parameterized test cases.
- Handle dynamic tokens with reusable token-fetch functions.
- Manage environments with property files (Java) or environment sets (Postman).
- Use utility classes for request/response handling.

4. How have you used Cucumber for API automation?
- Defined Gherkin scenarios in feature files.
- Implemented step definitions using RestAssured.
- Used `@Before` and `@After` hooks for setup/teardown.
- Managed test data using JSON files or parameterized examples.
- Used tags like @smoke, @regression to control test execution via runner classes.

5. Could you describe a specific project where you integrated API automation
tests into a CI/CD pipeline?
- Project: Order Management System
- Tools: Jenkins, Git, Maven
- API tests triggered post-deployment to QA using Jenkinsfile.
- Used Maven commands to execute Cucumber tests and generate HTML reports.
- Handled test data using setup scripts and environment variables.

6. What challenges did you face integrating API tests in CI/CD, and how did you
overcome them?
- Challenge: Token expiration
  Solution: Added logic to auto-generate tokens during CI runs.
- Challenge: Unstable environments
  Solution: Introduced retry logic and added environment health checks.
- Challenge: Long-running tests
  Solution: Separated smoke and regression suites using tags.
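
The reusable token-fetch function from questions 2 and 3, and the token auto-generation from question 6, sketched as an added example (not code from the original document). `fetchToken`, `send` and the injected clock are hypothetical stand-ins for the real token endpoint, HTTP client and system time.

```javascript
// Added example: token cache for API test runs. Nothing here calls a real service.
function createTokenProvider(fetchToken, now = () => Date.now(), skewMs = 30000) {
  let cached = null; // { value, expiresAt }
  return {
    // Return a token valid for at least skewMs more, fetching a new one if needed.
    get(forceRefresh = false) {
      if (forceRefresh || !cached || now() >= cached.expiresAt - skewMs) {
        const res = fetchToken(); // assumed shape: { access_token, expires_in } in seconds
        cached = { value: res.access_token, expiresAt: now() + res.expires_in * 1000 };
      }
      return cached.value; // never write this value to CI logs or reports
    },
  };
}

// Inject the bearer header; on a 401 refresh once and retry, so a token that
// expired or was revoked mid-run does not fail the rest of the suite.
function sendWithAuth(provider, send, request) {
  const withToken = (force) => ({
    ...request,
    headers: { ...request.headers, Authorization: `Bearer ${provider.get(force)}` },
  });
  let response = send(withToken(false));
  if (response.status === 401) response = send(withToken(true));
  return response;
}

// Constructed demo: a fake token endpoint and a fake API that accepts only the newest token.
function demo() {
  let clock = 0, issued = 0;
  const provider = createTokenProvider(
    () => ({ access_token: `tok-${++issued}`, expires_in: 60 }), () => clock);
  const send = (req) =>
    ({ status: req.headers.Authorization === `Bearer tok-${issued}` ? 200 : 401 });
  const first = sendWithAuth(provider, send, { url: '/orders', headers: {} });
  clock = 20000; // 20 s in: outside the 30 s skew window, cached token is reused
  const second = sendWithAuth(provider, send, { url: '/orders', headers: {} });
  const fetchesBeforeExpiry = issued;
  clock = 45000; // 45 s in: within 30 s of expiry, token is refreshed proactively
  const third = sendWithAuth(provider, send, { url: '/orders', headers: {} });
  return { statuses: [first.status, second.status, third.status], fetchesBeforeExpiry, issued };
}
```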

7. How do you implement security tests for APIs using OAuth or JWT?
- Send requests with invalid, expired, or no tokens and expect 401.
- Validate role-based access by generating tokens with limited scopes.
- Test for replay attacks by reusing request tokens.
- Verify HTTPS enforcement and sensitive data exposure.
- Tools used: Postman pre-request scripts, RestAssured filters.
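
The negative token cases above as a runnable test matrix, added here as an example and not taken from the original document. `SECRET`, the claims, the `orders:*` scopes and `checkAccess()` are constructed stand-ins for the API under test, and the 403 for a valid token with too little scope assumes the API follows RFC 6750.

```javascript
const { createHmac, timingSafeEqual } = require('crypto');

// Added example. SECRET, the claims and checkAccess() are constructed stand-ins for the
// API under test; in a real suite each case is an HTTP request to a protected endpoint.
const SECRET = 'constructed-test-secret';
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const hmac = (data, key) => createHmac('sha256', key).update(data).digest('base64url');

// Mint a test token; alg and key can be overridden to build the invalid variants.
function mint(claims, { alg = 'HS256', key = SECRET } = {}) {
  const body = `${b64({ alg, typ: 'JWT' })}.${b64(claims)}`;
  return `${body}.${alg === 'none' ? '' : hmac(body, key)}`;
}

// Stand-in resource server returning the status a correctly behaving API should give.
function checkAccess(authHeader, requiredScope, nowSec) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]*)$/.exec(authHeader || '');
  if (!m) return 401; // missing or malformed token
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(m[1], 'base64url').toString());
    claims = JSON.parse(Buffer.from(m[2], 'base64url').toString());
  } catch { return 401; }
  if (!header || header.alg !== 'HS256') return 401; // algorithm pinned, unsigned rejected
  const expected = Buffer.from(hmac(`${m[1]}.${m[2]}`, SECRET));
  const given = Buffer.from(m[3]);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return 401;
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= nowSec) return 401; // expired
  // Valid token without the needed scope: 403 (assumption: API follows RFC 6750).
  return String(claims.scope || '').split(' ').includes(requiredScope) ? 200 : 403;
}

// Each case pairs an Authorization header with the status the test expects.
function runNegativeMatrix(nowSec = 1000) {
  const ok = { sub: 'tester', scope: 'orders:read orders:write', exp: nowSec + 300 };
  const [h, , sig] = mint(ok).split('.');
  const cases = {
    valid: [`Bearer ${mint(ok)}`, 200],
    noToken: [undefined, 401],
    malformed: ['Bearer not-a-jwt', 401],
    expired: [`Bearer ${mint({ ...ok, exp: nowSec - 1 })}`, 401],
    wrongKey: [`Bearer ${mint(ok, { key: 'other-key' })}`, 401],
    unsigned: [`Bearer ${mint(ok, { alg: 'none' })}`, 401],
    tamperedClaims: [`Bearer ${h}.${b64({ ...ok, scope: 'admin' })}.${sig}`, 401],
    limitedScope: [`Bearer ${mint({ ...ok, scope: 'orders:read' })}`, 403],
  };
  return Object.entries(cases).map(([name, [header, want]]) =>
    ({ name, want, got: checkAccess(header, 'orders:write', nowSec) }));
}
```

Any row where `got` differs from `want` is a finding; the `valid` row is the control that shows the rejections come from the token and not from a broken setup.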

8. Have you used JMeter or LoadRunner for API performance testing? What
metrics did you focus on?
- Used JMeter for simulating load on critical endpoints.
- Key metrics:
  - Average and 95th percentile response time
  - Throughput (requests per second)
  - Error rate
  - CPU/memory stats (monitored externally using Grafana/Prometheus)

9. How do you organize API test cases in tools like JIRA or TestRail?
- Organize by modules and features (e.g., Login, Orders).
- Structure test cases by type: Smoke, Functional, Negative.
- Use tags or folders for priority and regression cycles.
- Link test cases to stories in JIRA using Xray/Zephyr.

10. How do you develop a comprehensive API test strategy for a microservice?
- Identify endpoints, input/output, required params.
- Include test types: Functional, Security, Performance.
- Use contract testing (JSON schema validation).
- Manage data using mock or seed scripts.
- Automate critical flows and integrate with CI/CD.
- Document everything in Confluence/JIRA.

11. How do you balance automated and manual testing in API projects?
- Automate stable, repeatable, high-priority flows (e.g., login, checkout).
- Use manual testing for exploratory, UI-API integration, or unstable endpoints.
- Example: Payment gateway validations were done manually in early stages and later
automated once stable.
