API Testing Interview and Viva

Questions and Answers

1. What is API Testing? Why is it important?

Answer:
API Testing involves testing application programming interfaces (APIs) directly to ensure they
meet functionality, reliability, performance, and security standards.

● Importance: APIs are the backbone of software integration. Testing ensures the
seamless communication between different software components or systems.

2. What are the common types of API testing?

Answer:

1. Functional Testing: Verifies API functionality as per requirements.

2. Load Testing: Checks API performance under load.
3. Security Testing: Validates data protection and unauthorized access.
4. Validation Testing: Ensures correct data formatting and schema compliance.
5. UI Testing: Tests API integration with front-end systems.
6. End-to-End Testing: Ensures the API works in a complete system flow.

3. What tools are used for API Testing?

Answer:

● Postman: User-friendly for manual and automated API testing.

● SoapUI: Ideal for SOAP and RESTful APIs.
● JMeter: Performance testing of APIs.
● Karate: Open-source framework for API automation.
● Swagger: Helps with API documentation and testing.

4. Explain the difference between REST and SOAP APIs.

Answer:
 ● REST (Representational State Transfer): Lightweight, uses JSON/XML, relies on
HTTP methods (GET, POST, PUT, DELETE).
● SOAP (Simple Object Access Protocol): Heavier, uses XML for messaging, includes
security features like WS-Security.

5. How do you test a REST API?

Answer:

1. Understand API documentation (endpoints, request formats, response types).

2. Validate HTTP methods (GET, POST, PUT, DELETE).
3. Check response codes (200, 404, 500, etc.).
4. Validate response body structure and data.
5. Test edge cases and error scenarios.

6. What is a status code in an API? Explain some common codes.

Answer:
Status codes indicate the result of an API request.

● 200 OK: Request succeeded.

● 201 Created: Resource successfully created.
● 400 Bad Request: Request syntax is incorrect.
● 401 Unauthorized: Authentication required.
● 403 Forbidden: Access denied.
● 404 Not Found: Resource not found.
● 500 Internal Server Error: Server-side issue.

7. What is JSON? Why is it commonly used in APIs?

Answer:
JSON (JavaScript Object Notation) is a lightweight data-interchange format that's easy to read
and write for humans and machines.

● Use in APIs: It provides structured, easily parsable data exchange between client and
server.

8. How do you validate API response formats?

Answer:

1. Check if the response follows the expected schema (JSON, XML).

2. Validate data types for each key-value pair.
3. Use tools like JSON Schema Validator or Swagger.

9. What is an API endpoint?

Answer:
An API endpoint is a specific URL where an API interacts with a system to retrieve or send
data. Example:
https://api.example.com/v1/users

10. How do you perform security testing of APIs?

Answer:

1. Check authentication mechanisms (OAuth, JWT).

2. Test authorization levels (Role-based access).
3. Validate encryption (SSL/TLS).
4. Test for vulnerabilities like SQL injection, XSS.
5. Verify sensitive data exposure and rate-limiting.

11. What is the difference between PUT and POST methods?

Answer:

● PUT: Updates a resource or creates it if it doesn’t exist.

● POST: Creates a new resource every time it’s called.

Example:

http

PUT /users/1 # Updates or creates a user with ID 1

POST /users # Creates a new user

12. What is API mocking, and why is it useful?

Answer:
API Mocking is creating a dummy API response to simulate the actual API. It’s useful when:

● The real API is not available.

● Testing dependencies on external systems.
● Accelerating development and testing.

13. What is the role of headers in an API request?

Answer:
Headers provide additional information like:

● Authorization: For secure access (e.g., Bearer token).

● Content-Type: Specifies request/response format (e.g., application/json).
● Cache-Control: Controls caching behavior.

14. What is the purpose of rate-limiting in APIs?

Answer:
Rate-limiting restricts the number of requests a client can make in a specific timeframe. This
prevents overuse and safeguards server performance.

15. How do you handle dynamic data in API tests?

Answer:

1. Use environment variables to store dynamic data.

2. Chain requests by extracting data from previous responses.
3. Leverage test data generators for random but valid inputs.

16. What is the difference between synchronous and asynchronous APIs?

Answer:

● Synchronous APIs: Client waits for the server to complete processing and respond.
● Asynchronous APIs: Server processes the request, and the client continues without
waiting.
17. How do you test API performance?

Answer:

● Use tools like JMeter or LoadRunner.

● Measure response time, throughput, and error rate under various loads.
● Simulate concurrent users for stress testing.

18. What is CORS, and how does it affect API testing?

Answer:
CORS (Cross-Origin Resource Sharing) is a browser security feature that restricts resource
sharing between different domains.

● It requires proper headers (Access-Control-Allow-Origin) to permit access.

● Affects testing when APIs are hosted on different origins.

19. How do you handle pagination in APIs?

Answer:

● Pass page and limit parameters in the request.

Example:
GET /users?page=2&limit=10
● Verify the response contains correct data for the requested page.

20. What is API chaining?

Answer:
API chaining involves using the output of one API call as the input for another.
Example:

1. Call API to create a resource (POST /users).

2. Use the returned user ID in another call (GET /users/{id}).

21. What is SOAP API, and how is it different from REST API?

Answer:
SOAP (Simple Object Access Protocol) is a protocol for exchanging structured information in
web services using XML. It is platform- and language-independent.
Key Differences:

1. Protocol vs. Architectural Style: SOAP is a protocol, while REST is an architectural

style.
2. Data Format: SOAP only uses XML, whereas REST supports JSON, XML, HTML, and
plain text.
3. Complexity: SOAP is more rigid and complex, while REST is lightweight and easier to
implement.
4. Transport Protocols: SOAP supports multiple protocols (HTTP, SMTP), whereas REST
typically uses HTTP.

22. What is a webhook, and how does it work?

Answer:
A webhook is an automated message sent from one app to another when a specific event
occurs. It allows real-time communication between systems.

How it Works:

1. A client application registers a webhook URL with the server.

2. The server sends a POST request to the URL whenever the event is triggered.
3. The client processes the data received from the webhook.

Example: Sending a notification when a user submits a form.

23. Explain the concept of API versioning and its importance.

Answer:
API versioning ensures backward compatibility when changes are introduced. This helps
developers maintain existing integrations while improving or fixing the API.

Approaches to Versioning:

1. URL Versioning: https://api.example.com/v1/users

2. Header Versioning: Adding a version header like API-Version: 1.0.
3. Query Parameters: https://api.example.com/users?version=1.

Importance: It prevents breaking changes for existing users and provides flexibility to update
features.
24. What is OAuth, and how does it work in APIs?

Answer:
OAuth (Open Authorization) is a protocol that allows secure access to resources without
sharing credentials.

How It Works:

1. A user grants permission to a client application.

2. The client receives an authorization code.
3. The client exchanges the code for an access token.
4. The token is used to access resources.

Example: Logging into a third-party app using Google credentials.

25. What is an API gateway?

Answer:
An API gateway is a server that acts as an entry point for APIs. It manages and routes requests
from clients to appropriate microservices.

Features:

1. Authentication and Authorization: Ensures secure access.

2. Rate Limiting: Controls traffic.
3. Load Balancing: Distributes requests evenly.
4. Monitoring and Analytics: Tracks API usage and performance.

26. Explain the concept of idempotency in APIs.

Answer:
Idempotency means that making multiple identical requests will have the same effect as
making a single request.

Example:

● GET /user/1: Always retrieves the same user data.

● DELETE /user/1: Deletes the user; subsequent requests have no further effect.

This ensures consistency in APIs, especially for critical operations.

27. What are API rate limits, and how are they enforced?

Answer:
API rate limits restrict the number of API requests a client can make in a specified period. This
prevents abuse and protects server resources.

Enforcement Methods:

1. IP-Based: Limit requests from specific IP addresses.

2. User-Based: Restrict based on user accounts.
3. Token-Based: Use API keys or tokens for rate-limiting.

28. What is a status code 204, and when is it used?

Answer:
Status Code 204 (No Content) indicates that the server successfully processed the request but
didn’t return any content.
Example: Deleting a resource successfully without returning any response body.

29. What is latency in API performance testing?

Answer:
Latency refers to the time taken for a request to travel from the client to the server and back to
the client.

Measured In: Milliseconds (ms).

Importance: High latency can degrade user experience, making performance testing crucial for
APIs.

30. How do you perform data-driven testing for APIs?

Answer:
Data-driven testing involves testing APIs with multiple data inputs to validate responses.
Steps:

1. Prepare test data (e.g., CSV, JSON files).

2. Use tools like Postman or automation frameworks like RestAssured.
3. Iterate through the dataset and assert the expected responses.
31. What are common API vulnerabilities?

Answer:

1. Injection Attacks: SQL injection or script injections.

2. Broken Authentication: Weak login mechanisms.
3. Data Exposure: Sensitive data in responses.
4. Rate-Limiting Issues: Allowing excessive requests.

Mitigation: Use input validation, strong authentication, and encryption.

32. How do you handle API timeouts?

Answer:

1. Set appropriate timeout values in the client configuration.

2. Use retries with exponential backoff.
3. Optimize server-side processing to reduce delays.
4. Implement caching for frequently requested data.

33. What is gRPC, and how does it differ from REST?

Answer:
gRPC (Google Remote Procedure Call) is an open-source framework for remote
communication using Protocol Buffers (protobuf).

Differences from REST:

1. Data Format: gRPC uses protobuf (compact), while REST uses JSON/XML.
2. Performance: gRPC is faster due to smaller payloads.
3. Streaming: Supports bidirectional streaming; REST doesn’t.

34. Explain the term "contract testing" in APIs.

Answer:
Contract Testing validates the interaction between API providers and consumers based on
agreed contracts (e.g., schema, endpoints). It ensures changes in the API don’t break existing
integrations.
35. How do you test APIs with authentication mechanisms?

Answer:

1. Obtain valid tokens or credentials.

2. Test endpoints with and without authentication.
3. Validate session expiry and renewal workflows.
4. Check for unauthorized access attempts.

36. What is API mocking, and why is it important in testing?

Answer:
API mocking involves creating a simulated version of an API that mimics its behavior. It is used
when the actual API is unavailable or under development.

Importance:

1. Early Testing: Allows frontend and backend teams to work in parallel.

2. Cost Savings: Reduces dependency on live environments.
3. Scenarios Testing: Simulates error cases like timeouts and invalid responses.

Tools like Postman, WireMock, or Mockoon are commonly used for API mocking.

37. What is the difference between synchronous and asynchronous APIs?

Answer:

1. Synchronous APIs:
○ Operations are executed sequentially.
○ The client waits for a response before proceeding.
○ Example: HTTP/REST APIs.
2. Asynchronous APIs:
○ Operations are executed concurrently.
○ Responses are sent when ready, without blocking the client.
○ Example: Webhooks or WebSocket APIs.

Use Case: Asynchronous APIs are ideal for real-time updates or long-running processes.

38. Explain the term API testing lifecycle.

Answer:
 1. Requirement Analysis: Understand API specifications and endpoints.
2. Test Plan Creation: Define test scenarios and data.
3. Test Case Development: Write test scripts and queries.
4. Test Execution: Use tools like Postman, JMeter, or SoapUI to test APIs.
5. Bug Reporting: Log defects and issues.
6. Regression Testing: Re-test after fixes.
7. Documentation: Share test results and coverage.

39. What is CORS, and why is it important in APIs?

Answer:
CORS (Cross-Origin Resource Sharing) is a security feature in web browsers that restricts
requests from one domain to another.

Importance:

● Prevents unauthorized access to APIs.

● Ensures only trusted domains can consume the API.

Solution for Errors: Configure server headers (Access-Control-Allow-Origin) to allow

specific origins.

40. What are API performance metrics?

Answer:

1. Latency: Time taken to process a request.

2. Throughput: Number of requests handled per second.
3. Error Rate: Percentage of failed requests.
4. Uptime: Percentage of time the API is operational.
5. Peak Load: Maximum traffic the API can handle.

41. How do you validate API schema?

Answer:
Use tools or libraries to compare API responses against a predefined schema (e.g., JSON
Schema).

1. Define expected field types, required fields, and constraints.

2. Validate responses during testing.
 3. Tools: Postman, AJV (JSON validator), or Swagger.

42. What is HATEOAS in RESTful APIs?

Answer:
HATEOAS (Hypermedia as the Engine of Application State) allows APIs to include
navigational links in responses.

Example:
A response for a user might include links to update or delete the user:

json

"id": 1,

"name": "John",

"links": [

{"rel": "update", "href": "/users/1/update"},

{"rel": "delete", "href": "/users/1/delete"}

43. What is API fuzz testing?

Answer:
Fuzz testing involves sending random or invalid data to APIs to uncover vulnerabilities or edge
cases.
Purpose: To test input validation and identify security issues like buffer overflows or injection
flaws.
44. How do you ensure API security?

Answer:

1. Authentication: Use OAuth, JWT, or API keys.

2. Encryption: Encrypt data using HTTPS and TLS.
3. Rate Limiting: Prevent abuse with quotas.
4. Input Validation: Sanitize and validate input data.
5. Logging and Monitoring: Track API usage and detect anomalies.

45. What are dynamic and static API testing?

Answer:

1. Static Testing: Examines the API specification, schema, or code without execution.
Example: Reviewing OpenAPI specifications.
2. Dynamic Testing: Validates API functionality and performance by executing requests.
Example: Testing endpoints with real data using Postman.

46. Explain the term API orchestration.

Answer:
API orchestration combines multiple API calls into a single workflow to achieve a specific
outcome.
Example: Booking a flight involves:

1. Fetching available flights.

2. Checking seat availability.
3. Making a payment.

Orchestration ensures these steps occur in sequence.

47. What is the role of CI/CD in API testing?

Answer:
CI/CD pipelines automate API testing during software development.

Steps in CI/CD:

1. Automatically execute test cases after every code change.

 2. Use tools like Jenkins or GitHub Actions for pipeline automation.
3. Ensure fast feedback by integrating API testing frameworks like Newman (Postman CLI).

48. What are query parameters and path parameters in APIs?

Answer:

1. Query Parameters: Used to filter or sort data.

Example: /users?age=25&city=NY
2. Path Parameters: Identify specific resources in the URL.
Example: /users/{userId} → /users/123

Key Difference: Query parameters are optional, while path parameters are mandatory.

49. How do you test API integrations?

Answer:

1. Validate all endpoints involved in the integration.

2. Test data flow between systems.
3. Check error handling for failed requests.
4. Perform end-to-end tests simulating real-world scenarios.

50. What is contract-first vs. code-first API design?

Answer:

1. Contract-First: Define the API specification (e.g., OpenAPI) before coding.

○ Ensures consistency and clarity.
2. Code-First: Write the implementation, then document the API.
○ Faster for small teams but risks inconsistencies.

51. What is an API Gateway, and why is it important?

Answer:
An API Gateway is a server that acts as a single entry point for multiple APIs. It manages API
traffic, enforces security, and handles tasks like authentication, rate limiting, and monitoring.

Importance:
 ● Simplifies client-server communication.
● Improves API performance by aggregating responses.
● Enhances security by hiding internal APIs.
● Example: AWS API Gateway, Kong, or Apigee.

52. What is the difference between REST and GraphQL APIs?

Answer:

1. REST:
○ Standard HTTP methods (GET, POST, etc.).
○ Fixed endpoints, e.g., /users.
○ Fetches all data or none.
2. GraphQL:
○ Single endpoint, e.g., /graphql.
○ Clients query exactly what they need.
○ Reduces over-fetching and under-fetching issues.

Example Query in GraphQL:

graphql

query {

user(id: 1) {

name

email

53. How do you test API versioning?

Answer:

1. Verify requests for each version (e.g., /v1/users vs. /v2/users).

 2. Test backward compatibility for older clients.
3. Validate the deprecation of outdated endpoints.
4. Ensure that documentation aligns with each version.

54. What are the common API testing challenges?

Answer:

1. Environment Issues: API dependencies might not be ready.

2. Complex Workflows: Testing interdependent APIs can be challenging.
3. Dynamic Data: Requires parameterization for accurate testing.
4. Security Concerns: Ensuring proper authorization and preventing data leaks.

55. Explain the term idempotency in APIs.

Answer:
An API operation is idempotent if repeated calls produce the same result.

● Example: HTTP GET and PUT methods are idempotent.

○ PUT /user/1 with the same data always updates the user without creating
duplicates.

56. How do you test APIs for scalability?

Answer:

1. Perform load testing using tools like JMeter or Gatling.

2. Gradually increase the number of requests and analyze latency.
3. Validate the API’s behavior under peak load conditions.
4. Monitor server utilization metrics (CPU, memory).

57. What is OAuth, and how does it work in APIs?

Answer:
OAuth (Open Authorization) is a token-based protocol that enables secure third-party access
to APIs.
 1. Flow:
○ The client requests an access token using client credentials.
○ The token is used to access protected resources.
○ Example: Accessing a user’s Google Drive.

58. How do you handle API pagination?

Answer:
Pagination allows APIs to return a subset of data instead of overwhelming the client with all
records.

Approaches:

1. Offset-Based: GET /users?offset=10&limit=20

2. Cursor-Based: GET /users?cursor=abc123&limit=20

Validation: Test correct implementation of next and previous links.

59. How do you validate JSON Web Tokens (JWT)?

Answer:

1. Signature Verification: Check if the token’s signature matches the server’s secret or
public key.
2. Expiration Check: Ensure the token hasn’t expired.
3. Payload Validation: Verify claims (e.g., user_id, roles).

Tools like jwt.io simplify validation during testing.

60. What is the difference between SOAP and REST APIs?

Answer:

1. SOAP (Simple Object Access Protocol):

○ XML-based.
○ Strict standards for request/response format.
○ Example: Banking applications.
2. REST (Representational State Transfer):
○ Lightweight, supports JSON or XML.
 ○ Flexible and faster.
○ Example: Social media platforms.

61. Explain the use of WebSockets in APIs.

Answer:
WebSockets enable real-time, two-way communication between clients and servers.

● Example Use Case: Chat applications or live stock price updates.

● Test scenarios include message latency, connection stability, and handling
disconnections.

62. What are the best practices for writing API test cases?

Answer:

1. Cover all scenarios: positive, negative, edge cases.

2. Use data-driven tests for parameter variations.
3. Include security validations (e.g., authentication).
4. Validate response format and status codes.
5. Ensure API documentation matches functionality.

63. What is the difference between API mocking and stubbing?

Answer:

1. Mocking: Simulates the behavior of an actual API, allowing dynamic responses.

2. Stubbing: Provides fixed, pre-defined responses for specific requests.

64. How do you test APIs for concurrency?

Answer:

1. Simulate multiple users making simultaneous API calls.

2. Validate data consistency and server response time.
3. Tools like JMeter or Locust are helpful for concurrency testing.
65. What is gRPC, and how is it different from REST?

Answer:
gRPC (Google Remote Procedure Call):

● Uses Protocol Buffers (protobuf) for data serialization.

● Faster and efficient compared to REST.
● Supports bi-directional streaming.

REST vs. gRPC: REST uses text-based formats (e.g., JSON), while gRPC focuses on binary
data for speed.

66. How do you test APIs with GraphQL?

Answer:

1. Validate query structures and schemas.

2. Test field-level permissions.
3. Ensure performance under nested queries.
4. Tools: Postman or Apollo Playground.

67. What are the common HTTP status codes tested in APIs?

Answer:

1. 200 OK: Success.

2. 400 Bad Request: Invalid input.
3. 401 Unauthorized: Authentication required.
4. 404 Not Found: Resource not available.
5. 500 Internal Server Error: Server-side issue.

68. How do you automate API tests?

Answer:

1. Use tools like Postman, RestAssured, or Karate.

2. Integrate automation scripts into CI/CD pipelines.
3. Automate validations for status codes, response times, and payloads.
69. How do you test APIs for backward compatibility?

Answer:

1. Validate old clients against new APIs.

2. Ensure deprecated endpoints respond with appropriate warnings.
3. Retest critical workflows involving older versions.

70. Explain the difference between HTTP and HTTPS in API communication.

Answer:

1. HTTP: Transmits data in plain text.

2. HTTPS: Encrypts data using SSL/TLS, ensuring secure communication.

71. What is API Rate Limiting, and why is it important?

Answer:
Rate Limiting restricts the number of API requests a user or system can make within a specific
time frame.

● Importance:
○ Prevents server overload.
○ Mitigates abuse or DDoS attacks.
○ Ensures fair usage for all clients.

Example:

● Limit: 1000 requests/hour.

● Response: 429 Too Many Requests when exceeded.

72. What is an API Throttling Policy?

Answer:
API throttling controls the request rate, pausing or delaying excess requests rather than
blocking them outright.

Scenario:

● A burst of 100 requests in a second slows down processing but avoids rejection if within
limits.
73. How do you test API Authentication?

Answer:

1. Validate with valid credentials (happy path).

2. Test incorrect passwords or tokens.
3. Check for expired tokens.
4. Simulate unauthorized access attempts and ensure proper responses like 401
Unauthorized.

74. What are CORS, and how does it impact API testing?

Answer:
CORS (Cross-Origin Resource Sharing) controls how APIs are accessed across different
domains.

Example:

● Server A hosts the API, and Client B tries to call it.

● The server must allow requests from B via CORS headers like
Access-Control-Allow-Origin.

Testing involves verifying headers for expected behaviors.

75. How do you test APIs for timeout scenarios?

Answer:

1. Simulate high latency by introducing network delays.

2. Verify if the API responds within acceptable thresholds.
3. Ensure proper error codes like 504 Gateway Timeout.

76. What is the significance of content negotiation in APIs?

Answer:
Content Negotiation allows clients to specify response formats (e.g., JSON, XML) via the
Accept header.
Example Test Case:

● Request: Accept: application/json.

● Verify response matches the requested format.

77. How do you handle file uploads and downloads in API testing?

Answer:

1. Validate supported file types and size restrictions during uploads.

2. Check integrity and correct file format in downloaded files.
3. Test invalid uploads (e.g., oversized files).

78. What is a Swagger/OpenAPI specification?

Answer:
Swagger or OpenAPI is a framework for describing APIs.

● Includes details about endpoints, methods, parameters, and response structures.

● Helps auto-generate documentation and test cases.

Testing Tip: Verify the spec aligns with actual API behavior.

79. Explain API chaining in testing.

Answer:
API chaining uses the response of one API as input for another.
Example:

1. POST /login returns a token.

2. Use this token in GET /user for authorization.

80. What is the role of monitoring in API testing?

Answer:
API monitoring ensures availability and performance in production.

● Uses synthetic tests to validate APIs periodically.

 ● Tools: Postman Monitors, New Relic, or Datadog.

81. How do you test APIs for localization?

Answer:

1. Validate language-specific responses based on headers like Accept-Language.

2. Ensure no hardcoded strings in responses.
3. Test formatting for dates, currency, and numbers per locale.

82. What is API shadowing in testing?

Answer:
API shadowing involves duplicating API requests to a parallel environment to observe
performance or errors without affecting live traffic.

83. Explain the concept of API mocking during development.

Answer:
Mocking simulates API responses to test applications when actual APIs are unavailable.

● Tools: Postman Mock Server, WireMock, or Mockoon.

84. What is the use of API schema validation?

Answer:
API schema validation ensures the request and response structures adhere to the expected
format.

● Tools: JSON Schema Validator.

● Test invalid or missing fields.

85. How do you ensure API security during testing?

Answer:
 1. Validate tokens (OAuth/JWT).
2. Test for vulnerabilities like SQL Injection or XSS.
3. Ensure sensitive data (e.g., passwords) isn’t exposed in responses.
4. Use tools like Burp Suite or OWASP ZAP.

86. What is the role of headers in API testing?

Answer:
Headers carry metadata about the API request/response.

● Examples:
○ Content-Type: Specifies payload format (e.g., JSON).
○ Authorization: Validates user identity.
○ Cache-Control: Manages caching behavior.

87. What is an asynchronous API, and how is it tested?

Answer:
Asynchronous APIs use message queues or callbacks instead of immediate responses.
Testing Steps:

1. Trigger the API and verify acknowledgment.

2. Poll the endpoint for results or subscribe to notifications.

88. How do you test APIs for failover scenarios?

Answer:

1. Simulate primary server failure.

2. Verify fallback systems respond appropriately.
3. Ensure minimal downtime or data loss.

89. What is SOAP Fault, and how do you handle it?

Answer:
A SOAP Fault is an error message in SOAP APIs.
 ● Contains details like faultcode and faultstring.
● Test cases should verify error codes and descriptions.

90. Explain ETag in APIs.

Answer:
ETag (Entity Tag) is used to track resource changes.

● API responds with an ETag header.

● Use If-None-Match in subsequent requests to check for updates.

91. What is OAuth, and how is it tested in APIs?

Answer:
OAuth is an open standard for authorization that allows third-party applications limited access to
a user's resources without exposing credentials.

● Testing Steps:
1. Validate the authorization flow (e.g., Authorization Code Flow, Implicit Flow).
2. Test token generation, expiration, and revocation.
3. Ensure sensitive scopes require explicit user consent.

92. How do you test API Pagination?

Answer:
Pagination breaks large datasets into smaller, manageable parts.

● Key Points to Test:

1. Validate next and previous links.
2. Verify correct page sizes and boundaries.
3. Test edge cases, such as empty pages or exceeding the total count.

93. What is the role of the Retry-After header in APIs?

Answer:
This header indicates the time a client must wait before retrying a request, often used in
rate-limiting or server downtime scenarios.

● Testing: Simulate retry logic based on the Retry-After duration.

94. Explain RESTful API Best Practices.

Answer:

1. Use proper HTTP methods (GET, POST, etc.).

2. Use meaningful endpoint names (e.g., /users/{id}).
3. Return appropriate status codes (e.g., 200, 404, 500).
4. Enable filtering, sorting, and pagination for large datasets.

95. What is GraphQL, and how does it differ from REST APIs?

Answer:
GraphQL is a query language for APIs that allows clients to request specific data.

● Differences:
○ REST uses fixed endpoints; GraphQL uses a single endpoint.
○ Clients specify required fields in GraphQL, reducing over-fetching or
under-fetching.

96. How do you test WebSocket APIs?

Answer:
WebSockets provide full-duplex communication.

● Testing:
1. Establish a connection and validate handshake (101 Switching Protocols).
2. Send and receive messages.
3. Test reconnections after network interruptions.

97. What is the difference between PUT and PATCH in APIs?

Answer:

● PUT: Replaces the entire resource.

● PATCH: Updates specific fields in a resource.
● Testing Example:
 ○ PUT /users/1 replaces all user details.
○ PATCH /users/1 updates only specified fields.

98. How do you validate API Performance?

Answer:

1. Measure response times under varying loads.

2. Check latency, throughput, and error rates.
3. Use tools like JMeter, Postman Collection Runner, or Gatling.

99. What is the significance of idempotency in APIs?

Answer:
An API is idempotent if multiple identical requests result in the same effect.

● Example: GET and DELETE are idempotent, but POST may not be.
● Testing: Ensure repeated calls don’t duplicate operations.

100. What is a gRPC API, and how do you test it?

Answer:
gRPC is a high-performance, open-source framework that uses protocol buffers for data
serialization.

● Testing Tools: Postman with gRPC support, BloomRPC.

● Key Tests: Validate .proto files, test unary and streaming calls.

101. Explain API Fuzz Testing.

Answer:
Fuzz testing involves sending random, invalid, or unexpected data to APIs to identify
vulnerabilities.

● Goal: Ensure robust error handling.

102. How do you verify API Logging and Monitoring?

Answer:

1. Check logs for accurate request/response data.

2. Ensure sensitive data (e.g., passwords) isn’t logged.
3. Test alerts for failures or unusual traffic patterns.

103. What is the difference between Synchronous and Asynchronous APIs?

Answer:

● Synchronous: The client waits for the server to process and respond.
● Asynchronous: The client sends a request and continues; the response comes later via
callbacks or polling.

104. How do you test APIs for Cross-Site Scripting (XSS)?

Answer:

1. Inject malicious scripts into API inputs.

2. Validate proper sanitization in responses.
3. Ensure headers like Content-Security-Policy are in place.

105. What is an API Gateway, and why is it important?

Answer:
An API Gateway manages and secures API calls, acting as an entry point for client requests.

● Features:
○ Authentication and rate limiting.
○ Request routing.
○ Load balancing.

106. Explain HTTP/2 and its benefits for APIs.

Answer:
HTTP/2 improves performance by multiplexing multiple requests over a single connection.
 ● Benefits:
○ Reduced latency.
○ Header compression.
○ Better resource utilization.

107. How do you test APIs for Scalability?

Answer:

1. Simulate increasing user loads.

2. Monitor resource usage (CPU, memory).
3. Identify bottlenecks and measure response times.

108. What is API Rate Spike Testing?

Answer:
It tests API behavior during sudden, extreme surges in traffic.

● Goal: Ensure stability under high loads.

109. How do you validate API Error Codes?

Answer:
Ensure each error condition returns the correct status code and message.

● Examples:
○ 400: Bad Request.
○ 403: Forbidden.
○ 500: Internal Server Error.

110. Explain API Contract Testing.

Answer:
Contract testing ensures APIs adhere to agreed-upon specifications (e.g., OpenAPI/Swagger).

● Tools: Pact, Postman.

● Goal: Ensure compatibility between services
111. What is API Load Testing? How is it performed?

Answer:
API Load Testing involves testing the API under expected user load to assess its performance.

● Steps:
1. Define target load (e.g., 1000 concurrent users).
2. Use tools like Apache JMeter, Locust, or Postman.
3. Monitor metrics such as response time, throughput, and error rate.

112. What are Status Codes in REST APIs? Provide Examples.

Answer:
Status codes indicate the result of the client’s request.

● Examples:
○ 200 OK: Request succeeded.
○ 201 Created: Resource successfully created.
○ 401 Unauthorized: Authentication failed.
○ 503 Service Unavailable: Server temporarily down.

113. How do you test APIs for Data Integrity?

Answer:
Data integrity ensures the data retrieved from APIs matches the source.

● Tests:
1. Validate data types, lengths, and formats.
2. Verify consistency during concurrent requests.

114. Explain the Difference Between REST and SOAP APIs.

Answer:

● REST: Lightweight, uses JSON or XML, and is suitable for web services.
● SOAP: More rigid, uses XML, and offers built-in security (e.g., WS-Security).
● Testing: Use Postman for REST; SOAP UI for SOAP.
115. What are Mock APIs, and Why Are They Used?

Answer:
Mock APIs simulate real APIs, allowing testing when the actual service isn’t ready.

● Benefits:
1. Faster development.
2. Independent testing of API consumers.

116. How Do You Test APIs for Security?

Answer:

1. Validate authentication and authorization mechanisms.

2. Check for vulnerabilities like SQL injection, XSS, and insecure data transmission.
3. Use tools like OWASP ZAP, Burp Suite.

117. Explain the Concept of API Versioning.

Answer:
API versioning ensures backward compatibility when introducing changes.

● Types:
1. URI-based: /v1/resource.
2. Header-based: Accept-Version: v1.
3. Query Parameter: ?version=1.

118. What is an API Throttling Test?

Answer:
Throttling limits the number of API calls within a specific timeframe to prevent overloading.

● Testing: Simulate excess requests and validate the response (e.g., 429 Too Many
Requests).

119. How Do You Test for Broken Links in APIs?

Answer:

● Send requests to all endpoints and validate the status codes.

● Look for 404 Not Found or incorrect redirections.
● Use tools like Postman or automated scripts.

120. What is API Dependency Testing?

Answer:
Dependency testing verifies how well APIs handle failures of dependent services.

● Steps:
1. Simulate dependency downtime.
2. Test API responses and fallback mechanisms.

121. Explain the Importance of HTTPS in APIs.

Answer:
HTTPS encrypts data transmission, protecting sensitive information like credentials.

● Testing:
1. Verify SSL/TLS certificates.
2. Check for HTTPS in all API calls.

122. What is an API Mock Server?

Answer:
A mock server mimics API behavior for development and testing purposes.

● Tools: Postman Mock Server, WireMock.

● Usage: Develop and test clients when the actual API isn’t available.

123. How Do You Handle API Timeout Scenarios?

Answer:
Timeout occurs when the server takes too long to respond.

● Testing:
 1. Simulate high latency or server delays.
2. Validate client-side retries and error messages.

124. What are API Schema Validators?

Answer:
Schema validators ensure API responses conform to the defined schema.

● Tools: JSON Schema Validator, Swagger Validator.

● Tests: Validate required fields, data types, and nested objects.

125. What is the Role of Caching in APIs?

Answer:
Caching reduces server load by storing frequently accessed data.

● Headers Used:
○ Cache-Control.
○ ETag.
● Testing: Verify cache expiration and invalidation.

126. What is Token-Based Authentication in APIs?

Answer:
Clients use tokens (e.g., JWT) to authenticate requests instead of credentials.

● Testing:
1. Validate token generation and expiration.
2. Test invalid token scenarios.

127. How Do You Test APIs for Multi-Language Support?

Answer:

1. Send requests with language-specific headers.

2. Validate correct translations in responses.
128. Explain the Role of Webhooks in APIs.

Answer:
Webhooks enable server-side event notifications by sending data to registered URLs.

● Testing:
1. Set up a dummy endpoint.
2. Verify event delivery and payload accuracy.

129. What is API Dependency Injection?

Answer:
Dependency injection allows external components (e.g., services, databases) to be passed into
APIs, improving modularity and testing.

● Testing: Mock dependencies for isolated tests.

130. How Do You Handle Rate-Limiting Errors?

Answer:

1. Send excessive requests to trigger rate limits.

2. Validate the response (429 Too Many Requests).
3. Test retry logic with the Retry-After header.