DEV Community

keploy
keploy

Posted on

30 API Testing Interview Questions That Actually Get Asked in 2026 (With Honest Answers)

#ai #api #beginners #opensource

Let me be straight with you.

Most "interview question" articles are copy-paste lists with surface-level answers that sound right but fall apart the moment a senior engineer pushes back. This one is different. These are questions pulled from real interview patterns at companies that take testing seriously — and the answers here go one level deeper than what the average candidate prepares.

Whether you're a junior dev prepping for your first QA role or a backend engineer moving into a more test-focused position, bookmark this and work through it section by section.

First, Understand What Interviewers Are Actually Evaluating

Before we get into the questions, here's what matters: interviewers asking API testing questions aren't just checking whether you know the definition of a status code. They're evaluating three things:

  1. Whether you understand why API testing exists — not just what it is
  2. Whether you can reason through edge cases — not just happy paths
  3. Whether you've done it in the real world — not just studied it for an interview

Keep that frame in mind as you read through every answer below.

Section 1: Foundational Questions (Expect These in Every Interview)

1. What is API testing, and how is it different from UI testing?

API testing validates how systems communicate — it checks whether the data exchange, business logic, and responses work correctly at the interface layer, without going through any user interface.

UI testing drives a browser or app and simulates user behavior. API testing skips that layer entirely and talks directly to the service.

The practical difference: API tests run faster, are less brittle (no DOM changes break them), and catch logic issues that a UI test would never surface. If you want to go deeper on the fundamentals, what is API testing in software is a solid reference for the complete picture.

What interviewers want to hear: That you understand API testing sits between unit tests and end-to-end tests in the testing pyramid — and that you know why that position makes it valuable.

2. What types of API testing exist?

There are more than most candidates mention. The ones that matter:

  • Functional testing — Does the API do what the spec says?
  • Contract testing — Does the API honor the agreement between consumer and provider?
  • Load/performance testing — How does it behave under traffic?
  • Security testing — Authentication, authorization, injection vulnerabilities
  • Integration testing — Do multiple services communicate correctly?
  • Regression testing — Did a recent change break something that worked before?

Most candidates name two or three. If you want to walk into the interview knowing each type cold — what it covers, when to use it, and how it differs from the others — this breakdown of types of API testing is worth reading before your prep is done. Name all of them and briefly describe the scenario each one addresses — that's what separates a strong answer.

3. What HTTP methods do you commonly test, and what does each one do?

Method Purpose Expected Success Code
GET Retrieve a resource 200 OK
POST Create a new resource 201 Created
PUT Replace a resource entirely 200 OK
PATCH Partially update a resource 200 OK
DELETE Remove a resource 200 OK or 204 No Content

The follow-up question is almost always: "What's the difference between PUT and PATCH?" PUT replaces the entire resource. PATCH modifies only the fields you send. If you send a PATCH with just {"email": "new@email.com"}, only the email changes. A PUT with the same body would wipe every other field.

4. What HTTP status codes should you validate in your tests?

Go beyond 200 and 404. A complete answer:

  • 200 — Request succeeded
  • 201 — Resource created
  • 204 — Success, no content returned (common for DELETE)
  • 400 — Bad request, malformed input
  • 401 — Not authenticated
  • 403 — Authenticated but not authorized
  • 404 — Resource doesn't exist
  • 422 — Validation failed (request was well-formed but logically invalid)
  • 429 — Rate limit hit
  • 500 — Server-side error, unhandled exception

Interview tip: Mention that you always assert status codes and response body structure — not just one or the other.

5. What is a REST API?

REST (Representational State Transfer) is an architectural style where:

  • Communication is stateless — each request contains all information needed
  • Resources are identified by URLs
  • Standard HTTP methods define operations on those resources
  • Responses are typically JSON or XML

Emphasize stateless — it's the property that makes REST APIs scalable and the one interviewers most often ask follow-up questions about.

Section 2: Intermediate Questions (Where Candidates Start Getting Separated)

6. What is API contract testing and why does it matter in microservices?

Contract testing verifies the agreement between a service consumer and a service provider — independent of whether both are running at the same time.

In microservices, Team A's service depends on Team B's API. If Team B renames a field or removes an endpoint, Team A's service breaks. Contract testing catches this at the source, on every commit, before anything reaches a shared environment.

Pact is the most widely used tool. The consumer defines what it expects; the provider verifies it can fulfill that expectation. No live service needed.

7. How do you test an API that requires authentication?

Walk through the full flow:

  1. Obtain the token (via /login, OAuth flow, or API key)
  2. Include it in the Authorization header on subsequent requests
  3. Write test cases specifically for invalid tokens (401), expired tokens (401), and insufficient permissions (403)

Don't just test the happy path. Every auth-related test case should include at least one negative scenario.

8. What's the difference between functional and non-functional API testing?

Functional: Does the API do what it's supposed to? Correct response, correct data, correct behavior given valid and invalid inputs.

Non-functional: How does it perform? Response time under load, behavior at 10x normal traffic, memory behavior during sustained requests.

Both are necessary. Teams that only do functional testing discover performance problems in production.

9. How do you validate the response body of an API?

Three layers:

  1. Status code — Is it the right one?
  2. Schema — Are the correct fields present, with the correct data types?
  3. Values — Are the actual values correct for this specific test case?

Validating only status codes is one of the most common gaps in API test suites. You can get a 200 OK back with completely wrong data.

10. What's the difference between SOAP and REST, and how does testing differ?

REST uses standard HTTP, is lightweight, returns JSON/XML, and is stateless. SOAP uses XML exclusively, has a strict contract defined in a WSDL file, and supports built-in error handling via fault elements.

Testing differs because SOAP tests must validate the XML envelope structure and the WSDL contract. Tools like SoapUI are purpose-built for this. REST testing tools (Postman, Keploy, RestAssured) don't apply to SOAP directly.

11. How do you handle test data in API testing?

Common approaches:

  • Static test data — Hardcoded values, simple but brittle
  • Dynamic data generation — Created at runtime via setup scripts or factory methods
  • Production traffic replay — Tools like Keploy record real traffic and replay it, so test data always reflects actual usage patterns

The follow-up: "What happens when test data state leaks between tests?" Answer: Tests should clean up after themselves, or each test should create its own isolated state.

12. What is idempotency and which HTTP methods should be idempotent?

An idempotent operation produces the same result whether you call it once or ten times. GET, PUT, DELETE, and PATCH should all be idempotent. POST is generally not — two POST requests create two resources.

Why it matters for testing: if your DELETE endpoint isn't idempotent, calling it twice on the same resource might return a 404 on the second call, which is correct behavior — but your test needs to account for it.

Section 3: Advanced Questions (Senior-Level Interviews)

13. How do you test APIs in a microservices architecture without spinning up every service?

Two approaches:

  1. Service mocking / stubbing — Replace real downstream services with controlled mocks that return predictable responses
  2. Contract testing — Verify the contract independently, so you don't need live downstream services

The combination of mocks for unit/integration tests and contract testing for inter-service agreements is the standard approach at scale.

14. What's your approach to API regression testing in a CI/CD pipeline?

A complete answer covers:

  • Tests run on every pull request, not just on merge
  • Tests are isolated — no shared state between runs
  • Contract tests catch breaking changes before integration tests run
  • Performance baselines alert if response times degrade
  • Flaky tests get quarantined and fixed, not ignored

Tools like Keploy auto-generate regression tests from real API traffic, which keeps test coverage aligned with how the API is actually used — not just how someone imagined it would be used when writing the tests.

15. How do you test for security vulnerabilities in an API?

Core scenarios to test:

  • Injection — SQL, NoSQL, command injection via input fields
  • Broken object-level authorization — Can user A access user B's data by changing an ID?
  • Excessive data exposure — Is the API returning fields it shouldn't?
  • Rate limiting — Is there protection against brute-force attacks?
  • Token security — Are JWTs properly validated? Do expired tokens get rejected?

OWASP API Security Top 10 is the reference list every interviewer expects you to know at the senior level.

16. What is API versioning and how do you test across versions?

Versioning allows the API to evolve without breaking existing consumers. Common strategies: URI versioning (/v1/users), header versioning, query parameter versioning.

Testing across versions means maintaining test suites for each active version and validating that v1 consumers don't break when v2 ships. Contract testing plays a key role here — it explicitly verifies that published contracts are still honored.

17. How do you approach load testing an API?

Steps:

  1. Define baseline performance expectations (e.g., p95 response time under 200ms at 500 concurrent users)
  2. Write realistic load scenarios using actual usage patterns, not synthetic uniform traffic
  3. Run gradually increasing load to find the breaking point
  4. Identify whether failures are in the API layer, the database, or downstream dependencies

Tools: k6, Gatling, JMeter. The follow-up question is usually: "How do you isolate *where the bottleneck is?"* — answer: distributed tracing.

18. What is the difference between mocking and stubbing in API testing?

Stub: Returns a hardcoded response. Simple. Good for when you need a downstream service to just "exist" and respond predictably.

Mock: Has expectations built in. You verify that specific calls were made, with specific parameters, a specific number of times.

Mocks are stricter and catch more — but they also tie your tests more tightly to implementation details.

19. How do you test GraphQL APIs differently from REST?

GraphQL has a single endpoint (/graphql) with queries and mutations. Testing differences:

  • You test the query structure and field-level responses, not endpoint-by-endpoint
  • Invalid fields should return errors, not silently drop data
  • Mutations have side effects that need to be validated
  • Performance testing is trickier because one GraphQL query can trigger N database calls (the N+1 problem)

20. How do you handle flaky API tests?

Flaky tests are almost always caused by: shared mutable state, timing dependencies, or tests that depend on external services that aren't reliably available.

Fix by: isolating test state, using mocks for external dependencies, adding proper wait conditions instead of fixed sleeps, and quarantining flaky tests until root cause is fixed. Never merge code that ignores a flaky test.

Section 4: Tool and Hands-On Questions

21. What API testing tools have you used?

Name the category alongside the tool:

  • Manual exploration: Postman, Insomnia
  • Automated REST testing: RestAssured, Supertest, pytest + requests
  • Contract testing: Pact
  • Load testing: k6, Gatling
  • Auto-generated tests from traffic: Keploy
  • SOAP: SoapUI

Don't just list names. Mention what you specifically used each one for.

22. How do you write a good API test case?

A good test case has:

  • A clear, descriptive name that explains the scenario
  • An explicit setup (what state is required before the test runs)
  • A specific action (the exact request being made)
  • Assertions on status code, response schema, and specific values
  • A teardown (cleaning up any state the test created)

One test case, one scenario. Don't bundle multiple assertions about different behaviors into a single test.

23. What's the difference between positive and negative test cases?

Positive: The happy path — valid inputs, expected behavior, expected success response.

Negative: Everything else — missing required fields, wrong data types, invalid auth tokens, requests that exceed rate limits, IDs that don't exist.

Most bugs live in negative test cases. Teams that only write positive tests discover those bugs in production.

24. How do you test an API endpoint that creates a resource?

For a POST endpoint:

  1. Valid request → assert 201, assert response body matches created resource
  2. Missing required field → assert 400 or 422, assert error message is descriptive
  3. Duplicate resource (if uniqueness is enforced) → assert 409
  4. Invalid data type → assert 400
  5. Unauthorized request → assert 401

Then verify the resource actually exists by calling the corresponding GET endpoint.

25. How do you test pagination?

  • Request first page — assert correct number of items, assert next link exists
  • Request last page — assert correct number of items, assert no next link (or it's null)
  • Request with limit parameter — assert response respects the limit
  • Request a page beyond total results — assert empty results, not an error
  • Request with invalid page number — assert 400

Section 5: Behavioral and Situational Questions

26. Tell me about a time an API bug made it to production. What happened?

If you have a real story: tell it honestly, including what you missed and what you changed afterward.

If you don't: describe a hypothetical based on a known class of issue — authentication tokens not being validated for expiry, for example — and explain how you would have caught it with proper negative testing.

27. How do you prioritize what to test when time is limited?

Risk-based testing: prioritize endpoints that handle authentication, payment, or user data — failures there have the highest business impact. Then prioritize high-traffic endpoints. Then cover edge cases in the happy path before expanding to low-traffic flows.

28. How do you document your API tests?

Tests should be self-documenting: the test name should describe the scenario, the assertions should make the expected behavior explicit. Separate documentation covers test coverage maps (what endpoints are covered, what scenarios are tested), known gaps, and the rationale for skipped scenarios.

29. How do you collaborate with developers on API testing?

Shift left: get involved before the API is built. Review the OpenAPI spec, identify gaps in the contract, flag missing error cases. Write tests against the spec before implementation is done, so the developer gets immediate feedback when their implementation doesn't match.

30. Where do you see API testing going in the next few years?

AI-assisted test generation from real traffic is already here. Tools that auto-generate tests from recorded API interactions (instead of requiring manual test authoring) are changing how teams maintain test coverage. The shift is from "write tests manually to match the spec" to "observe real behavior and continuously validate against it."

How to Use This List

Don't memorize answers. Use these as starting points — understand the concept behind each answer deeply enough that you can adapt when an interviewer takes the conversation in a different direction.

The candidates who stand out aren't the ones who recite perfect definitions. They're the ones who say "in my experience, what actually happens is..." and back it up with something concrete.

Good luck with the interview. You've got this.

Exploring API testing concepts before your interview? Start with what is API testing in software for a complete grounding in the fundamentals.

Tags: #testing #api #interviews #career #webdev #qa

Top comments (0)