Resource library

QA Interview

API Testing Interview Questions for 2 Years Experience

Prepare api testing interview questions 2 years experience candidates face, with practical answers, test design, automation code, and project guidance.

17 min read | 3,189 words

TL;DR

For a two-year API testing interview, master HTTP behavior, practical test design, response and state validation, authentication, data chaining, basic automation, and defect diagnosis. Use concise answers backed by one example you can defend in follow-up questions.

Key Takeaways

  • Answer with concept, test approach, and one concrete piece of evidence.
  • Derive positive, negative, boundary, authorization, and workflow cases from the contract.
  • Validate headers, schema, business values, state, and side effects beyond the status code.
  • Keep automated scenarios independent through owned data, scoped variables, and cleanup.
  • Debug from the sanitized request through state and correlation evidence before assigning cause.
  • Prepare three honest project stories about a defect, an automated flow, and an investigation.

API testing interview questions 2 years experience candidates receive usually test practical execution: HTTP fundamentals, request construction, response validation, test design, authentication, Postman or code-based automation, data handling, and defect investigation. Interviewers do not expect platform architecture leadership at this level. They do expect clear reasoning and examples from real testing work.

This guide helps you answer at the right depth. It shows what a strong two-year candidate should know, how to structure scenario answers, a runnable automation example, and model answers that sound credible without exaggerating ownership.

TL;DR

For every API scenario, explain the contract, inputs, action, assertions, and cleanup. Cover status, headers, body schema, business values, side effects, authorization, and negative boundaries. When describing experience, use one concrete example and state what you personally designed, executed, automated, or diagnosed.

Interview area Two-year expectation Evidence in an answer
HTTP Methods, status classes, headers, content types Explain behavior, not memorized numbers only
Test design Positive, negative, boundary, authorization Derive cases from a sample endpoint
Tools Postman and one automation stack Describe variables, assertions, execution, and reports
Data Create, capture, reuse, and clean test records Keep tests independent
Debugging Read request, response, logs, and correlation IDs Isolate client, API, data, or dependency cause
Communication Clear defect reports and ownership Give a concise project example

1. How to Answer API Testing Interview Questions 2 Years Experience Candidates Receive

At two years, a good answer is practical and bounded. Start with the direct definition, then explain how you apply it, and close with a brief example. A useful pattern is concept -> test approach -> evidence. For example: "Idempotency means repeating the same operation has the defined effect. I test a payment API by repeating the request with the same idempotency key and verifying one charge, a consistent response, and no duplicate event."

Do not turn every answer into a tool tutorial. If asked how you test a POST endpoint, begin with the test model, not the location of the Send button in Postman. Explain required fields, valid creation, response contract, persisted state, invalid and boundary inputs, authorization, duplicate submission, and cleanup. Then mention how Postman or an automated suite executes those cases.

Be precise about your role. "I added automated regression coverage for order and refund APIs" is more credible than "I designed the entire microservices architecture." Interviewers often follow up on test data, authentication, reports, and one difficult failure. Choose examples you can defend.

When you do not know an implementation detail, state the assumption. An answer such as "If this operation is documented as idempotent, I would..." shows judgment. APIs vary, so strong testers clarify the contract instead of inventing a universal rule.

2. Refresh HTTP and REST Fundamentals

HTTP methods express request intent. GET reads a representation and should be safe. POST commonly creates a resource or triggers a command. PUT commonly replaces the target representation and is defined as idempotent. PATCH applies a partial update, with idempotency depending on the patch semantics. DELETE removes or marks a resource deleted and is idempotent in intended effect, even if repeated response codes differ.

Know status code classes and representative codes. A successful create often returns 201 with a resource reference. A valid request with no response body may return 204. A malformed request may return 400, missing or unacceptable authentication commonly returns 401, insufficient permission commonly returns 403, and an absent resource returns 404. Conflict states often use 409, semantic validation can use 422, throttling uses 429, and unexpected server failures use 5xx. The API contract decides the exact choice.

Headers matter. Content-Type describes the representation sent. Accept states what the client can receive. Authorization carries credentials. Cache-Control guides caching. Location can identify a created resource. Correlation IDs connect client evidence to server logs.

REST is an architectural style, not a synonym for JSON over HTTP. In an interview, focus on resource-oriented interfaces, stateless interactions, representations, uniform semantics, and cacheability where applicable. Do not claim every production API is perfectly RESTful. QA tests the published contract, including deliberate RPC-style commands.

For a Java automation perspective, review REST Assured given, when, then examples. The HTTP reasoning remains the same across tools.

3. Derive Positive, Negative, and Boundary Tests

Suppose an endpoint creates a booking with customerId, roomType, checkIn, checkOut, and guestCount. Start with one valid request and verify status, response fields, generated ID, default state, headers, and persistence through a GET or trusted database check. Then vary one rule at a time.

Positive partitions include supported room types, minimum and maximum valid guest counts, same-day rules if supported, and an authenticated user with permission. Negative partitions include missing required values, null, wrong types, blank identifiers, unsupported enum values, invalid date order, unauthorized customer IDs, and malformed JSON. Boundaries cover the smallest and largest allowed values plus one immediately outside each edge.

Add protocol and workflow cases:

Category Example for create booking Main assertion
Contract Missing Content-Type Documented 4xx and stable error code
Validation checkOut before checkIn No booking is created
Authorization User books for forbidden customer Denial and unchanged state
Duplicate Same idempotency key twice No unintended duplicate
Concurrency Last room requested twice At most one valid allocation
Dependency Payment service times out Defined rollback or pending state

Avoid creating dozens of combinations without a model. Use equivalence partitioning, boundary value analysis, decision tables, and state transitions. Explain why each case covers a different risk. This answer demonstrates test design skill beyond listing random payloads.

If an OpenAPI document exists, use it to identify required fields, types, formats, schemas, and documented responses. Generating API tests from OpenAPI can accelerate mechanical coverage, but business rules and authorization still need human design.

4. Validate More Than the Status Code

A 200 response can contain an error object, stale data, another user's record, or a body that violates the schema. A strong API assertion checks layers in a useful order. First validate the status and content type. Then validate required headers and schema. Next assert business values and relationships. Finally confirm durable state and relevant side effects.

For a created order, verify the returned customer matches the request, server-generated fields are present, money uses the expected currency and rounding, status begins in the correct state, and links or IDs refer to retrievable resources. Query the order through a second endpoint. If creation publishes an event, verify it through an approved test consumer or observable record.

Negative tests need equally strong assertions. Verify a stable error code, useful field-level details where documented, no stack trace or secret, and no persistence. Avoid matching the entire English error sentence unless that wording is itself a contract. Product copy changes can create noisy failures.

Schema and value assertions solve different problems. A schema can prove that total is a number, but it cannot prove the total equals quantity multiplied by unit price. Conversely, checking one expected total does not prove required fields and types across the response.

Also consider response time, but do not place an arbitrary strict threshold on every developer machine. Use an agreed service objective in a controlled environment and investigate distributions, dependencies, and warmup. Functional tests can record latency without pretending to be full performance tests.

5. Explain Authentication and Authorization Clearly

Authentication answers who the caller is. Authorization answers whether that identity may perform an action on a function or object. A valid bearer token can authenticate Alice while authorization correctly prevents Alice from reading Bob's account.

Test authentication with a valid credential, missing credential, wrong scheme, malformed credential, expired token, revoked token, and a token intended for another audience when relevant. Do not log the token. If tests need fresh tokens, obtain them through an approved identity flow or a test fixture with least privilege.

Test authorization using at least two users and preferably two tenants. Create data owned by each identity, then repeat valid reads and mutations with the wrong identity. Cover collection results, nested resources, exports, and administrative functions, not just direct GET by ID. Verify the response and state after denial.

In an interview, distinguish 401 from 403 without making it absolute for every product. Say that 401 commonly means the request lacks acceptable authentication, while 403 commonly means the authenticated identity is not permitted. Some APIs return 404 for unauthorized object access to avoid confirming existence.

Explain that CORS is a browser-enforced cross-origin policy, not server-side authentication. Curl, mobile apps, and backend clients are not stopped by a browser's CORS checks. For a broader checklist, use API security testing basics.

6. Handle Variables, Data Chaining, and Cleanup

API workflows often require data from an earlier response. A test creates a customer, extracts the generated customer ID, creates an order for that customer, verifies the order, and deletes or expires the generated data. Pass values through scoped variables or function arguments rather than global mutable state.

In Postman, use collection or environment variables intentionally and keep secrets in an appropriate secret mechanism. A test script can read JSON with pm.response.json(), assert with the provided Chai-style API, and store a generated ID with pm.collectionVariables.set("customerId", value). In command-line runs, supply environment-specific values securely and publish sanitized reports. Do not assume a desktop-only local value exists in CI.

Independent tests are easier to debug. Each scenario should create the minimum data it owns or use an immutable fixture. Cleanup should run even when an assertion fails. If deletion is not available, use unique names with a run identifier and an agreed retention process.

Avoid chaining an entire regression collection through one shared customer. One early failure then causes dozens of misleading failures. Chaining is appropriate inside one business scenario, not as an accidental suite-wide dependency.

Test data must represent authorization boundaries, states, dates, and value edges. Keep personal and payment data synthetic. A good interview example explains how you prevented collisions during parallel execution and how you found records for cleanup without exposing secrets.

7. Write a Runnable Starter Automation Test

This example uses only current built-in Node.js APIs: node:test, strict assertions, HTTP, and fetch. Save it as users-api.test.mjs and run node --test users-api.test.mjs. It demonstrates a positive create, a negative validation case, response checks, data extraction, and state verification.

import assert from "node:assert/strict";
import http from "node:http";
import test from "node:test";

const users = new Map();
let nextId = 1;

const server = http.createServer(async (req, res) => {
  res.setHeader("Content-Type", "application/json");

  if (req.method === "POST" && req.url === "/users") {
    let raw = "";
    for await (const chunk of req) raw += chunk;
    const input = JSON.parse(raw);
    if (typeof input.email !== "string" || !input.email.includes("@")) {
      res.writeHead(422).end(JSON.stringify({ code: "INVALID_EMAIL" }));
      return;
    }
    const user = { id: String(nextId++), email: input.email, status: "active" };
    users.set(user.id, user);
    res.writeHead(201, { Location: `/users/${user.id}` }).end(JSON.stringify(user));
    return;
  }

  const match = req.url.match(/^\/users\/(\d+)$/);
  const user = match && users.get(match[1]);
  if (req.method === "GET" && user) {
    res.writeHead(200).end(JSON.stringify(user));
    return;
  }
  res.writeHead(404).end(JSON.stringify({ code: "NOT_FOUND" }));
});

test("creates and retrieves a valid user", async (t) => {
  await new Promise((resolve) => server.listen(0, "127.0.0.1", resolve));
  t.after(() => server.close());
  const { port } = server.address();
  const baseUrl = `http://127.0.0.1:${port}`;

  const create = await fetch(`${baseUrl}/users`, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ email: "qa@example.test" })
  });
  assert.equal(create.status, 201);
  assert.match(create.headers.get("location"), /^\/users\/\d+$/);
  const created = await create.json();
  assert.deepEqual(created, { id: created.id, email: "qa@example.test", status: "active" });

  const read = await fetch(`${baseUrl}/users/${created.id}`);
  assert.equal(read.status, 200);
  assert.deepEqual(await read.json(), created);

  const invalid = await fetch(`${baseUrl}/users`, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ email: "not-an-email" })
  });
  assert.equal(invalid.status, 422);
  assert.equal((await invalid.json()).code, "INVALID_EMAIL");
});

In a real framework, the server already exists. Keep the same structure: arrange isolated data, send through a reusable client, assert the contract and business state, and clean up. Mention the stack you actually use, whether Java with REST Assured, JavaScript or TypeScript, Python, or a collection runner.

8. Debug Failures and Report API Defects

When an API test fails, first preserve a sanitized request, response, timestamp, environment, build, identity alias, and correlation ID. Confirm whether the failure reproduces with one direct request. Separate request construction problems from application behavior.

Use a consistent path:

  1. Confirm URL, method, headers, content type, encoding, and payload.
  2. Check authentication freshness and the test identity's role.
  3. Compare the observed response with the contract.
  4. Query state to determine whether processing occurred.
  5. Use the correlation ID to inspect gateway, service, database, and dependency evidence.
  6. Reproduce with controlled data and reduce the request to the minimum failing case.

A timeout does not automatically mean the API is slow. DNS, TLS, proxy configuration, client connection pools, test runner saturation, and dependencies can contribute. A 500 after malformed input may be a validation defect. A 404 may result from wrong environment data or correct authorization concealment. Investigate before assigning cause.

A strong defect report contains a descriptive title, environment and build, preconditions, exact sanitized request, actual response, expected behavior, state impact, repeatability, severity reasoning, and correlation evidence. For intermittent failures, include frequency as observed in a defined sample, not a vague "sometimes."

Interviewers value learning. Prepare one example where the first symptom was misleading, describe the evidence you gathered, and explain the regression coverage added after the fix.

9. Practice API Testing Interview Questions 2 Years Experience Candidates Face

Run a 45-minute mock session. Spend ten minutes on HTTP and REST, fifteen on test design for a sample endpoint, ten on tool or code automation, and ten on project examples. Answer aloud. Clear structure matters more than reciting a long list.

Prepare three project stories:

  • A defect found through a negative or boundary case.
  • An API scenario you automated and stabilized.
  • A difficult failure you diagnosed with logs, state, or correlation IDs.

For each story, state the context, your responsibility, action, evidence, and result. Avoid confidential names and invented metrics. Quantify only what you know, such as the number of endpoints you personally covered or the suite duration you measured.

Practice from incomplete requirements. Ask what authenticates the caller, who owns the object, which fields are required, what the boundaries are, what side effects occur, whether the operation is idempotent, and how errors are represented. Interviewers often assess the questions you ask before the cases you list.

You should be able to sketch a small automated test and explain why it is independent. You do not need to memorize every library method. Know how your chosen tool sends requests, sets headers, serializes JSON, extracts data, asserts responses, runs in CI, and produces useful failure evidence.

Interview Questions and Answers

Q: What is API testing?

API testing validates an application's service interface directly by sending requests and checking responses, state, side effects, security, and reliability. It does not depend on the user interface. I use the API contract and business rules to design positive, negative, boundary, and authorization scenarios.

Q: What is the difference between PUT and PATCH?

PUT commonly replaces the target representation and has idempotent semantics. PATCH applies a partial change, and whether it is idempotent depends on the patch operation. I verify the API's documented behavior, omitted-field handling, and repeated requests.

Q: What do you validate in an API response?

I validate status, content type, important headers, schema, required fields, types, business values, and relationships. For mutations I also verify persisted state and side effects. For errors I check the stable error code and absence of internal details.

Q: How do you test a POST API?

I start with valid minimum and typical payloads, then confirm creation and retrieval. I add missing, null, wrong-type, boundary, duplicate, authorization, content-type, and concurrency cases based on risk. I verify rejected requests create no record.

Q: What is the difference between 401 and 403?

401 commonly means acceptable authentication is missing or failed. 403 commonly means the server recognized the identity but denies the action. I follow the product contract because some object endpoints intentionally return 404 to avoid disclosing existence.

Q: How do you pass data between API requests?

I parse the first response, validate the value, and pass it through a scoped variable or function argument to the next request. I avoid suite-wide mutable globals. The scenario owns its data and cleanup.

Q: What is idempotency?

An idempotent operation has the same intended effect when repeated. GET, PUT, and DELETE have idempotent semantics, while POST is not generally idempotent unless the API adds a mechanism such as an idempotency key. I test both the response and duplicate side effects.

Q: How do you validate a JSON schema?

I use the contract's schema with a supported validator to check types, required fields, formats, and allowed structures. I also add business assertions because schema validation cannot prove ownership, calculations, or state rules.

Q: How do you test pagination?

I cover empty, one-page, exact-page, and multi-page datasets. I verify page size, ordering, no duplicates or gaps while data is stable, boundary cursors, invalid parameters, authorization filtering, and terminal-page behavior.

Q: How do you handle dynamic values?

I assert their type, format, and relationship instead of an exact hard-coded value. I extract generated IDs for later requests and compare timestamps within a justified range. Stable expected values remain exact.

Q: What is contract testing?

Contract testing checks that the API's request and response behavior matches an agreed interface. It can include schema, status, headers, and consumer-provider expectations. It complements, rather than replaces, business workflow and end-to-end testing.

Q: How would you investigate a 500 response?

I save the sanitized request and correlation ID, confirm the request is valid, reproduce with minimal data, and inspect service and dependency logs. I check whether state changed despite the error. Then I report impact and add regression coverage after the fix.

Common Mistakes

  • Memorizing definitions without examples: Add one practical test or project observation.
  • Checking only status codes: Validate schema, business values, state, and side effects.
  • Listing random negative cases: Derive partitions and boundaries from actual rules.
  • Confusing authentication with authorization: Always include cross-user or cross-tenant checks.
  • Sharing one data record across the suite: Create scenario-owned data to prevent order dependence.
  • Hard-coding tokens and generated IDs: Obtain credentials safely and extract runtime data.
  • Claiming every POST is non-idempotent: The method is not generally idempotent, but an API can define deduplication behavior.
  • Blaming the server too early: Validate the client request, environment, identity, and evidence first.
  • Exaggerating ownership: Explain your real contribution and be ready for follow-up details.

Conclusion

Strong answers to API testing interview questions 2 years experience candidates face combine correct fundamentals with evidence of hands-on work. Explain the contract, derive focused cases, validate business outcomes, handle authentication and data safely, and debug with a repeatable process.

Practice one endpoint from requirement to automated test, then rehearse three defensible project stories. That preparation shows the interviewer you can contribute to API quality now and grow into broader framework and strategy ownership.

Interview Questions and Answers

What is API testing, and why is it useful?

API testing validates service behavior directly through requests and responses. It checks the contract, business rules, state, side effects, security, and reliability without depending on a user interface. It gives focused feedback and can cover cases that are difficult to reach through the UI.

Which checks belong in a positive POST API test?

I send a valid payload with the required identity and headers. I validate creation status, content type, schema, returned values, generated ID, defaults, and Location when documented. Then I retrieve or query the resource to prove the correct durable state.

How do you design negative API cases?

I derive equivalence partitions and boundaries from each field and business rule. I add missing, null, type, format, authorization, content-type, duplicate, and state-transition cases according to risk. For every rejection, I verify a stable error and no unintended state change.

What is the difference between status 400 and 422?

A service often uses 400 when the request cannot be processed as a valid request, while 422 can represent semantically invalid content. Products differ in how they divide validation failures. I follow the published contract and check error consistency rather than forcing one convention.

How do you validate a dynamic response field?

I validate its type, format, and relationships instead of hard-coding an exact value. A generated ID can be extracted and used to retrieve the resource. A timestamp can be parsed and compared with the action time using a justified tolerance.

How do you test API authentication?

I cover valid, missing, malformed, expired, and revoked credentials according to the system design. I verify the documented 401 behavior and check that no sensitive detail leaks. Credentials are obtained safely and redacted from output.

How do you test API authorization?

I use at least two identities with separated ownership and roles. I repeat valid reads and mutations against another user's or tenant's object, then verify denial and unchanged state. I include collection and nested-resource paths because permission defects can hide there.

How do you chain API requests without making a suite fragile?

I chain only the steps within one business scenario. The scenario creates its own data, parses and validates generated values, and passes them through local scope. Other tests do not depend on that chain and cleanup runs even after failure.

What is JSON schema validation unable to prove?

A schema can prove structure, types, required fields, and allowed formats. It cannot prove a calculation, ownership rule, correct database change, or permitted workflow transition. I pair schema validation with explicit business and state assertions.

How would you test pagination?

I create empty, one-page, exact-boundary, and multi-page datasets. I verify limit rules, ordering, filters, invalid page or cursor values, terminal behavior, and authorization filtering. With stable data, traversal should produce no unexpected gaps or duplicates.

How do you investigate an unexpected 500 response?

I capture the sanitized request, response, time, build, and correlation ID. I confirm the request and identity, reduce the case, check durable state, and inspect the related service and dependency evidence. I report the observed cause only after the evidence supports it.

How do you run API tests from CI?

I provide environment configuration and secrets through the CI platform, install the pinned dependencies, and run the collection or code suite noninteractively. Reports publish sanitized failures and artifacts. The job fails on agreed critical assertions and preserves enough evidence for triage.

What is an idempotency key?

It is a client-provided identifier an API can use to recognize repeated attempts for the same operation. I repeat the same request and key and verify one business effect. I also check how the API handles a reused key with a different payload.

What makes a strong API bug report?

It includes environment and build, preconditions, an exact sanitized request, actual and expected results, state impact, repeatability, and a correlation ID. Severity is tied to customer or system impact. The report avoids tokens and other sensitive data.

Frequently Asked Questions

What should a QA engineer with two years know about API testing?

You should understand HTTP methods, common status codes, headers, JSON, authentication, positive and negative design, boundaries, schema and value assertions, and basic automation. You should also be able to create and clean test data, run tests in CI, and investigate failures with correlation evidence.

Are Postman skills enough for a two-year API testing interview?

Postman can demonstrate request construction, variables, scripts, collection execution, and reports, but interviews usually assess test thinking beyond the tool. Explain contracts, authorization, state, side effects, independence, and debugging. Knowing one code-based automation stack strengthens your profile.

How many API interview questions should I prepare?

Do not optimize only for question count. Cover HTTP, test design, authentication, payloads, data, automation, debugging, and project scenarios deeply enough to handle follow-ups. A smaller practiced set is more useful than memorizing hundreds of short definitions.

Will I be asked to write API automation code?

Many interviews include a small request, assertion, parsing, or framework question. Practice sending a JSON request, checking the response, extracting a dynamic ID, and using it in a second call. Use the language and library you genuinely know.

How should I explain an API defect in an interview?

Describe the context, expected contract, request variation, observed response and state, investigation evidence, and your contribution to regression coverage. Keep confidential data out and avoid claiming team work as individual work.

What scenario questions are common for two years of experience?

Common scenarios include testing create or update endpoints, pagination, authentication, duplicate requests, dynamic IDs, validation boundaries, and a 500 or timeout investigation. Interviewers may also ask how you would test an endpoint with incomplete requirements.

How should I answer when I do not know an API detail?

State the assumption and ask which behavior the contract promises. Explain how your test would change for the likely alternatives. This shows disciplined reasoning and is better than presenting one product-specific convention as universal.

Related Guides