QA Interview
GraphQL API Testing Interview Questions
GraphQL API testing interview questions and answers: queries vs mutations, the errors array, introspection, schema testing, N+1, depth limits, and security.
2,433 words | Article schema | FAQ schema | Breadcrumb schema
Overview
GraphQL breaks most of the reflexes a tester built on REST, and that is precisely what interviewers are checking. There is one endpoint instead of many, the HTTP status is almost always 200 even when the request failed, and errors live in a JSON array rather than the status line. If your testing instincts still say assert the 404, you will get caught out. This guide rebuilds those instincts for the GraphQL world.
The distinct angle here is the contrast with REST. Nearly every question an interviewer asks is really probing whether you understand what GraphQL moved: the shape of the response is chosen by the client, the schema is a hard contract enforced by the server, and a single malformed field can return partial data plus an error at the same time. Get comfortable talking in those terms and the answers write themselves.
You will find conceptual questions, scenario prompts, hands-on checks on the errors array and status codes, and a solid block on GraphQL-specific security, which is a favorite of senior interviewers because the attack surface differs from REST. Say the core idea, then contrast it with how you would have tested the same thing in REST to prove you understand the shift.
GraphQL vs REST for a Tester
The opener almost always asks you to compare the two, because your framing reveals how much you actually understand. Focus on what changes for testing, not textbook definitions.
Q: How does testing GraphQL differ from testing REST? Answer: In REST I test many endpoints, each with its own URL, verb, and status codes, and I lean on those status codes to tell success from failure. GraphQL has a single endpoint, usually POST /graphql, and the client sends a query describing exactly the fields it wants. That means I stop testing per-URL and start testing per-operation and per-field. The biggest shift is error handling: GraphQL typically returns HTTP 200 even for a failed operation and puts the failure in an errors array in the body, so my assertions move from the status line into the response payload. I also gain the ability to request over-fetching and under-fetching scenarios that simply do not exist in REST.
- Q: Why one endpoint? A: The client specifies its data needs in the query, so the server does not need a URL per resource shape.
- Q: What problems does GraphQL solve? A: Over-fetching (getting fields you do not need) and under-fetching (needing many REST calls to assemble one screen).
- Q: What does that cost testers? A: Status codes stop being the primary signal, and query flexibility creates a much larger input space to cover.
Queries, Mutations, and Subscriptions
You must know the three operation types and what testing each involves, because they map to read, write, and real-time behavior.
Q: What is the difference between a query, a mutation, and a subscription, and how do you test each? Answer: A query reads data and should have no side effects, so I test that I get exactly the fields I asked for with correct types, and I verify it is safe to call repeatedly. A mutation writes data (create, update, delete), so I assert the returned object reflects the change, the change actually persisted, and invalid input is rejected with a clear error. A subscription streams data over a persistent connection (usually WebSocket) when an event fires, so I test it by triggering the event through a mutation and asserting the subscriber receives the expected payload within a timeout. The distinction matters because a query with side effects or a mutation that returns stale data are both real bugs.
- Q: How do you send variables instead of inlining values? A: A variables object alongside the query, referenced as $id in the operation, which is the safe, injection-resistant way to parameterize.
- Q: What are fragments and aliases? A: Fragments are reusable field sets; aliases rename fields in the response so you can request the same field twice with different arguments.
- Q: How do you test a subscription's teardown? A: Confirm the connection closes cleanly and stops delivering events after unsubscribe, so resources are not leaked.
Status Codes and the Errors Array
This is the single most important GraphQL testing question and the one REST testers fail. Master the fact that success and failure both often arrive as HTTP 200.
Q: If GraphQL returns 200 even on failure, how do you know a request failed? Answer: I assert on the response body, not just the status line. A GraphQL response has a data field and an optional errors array. Success means errors is absent and data holds what I asked for. Failure means the errors array is present, each entry carrying a message, a path pointing to the failing field, and often an extensions object with a machine-readable code. Crucially, GraphQL can return both: partial data plus an error, when some fields resolve and one fails. So my assertion is always twofold: check errors is empty for a happy path, and for a negative test assert the specific error code and path rather than a status code.
- Q: When does GraphQL still return non-200? A: Transport-level problems: 400 for a malformed query the server cannot parse, 401 for missing auth at the gateway, or 500 for a server crash before resolution.
- Q: What is partial data? A: A response where some fields resolved successfully and others failed, returning both data and errors together, which must be tested explicitly.
- Q: What do you assert on an error? A: The message, the path to the failing field, and the extensions.code, not a generic 'something failed'.
Schema, Types, and Introspection
The schema is GraphQL's contract, and introspection lets you read it programmatically. Interviewers test whether you use the schema as a testing asset.
Q: How do you use the GraphQL schema and introspection in your testing? Answer: The schema (written in SDL) is the source of truth for every type, field, argument, and whether each is nullable. I use introspection, a special query that asks the API to describe its own schema, to generate contract tests and to detect breaking changes between versions: a removed field, a type change, or a field that became non-null. I validate that responses conform to the schema's types and nullability, and I add a test that the current schema has not drifted from the agreed contract. When the schema changes in a backward-incompatible way, that test fails before consumers are affected.
- Q: What is SDL? A: Schema Definition Language, the text format describing types, queries, mutations, and their fields.
- Q: What is a resolver? A: The server function that fetches the data for a single field; a slow or failing resolver is a common source of partial errors.
- Q: How do you catch a breaking schema change? A: Compare the introspected schema against a stored baseline and fail on removed fields, changed types, or new required arguments.
Scenario-Based Questions
Scenario prompts test whether you can apply GraphQL mechanics to a messy real situation. Reason through the response shape.
Q: A query returns some fields correctly but null for a nested object, with an error in the array. How do you approach it? Answer: This is partial success, and it usually means one resolver failed while the rest succeeded. I read the errors array first: the path tells me exactly which field failed, and the extensions.code often tells me why (unauthorized, not found, downstream timeout). I check whether the null is legitimate (the field is nullable and genuinely has no value) or a masked failure. Then I isolate the failing resolver: is it an auth problem on that specific field, a broken downstream service, or bad test data. I write a focused test that requests only the failing field so the signal is not diluted by the fields that work.
Q: A client complains one screen is slow. You find the query fetches deeply nested lists. What is happening? Answer: This is likely the N+1 problem, where resolving a list triggers one database call per item instead of a batched call. I confirm by counting downstream calls per query, and the fix is usually a batching layer like DataLoader on the server. As a tester I add a query-complexity or nesting-depth check so an expensive query is caught in review, not in production.
GraphQL Security Testing
Security is a heavily weighted GraphQL topic because the flexible query language creates an attack surface REST does not have. Show you know the GraphQL-specific risks.
Q: What security risks are unique to GraphQL and how do you test them? Answer: The flexibility that helps clients also helps attackers. A malicious deeply nested or recursive query can exhaust the server, so I test that query depth limiting and query cost/complexity analysis reject abusive queries with a clear error rather than timing out. Introspection should usually be disabled in production, so I verify an introspection query is refused there. Because there is one endpoint, field-level authorization matters: I test that a low-privilege token cannot read a sensitive field even inside an allowed query. I also check batching and alias abuse, where an attacker repeats an expensive field many times via aliases to amplify load.
- Q: Why disable introspection in production? A: It hands attackers the full schema map; testers verify it returns an error in prod but stays available in lower environments.
- Q: What is query depth limiting? A: A server guard that rejects queries nested beyond a threshold, preventing denial-of-service from recursive queries.
- Q: How do you test field-level auth? A: Send an allowed query with a low-privilege token and assert the sensitive field is denied, not silently returned.
Hands-On and Tooling Questions
For automation roles you will be asked how you actually write GraphQL tests. Emphasize that a GraphQL call is just an HTTP POST, so existing tools work.
Q: How do you automate GraphQL tests, and which tools? Answer: Because a GraphQL request is a POST with a JSON body containing query and variables, I can use any HTTP-capable tool: REST Assured or a Java client, Playwright's request API, a JavaScript client, or Postman which has native GraphQL support with schema-aware autocomplete. I keep queries in separate files so they are reviewable and reusable, pass inputs through variables rather than string interpolation, and assert on the data and errors fields. For contract testing I use the introspected schema to detect drift. The key point I make is that I do not need a special framework; I need discipline about the response shape.
- Q: How do you parameterize safely? A: Pass a variables object, never string-concatenate values into the query, which mirrors avoiding SQL injection.
- Q: How do you test pagination in GraphQL? A: Verify cursor-based (Relay-style) connections: pageInfo.hasNextPage, endCursor, stable ordering, and no duplicated or skipped nodes across pages.
- Q: How do you keep queries maintainable? A: Store them as named operations in version control and reuse field sets with fragments.
Contract Testing and Versioning
GraphQL versions differently from REST, and interviewers want to know you understand evolution over v1/v2 URLs.
Q: How does versioning work in GraphQL and how do you test API evolution? Answer: GraphQL usually avoids URL versioning like /v2. Instead the schema evolves in place: new fields are added, and old fields are deprecated with a @deprecated directive rather than deleted immediately. My testing job is to guard that evolution stays backward compatible. I assert deprecated fields still return correct data until their sunset, verify new fields are additive and do not break existing queries, and run a schema-diff test in CI that flags any removal or type change as a breaking change requiring sign-off. This way clients migrate on their own timeline instead of being broken by a silent deploy.
Frequently Asked Questions
How is testing GraphQL different from testing REST?
GraphQL uses a single endpoint and returns exactly the fields the client requests, and it usually responds with HTTP 200 even on failure, placing errors in an errors array in the body. So assertions move from status codes into the response payload, and you test per operation and field rather than per URL.
How do you know a GraphQL request failed if it returns 200?
Check the response body. A GraphQL response has a data field and an optional errors array. If errors is present, the operation failed at least partially. Assert on the error message, path, and extensions.code rather than relying on the HTTP status line.
What is partial data in GraphQL and why does it matter?
When some fields resolve successfully and one resolver fails, GraphQL returns both the resolved data and an error together. Testers must handle this explicitly by reading the errors array and the path to the failing field, instead of assuming a response is all-success or all-failure.
How do you test GraphQL security?
Verify query depth limiting and complexity analysis reject abusive nested queries, confirm introspection is disabled in production, test field-level authorization so low-privilege tokens cannot read sensitive fields, and check that alias or batch abuse cannot amplify server load.
What tools do you use to test a GraphQL API?
Any HTTP-capable tool works because a GraphQL request is a POST with a JSON body. Common choices are Postman (with native GraphQL support), REST Assured, Playwright's request API, or a JavaScript client. Store queries in files and pass inputs through variables.
How does GraphQL handle versioning?
GraphQL usually evolves the schema in place instead of using versioned URLs. New fields are added and old ones are marked with the @deprecated directive rather than removed. Test that deprecated fields still work, new fields are additive, and a schema-diff test flags any breaking removal or type change.
What is the N+1 problem in GraphQL testing?
It happens when resolving a list triggers one downstream call per item instead of a batched call, making nested queries slow. Confirm it by counting downstream calls per query; the server-side fix is a batching layer like DataLoader, and testers add depth or complexity checks to catch expensive queries.
Related QAJobFit Guides
- GraphQL Testing Interview Questions and Answers
- API Testing Interview Questions and Answers (2026)
- API Testing Interview Questions for 2 Years Experience
- API Testing Interview Questions for 3 Years Experience
- API Testing Interview Questions for 5 Years Experience
- API Testing Interview Questions for 7 Years Experience