API Testing TOP 2025 Intermediate-level Interview questions : Part 2

 

Explain the differences between functional and non-functional API testing.

·         Functional API Testing: Focuses on verifying the correctness of the API’s functionality. It ensures that the API behaves as expected based on the requirements. Examples include testing endpoints, request/response validation, error handling, and business logic.

·         Non-Functional API Testing: Focuses on aspects like performance, reliability, scalability, and security. Examples include load testing, stress testing, security testing, and latency measurement.

What are the best practices for API test automation?

·         Use a robust framework (e.g., Postman, RestAssured, or pytest).

·         Write reusable and modular test scripts.

·         Validate response status codes, headers, and payloads.

·         Use data-driven testing for multiple scenarios.

·         Implement proper error handling and logging.

·         Integrate tests into CI/CD pipelines for continuous testing.

·         Mock dependencies for isolated testing.

·         Follow version control for test scripts.

How do you test API performance?

·         Use tools like JMeter, Gatling, or LoadRunner.

·         Test for response time, throughput, and latency under various loads.

·         Conduct stress testing to determine breaking points.

·         Monitor server resources (CPU, memory) during testing.

·         Validate performance against SLAs (Service Level Agreements).

What is the role of API documentation in testing?

·         API documentation (e.g., Swagger/OpenAPI) serves as a reference for understanding endpoints, request/response formats, and authentication methods.

·         It helps testers design accurate test cases and validate API behavior.

·         Automated tests can be generated directly from documentation.

How do you handle API versioning?

·         Use URL-based versioning (e.g., /v1/resource).

·         Implement header-based versioning (e.g., Accept: application/vnd.api.v1+json).

·         Ensure backward compatibility for older versions.

·         Clearly document version changes and deprecation policies.

What is an idempotent method in API testing?

·         An idempotent method produces the same result regardless of how many times it is executed. For example, GET, PUT, and DELETE are idempotent, while POST is not.

·         Testing idempotency involves sending the same request multiple times and verifying the response and server state.

How do you manage API test data?

·         Use test data management tools or databases.

·         Create isolated test environments to avoid conflicts.

·         Use data seeding scripts to populate test data.

·         Clean up test data after execution to maintain consistency.

Explain the concept of pagination in APIs.

·         Pagination is used to split large datasets into smaller chunks (pages) for efficient retrieval.

·         Common methods include offset-based pagination (?page=1&limit=10) and cursor-based pagination (?cursor=abc123).

·         Test pagination by verifying the correct number of items per page and the ability to navigate between pages.

What is a WebSocket, and how does it differ from REST APIs?

·         WebSocket: A bidirectional communication protocol that allows real-time data exchange between client and server.

·         REST API: A stateless, request-response protocol over HTTP.

·         WebSocket is ideal for real-time applications (e.g., chat apps), while REST is better for CRUD operations.

What is OAuth, and how does it work?

·         OAuth is an authorization framework that allows third-party applications to access user data without sharing credentials.

·         It involves tokens (access and refresh tokens) and flows like Authorization Code, Implicit, and Client Credentials.

·         Test OAuth by validating token generation, expiration, and scopes.

How do you perform security testing for APIs?

·         Test for authentication and authorization mechanisms.

·         Validate input to prevent SQL injection, XSS, and other attacks.

·         Use tools like OWASP ZAP or Burp Suite.

·         Check for sensitive data exposure in responses.

·         Test rate limiting and DDoS protection.

What is HATEOAS in RESTful services?

·         HATEOAS (Hypermedia as the Engine of Application State) is a constraint in RESTful APIs where responses include hyperlinks to related resources.

·         It enables clients to navigate the API dynamically without prior knowledge of endpoints.

·         Test HATEOAS by verifying the presence and correctness of hyperlinks in responses.

How do you handle API chaining in testing?

·         API chaining involves using the output of one API as the input for another.

·         Store responses in variables and pass them to subsequent requests.

·         Use tools like Postman or scripts to automate chaining.

·         Validate the final output after the chain completes.

What is the difference between GraphQL and REST?

·         REST: Uses fixed endpoints and returns predefined data structures.

·         GraphQL: Allows clients to query specific data fields and relationships in a single request.

·         GraphQL is more flexible but requires careful schema design.

How do you test APIs in a CI/CD pipeline?

·         Integrate API tests into CI/CD tools like Jenkins, GitLab, or CircleCI.

·         Use automated test frameworks to run tests on every build.

·         Fail the pipeline if tests do not pass.

·         Generate and publish test reports for visibility.

 

What is schema validation in API testing?

·         Schema validation ensures that API responses adhere to a predefined structure (e.g., JSON schema).

·         Tools like JSON Schema Validator or libraries in Python/Java can be used.

·         It helps catch structural errors in responses.

How do you handle session management in APIs?

·         Use tokens (e.g., JWT) for stateless session management.

·         Validate token expiration and renewal mechanisms.

·         Test for session hijacking and token leakage.

Explain the use of response time validation in API testing.

·         Response time validation ensures that APIs meet performance benchmarks.

·         Measure and compare response times against SLAs.

·         Use tools like Postman or JMeter to monitor and report response times.

What are webhooks, and how are they tested?

·         Webhooks are user-defined HTTP callbacks triggered by events.

·         Test webhooks by simulating events and verifying that the correct payload is sent to the endpoint.

·         Use tools like ngrok to expose local endpoints for testing.

How do you perform contract testing in APIs?

·         Contract testing ensures that the API implementation matches the agreed-upon contract (e.g., OpenAPI specification).

·         Use tools like Pact or Dredd to validate requests and responses against the contract.

Focus on backward compatibility and adherence to schema