API Testing Interview Questions and Answers for 2025

You’ve found the ultimate resource for API Testing Interview Questions. This guide features over 100 questions and detailed answers tailored for freshers, intermediate, and experienced professionals. Whether you’re facing your first technical screening or aiming for a senior role, mastering these common API testing interview questions will help you demonstrate your expertise and secure the job.

The global API testing market is expanding rapidly, with its value projected to grow from over USD 1.3 billion in 2024 to nearly USD 6 billion by 2030, reflecting a compound annual growth rate (CAGR) of around 16-20%. This growth highlights the critical role of APIs in modern software and the increasing demand for skilled testers.

Introduction to API Testing

Application Programming Interfaces (APIs) are the backbone of modern software, enabling different applications to communicate and exchange data seamlessly. API testing is a type of software testing that focuses on verifying the functionality, reliability, performance, and security of these interfaces. Unlike UI testing, which validates the look and feel of an application, API testing operates at the message layer, ensuring the business logic works correctly without a user interface.

As companies increasingly adopt Agile, DevOps, and microservices architectures, the need for robust API testing has become paramount to ensure system reliability and deliver flawless user experiences.

Roles and Responsibilities in API Testing

An API Tester plays a crucial role throughout the software development lifecycle. Their responsibilities go beyond simple validation and require a unique set of technical skills.

Key responsibilities include:

• Test Planning and Design: Collaborating with developers and stakeholders to create comprehensive test plans and designing test cases that cover positive and negative scenarios, boundary conditions, and error handling.
• Test Execution: Running tests to validate API functionality, including checking requests, responses, and data accuracy.
• Automation: Developing and maintaining automated test scripts using tools and frameworks to increase efficiency and test coverage.
• Performance and Security Testing: Conducting load, stress, and security tests to identify performance bottlenecks and vulnerabilities.
• Defect Management: Identifying, documenting, and tracking bugs and collaborating with the development team for resolution.
• Documentation Review: Validating API documentation to ensure it is accurate and clearly reflects the API’s behavior.
• CI/CD Integration: Integrating the API test framework into CI/CD pipelines for continuous testing and feedback.

Basic API Testing Interview Questions and Answers

These questions focus on fundamental concepts to assess a candidate’s basic understanding of API testing.

For Beginners

1. What is an API?
An API (Application Programming Interface) is a set of rules and protocols that allows different software applications to communicate with each other. It defines the methods and data formats that applications can use to request and exchange information.

2. What is API testing?
API testing is a software testing practice that tests APIs directly to determine if they meet expectations for functionality, reliability, performance, and security. It involves sending requests to the API, getting the response, and validating the response data, HTTP status codes, and response time.

3. What are the common types of APIs?

• Web APIs: RESTful APIs, SOAP APIs, GraphQL APIs.
• Operating System APIs: To interact with OS functionalities.
• Library APIs: Pre-built functions for developers.
• Database APIs: Allow applications to communicate with databases.

4. Name some common tools used for API testing.
Postman, Swagger, SoapUI, Katalon Studio, REST-Assured.
Exploring the official Postman documentation is recommended for practical skill-building.

5. What is the difference between API testing and UI testing?
API testing validates the business logic layer without a UI, while UI testing validates the presentation layer’s look, feel, and user interaction.

For Intermediate Professionals

These questions delve deeper into the practical aspects of API testing, requiring more detailed knowledge.

6. What are the most common HTTP methods used in RESTful APIs?

• GET: Retrieve data.
• POST: Submit new data.
• PUT: Update/replace existing data.
• DELETE: Remove a resource.
• PATCH: Partially update existing data.

7. How do you handle API authentication in your tests?
Using credentials in requests via:

• API Keys (headers/query params).
• Basic Auth (username/password).
• OAuth (token-based).
• JWT (JSON Web Tokens).

8. What is API payload?
Data sent to the server in a request body (typically JSON or XML for POST/PUT requests) or as query parameters in a GET request.

9. What are some common API error codes and how do you test for them?

• 400 Bad Request: Invalid client request.
• 401 Unauthorized: Missing/invalid authentication.
• 403 Forbidden: Access denied.
• 404 Not Found: Resource not found.
• 500 Internal Server Error: Server-side issue.
  Test by sending malformed/invalid data to trigger these codes and verify error handling.

10. What is the difference between PUT and POST?

• POST creates a new resource; it is not idempotent.
• PUT creates or updates a resource; it is idempotent, meaning multiple identical PUT requests result in the same state.

For Experienced Professionals

11. How would you design a scalable and maintainable API test automation framework?
It should be:

• Modular: Reusable components for requests, validations, and utilities.
• Data-Driven: Use CSV/JSON files for datasets.
• Configurable: Use config files for environments, endpoints, and credentials.
• Integrated with CI/CD: Jenkins/GitLab for continuous testing.
• Rich in Reporting: Allure or ExtentReports for actionable reporting.

12. What are the biggest challenges in API testing and how do you overcome them?

• Schema Validation: Use JSON/XML schema validators.
• Managing Test Data: Data-driven testing and generation tools.
• Handling Dependencies: Use service virtualization/mocking.
• Complex Authentication: Use Postman or REST-Assured to manage token workflows.

13. How does a microservices architecture impact API testing?
It increases complexity, requiring:

• Unit Testing for each service.
• Integration Testing for service interactions.
• Contract Testing to validate shared expectations.
• End-to-End Testing for workflows across services.
  Recommended resource: Martin Fowler’s blog for advanced testing methodologies.

14. What is contract testing, and why is it important in a microservices environment?
Contract testing ensures that API providers and consumers adhere to a shared contract without requiring full E2E tests. It ensures independent service evolution without breaking integrations.

15. What strategies would you use for API security testing?

Data Exposure Testing to prevent sensitive data leaks.
Authentication/Authorization Testing (OAuth, JWT).
Penetration Testing for vulnerabilities.
Fuzz Testing with random/invalid data.

Here is a comprehensive list of 100 API testing interview questions and answers, categorized by experience level.

API Testing Interview Questions For Freshers

This section covers foundational API testing interview questions for freshers. These questions focus on core concepts to assess a candidate’s basic understanding of API testing principles and terminology.

1. What is an API?
An API (Application Programming Interface) is a set of rules, protocols, and tools that allows different software applications to communicate with each other. It acts as an intermediary, processing requests and ensuring seamless functioning between systems.

2. What is API testing?
API testing is a type of software testing that validates the functionality, reliability, performance, and security of APIs. It involves sending requests to the API, receiving the response, and verifying that it matches the expected outcome.

3. Why is API testing important?
It’s important because it tests the core business logic of an application, providing early feedback and ensuring system stability before the UI is even developed. It’s faster and more efficient than UI testing.

4. What are the common types of APIs?
The most common types include Web APIs (REST, SOAP, GraphQL), Operating System APIs, Library APIs, and Database APIs.

5. Name some common tools used for API testing.
Popular tools include Postman, Swagger, SoapUI, Katalon Studio, and REST-Assured.

6. What is the difference between API testing and UI testing?
API testing focuses on the business logic layer without a graphical interface, while UI testing focuses on the presentation layer, validating the look, feel, and user interaction with the application.

7. What is an API endpoint?
An endpoint is a specific URL where an API can be accessed. Each endpoint corresponds to a specific function or resource within the API.

8. What is an API payload?
The payload is the data sent to the server within the body of an API request (e.g., in POST or PUT methods). It’s typically in formats like JSON or XML.

9. What is a resource in the context of an API?
A resource is an object or entity that an API can provide information about. For example, in a social media API, a user or a post would be a resource.

10. What are the core components of an HTTP request?
An HTTP request consists of a Request Method (e.g., GET, POST), Request URL/Endpoint, Request Headers (metadata), and an optional Request Body (payload).

11. What are the core components of an HTTP response?
An HTTP response includes a Status Code (e.g., 200 OK), Response Headers, and an optional Response Body containing the requested data.

12. What is REST?
REST (Representational State Transfer) is an architectural style for designing networked applications. It uses standard HTTP methods and is known for being stateless, simple, and scalable.

13. What is SOAP?
SOAP (Simple Object Access Protocol) is a protocol for exchanging structured information. It relies heavily on XML and has strict standards, including a built-in error handling system.

14. What is the main difference between REST and SOAP?
REST is an architectural style, while SOAP is a protocol. REST is more lightweight, uses various data formats (like JSON), and is generally faster. SOAP is more structured, uses only XML, and has built-in standards for security and transactions (WS-Security).

15. What is a URI?
A URI (Uniform Resource Identifier) is a string of characters that identifies a resource. A URL is a type of URI that also provides the location of the resource.

16. What does “stateless” mean in the context of REST APIs?
Stateless means that the server does not store any information about the client’s previous requests. Each request from a client must contain all the information needed for the server to understand and process it.

17. What is an API key?
An API key is a unique string of characters used to identify and authenticate an application or user when making requests to an API. It helps control and track API usage.

18. What are HTTP status codes?
HTTP status codes are standard responses from a server indicating the outcome of a request. They are grouped into five classes: 1xx (Informational), 2xx (Success), 3xx (Redirection), 4xx (Client Error), and 5xx (Server Error).

19. What does a 200 OK status code mean?
It indicates that the request was successful.

20. What does a 404 Not Found status code mean?
It means the server could not find the requested resource or endpoint.

21. What does a 500 Internal Server Error mean?
It indicates that the server encountered an unexpected condition that prevented it from fulfilling the request.

22. What is JSON?
JSON (JavaScript Object Notation) is a lightweight, human-readable data-interchange format. It is commonly used for transmitting data in web applications (e.g., sending some data from the server to the client, so it can be displayed on a web page).

23. What is XML?
XML (eXtensible Markup Language) is a markup language designed to store and transport data. It uses tags to define elements and is more verbose than JSON.

24. What is API documentation?
API documentation is a technical content deliverable that contains instructions on how to effectively use and integrate with an API. Examples include Swagger/OpenAPI documentation.

25. What is a GET request?
A GET request is used to retrieve data from a specified resource on a server. It should only retrieve data and have no other effect.

26. What is a POST request?
A POST request is used to submit data to a server to create a new resource.

27. What is smoke testing in API testing?
Smoke testing involves running a small set of critical tests to verify that the most important functions of an API are working correctly after a new build.

28. What do you mean by “request headers”?
Request headers are key-value pairs in an HTTP request that provide metadata, such as the content type, authentication tokens, and browser information.

29. What is Postman used for?
Postman is a popular collaboration platform for API development and testing. It allows users to create, send, and save complex HTTP requests and view their responses easily.

30. What is a positive test?
A positive test verifies that an application behaves as expected with valid input data. For an API, this means testing for a successful response (e.g., a 200 or 201 status code) with a valid request.

31. What is a negative test?
A negative test ensures the application behaves gracefully with invalid input or unexpected user behavior. For an API, this involves testing for appropriate error codes (e.g., 400 or 404) with an invalid request.

32. What is the purpose of the Accept header?
The Accept header tells the server which content types (e.g., application/json) the client can understand in the response.

33. What is the purpose of the Content-Type header?
The Content-Type header, used in requests with a body (like POST or PUT), tells the server what type of data is being sent in the payload (e.g., application/json).

API Testing Interview Questions For Intermediate Professionals

The following API testing interview questions are for intermediate professionals. They explore practical application, automation, and deeper technical concepts you’ll likely face in an interview.

34. What are the most common HTTP methods used in RESTful APIs?
The most common are GET (retrieve), POST (create), PUT (update/replace), DELETE (remove), and PATCH (partially update).

35. How do you handle API authentication in your tests?
Authentication can be handled by including credentials in the request. Common methods include Basic Auth (username/password), API Keys, OAuth 2.0 (token-based), and JWT (JSON Web Tokens).

36. What is the difference between PUT and POST?
POST is used to create a new resource and is not idempotent (multiple identical requests will create multiple resources). PUT is used to create or update a resource at a specific URI and is idempotent (multiple identical requests will have the same effect as one).

37. What is the difference between PUT and PATCH?
PUT replaces the entire resource with the new data provided. If some fields are omitted, they are set to null or their default value. PATCH applies a partial update to the resource, modifying only the fields included in the request body.

38. What does idempotency mean for an API?
An idempotent operation is one that can be applied multiple times without changing the result beyond the initial application. GET, PUT, and DELETE methods are typically idempotent, while POST is not.

39. What is schema validation in API testing?
Schema validation is the process of verifying that an API’s response (e.g., a JSON or XML body) conforms to a predefined structure or schema. It ensures data consistency and contract adherence.

40. How do you perform data-driven testing for APIs?
Data-driven testing involves running the same test case with multiple datasets. In API testing, this can be done by externalizing test data into files (like CSV or JSON) and iterating through them using automation frameworks like Postman (with a Collection Runner) or REST-Assured.

41. What is Swagger (OpenAPI)?
Swagger, now known as the OpenAPI Specification, is a standard for describing, documenting, and visualizing RESTful APIs. The documentation allows both humans and machines to understand the capabilities of an API without access to source code.

42. What are some common API error codes and how do you test for them?

• 400 Bad Request: Client-side error. Test by sending a malformed request (e.g., invalid JSON).
• 401 Unauthorized: Missing or invalid authentication. Test by sending a request without credentials.
• 403 Forbidden: Valid authentication but insufficient permissions. Test by using a low-privilege user token to access a high-privilege resource.
• 429 Too Many Requests: Rate limiting is enforced. Test by sending a high volume of requests in a short time.

43. What is request chaining in API testing?
Request chaining is the practice of using data from the response of one API request as input for the next request. For example, using an id from a POST response to GET or DELETE that specific resource.

44. What is REST-Assured?
REST-Assured is a Java library used to test RESTful APIs. It provides a domain-specific language (DSL) that makes it easy to write powerful, maintainable API automation tests in Java.

45. What is OAuth?
OAuth (Open Authorization) is an access delegation standard. It allows a user to grant a third-party application limited access to their resources on a server without sharing their credentials (username and password).

46. How would you test a rate-limiting feature on an API?
I would write an automated script to send a number of requests exceeding the defined limit within a specific timeframe and assert that the API returns a 429 Too Many Requests status code for the excess requests.

47. What is parameterization in API testing?
Parameterization is the process of replacing hard-coded values in tests with variables. This is crucial for running tests across different environments (dev, staging, prod) or with dynamic data. Tools like Postman use environment or global variables for this.

48. What is the difference between authentication and authorization?
Authentication is the process of verifying who a user is (identity). Authorization is the process of verifying what a user is allowed to do (permissions).

49. How can you validate a JSON response?
You can validate a JSON response by:

• Asserting specific key-value pairs.
• Checking the data types of values.
• Validating the entire structure against a JSON Schema.
• Checking the size or count of arrays.

50. What is a “contract” in API testing?
A contract is a formal agreement on how an API will behave, defining the expected requests, responses, data formats, and status codes. Contract testing verifies that the API adheres to this agreed-upon contract.

51. Explain what a pre-request script in Postman does.
A pre-request script is JavaScript code that runs before an API request is sent. It’s often used for tasks like setting dynamic variables, generating timestamps, or handling complex authentication logic.

52. What are environment variables in Postman?
Environment variables are key-value pairs that allow you to customize requests for different environments (e.g., development, staging, production). You can switch environments to run the same test suite with different configurations (like base URLs or credentials).

53. What is GraphQL and how does testing it differ from REST?
GraphQL is a query language for APIs. Unlike REST, which uses multiple endpoints, GraphQL typically uses a single endpoint. Testing GraphQL involves validating queries (requesting specific data) and mutations (modifying data), and ensuring the response contains exactly the data requested and nothing more.

54. What is the assert function used for in API automation?
assert is a function used in test scripts to check if a certain condition is true. If the condition is false, the assertion fails, and the test case is marked as failed. It’s the primary mechanism for validation.

55. What is a collection in Postman?
A collection is a group of saved API requests. It helps in organizing and documenting related requests, and it can be run as a whole using the Collection Runner to automate a test suite.

56. When would you use mocking for an API?
You use mocking when an API you need to test depends on another service that is unavailable, unstable, or costly to use. A mock service simulates the behavior of the real dependency, allowing you to test your API in isolation.

57. How do you handle timeouts in API testing?
You should test that an API responds within an acceptable timeframe as defined in the Service Level Agreement (SLA). Automation tools allow you to configure a timeout period, and the test should fail if the response takes longer than specified.

58. What is API versioning and why is it important?
API versioning is the practice of managing changes to an API and making different versions available. It is crucial for ensuring that existing client applications do not break when breaking changes are introduced to the API.

59. How would you test for a memory leak in an API?
This falls under performance testing. You would conduct a soak test (or endurance test) by sending a sustained load to the API over a long period and monitoring the server’s memory usage. A gradual increase in memory that is not reclaimed indicates a memory leak.

60. What is the purpose of a finally block in a try-catch-finally structure in test automation?
The finally block contains code that will always be executed, regardless of whether an exception was thrown in the try block or caught in the catch block. It is often used for cleanup operations, like closing database connections or resetting test data.

61. What is BDD and how can it be applied to API testing?
BDD (Behavior-Driven Development) is a development process that encourages collaboration between business and technical teams. For APIs, BDD can be implemented using tools like Cucumber with a framework like REST-Assured, where test scenarios are written in a human-readable Gherkin syntax (Given-When-Then).

62. What are query parameters?
Query parameters are key-value pairs appended to the end of a URL after a ? symbol. They are used to filter, sort, or paginate the results from a GET request.

63. What are path parameters?
Path parameters are variables within the URL path itself, used to identify a specific resource. For example, in /users/{userId}, userId is a path parameter.

64. Explain the difference between a library and a framework in test automation.
A library (e.g., REST-Assured) is a collection of functions or classes that you can call from your code to perform specific tasks. A framework (e.g., Serenity BDD) provides a structure and a set of rules for building your application; it calls your code. You have more control with a library, while a framework imposes more structure.

65. What is correlation and why is it important in performance testing?
Correlation is the process of capturing dynamic values from a server’s response and using them in subsequent requests. It is critical in performance testing to simulate realistic user sessions, especially for handling session IDs or security tokens.

66. What is serialization and deserialization in the context of APIs?
Serialization is the process of converting an object (like a Java or C# object) into a format that can be easily transmitted, such as JSON or XML. Deserialization is the reverse process: converting the JSON or XML data back into an object.

67. How would you verify the headers of an API response?
In your test script, you would access the response headers and write assertions to check for the presence of specific headers (like Content-Type or Cache-Control) and validate their values against expected ones.

API Testing Interview Questions For Experienced Professionals

These advanced API testing interview questions are for experienced professionals. The focus here is on high-level strategy, test architecture, and leadership, reflecting the expectations for senior QA roles.

68. How would you design a scalable and maintainable API test automation framework from scratch?
A scalable framework should be modular and layered (e.g., API services, test cases, utilities, reporting). It should be data-driven, use page object models (for UI) or an equivalent for APIs (API action classes), be integrated with CI/CD, use configuration files for environments, and have robust logging and reporting (like Allure or ExtentReports).

69. What are the biggest challenges in API testing and how do you overcome them?
Challenges include managing test data, handling complex authentication, dealing with service dependencies (overcome with mocking/virtualization), ensuring schema validation, and keeping up with frequent API changes (overcome with contract testing and good CI/CD practices).

70. How does a microservices architecture impact API testing strategy?
It increases complexity. The strategy must include:

• Unit Testing for each microservice in isolation.
• Integration Testing to test interactions between services.
• Contract Testing to ensure services communicate correctly without full E2E testing.
• End-to-End Testing for complete business flows.
  A robust monitoring and logging strategy becomes critical.

71. What is contract testing, and which tools would you use for it?
Contract testing verifies that interactions between two services (consumer and provider) adhere to a shared contract, ensuring services evolve independently without breaking each other. Tools: Pact, Spring Cloud Contract.

72. What strategies would you use for API security testing?

• Test for OWASP API Security Top 10 vulnerabilities.
• Fuzz Testing with malformed/random data.
• Penetration Testing to simulate attacks.
• Authentication/Authorization Testing.
• Data Exposure Testing to ensure no sensitive data leaks in responses.

73. How do you approach API performance testing? What key metrics do you monitor?
Approach includes load, stress, spike, and endurance testing. Key metrics:

• Response Time/Latency
• Throughput (requests/sec)
• Error Rate
• CPU and Memory Utilization on the server side.

74. What is service virtualization and how is it different from mocking?
Mocking creates simple, code-based fakes within a test suite. Service virtualization creates a full, reusable replica of a service, simulating its data, behavior, and performance, sharable across teams and environments.

75. How would you integrate API tests into a CI/CD pipeline?

• Check API tests into version control (Git).
• Configure CI server (Jenkins/GitLab) to trigger tests on commits or schedules.
• Fail the pipeline on test failures to act as a quality gate.

76. What is a quality gate in a CI/CD pipeline?
A checkpoint where predefined quality criteria (e.g., test pass rate, code coverage, no critical vulnerabilities) must be met for the build to proceed.

77. What is idempotency and why is it important for consumers of an API?
Idempotency means making the same request multiple times results in the same outcome, helping consumers safely retry requests without causing unintended side effects.

78. What is Broken Object Level Authorization (BOLA) and how do you test for it?
BOLA (or IDOR) occurs when users can access others’ resources by manipulating IDs. Test by logging in as User A and attempting to access User B’s resources, asserting denial (e.g., 403 Forbidden).

79. How would you measure the ROI of API test automation?
Measure by comparing automation costs against benefits:

• Reduced manual testing effort.
• Faster feedback and time-to-market.
• Cost of bugs found in production vs. pre-release.
• Increased coverage and product quality.

80. What is gRPC and how does it differ from REST?
gRPC is a high-performance RPC framework using Protocol Buffers and HTTP/2. It is faster and more efficient for internal communication but less human-readable and not browser-friendly, unlike REST.

81. What are webhooks and how would you test them?
Webhooks are automated callbacks on events. Test by setting up a public endpoint (using ngrok) to receive the callback, triggering the event, and verifying the payload and data.

82. Explain the “shift-left” testing approach in the context of APIs.
Shift-left means testing earlier in the development cycle. For APIs, it includes reviewing contracts, writing tests from specs before code completion, using mocks, and integrating tests early in CI pipelines.

83. What is Chaos Engineering and how can it apply to APIs?
Chaos Engineering tests system resilience by injecting failures (e.g., latency, server crashes) in production to see how APIs and services handle and recover from turbulence.

84. How would you create a test data management strategy for API testing?

• Use data generation tools for realistic data.
• Isolate test data for parallel tests.
• Use setup/teardown scripts for test data management.
• Mask/anonymize sensitive data in non-prod environments.

85. What is consumer-driven contract testing?
The consumer defines the contract with expected API behavior, generating a contract file for the provider to verify compatibility. Tools like Pact facilitate this.

86. What is a circuit breaker pattern and why is it useful in a microservices architecture?
It prevents cascading failures by stopping calls to a failing service after repeated failures, allowing recovery checks before resuming, thus improving resilience.

87. In a distributed system, how would you ensure data consistency when testing an API workflow that spans multiple services?
Use patterns like Sagas, trigger full workflows, query each service/database, and verify compensation logic for failed steps.

88. How would you test an API that is asynchronous?

• Make the initial call and get a transaction/job ID (202 Accepted).
• Poll a status endpoint using the ID until completion/failure.
• Alternatively, check the target system or DB for outcomes.

89. What is a “canary release” and how does API testing support it?
A canary release gradually rolls out changes to a subset of users. API tests monitor error rates and latency for the canary, enabling quick rollback if issues arise.

90. Describe a scenario where you had to debug a complex API issue. What was your process?
(Use STAR). Example: Replicated in Postman → checked logs → isolated with cURL → paired with dev → enabled detailed tracing → found issue in a downstream service.

91. What is the N+1 query problem and how can it affect API performance?
It occurs when fetching a list (1 query) and then fetching related data for each item (N queries), leading to performance issues. Solve by eager-loading related data.

92. How do you stay updated with the latest trends and tools in API testing?
Follow blogs (Postman, Martin Fowler), newsletters, online forums, webinars, and experiment with tools in personal projects.

93. What is your experience with API Gateway testing?
Involves verifying routing, authentication, rate limiting, request/response transformations, and ensuring the gateway manages API traffic securely and correctly.

94. How do you decide what not to automate in API testing?
Avoid automating unstable tests, rare tests, complex human interactions (e.g., CAPTCHA), and rapidly changing features. Prefer manual exploratory testing for these.

95. What is bi-directional contract testing?
It verifies contracts from both the consumer and provider perspectives, ensuring alignment and reducing integration failures.

96. How do you handle API deprecation in your test suites?

• Keep existing tests for legacy support.
• Write tests for the new API version.
• Add tests to check deprecation warnings.
• Remove old tests post-retirement.

97. What is API observability and what are its three pillars?
API observability means understanding internal system states via external outputs. Three pillars:

• Logs (event records).
• Metrics (numerical, time-based data).
• Traces (request journey across services).

98. When would you choose GraphQL over REST?
When clients have varied, evolving data needs (e.g., mobile apps) to avoid over-fetching/under-fetching, which are common issues with REST.

99. How would you test an API for data privacy compliance (like GDPR or CCPA)?
Test for:

• Consent management.
• Data minimization.
• Right to erasure.
• Data security in transit and at rest.

100. As a senior tester, how would you mentor a junior team member in API testing?
Pair on tasks, explain API/HTTP fundamentals, provide resources, assign small reproducible bugs, and conduct regular code reviews with constructive feedback.

Frequently Asked Questions (FAQ) for API testing interview questions