Before you can test APIs, you need to understand how they work. REST (Representational State Transfer) is the most common API architecture on the web.
What Is an API?
An API (Application Programming Interface) is a contract between two systems. The frontend asks for data, the backend provides it. The API defines the rules — which URLs to call, what data to send, and what to expect back.
HTTP Methods
REST APIs use HTTP methods to define what action to perform:
| Method | Purpose | Example |
|---|---|---|
| GET | Read data | Get a list of users |
| POST | Create data | Create a new user |
| PUT | Replace data | Update an entire user record |
| PATCH | Partial update | Update just the user's email |
| DELETE | Remove data | Delete a user |
Request Structure
Every HTTP request has:

```text
Method: POST
URL: https://api.example.com/users
Headers:
  Content-Type: application/json
  Authorization: Bearer eyJhbGciOi...
Body:
{
  "name": "Sabaoon",
  "email": "sabaoon@example.com"
}
```

- URL: Where to send the request
- Headers: Metadata (authentication, content type, caching)
- Body: The data you're sending (for POST, PUT, PATCH)
- Query parameters: Filters added to the URL (`?page=2&limit=10`)
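To make the anatomy above concrete, here is an added example (not code from the original post) that serialises a request into the exact HTTP/1.1 bytes a client puts on the wire, and parses a raw response back into status, headers and body. It adds the `Host` header (mandatory in HTTP/1.1 but not listed above), computes `Content-Length` from the JSON body, and treats header names as case-insensitive, which is how servers and clients actually read them. The token value and the sample response are constructed for the example.

```python
import json
from urllib.parse import urlencode, urlsplit


def build_request(method, url, headers=None, body=None, params=None):
    """Serialize the parts listed above into the raw HTTP/1.1 text that goes on the wire."""
    parts = urlsplit(url)
    target = parts.path or "/"
    query = "&".join(q for q in (parts.query, urlencode(params or {})) if q)
    if query:
        target += "?" + query  # query parameters travel in the request line, not the body
    hdrs = {"Host": parts.netloc, **(headers or {})}  # Host is mandatory in HTTP/1.1
    payload = b""
    if body is not None:
        payload = json.dumps(body).encode()
        hdrs.setdefault("Content-Type", "application/json")
        hdrs["Content-Length"] = str(len(payload))  # the server reads exactly this many bytes
    head = "\r\n".join([f"{method} {target} HTTP/1.1", *(f"{k}: {v}" for k, v in hdrs.items())])
    return head.encode() + b"\r\n\r\n" + payload


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers, decoded JSON body or None)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    _version, code, *_reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        raise ValueError(f"truncated response: got {len(body)} bytes, Content-Length says {declared}")
    decoded = None
    if body and headers.get("content-type", "").startswith("application/json"):
        decoded = json.loads(body)
    return int(code), headers, decoded


# Constructed sample response (not captured from a real server), matching the example above.
_BODY = json.dumps({"id": 42, "name": "Sabaoon", "email": "sabaoon@example.com",
                    "createdAt": "2026-03-12T10:00:00Z"}).encode()
SAMPLE_RESPONSE = (b"HTTP/1.1 201 Created\r\nContent-Type: application/json\r\n"
                   b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY)

if __name__ == "__main__":
    req = build_request("POST", "https://api.example.com/users",
                        {"Authorization": "Bearer TOKEN-PLACEHOLDER"},  # placeholder token
                        {"name": "Sabaoon", "email": "sabaoon@example.com"},
                        params={"page": 2, "limit": 10})
    print(req.decode())
    print(parse_response(SAMPLE_RESPONSE))
```

The `Content-Length` check in `parse_response` is the kind of detail a tester wants: a response that is shorter than its declared length was cut off, and a tool that silently parses the partial body will report a pass on garbage.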
Response Structure
Every HTTP response has:

```text
Status: 201 Created
Headers:
  Content-Type: application/json
Body:
{
  "id": 42,
  "name": "Sabaoon",
  "email": "sabaoon@example.com",
  "createdAt": "2026-03-12T10:00:00Z"
}
```

Status Codes
Status codes tell you what happened:
2xx — Success
| Code | Meaning |
|---|---|
| 200 | OK — Request succeeded |
| 201 | Created — Resource was created |
| 204 | No Content — Success, but nothing to return |
3xx — Redirection
| Code | Meaning |
|---|---|
| 301 | Moved Permanently |
| 304 | Not Modified (cached) |
4xx — Client Error
| Code | Meaning |
|---|---|
| 400 | Bad Request — Invalid data sent |
| 401 | Unauthorized — Not authenticated |
| 403 | Forbidden — Authenticated but not allowed |
| 404 | Not Found — Resource doesn't exist |
| 409 | Conflict — Duplicate or conflicting data |
| 422 | Unprocessable Entity — Validation failed |
| 429 | Too Many Requests — Rate limited |
5xx — Server Error
| Code | Meaning |
|---|---|
| 500 | Internal Server Error — Something broke |
| 502 | Bad Gateway — Upstream server failed |
| 503 | Service Unavailable — Server is temporarily unable to handle requests (overloaded or in maintenance) |
REST Conventions
RESTful APIs follow predictable URL patterns:

```text
GET    /users           → List all users
GET    /users/42        → Get user 42
POST   /users           → Create a new user
PUT    /users/42        → Replace user 42
PATCH  /users/42        → Update user 42
DELETE /users/42        → Delete user 42
GET    /users/42/posts  → Get posts by user 42
```

Key rules:
- Use nouns, not verbs (`/users`, not `/getUsers`)
- Use plural names (`/users`, not `/user`)
- Use HTTP methods to express actions
- Nest related resources (`/users/42/posts`)
What API Testers Check
When testing an API, you verify:
- Correct status code — Does `GET /users/999` return 404?
- Response body — Does the JSON contain the expected fields and values?
- Headers — Is `Content-Type` correct? Are CORS headers present?
- Performance — Does the response come back within acceptable time?
- Error handling — Does the API return helpful error messages for bad input?
- Authentication — Does it reject requests without valid tokens?
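The following is an added example, not code from the original post, that ties the REST conventions, the status-code tables and the tester's checklist together. `FakeUsersApi` is a constructed in-memory stand-in for a `/users` backend that routes by method and path exactly as the convention table describes and answers with the codes from the tables (401 before routing, 404 for unknown resources, 422 for validation failures, 409 for duplicates, 201 with a `Location` header on create, 204 on delete). It also returns 405 for a method a route does not support, a standard code that is not in the page's tables. `check_response` applies the status, body-field and `Content-Type` checks from the list above, and `run_checks` runs them as a tester would; the token value and the users are constructed.

```python
import re

JSON = {"Content-Type": "application/json"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class FakeUsersApi:
    """In-memory stand-in for a /users backend (constructed for this example)."""

    def __init__(self, token="Bearer test-token"):  # constructed token value
        self.token = token
        self.users = {42: {"id": 42, "name": "Sabaoon", "email": "sabaoon@example.com"}}
        self.next_id = 43

    @staticmethod
    def validate(body):
        """Return the list of validation errors for a user payload (empty if valid)."""
        if not isinstance(body, dict):
            return ["body must be a JSON object"]
        errors = []
        if not body.get("name"):
            errors.append("name is required")
        if not EMAIL_RE.match(str(body.get("email", ""))):
            errors.append("email is invalid")
        return errors

    def handle(self, method, path, headers=None, body=None):
        """Route one request by the conventions above; returns (status, headers, body)."""
        headers = headers or {}
        # Authentication is checked before routing: 401 means "not authenticated".
        if headers.get("Authorization") != self.token:
            return 401, JSON, {"error": "missing or invalid token"}
        match = re.fullmatch(r"/users(?:/(\d+))?", path)
        if not match:
            return 404, JSON, {"error": "no such route"}
        user_id = int(match.group(1)) if match.group(1) else None

        if user_id is None:  # collection: /users
            if method == "GET":
                return 200, JSON, {"users": list(self.users.values())}
            if method == "POST":
                errors = self.validate(body)
                if errors:
                    return 422, JSON, {"errors": errors}
                if any(u["email"] == body["email"] for u in self.users.values()):
                    return 409, JSON, {"error": "email already registered"}
                user = {"id": self.next_id, "name": body["name"], "email": body["email"]}
                self.users[self.next_id] = user
                self.next_id += 1
                return 201, {**JSON, "Location": f"/users/{user['id']}"}, user
            # 405 is not in the page's tables; it is the standard "method not allowed" code.
            return 405, JSON, {"error": "method not allowed"}

        if user_id not in self.users:  # item: /users/<id>
            return 404, JSON, {"error": "user not found"}
        if method == "GET":
            return 200, JSON, self.users[user_id]
        if method in ("PUT", "PATCH"):
            # PUT replaces the whole record; PATCH merges the supplied fields into it.
            candidate = body if method == "PUT" else {**self.users[user_id], **(body or {})}
            errors = self.validate(candidate)
            if errors:
                return 422, JSON, {"errors": errors}
            self.users[user_id] = {"id": user_id, "name": candidate["name"], "email": candidate["email"]}
            return 200, JSON, self.users[user_id]
        if method == "DELETE":
            del self.users[user_id]
            return 204, {}, None  # no body, so no Content-Type either
        return 405, JSON, {"error": "method not allowed"}


def check_response(response, expected_status, required_fields=()):
    """The tester's checks: status code, Content-Type header, and expected body fields."""
    status, headers, body = response
    failures = []
    if status != expected_status:
        failures.append(f"expected status {expected_status}, got {status}")
    if body is not None and headers.get("Content-Type") != "application/json":
        failures.append("Content-Type header is not application/json")
    for field in required_fields:
        if not isinstance(body, dict) or field not in body:
            failures.append(f"response body is missing field '{field}'")
    return failures


def run_checks():
    """Run the checks from the list above; returns {check name: list of failures}."""
    api = FakeUsersApi()
    auth = {"Authorization": "Bearer test-token"}
    return {
        "missing_user_404": check_response(api.handle("GET", "/users/999", auth), 404),
        "create_201": check_response(
            api.handle("POST", "/users", auth, {"name": "Asha", "email": "asha@example.com"}),
            201, ("id", "name", "email")),
        "bad_email_422": check_response(
            api.handle("POST", "/users", auth, {"name": "Asha", "email": "not-an-email"}),
            422, ("errors",)),
        "no_token_401": check_response(api.handle("GET", "/users", {}), 401),
        "delete_204": check_response(api.handle("DELETE", "/users/42", auth), 204),
        "deleted_gone_404": check_response(api.handle("GET", "/users/42", auth), 404),
    }


if __name__ == "__main__":
    for name, failures in run_checks().items():
        print(f"{name}: {'PASS' if not failures else failures}")
```

Every check in `run_checks` names the status it expects, so a backend that answers 200 with an error message in the body, or 500 where 422 was due, fails the test instead of slipping through. Timing and CORS-header checks follow the same pattern: measure or read the value from the response and add a failure string when it is out of bounds or absent.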