🔌 Complete Tutorial
Postman API Testing Tutorial
Learn API testing from scratch — simple language, real examples, zero assumptions.
⏱️ ~2 hrs
🎯 15 Topics
💡 Real examples
🧪 Quizzes
01
Introduction
What is Postman?
Postman is a free tool that lets you send requests to any API and see the response — without writing a single line of code. It is the most popular API testing tool used by QA engineers worldwide.
Think of it like a remote control for APIs. Instead of building a full app to test a feature, you use Postman to directly talk to the server.
🧠 Analogy: You call a restaurant's order line (the API). You say "I want 1 pizza" (request). Restaurant says "Order received, 30 min" (response). Postman is the phone — it lets you test what happens when you make different requests.
- Test APIs independently: no need to wait for the UI. Test the backend directly.
- Find bugs faster: test edge cases — empty data, invalid inputs, wrong tokens.
- Save and reuse: save API calls in collections and run them anytime.
- Automate tests: write scripts to auto-validate responses.
💡
Postman is free. Go to postman.com, download, and create a free account.
02
Foundation
What is an API?
API (Application Programming Interface) is a way for two applications to talk to each other — it defines what requests can be made, what data to send, and what response to expect.
🧠 Waiter analogy: You don't go to the kitchen yourself. You tell the waiter (API) what you want. The waiter goes to the kitchen (server), gets your food, and brings it back. API = messenger between your app and server.
1. Client sends request: Postman sends the request to the server — URL, method, headers, optional body.
2. Server processes: the server receives it, runs its logic, fetches data from the DB.
3. Server sends response: returns a status code (200, 404, 500) + body (usually JSON).
🔍 Real Example
When you open Swiggy and search restaurants:
→ App sends: GET /restaurants?city=Pune
→ Swiggy server looks up database
→ Returns JSON list of restaurants
→ App shows them on screen
You just used an API!
📄 Sample JSON Response
```json
// Response from GET /users/1
{
  "id": 1,
  "name": "Priya Sharma",
  "email": "priya@example.com",
  "role": "QA Engineer"
}
```
03
Core Concept
HTTP Methods
The HTTP Method tells the server WHAT you want to do with the data.
- GET — Fetch data. Does NOT change anything. GET /users → returns all users.
- POST — Create new. Sends data to create a record. Response: 201 Created.
- PUT — Full replace. Replaces the entire existing record with new data.
- PATCH — Partial update. Only updates the fields you send. Others stay unchanged.
- DELETE — Remove. Deletes the resource. Response: 200 or 204.
🧠 File Cabinet: GET = Read file | POST = Add new file | PUT = Replace entire file | PATCH = Edit one line | DELETE = Bin the file
04
Getting Started
Postman Interface
- Collections: left panel. Folders to save and organise all requests, like a project folder.
- Method dropdown: before the URL bar. Select GET, POST, PUT, DELETE here.
- URL bar: type your API endpoint here, e.g. https://api.example.com/users
- Send button: fires your request to the server.
- Params tab: add query params such as ?city=Pune. Postman appends them to the URL automatically.
- Headers tab: add Content-Type, Authorization headers here.
- Body tab: for POST/PUT, add the JSON data you are sending.
- Tests tab: write JS test scripts that run automatically after every request.
- Response panel: bottom. Shows status code, time, body, headers.
- Environments: store variables like base URL and tokens. Switch Dev/Staging/Prod easily.
ℹ️
Don't memorise all of this now — you'll understand each part naturally as you practice.
05
Hands-On
Your First API Request
🎯 Free Practice API — no account needed!
URL: https://jsonplaceholder.typicode.com/users
1. Open Postman: click + to create a new request tab.
2. Select GET: keep the method as GET (default).
3. Enter URL: https://jsonplaceholder.typicode.com/users
4. Click Send: hit the blue Send button.
5. See response: Status 200 OK + a JSON list of 10 users appears below.
📄 Response (shortened)
```json
[
  {
    "id": 1,
    "name": "Leanne Graham",
    "email": "Sincere@april.biz"
  }
  // 9 more users...
]
```
✅
Congrats! Try fetching one user — change URL to /users/1 and click Send.
06
Request Setup
Request Headers
Headers are extra info sent with your request — telling the server about the data format, who you are, and what response format you expect.
🧠 Analogy: A letter envelope has details written outside (sender, recipient, stamp) — these are headers. The server reads headers before opening the body.
- Content-Type: format of the data you're sending. Most common: application/json
- Authorization: your login token. Format: Bearer <token>
- Accept: the response format you expect. Usually: application/json
- X-API-Key: API key required by some APIs for access.
⚠️
For POST/PUT, always add Content-Type: application/json. Without it, many APIs will reject your request.
07
Request Setup
Request Body
The Request Body is the actual data you send — used in POST, PUT, PATCH. GET and DELETE usually don't have a body.
1. Method = POST. URL: https://jsonplaceholder.typicode.com/posts
2. Headers tab: Key = Content-Type, Value = application/json
3. Body tab → raw → JSON → paste the JSON below
4. Click Send
📤 Request Body
```json
{
  "title": "My First Post",
  "body": "This is the content",
  "userId": 1
}
```
📥 Response — 201 Created
```json
{
  "id": 101,
  "title": "My First Post",
  "userId": 1
}
```
🎯 QA validates
- ✓ Status = 201 (not 200)
- ✓ All fields in response
- ✓ New id generated
- ✓ Empty body → 400
08
Core Knowledge
HTTP Status Codes
Every API response has a Status Code — 3-digit number telling you if the request succeeded or failed, and why.
💡
2xx = Success ✅ | 4xx = Your fault ❌ | 5xx = Server fault 🔥
| Code | Name | Plain English |
|---|---|---|
| 200 | OK | Request successful. Standard for GET, PUT, PATCH. |
| 201 | Created | New resource created. Standard for POST. |
| 204 | No Content | Success, but no body returned. Common for DELETE. |
| 400 | Bad Request | Your request is wrong: missing fields or bad format. |
| 401 | Unauthorized | Not logged in or token expired. "Who are you?" |
| 403 | Forbidden | Logged in but no permission. "You can't do this." |
| 404 | Not Found | Endpoint or resource doesn't exist. Wrong URL. |
| 409 | Conflict | Duplicate data, e.g. email already registered. |
| 429 | Too Many Requests | Rate limit exceeded. Slow down. |
| 500 | Server Error | Bug on the server side. Not your fault. |
| 503 | Unavailable | Server is down or overloaded. |
🧪 Quick Check: You send DELETE. What status code do you expect?
09
QA Testing
Response Validation
1. Status code: GET → 200, POST → 201, DELETE → 200/204?
2. JSON structure: all required fields present? Names correct?
3. Data types: is id a number? Is active a boolean? Is email a string?
4. Values: did the data you sent come back correctly?
5. Response time: under 2000ms = good. Above 5000ms = bug.
6. Error messages: "Email is required" ✅ vs "Error 0x1A" ❌
🔍 Login API — QA Scenarios
Positive: Valid email+password → 200 OK + token
Negative: Wrong password → 401 + "Invalid credentials"
Negative: Missing email → 400 + "Email is required"
Security: SQL injection → 400, NOT 200 or 500
10
Efficiency
Environment Variables
Environment Variables store values (base URL, tokens) once and reuse across all requests using {{variableName}} syntax.
🧠 Analogy: 50 requests all use the same URL. URL changes. Without variables: edit all 50. With {{baseUrl}}: change ONE place — all 50 update!
1. Click Environments (eye icon, top right) → Add → name it "Development".
2. Add: Key = baseUrl, Value = https://jsonplaceholder.typicode.com
3. Save → select this environment from the dropdown.
4. In the URL bar type: {{baseUrl}}/users — Postman replaces it automatically!
- {{baseUrl}}: root URL — changes between Dev / Staging / Production
- {{authToken}}: login token — used in the Authorization header across all requests
- {{userId}}: user ID captured from one request and passed to the next
11
Organisation
Collections
A Collection is a folder where you group related API requests — one per feature or module. Think of it as a test suite.
📁 Example Structure
📁 E-Commerce API Tests
📂 Auth → POST /login, POST /logout
📂 Products → GET /products, POST /products
📂 Orders → POST /orders, GET /orders/{{orderId}}
1. Click New → Collection → give it a name.
2. Save requests inside the collection folder.
3. Click ▶ Run → Collection Runner opens.
4. Click Run — all requests run in sequence and show ✅ pass / ❌ fail.
💡
Interview answer: "I organize requests into Collections by feature, use Environment Variables for URLs and tokens, run via Collection Runner or Newman."
12
Security Testing
Authentication
Most real APIs are protected. You need to prove who you are — this is Authentication. Most common: Bearer Token (JWT).
1. Login first — POST /login with credentials. The server returns a token.
2. Copy token — from the response body, copy the token string.
3. Authorization tab → Bearer Token → paste the token.
4. Or Headers tab: Key = Authorization, Value = Bearer your_token
🎯 QA Auth Test Scenarios
✓ No token → 401
✓ Expired token → 401
✓ Tampered token → 401
✓ User A's token to access User B's data → 403
13
Automation
Writing Tests in Postman
Postman's Tests tab runs JavaScript code automatically after every request to verify the response is correct.
🧪 Essential Test Scripts
```javascript
// 1. Check status code
pm.test("Status is 200", function () {
  pm.response.to.have.status(200);
});

// 2. Response time under 2s
pm.test("Response time OK", function () {
  pm.expect(pm.response.responseTime).to.be.below(2000);
});

// 3. Check field value
pm.test("Name is correct", function () {
  const body = pm.response.json();
  pm.expect(body.name).to.equal("Priya");
});

// 4. Check field exists
pm.test("Has id field", function () {
  const body = pm.response.json();
  pm.expect(body).to.have.property("id");
});

// 5. Check Content-Type header
pm.test("Content-Type is JSON", function () {
  pm.expect(pm.response.headers.get("Content-Type")).to.include("application/json");
});
```
ℹ️
Postman has a Snippets panel in the Tests tab — click any snippet to auto-insert code. No JS memorization needed!
14
Advanced
Chaining Requests
Request Chaining = using the response of one API as input for the next. E.g. save login token from Request 1 and auto-use it in Request 2.
📝 Step 1: POST /login → Tests Tab (save token)
```javascript
// Save token to environment variable
const res = pm.response.json();
pm.environment.set("authToken", res.token);
pm.test("Token saved", function () {
  pm.expect(res.token).to.be.a("string");
});
```
🔗 Step 2: Next request → Authorization Header
```text
// Authorization tab → Bearer Token
// Token field: {{authToken}}
// Postman auto-fills it!
// OR Headers tab:
//   Key: Authorization
//   Value: Bearer {{authToken}}
```
💡
Run using Collection Runner in sequence. Token from Step 1 auto-fills in Step 2 — no manual copy-paste!
15
CI/CD
Newman — Command Line Runner
Newman is the command-line version of Postman. It runs your collections automatically from terminal — for CI/CD pipelines (Jenkins, GitHub Actions).
⚙️ Install Newman
```shell
# Requires Node.js installed
npm install -g newman
npm install -g newman-reporter-html
```
1. Export collection: right-click the collection → Export → JSON file.
2. Export environment: click the environment → Export → JSON file.
3. Run Newman from the terminal:
🚀 Run Command
```shell
newman run collection.json \
  -e environment.json \
  --reporters cli,html \
  --reporter-html-export report.html
```
🔗 In Jenkins
Add as Build Step: newman run collection.json -e env.json
Test fails → Newman exits code 1 → Jenkins marks build FAILED → team email sent. API tests now run auto in CI/CD! 🎯
🧪 Final Quiz: What is Newman used for?
Ready for Real Interviews?
STAD Solution's QA training covers Postman A to Z with real projects, mock interviews, and 100% placement support.
Explore Courses at STAD Solution →