API Testing with Postman
# CHAPTER 17
1. Introduction
A backend developer who builds an API without testing it is flying blind. You cannot simply type POST /api/users into the Google Chrome address bar, because a browser's address bar only issues GET requests. To test POST payloads, PUT updates, Authorization headers, and DELETE commands, you need a specialized tool. In this chapter, we introduce Postman, the undisputed industry-standard desktop client for API development, testing, and debugging.
2. Learning Objectives
By the end of this chapter, you will be able to:
- Understand the role of an API Client in backend development.
- Configure Postman to execute GET, POST, PUT, and DELETE requests.
- Craft raw JSON request bodies.
- Attach HTTP Headers (like Authorization and Content-Type).
- Utilize Postman Environments for dynamic testing.
3. Beginner-Friendly Explanation
Imagine building a high-tech vending machine. You just wired the coin slot and the dispensing motor. You want to see if it works. You don't wait 6 months to build the entire metal frame, the glass window, and paint it just to test the motor. You grab a coin, manually jam it into the slot, and see if the motor turns.
Postman is that test. It allows you to fire data (coins) directly at your backend code (the motor) to verify that the database saves the data correctly, completely bypassing the need to build a frontend web page (the glass window).
4. What is Postman?
Postman is a graphical user interface (GUI) application that acts as an extremely powerful web browser for developers. It allows you to manually construct every single piece of an HTTP Request—the Method, the URL, the Headers, and the Body—and fire it at your local server (e.g., http://localhost:3000). It then beautifully formats the JSON response, the Status Code, and the Response Headers.
*(Alternatives include Insomnia and Hoppscotch, but Postman is the industry standard).*
5. Testing a GET Request
Let's test an endpoint that fetches data.
- 1. Open Postman.
- 2. Change the Method dropdown to GET.
- 3. Enter the URL: http://localhost:3000/api/users
- 4. Click the blue Send button.
*Result:* The bottom pane will illuminate green with a 200 OK status, and print the beautifully formatted JSON array of users.
6. Testing a POST Request (Sending JSON)
Now we must test creating a user. This requires sending a JSON Body.
- 1. Change the Method dropdown to POST.
- 2. Enter the URL: http://localhost:3000/api/users
- 3. Below the URL, click the Body tab.
- 4. Select raw and change the Text dropdown to JSON.
- 5. Type your valid JSON payload into the editor:
```json
{
  "name": "Jane Smith",
  "email": "jane@example.com",
  "password": "securepassword123"
}
```
- 6. Click Send.
*Result:* Postman will automatically attach the Content-Type: application/json header for you, send the request, and you should see a 201 Created status code!
7. Testing Authentication (Adding Headers)
If your API routes are protected by a JWT, standard requests will return 401 Unauthorized. You must attach your token.
- 1. Make a POST request to /api/login and copy the JWT string from the response.
- 2. Open a new tab for a protected route: GET /api/dashboard.
- 3. Click the Authorization tab.
- 4. Set the Type dropdown to Bearer Token.
- 5. Paste your copied JWT into the Token field.
- 6. Click Send.
*Postman will automatically construct the Authorization: Bearer <token> HTTP header and inject it into the request, granting you access to the data.*
8. Organizing with Collections and Environments
If you test 50 different APIs, your Postman will become a mess.
- Collections: Postman allows you to save requests into folders called Collections. You can have a folder called "User API", containing saved templates for your GET, POST, and PUT requests, ready to click at any time.
- Environments: Instead of typing http://localhost:3000 50 times, you can create a Postman Variable called {{base_url}}. You set your local environment's base_url to localhost:3000. When you push your API to the internet, you simply switch to the "Production Environment", changing base_url to api.mywebsite.com. Now all 50 saved requests instantly target the live server!
9. Best Practices
- Save Example Responses: When you get a successful response in Postman, click "Save Response." This allows you to view what the API payload looks like offline. It is incredibly helpful to send these saved examples to frontend developers so they know exactly what data structures to expect before the API is even finished.
10. Common Mistakes
- Forgetting Content-Type in Raw Tests: If you use a lightweight tool like cURL, or if you manually manipulate Postman's headers and forget to explicitly send Content-Type: application/json with a POST request, your Express API will not trigger its JSON parser. req.body will be undefined, and your database will save a blank row.
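The mistake above, as an added example that is not code from the chapter: `parseJsonBody` is a hypothetical stand-in for the Content-Type gate the chapter attributes to Express's JSON parser (it is not Express itself), and `createUser` shows the route failing closed with a 400 instead of saving a blank row. The two request objects are constructed to mirror a cURL call without the header and Postman's raw JSON body with it.

```javascript
// Stand-in for the JSON parser's gate: the body is parsed only when the
// request says it is JSON; otherwise the handler sees undefined, as the chapter describes.
function parseJsonBody(headers, rawBody) {
  const ct = (headers["content-type"] || headers["Content-Type"] || "").toLowerCase();
  if (ct.split(";")[0].trim() !== "application/json") return undefined; // charset suffix allowed
  try {
    return JSON.parse(rawBody);
  } catch {
    return null; // malformed JSON: treated as "no usable body" by the route below
  }
}

// Route handler for POST /api/users: validate before touching the database,
// so a missing or malformed body is a 400, never a blank row.
function createUser(req, db) {
  const body = parseJsonBody(req.headers, req.rawBody);
  const valid = body && ["name", "email", "password"].every((k) => typeof body[k] === "string" && body[k]);
  if (!valid) return { status: 400, error: "JSON body with name, email and password required" };
  db.push({ name: body.name, email: body.email }); // password hashing omitted; never store it raw
  return { status: 201, id: db.length };
}

// Constructed requests: the cURL mistake (no Content-Type) beside Postman's raw JSON body.
const payload = JSON.stringify({ name: "Jane Smith", email: "jane@example.com", password: "securepassword123" });
const curlWithoutHeader = { headers: {}, rawBody: payload };
const postmanRawJson = { headers: { "Content-Type": "application/json" }, rawBody: payload };
```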
11. Exercises
- 1. Explain why you cannot use Google Chrome's standard address bar to test an API endpoint that updates a user's profile.
12. Coding Challenges
- Challenge: You have built a REST endpoint: DELETE /api/v1/articles/42. Describe the exact configuration steps in the Postman GUI required to execute this request (Method, URL, Body, Headers).
13. MCQs with Answers
Question 1
When utilizing Postman to test an endpoint that creates a new database record, which tab must the developer configure to input the raw JSON payload?
Question 2
What is the primary purpose of Postman "Environments" in an API developer's workflow?
14. Interview Questions
- Q: Explain the necessity of using an API Client like Postman or Insomnia during backend development. Why is a standard web browser insufficient for testing REST APIs?
- Q: Walk me through the exact process of testing an authenticated endpoint in Postman. How do you acquire the token, and how do you configure Postman to attach it to the subsequent protected request?
15. FAQs
Q: Can Postman write automated tests?
A: Yes! Postman has a "Tests" tab where you can write JavaScript code that executes *after* the response arrives. You can write scripts that automatically check, for example: `pm.expect(pm.response.code).to.eql(200);`. You can then run your entire Collection of 50 endpoints with one click to ensure nothing is broken.