RESTful Principles
CHAPTER 30 Beginner

Updated: May 13, 2026
5 min read

# CHAPTER 30

REST API Interview Questions and Practice Challenges

1. Introduction

Congratulations on reaching the final chapter! You have mastered the architecture, security, performance, and implementation of REST APIs using PHP and MySQL. To land a job as a Backend Developer or API Engineer, you must be able to articulate these concepts clearly. In Chapter 30, we have compiled the most frequently asked REST API interview questions, coding challenges, and mini-projects to finalize your preparation.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Confidently answer common architectural and technical API interview questions.
  • Differentiate clearly between similar concepts (e.g., PUT vs PATCH, 401 vs 403).
  • Complete practical backend coding challenges.
  • Build portfolio-ready REST API projects to showcase your skills.

3. Top 15 Architectural Interview Questions

  1. Explain the constraints of REST.
*(Focus on: Client-Server separation, Statelessness, Cacheability, Uniform Interface, Layered System).*
  2. What does it mean for an API to be "Stateless"?
*(Explain that the server stores no session data; the client must provide full context, like a token, with every single request).*
  3. What is an "Idempotent" HTTP method? Which methods are idempotent?
*(An operation that produces the same result no matter how many times it is executed. GET, PUT, DELETE are idempotent. POST is not).*
  4. Compare REST vs SOAP.
*(REST is an architectural style primarily using JSON and HTTP. SOAP is a strict protocol primarily using XML).*
  5. How do you design REST endpoints for deeply nested relationships?
*(Keep URLs shallow, max 2 levels. Use /authors/1/books. For deeper actions on a specific book, flatten it to /books/5/chapters).*

4. Top 15 Technical & HTTP Interview Questions

  6. Explain the exact difference between PUT and PATCH.
*(PUT completely replaces the resource. PATCH partially updates specific fields).*
  7. When should you use Path Parameters vs Query Parameters?
*(Path params /users/5 identify a specific resource. Query params /users?role=admin filter or sort a collection of resources).*
  8. Explain the difference between a 401 and 403 status code.
*(401 Unauthorized: The user is not logged in or the token is invalid. 403 Forbidden: The user is logged in, but lacks the permission/role to do the action).*
  9. Why is `$_POST` empty in PHP when receiving a JSON payload?
*(Because `$_POST` is only populated for multipart/form-data or application/x-www-form-urlencoded bodies. A JSON body must be read via `file_get_contents('php://input')` and passed to `json_decode()`).*
  10. What is the N+1 Query Problem in API development?
*(Running a query to get 100 items, and then running 100 separate queries inside a loop to get related data. Solved via SQL JOINs).*
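Questions 6 and 9 put into code, as an added example that is not part of the chapter: the JSON body is decoded the way a `php://input` read would supply it, then PUT is applied as a full replacement and PATCH as a merge of only the supplied fields, with unknown fields rejected in both cases. The product record, the field list and the request bodies are constructed sample data.

```php
<?php
// Added example (not from the original chapter): reading a JSON request body
// and applying PUT (full replacement) vs PATCH (partial update) to a resource.
// $stored, $allowed and the JSON bodies below are constructed sample data.
declare(strict_types=1);

// $_POST stays empty for a JSON body; a real handler reads the raw body with
// file_get_contents('php://input'). Here the body is passed in as a string.
function readJsonBody(string $raw): array
{
    $data = json_decode($raw, true);
    if (!is_array($data)) {
        // Malformed or non-object JSON: the handler should answer 400
        throw new InvalidArgumentException('Malformed JSON: ' . json_last_error_msg());
    }
    return $data;
}

// PUT: the client sends the complete representation. Missing fields are an
// error (nothing is silently preserved) and unknown fields are refused.
function applyPut(array $allowed, array $body): array
{
    $missing = array_diff($allowed, array_keys($body));
    $unknown = array_diff(array_keys($body), $allowed);
    if ($missing !== [] || $unknown !== []) {
        throw new InvalidArgumentException(
            'PUT requires exactly the fields: ' . implode(', ', $allowed)
        );
    }
    return $body;
}

// PATCH: only the supplied fields change; the rest of the stored record is
// kept. Unknown fields are still refused so clients cannot write arbitrary
// columns (mass assignment).
function applyPatch(array $allowed, array $stored, array $body): array
{
    $unknown = array_diff(array_keys($body), $allowed);
    if ($unknown !== []) {
        throw new InvalidArgumentException('Unknown fields: ' . implode(', ', $unknown));
    }
    return array_merge($stored, $body);
}

$allowed = ['name', 'price', 'stock'];
$stored  = ['name' => 'Keyboard', 'price' => 49.99, 'stock' => 12]; // constructed record

// In a real handler: $raw = file_get_contents('php://input');
$patchBody = readJsonBody('{"price": 44.99}');
$putBody   = readJsonBody('{"name": "Keyboard", "price": 44.99, "stock": 10}');

print_r(applyPatch($allowed, $stored, $patchBody)); // price changes, stock stays 12
print_r(applyPut($allowed, $putBody));              // whole record replaced

try {
    applyPut($allowed, $patchBody); // a PUT carrying only "price" is rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The unknown-field check is the part interview answers usually skip: without it, `array_merge()` would happily store whatever keys the client sends, which is how a PATCH body of `{"role": "admin"}` ends up in a database column.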

5. Top 10 Security & Performance Interview Questions

  11. Explain how Token-Based Authentication works.
*(Client logs in, receives a token, and sends it in the `Authorization: Bearer <token>` header on subsequent requests. Server validates it statelessly).*
  12. What is a JWT and how does it differ from a database API key?
*(JWT is cryptographically signed. The server can verify its authenticity and read its payload without ever querying the database, making it highly scalable).*
  13. How do you protect a REST API from SQL Injection?
*(By strictly using PDO Prepared Statements and parameter binding. Never concatenate user input into SQL strings).*
  14. What is CORS and why do browsers enforce it?
*(Cross-Origin Resource Sharing. Browsers apply the same-origin policy so that a malicious website A cannot run background JavaScript that reads responses from API B; CORS is the header-based mechanism by which API B tells the browser which origins are allowed to do so).*
  15. How do you implement API Versioning?
*(Primarily via the URL path, e.g., /api/v1/users, ensuring old clients don't crash when breaking changes are introduced).*
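Questions 13 and 14 as runnable PHP. This is an added example, not code from the chapter: it uses an in-memory SQLite database with constructed rows so it runs offline (on MySQL the same `prepare`/`execute` calls apply), and the origins in the allowlist are placeholders.

```php
<?php
// Added example (not from the original chapter): a parameterised query with
// PDO, and CORS headers produced from an explicit origin allowlist.
// The SQLite rows and the allowed origins are constructed placeholders.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL also set PDO::ATTR_EMULATE_PREPARES => false so the server binds parameters.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (email, role) VALUES ('alice@example.com', 'admin'), ('bob@example.com', 'user')");

// Q13: the user-supplied value is bound as a parameter, never concatenated,
// so a value such as "' OR 1=1 --" is compared literally against the column.
function findUsersByRole(PDO $pdo, string $role): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE role = :role');
    $stmt->execute([':role' => $role]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

print_r(findUsersByRole($pdo, 'admin'));        // one row
print_r(findUsersByRole($pdo, "' OR 1=1 --"));  // empty: no role has that literal name

// Q14: the browser lets a page read the response only if the server names the
// page's origin. Echoing the Origin header back unconditionally, or answering
// "*" for an authenticated API, defeats the purpose, so compare against a list.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com']; // placeholders

function corsHeaders(?string $origin): array
{
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        return []; // no CORS headers: the browser refuses the cross-origin read
    }
    return [
        'Access-Control-Allow-Origin'  => $origin,
        'Vary'                         => 'Origin', // caches must key on Origin
        'Access-Control-Allow-Methods' => 'GET, POST, PUT, PATCH, DELETE',
        'Access-Control-Allow-Headers' => 'Authorization, Content-Type',
    ];
}

// In a real handler: $origin = $_SERVER['HTTP_ORIGIN'] ?? null;
// then foreach (corsHeaders($origin) as $k => $v) header("$k: $v");
print_r(corsHeaders('https://app.example.com')); // headers for an allowed origin
print_r(corsHeaders('https://other.example'));    // [] for anything else
```

The `Vary: Origin` header matters once a cache or CDN sits in front of the API: without it, a response tagged with one origin can be served to a request from another.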

6. Practice Coding Challenges

Challenge 1: The Validator

Write a PHP function that accepts a JSON string payload containing a user registration. Validate that the email is valid, the password is at least 8 characters, and the role is either 'admin' or 'user'. Return a perfectly formatted 422 JSON error array if it fails.

Challenge 2: The Router

Without using a framework, write an `index.php` script that parses the URL and HTTP method. Route `GET /products` to a `listProducts()` function, and `GET /products/42` to a `showProduct(42)` function. Return 404 for anything else.

Challenge 3: The JWT Decoder

Using PHP's `base64_decode()`, write a script that takes a JWT string, splits it by the period (`.`), decodes the payload segment, and echoes the user's ID.
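A worked version of Challenge 3 that also covers questions 11 and 12, added here and not part of the chapter. It adds two things the challenge statement leaves out: JWT segments are base64url (RFC 7515), so `-` and `_` have to be mapped back and padding restored before `base64_decode()` will accept them, and a decoded payload is not trusted until the signature and expiry check out. HS256 is assumed; the secret and claims are constructed sample values.

```php
<?php
// Added example (not from the original chapter): decode a JWT, verify its
// HS256 signature and expiry, then read the user's ID from the payload.
// The secret and the claims are constructed sample values.
declare(strict_types=1);

// JWT segments are base64url: different alphabet, no padding.
function base64UrlDecode(string $s): string
{
    $std = strtr($s, '-_', '+/');
    $pad = strlen($std) % 4;
    if ($pad !== 0) {
        $std .= str_repeat('=', 4 - $pad);
    }
    $out = base64_decode($std, true); // strict mode rejects stray characters
    if ($out === false) {
        throw new InvalidArgumentException('Invalid base64url segment');
    }
    return $out;
}

function base64UrlEncode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Issues a signed token so the example is self-contained.
function issueToken(array $claims, string $secret): string
{
    $header  = base64UrlEncode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = base64UrlEncode(json_encode($claims));
    $sig     = base64UrlEncode(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Returns the claims or throws. The algorithm is pinned to HS256 rather than
// read from the token header, so a header claiming "none" is not honoured;
// hash_equals() compares the signatures in constant time.
function verifyToken(string $jwt, string $secret, int $now): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Token must have three segments');
    }
    [$header, $payload, $sig] = $parts;

    $expected = hash_hmac('sha256', "$header.$payload", $secret, true);
    if (!hash_equals($expected, base64UrlDecode($sig))) {
        throw new InvalidArgumentException('Bad signature');
    }
    $claims = json_decode(base64UrlDecode($payload), true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] < $now) {
        throw new InvalidArgumentException('Token expired or malformed');
    }
    return $claims;
}

$secret = 'placeholder-secret-load-from-config'; // constructed placeholder
$now    = time();
$jwt    = issueToken(['sub' => 42, 'role' => 'user', 'exp' => $now + 3600], $secret);

$claims = verifyToken($jwt, $secret, $now);
echo 'User ID: ', $claims['sub'], PHP_EOL; // User ID: 42

// Any change to the payload invalidates the signature: this is why decoding
// the payload without verifying it (the bare challenge) is not authentication.
$parts    = explode('.', $jwt);
$parts[1] = base64UrlEncode(json_encode(['sub' => 42, 'role' => 'admin', 'exp' => $now + 3600]));
try {
    verifyToken(implode('.', $parts), $secret, $now);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL; // Rejected: Bad signature
}
```

Note the order inside `verifyToken()`: the signature is checked before the payload is parsed, so nothing from an unverified token is ever acted on.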

7. Real-World Portfolio Projects

To prove your skills to employers, you must build and deploy real APIs.

Project 1: E-Commerce Inventory API

  • Resources: Categories, Products, Reviews.
  • Skills demonstrated: Relational databases, Pagination (?page=2), Sorting (?sort=price), and JSON nesting.

Project 2: Secure Blog API with JWT

  • Resources: Users, Posts, Comments.
  • Skills demonstrated: JWT Authentication. Role-based authorization (Users can comment, Admins can delete posts).

Project 3: File Storage Cloud API

  • Resources: Folders, Files.
  • Skills demonstrated: multipart/form-data file uploads, secure MIME type validation, unique file renaming, and generating public URLs.
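The upload checks Project 3 asks for, as an added example that is not code from the chapter. The MIME type is detected from the file's bytes with `finfo`, never taken from the client-supplied name or `Content-Type`, and the stored name is random with an extension derived from the detected type. The two sample files are constructed in memory so the script runs without a real `$_FILES` entry.

```php
<?php
// Added example (not from the original chapter): server-side validation and
// renaming for file uploads. The sample files below are constructed bytes.
declare(strict_types=1);

const ALLOWED_TYPES = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];
const MAX_BYTES = 5 * 1024 * 1024;

// Returns the safe storage name, or throws with a message fit for a 422 body.
function validateAndName(string $bytes): string
{
    if ($bytes === '' || strlen($bytes) > MAX_BYTES) {
        throw new InvalidArgumentException('File is empty or exceeds the size limit');
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($bytes); // sniffed from content, not from the client's filename
    if (!array_key_exists($mime, ALLOWED_TYPES)) {
        throw new InvalidArgumentException("Type $mime is not allowed");
    }
    // The extension comes from the detected type and the basename is random,
    // so no part of the client-controlled name reaches the filesystem path.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
}

// Constructed sample content: a PNG signature plus a minimal IHDR chunk, and a
// file named like an image whose content is actually a PHP script.
$pngBytes = "\x89PNG\r\n\x1a\n"
    . "\x00\x00\x00\x0dIHDR"
    . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00"
    . "\x90\x77\x53\xde";
$scriptBytes = "<?php echo 'not an image';";

echo validateAndName($pngBytes), PHP_EOL; // e.g. 3f9a...c2.png

try {
    validateAndName($scriptBytes); // the filename said .png; the bytes do not
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// In a real handler the bytes come from $_FILES['file']['tmp_name'], the
// returned name is passed to move_uploaded_file(), and the public URL is
// built from that name under a directory the web server never executes.
```

Keeping uploads outside the document root (or in a directory with script execution disabled) is the second half of this control; the random name removes path and extension tricks, and the storage location removes the payoff if a check is ever bypassed.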

8. Final Developer Checklist

Before deploying any API to production, check:
  • [ ] Is it using HTTPS?
  • [ ] Are all endpoints behind /api/v1/?
  • [ ] Are all database queries using Prepared Statements?
  • [ ] Does it return appropriate HTTP Status Codes (200, 201, 400, 401, 403, 404, 422, 500)?
  • [ ] Is CORS configured to only allow your specific frontend domains?
  • [ ] Is the API documented using Swagger/OpenAPI?

9. Conclusion

You have completed the RESTful Principles Tutorial. You transitioned from not knowing what an API is, to understanding HTTP, mastering JSON, and building a fully secure, scalable, and versioned backend architecture in PHP and MySQL.

REST APIs are the backbone of the modern internet. Whether you are building mobile apps, connecting microservices, or creating the next big SaaS platform, the foundational skills you have learned here will serve you for your entire career.

Happy coding, and good luck on your API journey!

--- *(End of Curriculum)*
