Essential API Concepts for Technical Interviews
1. HTTP Verbs
• GET – Retrieve data from the server (read-only)
• POST – Create a new resource on the server
• PUT – Replace an existing resource completely
• PATCH – Partially update an existing resource
• DELETE – Remove a resource from the server
• TRACE – Echoes the received request back to the client (for debugging; normally disabled in production)
• OPTIONS – Lists the HTTP methods allowed for a URL
• CONNECT – Establish a tunnel through a proxy (e.g., for HTTPS via an HTTP proxy)
• PURGE – Invalidate a cached resource (non-standard; understood by some caching proxies)
• LOCK – Lock a resource for exclusive client access
• UNLOCK – Unlock a previously locked resource
• MKCOL – Create a collection (used in WebDAV APIs)
• COPY – Duplicate a resource to a new location
2. HTTP Status Codes
• 1xx – Informational
Request received, continuing process (e.g., 100 Continue)
• 2xx – Success
Request was successful (e.g., 200 OK, 201 Created)
• 3xx – Redirection
Further action needed to complete the request (e.g., 301 Moved Permanently, 302 Found)
• 4xx – Client Errors
Request was invalid or unauthorized (e.g., 400 Bad Request, 401 Unauthorized, 404 Not Found)
• 5xx – Server Errors
Server failed to fulfill a valid request (e.g., 500 Internal Server Error, 503 Service Unavailable)
www.linkedin.com/in/vishupriyaravichandran
3. API Security – Core Mechanisms
• OAuth
Authorization standard for granting limited access to APIs without sharing
credentials.
• JWT (JSON Web Token)
Compact, URL-safe token that carries claims between parties as a signed JSON object; the signature must be verified before any claim is trusted.
• SSL/TLS
Protocols for encrypting communication between client and server, ensuring data confidentiality and integrity (SSL is obsolete; current deployments use TLS).
• API Key
Unique token used to identify and authenticate API clients; often passed in headers or query strings (headers are preferable, since query strings end up in logs and browser history).
• Rate Limiting
Restricts the number of API requests allowed per client over a time window to prevent abuse.
• OpenID Connect
Identity layer built on OAuth 2.0 for authenticating users across different domains (used in SSO systems).
• CORS (Cross-Origin Resource Sharing)
Browser mechanism that controls which origins may read API responses from scripts on other sites; it complements, and does not replace, server-side authentication.
4. API Design – Core Styles
• REST (Representational State Transfer)
Resource-based architecture using standard HTTP methods like GET, POST,
PUT, DELETE.
• SOAP (Simple Object Access Protocol)
XML-based protocol for structured data exchange, often used in enterprise
systems.
• GraphQL
Query language and runtime that allows clients to request exactly the data
they need.
• API Gateway
A single entry point for managing, securing, and scaling APIs — handles
routing, rate limiting, logging, and more.
5. API Testing – Essential Tools
• Postman
Widely used GUI tool for manual and automated API testing. Great for
quick requests, scripting, and test collections.
• SoapUI
Supports testing of both SOAP and REST services; ideal for functional and
security testing.
• Swagger
Offers interactive API documentation and testing interface; often paired
with OpenAPI specifications.
• JMeter
Load testing and performance benchmarking tool for APIs, often used in CI
pipelines.
• TestRail
Test management platform to document, execute, and track API test cases.
• Dredd
CLI tool that validates your API implementation against your API
documentation.
• REST Assured
Java library for automating REST API tests — commonly used in backend
and integration testing.
• Karate DSL
BDD-style API testing framework using Gherkin syntax; supports data-driven tests and assertions.
• HttpMaster
Advanced API testing tool for simulating requests and evaluating responses.
• Assertible
Enables automated monitoring and testing of API endpoints with
integrations for CI/CD.
6. Response Headers – Key Headers to Know
• Content-Type
Specifies the MIME type of the response (e.g., application/json,
text/html)
• Content-Length
Indicates the size of the response body in bytes
• Cache-Control
Directs how responses are cached (e.g., no-cache, max-age=3600)
• Location
Provides the URI of a newly created resource or redirection target
• Server
Reveals the software and version used by the server (often suppressed to avoid disclosing the stack)
• Access-Control-Allow-Origin
Used in CORS; specifies which origins can read the resource from a browser
• Set-Cookie
Sends cookies from server to client for session management; the HttpOnly, Secure and SameSite attributes are set here
• Expires
Sets an expiration time after which the response is considered stale
• Last-Modified
Indicates when the resource was last updated; useful for caching and
conditional requests
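Access-Control-Allow-Origin is the header where CORS misconfigurations usually live. The Python sketch below is an added example, not part of the original notes: it places the anti-pattern of reflecting whatever Origin the browser sends next to an exact-match allowlist, and adds the answer to an OPTIONS preflight. The allowed origins and permitted methods are constructed values.

```python
from typing import Dict, Iterable, Optional

# Constructed allowlist: the browser origins that may read this API's responses.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def cors_headers_reflecting(origin: Optional[str]) -> Dict[str, str]:
    """Anti-pattern kept for comparison: echoing any Origin with credentials enabled
    lets a page on any site read a logged-in user's authenticated responses."""
    return {
        "Access-Control-Allow-Origin": origin or "*",
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers(origin: Optional[str], allowed: Iterable[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Grant cross-origin read access only to an exact-match allowlisted origin.
    Substring or suffix matching is deliberately avoided (app.example.com.evil.example
    must not pass), and a missing or "null" Origin receives no grant at all."""
    headers = {"Vary": "Origin"}  # the answer depends on Origin, so shared caches must key on it
    if origin is not None and origin in set(allowed):
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def preflight_headers(
    origin: Optional[str],
    requested_method: str,
    allowed_methods: Iterable[str] = ("GET", "POST", "PATCH", "DELETE"),
) -> Dict[str, str]:
    """Answer an OPTIONS preflight: only an allowlisted origin asking for a permitted
    method is told which methods and request headers are accepted."""
    allowed_methods = tuple(allowed_methods)
    headers = cors_headers(origin)
    if "Access-Control-Allow-Origin" in headers and requested_method in allowed_methods:
        headers["Access-Control-Allow-Methods"] = ", ".join(allowed_methods)
        headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
        headers["Access-Control-Max-Age"] = "600"  # browser may cache this preflight for 10 minutes
    return headers
```

The `Vary: Origin` header is emitted on every response, not only on grants, so that a CDN never serves one origin's allow header to a request from another origin.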
7. API Documentation – Tools & Formats
• OpenAPI
Specification format (YAML or JSON) for defining RESTful APIs; enables
automatic documentation and testing tools.
• API Blueprint
A markdown-style language for describing APIs in a human-readable way.
• RAML (RESTful API Modeling Language)
YAML-based modeling language for describing RESTful APIs, widely used
with MuleSoft.
• Swagger UI
Interactive UI that renders OpenAPI specs — allows developers to try API
endpoints directly in the browser.
• Slate
Static site generator for beautiful, responsive API documentation with
code samples and live references.
8. API Performance – Optimization Techniques
• Caching
Stores responses temporarily to reduce server load and speed up repeated
requests.
• Throttling
Limits the number of API requests allowed per user or app over a time
period to maintain system stability.
• Load Balancing
Distributes incoming API traffic across multiple servers to maximize
performance and availability.
• Content Delivery Network (CDN)
Delivers static assets and cached API responses from geographically
distributed servers to reduce latency.
• Edge Computing
Processes data closer to the user's location to minimize response time and
improve speed for API calls.
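Rate limiting (section 3) and throttling (the entry above) are the same mechanism seen from the security and the performance side. The Python class below is an added example, not part of the original notes: a sliding-window limiter keyed per client, with the 429 response and Retry-After header a gateway would return when a client exceeds its quota. The limit, window and client keys are constructed values, and the X-RateLimit-* headers are a common convention rather than a standard.

```python
import math
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client key within any `window`-second span.

    One deque of request timestamps per key; entries older than the window are
    dropped on each call, so a burst straddling a boundary cannot double the rate
    the way a fixed calendar window would allow.
    """

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, key: str, now: float) -> Deque[float]:
        q = self._hits[key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        """Record the request and return True, or return False without recording it."""
        now = time.monotonic() if now is None else now
        q = self._prune(key, now)
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def remaining(self, key: str, now: Optional[float] = None) -> int:
        now = time.monotonic() if now is None else now
        return max(0, self.limit - len(self._prune(key, now)))

    def retry_after(self, key: str, now: Optional[float] = None) -> float:
        """Seconds until the oldest in-window request ages out (0 when not throttled)."""
        now = time.monotonic() if now is None else now
        q = self._prune(key, now)
        if len(q) < self.limit:
            return 0.0
        return max(0.0, q[0] + self.window - now)


def handle_request(
    limiter: SlidingWindowLimiter, client_key: str, now: Optional[float] = None
) -> Tuple[int, Dict[str, str]]:
    """What a gateway does per request: 200 with quota headers, or 429 with Retry-After.
    The client key should be the API key or authenticated identity, not just the source IP,
    so that clients behind one NAT are not throttled together."""
    now = time.monotonic() if now is None else now
    if limiter.allow(client_key, now):
        return 200, {
            "X-RateLimit-Limit": str(limiter.limit),
            "X-RateLimit-Remaining": str(limiter.remaining(client_key, now)),
        }
    return 429, {"Retry-After": str(math.ceil(limiter.retry_after(client_key, now)))}


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=3, window=10.0)
    for t in (0.0, 1.0, 2.0, 3.0, 10.5):
        print(t, handle_request(limiter, "demo-client", now=t))
```

The denied request is not recorded, so a client that keeps retrying while throttled does not push its own unblock time further away; whether to count rejected calls is a policy choice a production gateway makes explicitly.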
9. API Versioning & Best Practices
🔹 Versioning
Manage changes to your API without breaking existing clients.
• Example: /v1/users vs /v2/users
• Methods: URI versioning, header-based versioning
🔹 Pagination
Break large datasets into smaller chunks for better performance and usability.
• Common patterns: ?page=1&limit=20, cursor-based pagination
🔹 Caching
Enhance performance by reusing previous responses.
• Headers involved: Cache-Control, ETag, Last-Modified
🔹 Error Handling
Return clear, meaningful error messages and status codes.
• Example: 400 Bad Request, 404 Not Found, 422 Unprocessable Entity
🔹 HATEOAS (Hypermedia as the Engine of Application State)
Include links in responses to guide the client through valid next actions.
• Example: A user object includes a link to fetch their orders
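The five practices in this section come together in a single list endpoint. The Python handler below is an added example, not part of the original notes: it serves a versioned `/v1/users` collection with bounded offset pagination, returns uniform 400 and 422 errors, sets ETag and Cache-Control and answers a matching If-None-Match with 304, and embeds HATEOAS links (next/prev pages and each user's orders). The in-memory USERS table and MAX_LIMIT are constructed values.

```python
import hashlib
import json
from typing import Dict, Tuple

# Constructed in-memory collection standing in for a database table.
USERS = [{"id": i, "name": f"user{i}"} for i in range(1, 6)]
MAX_LIMIT = 100  # assumed cap so one call cannot dump the whole table
JSON = {"Content-Type": "application/json"}

Response = Tuple[int, Dict[str, str], bytes]


def error(status: int, message: str) -> Response:
    """Uniform error shape so clients can rely on one structure."""
    body = json.dumps({"error": {"status": status, "message": message}}).encode("utf-8")
    return status, {**JSON, "Content-Length": str(len(body))}, body


def etag_for(body: bytes) -> str:
    """Strong ETag derived from the bytes of the representation."""
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


def list_users(query: Dict[str, str], request_headers: Dict[str, str]) -> Response:
    """GET /v1/users?page=&limit= with offset pagination, HATEOAS links and a conditional GET."""
    try:
        page = int(query.get("page", "1"))
        limit = int(query.get("limit", "20"))
    except ValueError:
        return error(400, "page and limit must be integers")
    # Well-formed but unusable values are a 422; the cap on limit bounds the response size.
    if page < 1 or not 1 <= limit <= MAX_LIMIT:
        return error(422, f"page must be >= 1 and limit between 1 and {MAX_LIMIT}")

    start = (page - 1) * limit
    # Each user carries a link to the related collection, as the HATEOAS entry describes.
    items = [{**u, "links": {"orders": f"/v1/users/{u['id']}/orders"}} for u in USERS[start:start + limit]]
    links = {"self": f"/v1/users?page={page}&limit={limit}"}
    if start + limit < len(USERS):
        links["next"] = f"/v1/users?page={page + 1}&limit={limit}"
    if page > 1:
        links["prev"] = f"/v1/users?page={page - 1}&limit={limit}"

    raw = json.dumps({"data": items, "links": links}, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = etag_for(raw)
    headers = {**JSON, "ETag": tag, "Cache-Control": "private, max-age=60"}
    # Conditional GET: a client that already holds this representation gets 304 and no body.
    inm = request_headers.get("If-None-Match", "")
    candidates = {t.strip() for t in inm.split(",") if t.strip()}
    if tag in candidates or "*" in candidates:
        return 304, headers, b""
    headers["Content-Length"] = str(len(raw))
    return 200, headers, raw


def parse_body(raw: bytes) -> dict:
    """Client-side helper: decode a JSON response body."""
    return json.loads(raw.decode("utf-8"))


if __name__ == "__main__":
    status, headers, raw = list_users({"page": "1", "limit": "2"}, {})
    print(status, headers, parse_body(raw))
    print(list_users({"page": "1", "limit": "2"}, {"If-None-Match": headers["ETag"]})[0])
```

The ETag is computed over the serialized bytes with sorted keys, so the same page yields the same tag across processes; the 304 response carries the validator headers again but no Content-Length, since there is no body.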
10. API Tools – Design, Testing & Management
• API Studio
Web-based IDE for designing, testing, and mocking APIs.
• Stoplight
Collaborative platform for API design, documentation, and governance using
OpenAPI.
• Apigee
Google’s full-lifecycle API management platform for securing, deploying, and
analyzing APIs.
• Azure API Management
Microsoft’s managed service for publishing, securing, and monitoring APIs
at scale.
• Postman Learning Center
Educational hub offering tutorials and best practices for effective API
testing with Postman.