APIs power almost every modern application. Whether you’re creating users, retrieving data, updating records, or validating purchases, APIs handle the communication between client and server.
In this workshop, Jesús Fiora walks through the fundamentals of API testing and demonstrates how to validate API behavior using two powerful tools:
- Postman for building and testing API calls
- Charles Proxy for intercepting and inspecting live network traffic
What You’ll Learn
By the end of this session, you will:
- Understand what API testing is and why it matters
- Differentiate API testing from integration testing
- Apply CRUD operations in API workflows
- Use HTTP methods correctly (GET, POST, PUT, PATCH, DELETE)
- Validate response codes and detect server/client errors
- Build and automate API tests in Postman
- Intercept and debug network traffic using Charles Proxy
- Identify security risks (like unencrypted credentials in URLs)
What Is API Testing?
API testing ensures that the data sent and received between applications behaves as expected.
Client and server communicate constantly whenever a user:
- Creates an account
- Logs in
- Updates a profile
- Makes a purchase
API testing validates that:
- Data is stored correctly
- Responses are accurate
- No unexpected data is returned
- Errors are handled properly
- Nothing breaks when new features are added
It’s not always visible in the UI, but it underpins smoke tests, functional tests, regression tests, integration tests, and end-to-end flows.
API Testing vs Integration Testing
A common confusion is equating integration testing with API testing. While integration testing may involve API communication, API testing is broader. It verifies:
- Data exchange
- Request/response behavior
- Communication reliability
- Correct handling of CRUD operations
API testing supports integration testing, but they are not identical.
Understanding CRUD and HTTP Methods
CRUD stands for:
- Create → POST
- Read → GET
- Update → PUT
- Delete → DELETE
Additional clarification:
- PUT updates an entire resource
- PATCH partially updates specific fields
Understanding this distinction is essential when validating backend behavior.
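A test oracle for the PUT/PATCH distinction, added here as an example and not taken from the workshop: it computes the state a resource should have after each method and reports fields a backend wrongly kept or dropped. The user record, its field names, and the rule that the server-assigned `id` survives a PUT are assumptions; values are compared as flat fields only.

```javascript
// Added example: expected resource state after PUT vs PATCH, used as a test oracle.
// The user record and field names are constructed for illustration.
function expectedAfter(method, before, body) {
  if (method === "PUT") {
    // Full replacement: only the server-assigned id (assumption) survives.
    return { id: before.id, ...body };
  }
  if (method === "PATCH") {
    // Partial update: fields absent from the body keep their old values.
    return { ...before, ...body };
  }
  throw new Error(`not an update method: ${method}`);
}

// Compare what the server returned with the expected state, field by field.
function diffUpdate(method, before, body, actual) {
  const expected = expectedAfter(method, before, body);
  const problems = [];
  const keys = new Set([...Object.keys(expected), ...Object.keys(actual)]);
  for (const key of keys) {
    if (!(key in expected)) problems.push(`stale field kept: ${key}`);
    else if (!(key in actual)) problems.push(`field missing: ${key}`);
    else if (expected[key] !== actual[key]) problems.push(`wrong value: ${key}`);
  }
  return problems;
}

const before = { id: 7, name: "Ana", email: "ana@shop.example", role: "admin" };
const body = { name: "Ana R.", email: "ana@shop.example" };

// Constructed response from a backend that merges on PUT instead of replacing.
const mergedResponse = { ...before, ...body };

console.log("PUT:", diffUpdate("PUT", before, body, mergedResponse));
console.log("PATCH:", diffUpdate("PATCH", before, body, mergedResponse));
```

The same response is correct for PATCH and a defect for PUT, which is why the method under test has to be part of the assertion.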
HTTP Status Codes in API Testing
Validating responses means checking more than just the body.
Common status codes include:
- 200 OK – Successful request
- 201 Created – Resource successfully created
- 400 Bad Request – Client error (invalid input)
- 401 Unauthorized – Authentication missing
- 403 Forbidden – Access denied
- 404 Not Found – Resource does not exist
- 429 Too Many Requests – Rate limiting
- 500 Internal Server Error – Server-side failure
Example insight from the workshop: If login credentials are visible in a URL and not encrypted, that is a high-severity security issue and must be reported immediately.
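One way to check captured traffic for this issue, as an added example that is not code from the workshop: the function scans a list of requests for credentials in the query string or in the `user:pass@host` part of the URL and marks whether each was sent over plain HTTP. The parameter-name list, the finding format, and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: flags credentials exposed in request URLs.
// SENSITIVE_PARAMS is an assumed starting list; extend it for the API under test.
const SENSITIVE_PARAMS = new Set([
  "password", "passwd", "pwd", "token", "access_token",
  "api_key", "apikey", "secret", "session", "sessionid",
]);

function findCredentialLeaks(requests) {
  const findings = [];
  for (const { method, url } of requests) {
    let parsed;
    try {
      parsed = new URL(url);
    } catch {
      findings.push({ method, host: null, issue: "unparseable-url", cleartext: false });
      continue;
    }
    // Plain HTTP means the whole URL crosses the network unencrypted.
    const cleartext = parsed.protocol === "http:";
    // The user:pass@host form carries the secret in the authority component.
    if (parsed.password !== "") {
      findings.push({ method, host: parsed.host, issue: "userinfo-password", cleartext });
    }
    for (const name of parsed.searchParams.keys()) {
      if (SENSITIVE_PARAMS.has(name.toLowerCase())) {
        // Report the parameter name only, never the secret value.
        findings.push({ method, host: parsed.host, issue: `query-param:${name}`, cleartext });
      }
    }
  }
  return findings;
}

// Constructed sample of captured requests (hosts use the reserved .example TLD).
const captured = [
  { method: "GET", url: "http://api.shop.example/login?user=ana&password=Hunter2" },
  { method: "POST", url: "https://api.shop.example/login" },
  { method: "GET", url: "https://api.shop.example/orders?page=2&access_token=abc123" },
  { method: "GET", url: "https://ana:Hunter2@api.shop.example/profile" },
];

for (const f of findCredentialLeaks(captured)) {
  console.log(`${f.method} ${f.host} ${f.issue} cleartext=${f.cleartext}`);
}
```

Findings with `cleartext=false` are still worth reporting: HTTPS protects the URL in transit, but URLs are routinely written to server logs, proxy logs, and browser history.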
Postman: Testing APIs Through a User Interface
Postman provides a UI to build and test API calls efficiently.
Key components covered:
- Method selector (GET, POST, PUT, DELETE)
- URL (where the request is sent)
- Params (query parameters for specificity)
- Headers (versioning, auth, metadata)
- Body (typically JSON payload for POST/PUT)
- Scripts (automated tests written in JavaScript)
Useful Features
- Environments (switch between servers easily)
- Variables (avoid hardcoding repeated values)
- Import/export collections
- Automated test scripts
- Response validation
Postman allows testers to simulate backend behavior independently from the UI, making it extremely powerful for debugging.
Charles Proxy: Inspecting Live Traffic
Charles Proxy works differently from Postman.
While Postman actively sends requests, Charles Proxy intercepts and inspects traffic happening in real time.
It acts as a middle layer between client and server, allowing you to:
- View requests and responses
- Inspect headers and body data
- Debug authentication flows
- Validate encrypted traffic
- Test mobile app API behavior
This is particularly useful when testing:
- Mobile applications
- Native apps
- Systems without visible developer tools
Unlike Postman, Charles Proxy is primarily a manual debugging tool and does not integrate into CI pipelines as a CLI tool.
When to Use Each Tool
Use Postman when:
- Creating or validating specific API endpoints
- Running structured CRUD tests
- Automating test scripts
- Switching between environments
Use Charles Proxy when:
- Debugging mobile apps
- Inspecting live traffic
- Verifying encryption and headers
- Investigating unexpected behavior
Together, they provide strong coverage for API validation workflows.
Key Takeaways
- API testing validates the communication backbone of modern applications.
- CRUD operations map directly to HTTP methods and must be tested precisely.
- Response codes matter just as much as response bodies.
- Postman simplifies building and automating API tests.
- Charles Proxy enables deep inspection of live traffic, especially for mobile apps.
- Security validation (like encrypted credentials) is a critical part of API testing.
API testing is foundational for reliable software delivery.
FAQs
Can Charles Proxy be used in CI pipelines?
No. It is primarily a UI-based debugging tool and does not function as a CLI automation tool.
Can Postman support GraphQL requests?
Yes. Postman can be used to test GraphQL APIs.
What’s the difference between PUT and PATCH?
PUT replaces the entire resource. PATCH updates specific fields.
