
API key authentication in Postman - Practice Problems & Coding Challenges

Challenge - 5 Problems
Predict Output
intermediate
What is the response status code when API key is missing?

You send a GET request to an API endpoint that requires an API key in the header X-API-Key. You omit this header. What is the expected HTTP status code in the response?

Postman
GET /data HTTP/1.1
Host: api.example.com

A. 500 Internal Server Error
B. 200 OK
C. 401 Unauthorized
D. 403 Forbidden
💡 Hint

Think about what status code means 'authentication required but missing or invalid'.

assertion
intermediate
Which assertion correctly verifies API key authentication success?

You have a Postman test script that checks if the API key authentication succeeded by verifying the response status code is 200. Which assertion is correct?

Postman
pm.test('API key auth success', function() {
    // Fill in assertion here
});
A. pm.response.to.have.status(200);
B. pm.response.to.have.status(401);
C. pm.response.to.have.status(403);
D. pm.response.to.have.status(500);
💡 Hint

Success means the server accepted the API key and returned OK.

locator
advanced
Identify the best header locator for API key in Postman test script

In a Postman test script, you want to check the value of the API key sent in the request header X-API-Key. Which code correctly accesses this header?

A. pm.response.headers.get('X-API-Key')
B. pm.response.getHeader('X-API-Key')
C. pm.request.getHeader('X-API-Key')
D. pm.request.headers.get('X-API-Key')
💡 Hint

Request headers are accessed from pm.request.headers.

🔧 Debug
advanced
Why does this Postman test fail to detect missing API key?

Here is a Postman test script snippet:

pm.test('API key present', function() {
    pm.expect(pm.request.headers.get('X-API-Key')).to.not.be.undefined;
});

But the test passes even when the API key header is missing. Why?

A. pm.request.headers.get throws an error if header is missing
B. pm.request.headers.get returns null, not undefined, when header is missing
C. pm.expect cannot check undefined values
D. The header name is case-sensitive and should be lowercase
💡 Hint

Check what value pm.request.headers.get returns if header is absent.

framework
expert
Which Postman pre-request script correctly sets API key header from environment variable?

You want to add an API key stored in the environment variable API_KEY to the request header X-API-Key before sending the request. Which script does this correctly?

A. pm.request.headers.upsert({key: 'X-API-Key', value: pm.environment.get('API_KEY')});
B. pm.request.headers.set('X-API-Key', pm.environment.get('API_KEY'));
C. pm.request.headers.add({key: 'X-API-Key', value: pm.environment.get('API_KEY')});
D. pm.request.headers.append({key: 'X-API-Key', value: pm.environment.get('API_KEY')});
💡 Hint

Use the method that adds or updates a header correctly in Postman scripts.

Practice

1. What is the main purpose of using an API key in Postman when testing an API?
easy
A. To authenticate and authorize access to the API
B. To format the API response data
C. To change the API endpoint URL
D. To speed up the API response time

Solution

  1. Step 1: Understand API key role

    An API key is used to identify and authorize the client making the request.
  2. Step 2: Identify purpose in Postman

    In Postman, the API key is added to authenticate requests so the server knows who is calling.
  3. Final Answer:

    To authenticate and authorize access to the API -> Option A
  4. Quick Check:

    API key = Authentication [OK]
Hint: API key controls access, not data format or speed [OK]
Common Mistakes:
  • Confusing API key with response formatting
  • Thinking API key changes URL
  • Assuming API key improves speed
2. Which of the following is the correct way to add an API key in Postman headers?
easy
A. Key: Accept, Value: application/xml
B. Key: api_key, Value: <API_KEY>
C. Key: Content-Type, Value: application/json
D. Key: Authorization, Value: Bearer <API_KEY>

Solution

  1. Step 1: Identify standard header for API key

    Many APIs use the Authorization header with a Bearer token format for API keys.
  2. Step 2: Check other options

    api_key is not a standard header key; Content-Type and Accept relate to data format, not authentication.
  3. Final Answer:

    Key: Authorization, Value: Bearer <API_KEY> -> Option D
  4. Quick Check:

    Authorization header = API key location [OK]
Hint: Use Authorization: Bearer <API_KEY> for API key in headers [OK]
Common Mistakes:
  • Using Content-Type or Accept headers for API key
  • Using non-standard header names like api_key
  • Omitting Bearer prefix when required
3. Consider this Postman request setup:
GET https://api.example.com/data?api_key=12345

What will happen if the API key is missing from the query parameters?
medium
A. The API will return a 404 Not Found error
B. The API will return a 401 Unauthorized error
C. The API will return data without restrictions
D. The API will return a 500 Internal Server Error

Solution

  1. Step 1: Understand API key role in authentication

    API keys are used to verify the client. Missing keys usually cause authentication failure.
  2. Step 2: Identify typical server response

    When authentication fails, servers commonly respond with 401 Unauthorized status.
  3. Final Answer:

    The API will return a 401 Unauthorized error -> Option B
  4. Quick Check:

    Missing API key = 401 Unauthorized [OK]
Hint: Missing API key usually causes 401 Unauthorized error [OK]
Common Mistakes:
  • Assuming API returns data without key
  • Confusing 404 Not Found with authentication errors
  • Thinking server crashes with missing key
4. You set the API key in Postman as a header: api_key: 12345. The API still returns 401 Unauthorized. What is the most likely issue?
medium
A. The API key value is too short
B. The API endpoint URL is wrong
C. The API key header name is incorrect; it should be Authorization
D. Postman does not support headers for API keys

Solution

  1. Step 1: Check header naming conventions

    Most APIs expect the API key in the Authorization header, not api_key.
  2. Step 2: Verify Postman supports headers

    Postman fully supports headers, so the issue is likely the header name, not Postman itself.
  3. Final Answer:

    The API key header name is incorrect; it should be Authorization -> Option C
  4. Quick Check:

    Correct header name = Authorization [OK]
Hint: Use Authorization header, not api_key, for API keys [OK]
Common Mistakes:
  • Using wrong header name
  • Blaming Postman for header issues
  • Ignoring API key format requirements
5. You want to securely test an API in Postman using an API key. Which combination of steps ensures best security practice?
hard
A. Add the API key in headers, use HTTPS, and keep the key private
B. Add the API key in URL query parameters and share the collection publicly
C. Use HTTP protocol and add API key in request body
D. Store the API key in environment variables and disable SSL verification

Solution

  1. Step 1: Use HTTPS for secure communication

    HTTPS encrypts data, protecting the API key from being intercepted.
  2. Step 2: Add API key in headers and keep it private

    Headers are safer than URL parameters; keeping the key private prevents leaks.
  3. Final Answer:

    Add the API key in headers, use HTTPS, and keep the key private -> Option A
  4. Quick Check:

    HTTPS + headers + privacy = secure API key use [OK]
Hint: Use HTTPS and headers; never expose API key publicly [OK]
Common Mistakes:
  • Putting API key in URL query parameters publicly
  • Using HTTP instead of HTTPS
  • Disabling SSL verification in Postman
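
Added example for question 5 (not part of the original practice set): a Node.js script that audits an exported Postman collection for the mistakes listed above, namely API keys in URL query parameters, plain HTTP URLs, and literal key values stored in headers instead of {{variable}} references. It assumes the Collection v2.1 JSON layout; the key names it matches and the sample collection are constructed for this example.

```javascript
// Added example: audit an exported Postman collection (v2.1 JSON) for unsafe
// API key handling. The matched key names below are assumptions.
const KEY_NAMES = /^(x-api-key|api[_-]?key|authorization)$/i;
// A value is acceptable only if it is a variable reference such as {{API_KEY}}
const IS_VARIABLE = /^(Bearer\s+)?\{\{[^}]+\}\}$/i;

function auditCollection(collection) {
  const findings = [];
  const walk = (items, trail) => {
    for (const item of items || []) {
      const name = [...trail, item.name].join(' / ');
      if (item.item) walk(item.item, [...trail, item.name]); // folder: recurse
      if (!item.request) continue;
      const { url, header = [] } = item.request;
      // In an export, url is either a plain string or an object with raw/query
      const raw = typeof url === 'string' ? url : (url && url.raw) || '';
      const parsed = url && typeof url === 'object' ? url.query || [] : [];
      if (/^http:\/\//i.test(raw)) findings.push({ name, issue: 'plain-http' });
      const queryString = (raw.split('?')[1] || '').split('#')[0];
      const params = parsed.length ? parsed.map((q) => q.key)
        : [...new URLSearchParams(queryString).keys()];
      for (const key of params) {
        if (KEY_NAMES.test(key)) findings.push({ name, issue: 'key-in-query', key });
      }
      for (const h of header) {
        const value = String(h.value || '').trim();
        if (KEY_NAMES.test(h.key) && !IS_VARIABLE.test(value)) {
          findings.push({ name, issue: 'hardcoded-key', key: h.key });
        }
      }
    }
  };
  walk(collection.item, []);
  return findings;
}

// Constructed sample collection (not a real export)
const sample = { info: { name: 'demo' }, item: [
  { name: 'good', request: { method: 'GET',
    header: [{ key: 'X-API-Key', value: '{{API_KEY}}' }],
    url: { raw: 'https://api.example.com/data', query: [] } } },
  { name: 'folder', item: [
    { name: 'key in url', request: { method: 'GET', header: [],
      url: 'https://api.example.com/data?api_key=12345' } },
    { name: 'http literal', request: { method: 'GET',
      header: [{ key: 'Authorization', value: 'Bearer 12345' }],
      url: { raw: 'http://api.example.com/data' } } } ] } ] };

console.log(auditCollection(sample));
```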