Test Overview
This test checks if the API correctly accepts requests with a valid API key and rejects requests without it or with an invalid key.
0API key authentication in Postman - Test Execution Trace
Start learning this pattern below
Jump into concepts and practice - no test required
or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Test Code - Postman
Postman
pm.test("API key authentication - valid key", function () { pm.sendRequest({ url: pm.environment.get("api_url") + "/data", method: 'GET', header: { 'x-api-key': pm.environment.get("valid_api_key") } }, function (err, res) { pm.expect(err).to.eql(null); pm.expect(res).to.have.property('status', 200); pm.expect(res.json()).to.have.property('success', true); }); }); pm.test("API key authentication - invalid key", function () { pm.sendRequest({ url: pm.environment.get("api_url") + "/data", method: 'GET', header: { 'x-api-key': 'invalid_key' } }, function (err, res) { pm.expect(err).to.eql(null); pm.expect(res).to.have.property('status', 401); pm.expect(res.json()).to.have.property('error', 'Unauthorized'); }); }); pm.test("API key authentication - missing key", function () { pm.sendRequest({ url: pm.environment.get("api_url") + "/data", method: 'GET' }, function (err, res) { pm.expect(err).to.eql(null); pm.expect(res).to.have.property('status', 401); pm.expect(res.json()).to.have.property('error', 'Unauthorized'); }); });
Execution Trace - 3 Steps
| Step | Action | System State | Assertion | Result |
|---|---|---|---|---|
| 1 | Send GET request to /data with valid API key in header 'x-api-key' | API server receives request with valid API key | Response status code is 200 and JSON contains 'success': true | PASS |
| 2 | Send GET request to /data with invalid API key in header 'x-api-key' | API server receives request with invalid API key | Response status code is 401 and JSON contains 'error': 'Unauthorized' | PASS |
| 3 | Send GET request to /data without API key header | API server receives request missing API key | Response status code is 401 and JSON contains 'error': 'Unauthorized' | PASS |
Failure Scenario
Failing Condition: API server does not validate API key correctly or returns wrong status code
Execution Trace Quiz - 3 Questions
Test your understanding
What does the test check when sending a request with a valid API key?
Key Result
Always test API key authentication with valid, invalid, and missing keys to ensure secure access control.
Practice
1. What is the main purpose of using an
API key in Postman when testing an API?easy
Solution
Step 1: Understand API key role
An API key is used to identify and authorize the client making the request.Step 2: Identify purpose in Postman
In Postman, the API key is added to authenticate requests so the server knows who is calling.Final Answer:
To authenticate and authorize access to the API -> Option AQuick Check:
API key = Authentication [OK]
Hint: API key controls access, not data format or speed [OK]
Common Mistakes:
- Confusing API key with response formatting
- Thinking API key changes URL
- Assuming API key improves speed
2. Which of the following is the correct way to add an API key in Postman headers?
easy
Solution
Step 1: Identify standard header for API key
Many APIs use theAuthorizationheader with aBearertoken format for API keys.Step 2: Check other options
api_keyis not a standard header key;Content-TypeandAcceptrelate to data format, not authentication.Final Answer:
Key: Authorization, Value: Bearer <API_KEY> -> Option DQuick Check:
Authorization header = API key location [OK]
Hint: Use Authorization: Bearer <API_KEY> for API key in headers [OK]
Common Mistakes:
- Using Content-Type or Accept headers for API key
- Using non-standard header names like api_key
- Omitting Bearer prefix when required
3. Consider this Postman request setup:
What will happen if the API key is missing from the query parameters?
GET https://api.example.com/data?api_key=12345
What will happen if the API key is missing from the query parameters?
medium
Solution
Step 1: Understand API key role in authentication
API keys are used to verify the client. Missing keys usually cause authentication failure.Step 2: Identify typical server response
When authentication fails, servers commonly respond with 401 Unauthorized status.Final Answer:
The API will return a 401 Unauthorized error -> Option BQuick Check:
Missing API key = 401 Unauthorized [OK]
Hint: Missing API key usually causes 401 Unauthorized error [OK]
Common Mistakes:
- Assuming API returns data without key
- Confusing 404 Not Found with authentication errors
- Thinking server crashes with missing key
4. You set the API key in Postman as a header:
api_key: 12345. The API still returns 401 Unauthorized. What is the most likely issue?medium
Solution
Step 1: Check header naming conventions
Most APIs expect the API key in theAuthorizationheader, notapi_key.Step 2: Verify Postman supports headers
Postman fully supports headers, so the issue is likely the header name, not Postman itself.Final Answer:
The API key header name is incorrect; it should be Authorization -> Option CQuick Check:
Correct header name = Authorization [OK]
Hint: Use Authorization header, not api_key, for API keys [OK]
Common Mistakes:
- Using wrong header name
- Blaming Postman for header issues
- Ignoring API key format requirements
5. You want to securely test an API in Postman using an API key. Which combination of steps ensures best security practice?
hard
Solution
Step 1: Use HTTPS for secure communication
HTTPS encrypts data, protecting the API key from being intercepted.Step 2: Add API key in headers and keep it private
Headers are safer than URL parameters; keeping the key private prevents leaks.Final Answer:
Add the API key in headers, use HTTPS, and keep the key private -> Option AQuick Check:
HTTPS + headers + privacy = secure API key use [OK]
Hint: Use HTTPS and headers; never expose API key publicly [OK]
Common Mistakes:
- Putting API key in URL query parameters publicly
- Using HTTP instead of HTTPS
- Disabling SSL verification in Postman