Postman testing, ~15 mins

Why auth testing secures APIs in Postman - Automation Benefits in Action

Verify API authentication protects endpoints
Step 1: Open Postman and create a new request
Step 2: Set the request method to GET and enter the protected API endpoint URL
Step 3: Send the request without any authentication headers
Step 4: Observe the response status code and message
Step 5: Add the valid authentication token in the Authorization header
Step 6: Send the request again
Step 7: Observe the response status code and message
✅ Expected Result: The request without authentication returns 401 Unauthorized or 403 Forbidden. The request with valid authentication returns 200 OK with expected data.
Automation Requirements - Postman with Newman CLI
Assertions Needed:
Verify response status code is 401 or 403 when no auth header is sent
Verify response status code is 200 when valid auth header is sent
Verify response body contains expected data on successful auth
Best Practices:
Use environment variables for tokens
Use pre-request scripts to set auth headers
Use test scripts to assert response status and body
Organize tests in collections for reusability
Automated Solution
Postman
// Postman test script (Tests tab). The token is expected to come from an
// environment variable and be injected into the Authorization header by a
// pre-request script; the branch below selects the expectations per scenario.
if (pm.request.headers.has('Authorization')) {
    pm.test('Authorized request returns 200', function () {
        pm.response.to.have.status(200);
    });
    pm.test('Response body contains expected data', function () {
        const jsonData = pm.response.json();
        pm.expect(jsonData).to.have.property('data');
    });
} else {
    // Without credentials the API must deny access. The status check runs only
    // in this branch; running it unconditionally would fail the authorized case.
    pm.test('Unauthorized request returns 401 or 403', function () {
        pm.expect(pm.response.code).to.be.oneOf([401, 403]);
    });
}

This Postman test script checks the API response status and body, choosing its assertions by whether the request carried an Authorization header.

First, for requests sent without authentication, it verifies that the response status is 401 or 403, indicating access is denied.

Then, if the Authorization header is present, it asserts the response status is 200, meaning access is granted.

Finally, it checks the response body contains a 'data' property, confirming the API returned expected content.

Using environment variables for tokens and organizing tests in collections helps keep tests clean and reusable.

Common Mistakes - 3 Pitfalls

Mistake 1: Not checking the response status code for unauthorized requests
Why it's bad: Without verifying the status code, you can't be sure the API properly blocks unauthorized access.
Correct approach: Always assert that unauthorized requests return 401 or 403 status codes.

Mistake 2: Hardcoding authentication tokens in the test scripts

Mistake 3: Not testing both authorized and unauthorized scenarios
Bonus Challenge

Now add data-driven testing with 3 different API tokens: one valid, one expired, and one invalid
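The following is an added example, not part of the original page and not Postman's or Newman's own code. It runs the data-driven check the challenge asks for offline in Node: a constructed mock of a protected endpoint stands in for the real API, the four rows (no header, valid, expired, invalid) stand in for the Newman iteration-data file, and the per-row assertions mirror what the Postman test script above checks. A second, deliberately misconfigured mock shows what a failing run looks like. Token names, timestamps and response bodies are assumptions made up for the example.

```javascript
// Added example: data-driven auth check against a constructed mock endpoint.
// In Postman/Newman each row would be one iteration read with
// pm.iterationData.get('token'); here the rows are inlined so the file runs in Node.

// Fixed "current time" so the expired/valid split is deterministic (assumption).
const NOW = Date.UTC(2024, 0, 15, 12, 0, 0);

// Constructed token store standing in for the API's token validator.
const TOKEN_STORE = {
  'tok-valid-001':   { expiresAt: NOW + 3600 * 1000 },  // expires in one hour
  'tok-expired-002': { expiresAt: NOW - 3600 * 1000 },  // expired an hour ago
};

// Mock of a correctly protected endpoint: takes request headers, returns {status, body}.
function protectedEndpoint(headers) {
  const auth = headers['Authorization'];
  if (!auth) return { status: 401, body: { error: 'missing credentials' } };
  const m = /^Bearer\s+(\S+)$/.exec(auth);
  if (!m) return { status: 401, body: { error: 'malformed Authorization header' } };
  const record = TOKEN_STORE[m[1]];
  if (!record) return { status: 401, body: { error: 'invalid token' } };
  if (record.expiresAt <= NOW) return { status: 401, body: { error: 'token expired' } };
  return { status: 200, body: { data: { id: 42, name: 'example' } } };
}

// Mock of a misconfigured endpoint that never checks credentials; used to show
// that the data-driven assertions actually catch a broken auth guard.
function leakyEndpoint(_headers) {
  return { status: 200, body: { data: { id: 42, name: 'example' } } };
}

// Iteration data: the three tokens from the challenge plus the no-header case
// from the base test. In Newman this would be the JSON/CSV passed with --iteration-data.
const ITERATION_DATA = [
  { name: 'no auth header', token: null,              expectStatus: [401, 403], expectData: false },
  { name: 'valid token',    token: 'tok-valid-001',   expectStatus: [200],      expectData: true  },
  { name: 'expired token',  token: 'tok-expired-002', expectStatus: [401, 403], expectData: false },
  { name: 'invalid token',  token: 'tok-not-issued',  expectStatus: [401, 403], expectData: false },
];

// Runs one row against an endpoint, applying the same assertions as the Postman script:
// status must be in the expected set, and 'data' must appear only for an authorized caller.
function runCase(row, endpoint = protectedEndpoint) {
  const headers = row.token === null ? {} : { Authorization: `Bearer ${row.token}` };
  const res = endpoint(headers);
  const failures = [];
  if (!row.expectStatus.includes(res.status)) {
    failures.push(`status ${res.status} not in [${row.expectStatus.join(', ')}]`);
  }
  const hasData = Object.prototype.hasOwnProperty.call(res.body, 'data');
  if (row.expectData && !hasData) failures.push("body missing 'data'");
  if (!row.expectData && hasData) failures.push("body leaked 'data' to an unauthenticated caller");
  return { name: row.name, status: res.status, passed: failures.length === 0, failures };
}

// Runs every row; returns one result per row so a caller can assert on the outcome.
function runAll(endpoint = protectedEndpoint, rows = ITERATION_DATA) {
  return rows.map((row) => runCase(row, endpoint));
}

function report(label, results) {
  console.log(`== ${label} ==`);
  for (const r of results) {
    const detail = r.failures.length ? `: ${r.failures.join('; ')}` : '';
    console.log(`${r.passed ? 'PASS' : 'FAIL'} ${r.name} (HTTP ${r.status})${detail}`);
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  report('correctly protected endpoint', runAll(protectedEndpoint));
  report('misconfigured endpoint', runAll(leakyEndpoint));
}
```

Keeping the expected status list in the data row rather than in the script is what makes the run data-driven: adding a fourth token class (for example a token with the wrong audience) is a new row, not a new test. Against the correctly protected mock all four rows pass; against the leaky mock the three unauthenticated rows fail on both the status and the leaked body, which is exactly the signal the challenge is meant to produce.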
