API Cheat Sheet 2026

The 30 highest-yield API facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

50 questions
60 min time limit
70% to pass
  1. What is Pytest's mechanism for executing code before each test method? Pytest fixtures
  2. What is the 'N+1 query problem' in GraphQL testing? Fetching a list then making N additional queries for each item's related data
  3. Which HTTP header specifies the format of the request body? Content-Type
  4. What HTTP status code indicates a resource was successfully created? 201 Created
  5. Which attack involves injecting malicious scripts through API inputs that are reflected in responses? Cross-Site Scripting (XSS)
  6. What does OAuth 2.0 authorization code flow primarily protect against compared to the implicit flow? Exposing access tokens in the browser URL
  7. What is the BDD approach in API test automation? Behavior-Driven Development using human-readable scenarios to define tests
  8. What does 'idempotent test setup' mean in API test automation best practices? Setup that produces the same starting state regardless of how many times it runs
  9. What does a 408 Request Timeout status code mean? The client didn't send a request within the server's timeout period
  10. What does a 503 Service Unavailable response indicate? The server is temporarily unable to handle the request
  11. What does JWT stand for? JSON Web Token
  12. What does it mean for a REST API to be 'stateless'? Each request contains all information needed to process it
  13. Which attack involves sending malicious data in API input fields to manipulate backend database queries? SQL Injection
  14. What isn't a method for designing dynamic tests? Audit
  15. What does 'contract testing' verify in a microservices API architecture? Consumer and provider agree on the API interface format
  16. What does 'connection pooling' do to improve API performance testing results? Reuses database connections instead of creating new ones per request
  17. What is the purpose of the 'servers' section in an OpenAPI 3.0 specification? Define the base URLs where the API is hosted (e.g., production, staging)
  18. Which HTTP header is used by APIs to indicate which version is being served? X-API-Version or a custom versioning header
  19. What security concern should testers check when introspection is enabled on a production GraphQL API? Exposing the full schema to attackers, revealing sensitive types and mutations
  20. What is the purpose of the OPTIONS HTTP method? Describe communication options for the target
  21. For the json-schema-validator module, which library does REST Assured use? fge library
  22. What is SQL injection in API testing? Injecting malicious SQL through API inputs to manipulate the database
  23. What does 'backward compatibility' mean in API design? New API changes don't break existing client integrations
  24. What is the purpose of an API changelog? Documenting version history and breaking changes for API consumers
  25. What is the recommended structure for API error response bodies? A structured object with error code, message, and details
  26. Which CI/CD integration practice automatically runs API test suites on every code commit? Continuous testing in the pipeline
  27. What is a mock server used for in API test automation? Simulating an API dependency without calling the real service
  28. What is the REST guaranteed default port? 8080
  29. What is the primary HTTP method used to send GraphQL queries and mutations? POST
  30. What does 'virtual users' (VUs) mean in the context of API performance tools like k6? Simulated concurrent clients sending API requests
Turn these facts into recall: