API Cheat Sheet 2026
The 30 highest-yield API facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
50 questions
60 min time limit
70% to pass
- What is Pytest's mechanism for executing code before each test method? → Pytest fixtures
- What is the 'N+1 query problem' in GraphQL testing? → Fetching a list then making N additional queries for each item's related data
- Which HTTP header specifies the format of the request body? → Content-Type
- What HTTP status code indicates a resource was successfully created? → 201 Created
- Which attack involves injecting malicious scripts through API inputs that are reflected in responses? → Cross-Site Scripting (XSS)
- What does OAuth 2.0 authorization code flow primarily protect against compared to the implicit flow? → Exposing access tokens in the browser URL
- What is the BDD approach in API test automation? → Behavior-Driven Development using human-readable scenarios to define tests
- What does 'idempotent test setup' mean in API test automation best practices? → Setup that produces the same starting state regardless of how many times it runs
- What does a 408 Request Timeout status code mean? → The client didn't send a request within the server's timeout period
- What does a 503 Service Unavailable response indicate? → The server is temporarily unable to handle the request
- What does JWT stand for? → JSON Web Token
- What does it mean for a REST API to be 'stateless'? → Each request contains all information needed to process it
- Which attack involves sending malicious data in API input fields to manipulate backend database queries? → SQL Injection
- What isn't a method for designing dynamic tests? → Audit
- What does 'contract testing' verify in a microservices API architecture? → Consumer and provider agree on the API interface format
- What does 'connection pooling' do to improve API performance testing results? → Reuses database connections instead of creating new ones per request
- What is the purpose of the 'servers' section in an OpenAPI 3.0 specification? → Define the base URLs where the API is hosted (e.g., production, staging)
- Which HTTP header is used by APIs to indicate which version is being served? → X-API-Version or a custom versioning header
- What security concern should testers check when introspection is enabled on a production GraphQL API? → Exposing the full schema to attackers, revealing sensitive types and mutations
- What is the purpose of the OPTIONS HTTP method? → Describe communication options for the target
- For the json-schema-validator module, which library does REST Assured use? → fge library
- What is SQL injection in API testing? → Injecting malicious SQL through API inputs to manipulate the database
- What does 'backward compatibility' mean in API design? → New API changes don't break existing client integrations
- What is the purpose of an API changelog? → Documenting version history and breaking changes for API consumers
- What is the recommended structure for API error response bodies? → A structured object with error code, message, and details
- Which CI/CD integration practice automatically runs API test suites on every code commit? → Continuous testing in the pipeline
- What is a mock server used for in API test automation? → Simulating an API dependency without calling the real service
- What is the REST guaranteed default port? → 8080
- What is the primary HTTP method used to send GraphQL queries and mutations? → POST
- What does 'virtual users' (VUs) mean in the context of API performance tools like k6? → Simulated concurrent clients sending API requests
Turn these facts into recall: