HTTP Methods, Status Codes & Headers

API testing requires fluency in HTTP. Understanding what each method, status code, and header means — and when each should appear — lets you design comprehensive API test cases systematically.

The Four Core HTTP Methods

  • GET — Retrieve. Safe and idempotent. Never modify state with GET.
  • POST — Create. Not idempotent — calling twice creates two resources.
  • PUT — Replace entirely. Idempotent — calling twice produces the same result.
  • DELETE — Remove. Idempotent after the first call (subsequent calls return 404 or 204).

PATCH is used for partial updates and is not guaranteed to be idempotent.

The Status Codes You Will Use Every Day

2xx Success

  • 200 OK — request succeeded, body contains result
  • 201 Created — resource created, Location header points to it
  • 204 No Content — succeeded, no body (common for DELETE)

4xx Client Error

  • 400 Bad Request — malformed request (invalid JSON, missing required field)
  • 401 Unauthorized — missing or invalid authentication token
  • 403 Forbidden — authenticated but not authorised
  • 404 Not Found — resource does not exist
  • 422 Unprocessable Entity — valid format, invalid semantics (e.g., end date before start date)
  • 429 Too Many Requests — rate limit exceeded

5xx Server Error

  • 500 Internal Server Error — unhandled exception (never acceptable in production)
  • 503 Service Unavailable — server is down or overloaded

Headers You Must Assert in API Tests

Always verify Content-Type: application/json in responses — if the server sends HTML on error, your parser will break in unexpected ways.

For authenticated endpoints, test with:

  1. No token → expect 401
  2. Invalid/expired token → expect 401
  3. Valid token, wrong role → expect 403
  4. Valid token, correct role → expect 200/201
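
The four authentication cases and the Content-Type check above, written as one reusable test matrix. This is an added example, not code from the lesson; the tokens, the roles, and the in-memory `stub_api` are constructed stand-ins for a real endpoint and HTTP client.

```python
import json

# Constructed sample tokens and roles; hypothetical values for this example only.
TOKENS = {"tok-admin": "admin", "tok-viewer": "viewer"}

def stub_api(headers, leak_html_errors=False):
    """Constructed in-memory stand-in for a POST endpoint that requires the admin role."""
    auth = headers.get("Authorization", "")
    role = TOKENS.get(auth.removeprefix("Bearer "))
    if role is None:
        status = 401          # missing or unknown token
    elif role != "admin":
        status = 403          # authenticated, but not authorised
    else:
        status = 201
    if status >= 400 and leak_html_errors:
        # Simulates a framework default error page leaking through.
        return status, {"Content-Type": "text/html"}, "<h1>Error</h1>"
    return status, {"Content-Type": "application/json"}, json.dumps({"status": status})

# The four cases from the list above: (label, request headers, accepted status codes).
AUTH_MATRIX = [
    ("no token", {}, {401}),
    ("invalid token", {"Authorization": "Bearer expired-or-garbage"}, {401}),
    ("valid token, wrong role", {"Authorization": "Bearer tok-viewer"}, {403}),
    ("valid token, correct role", {"Authorization": "Bearer tok-admin"}, {200, 201}),
]

def run_auth_matrix(send):
    """Call send(headers) -> (status, headers, body) per case; return failure strings."""
    failures = []
    for label, req_headers, expected in AUTH_MATRIX:
        status, resp_headers, body = send(req_headers)
        if status not in expected:
            failures.append(f"{label}: status {status}, expected one of {sorted(expected)}")
        ctype = resp_headers.get("Content-Type", "")
        if ctype.split(";")[0].strip().lower() != "application/json":
            failures.append(f"{label}: Content-Type {ctype!r}, expected application/json")
            continue
        try:
            json.loads(body)  # the header can claim JSON while the body is not
        except ValueError:
            failures.append(f"{label}: body is not valid JSON")
    return failures

if __name__ == "__main__":
    print(run_auth_matrix(stub_api))                                    # well-behaved API
    print(run_auth_matrix(lambda h: stub_api(h, leak_html_errors=True)))  # HTML error pages
```

To run the matrix against a real service, pass a `send` callable that wraps your HTTP client and returns the same `(status, headers, body)` tuple.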

Knowledge Check

An API returns 200 OK when a resource is not found instead of 404. What is the impact on API test design?
