In this chapter, you will practice API testing against TesterRank's live Practice API. Every request hits a real server, returns real responses, and uses real authentication — exactly like testing a production API at your company.
You can use any HTTP client: curl (built into macOS/Linux), Postman, Insomnia, or even a browser extension. All examples in this chapter use curl.
All API endpoints start with your site's base URL followed by /api/v1. If you're running locally, the base URL is http://localhost:3000/api/v1. On the live site, it's https://testerrank.com/api/v1.
Replace BASE_URL in all examples below with your actual base URL. For example: https://testerrank.com/api/v1.
Create your own account. Every user gets a unique JWT token and an API key.
curl -X POST BASE_URL/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Your Name",
    "email": "you@example.com",
    "password": "YourPass@123"
  }'
Expected response (201 Created):
{
  "success": true,
  "data": {
    "user": {
      "id": "usr-6",
      "name": "Your Name",
      "email": "you@example.com",
      "role": "user"
    },
    "token": "eyJhbGciOiJIUzI1NiIs...",
    "apiKey": "qp_live_abc123...",
    "tokenType": "Bearer",
    "expiresIn": 3600
  }
}
Copy and save your token from the response. You will need it for every authenticated request. Tokens expire in 1 hour; log in again to get a new one.
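Added example (not part of the original chapter or TesterRank's own code): shell functions that decode a saved token locally and report how many seconds remain before it expires. It assumes the token is a compact JWT whose payload carries a standard `exp` claim, which the page does not state; the function names and the sample token are constructed for illustration.

```shell
#!/bin/sh
# Added example: read a JWT's header and expiry locally.
# Decoding only reads the token; it does NOT verify the signature.

# Encode a string as unpadded base64url (used only to build the sample token).
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

# Decode one base64url segment; JWT segments omit the '=' padding.
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
        1) return 1 ;;              # impossible length for base64
    esac
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the decoded header ($2 = 1) or payload ($2 = 2) of token $1.
jwt_part() {
    dots=$(printf '%s' "$1" | tr -cd '.' | wc -c)
    [ "$dots" -eq 2 ] || return 1   # compact JWT = exactly three segments
    b64url_decode "$(printf '%s' "$1" | cut -d. -f"$2")"
}

# Seconds until the exp claim; $2 is "now" in epoch seconds (default: clock).
jwt_seconds_left() {
    exp=$(jwt_part "$1" 2 |
        sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$exp" ] || return 1       # no exp claim, or not a JWT at all
    now=${2:-$(date +%s)}
    echo $(( exp - now ))
}

# Constructed sample token (assumed claim names; the signature is a dummy string).
hdr=$(b64url_encode '{"alg":"HS256","typ":"JWT"}')
pay=$(b64url_encode '{"sub":"usr-6","role":"user","iat":1700000000,"exp":1700003600}')
SAMPLE_TOKEN="$hdr.$pay.dummy-signature"

jwt_part "$SAMPLE_TOKEN" 1; echo
echo "seconds left at issue time: $(jwt_seconds_left "$SAMPLE_TOKEN" 1700000000)"
```

Call `jwt_seconds_left` with your own saved token and no second argument; a result at or below zero means the token has expired and you need a fresh one from /auth/login.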
Already registered? Log in with your email and password to get a fresh token.
curl -X POST BASE_URL/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "you@example.com",
    "password": "YourPass@123"
  }'
Expected response (200 OK):
{
  "success": true,
  "data": {
    "user": {
      "id": "usr-6",
      "name": "Your Name",
      "email": "you@example.com",
      "role": "user"
    },
    "token": "eyJhbGciOiJIUzI1NiIs...",
    "tokenType": "Bearer",
    "expiresIn": 3600
  }
}
In all steps below, replace YOUR_TOKEN with the actual token from your register or login response.
Your first authenticated request. Pass the Authorization header with your Bearer token.
curl BASE_URL/auth/me \
  -H "Authorization: Bearer YOUR_TOKEN"
Expected response (200 OK):
{
  "success": true,
  "data": {
    "id": "usr-6",
    "name": "Your Name",
    "email": "you@example.com",
    "role": "user",
    "apiKey": "qp_live_abc123..."
  }
}
1. Remove the Authorization header and run the same request. What status code and error do you get?
2. Try passing a random string as the token (e.g., Bearer abc123). How does the error differ from no token at all?
Q: What is the difference between authentication and authorization?
A: Authentication verifies who you are (login with credentials). Authorization determines what you can do (admin vs regular user permissions). The Bearer token proves authentication; the server then checks authorization based on your role.