Every API call has two parts: what you send (request) and what you get back (response). To test APIs properly, you need to understand every piece of both. Let's break them down.
Path parameters versus query parameters is a point that confuses beginners. Both pass data in the URL, but they serve different purposes.
```
# Path params — identify WHICH resource
GET /api/banking/accounts/ACC-001
                          ^^^^^^^ path param (which account)
GET /api/banking/accounts/ACC-001/transactions/TXN-123
                          ^^^^^^^              ^^^^^^^ both are path params

# Query params — filter/sort/paginate
GET /api/banking/accounts/ACC-001/transactions?page=2&limit=10&sort=date
                                               ^^^^^^ ^^^^^^^^ ^^^^^^^^^
                                               all query params (optional filters)
```

Headers carry information ABOUT the request, not the data itself. Think of them like the label on a courier package — who sent it, what's inside, how to handle it.
| Header | Purpose | Example Value |
|---|---|---|
| Content-Type | What format the body is in | application/json |
| Accept | What format you want the response in | application/json |
| Authorization | Your identity/credentials | Bearer eyJhbGciOiJIUzI1... |
| Cache-Control | Caching rules | no-cache |
| User-Agent | What client is making the call | PostmanRuntime/7.29.0 |
| X-Request-ID | Unique ID to track this request | req-abc-123-def |
```http
// Full HTTP Response — every part labeled

// 1. Status Line
HTTP/1.1 200 OK

// 2. Response Headers
Content-Type: application/json; charset=utf-8
X-Request-ID: req-abc-123-def
X-RateLimit-Remaining: 98
Cache-Control: no-store

// 3. Response Body (the actual data)
{
  "id": "ACC-001",
  "type": "savings",
  "holder": "Priya Sharma",
  "balance": 45000.00,
  "currency": "INR",
  "createdAt": "2024-01-15T10:30:00Z"
}
```

- Status code — is it the expected code? (200, 201, 400, etc.)
- Response body — does the data match what you expected?
- Data types — is "balance" a number or accidentally a string?
- Required fields — are all expected fields present? No missing keys?
- No extra fields — is the API leaking sensitive data (password, internal IDs)?
- Headers — Content-Type correct? Rate limit headers present?
- Response time — did it respond within acceptable limits (under 2 seconds)?
Many testers only check status code and one field in the body. That's not enough. Check ALL fields. Check data types. Check that sensitive data (password, SSN, token) is NOT in the response. This is where real bugs hide.
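The checklist above turned into one test helper, as an added example that is not part of the original article: it validates status, Content-Type, the rate-limit header, every required field and its type, any extra or sensitive field, the timestamp format and the response time, against a constructed copy of the account response. `check_response`, `ACCOUNT_SCHEMA`, `SENSITIVE_KEYS` and the small `Response` stand-in are assumptions made so it runs offline; with a real `requests.Response` you would pass `r.status_code`, `r.headers`, `r.json()` and `r.elapsed.total_seconds()`.

```python
import re
from dataclasses import dataclass

# ACCOUNT_SCHEMA, SENSITIVE_KEYS and check_response are names assumed for this example.
ACCOUNT_SCHEMA = {  # required field -> expected Python type(s)
    "id": str, "type": str, "holder": str,
    "balance": (int, float), "currency": str, "createdAt": str,
}
SENSITIVE_KEYS = {"password", "ssn", "token", "internalid"}  # must never be returned
ISO_8601_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")

@dataclass
class Response:  # minimal stand-in for requests.Response so the example runs offline
    status_code: int
    headers: dict
    body: dict
    elapsed_seconds: float

def check_response(resp, expected_status=200, max_seconds=2.0):
    """Return every finding as a string; an empty list means all checks passed."""
    problems = []
    headers = {k.lower(): v for k, v in resp.headers.items()}  # header names are case-insensitive
    if resp.status_code != expected_status:
        problems.append(f"status {resp.status_code} != {expected_status}")
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/json"):
        problems.append(f"unexpected Content-Type: {ctype!r}")
    if "x-ratelimit-remaining" not in headers:
        problems.append("missing X-RateLimit-Remaining header")
    for key, typ in ACCOUNT_SCHEMA.items():
        if key not in resp.body:
            problems.append(f"missing required field {key}")
        elif not isinstance(resp.body[key], typ) or isinstance(resp.body[key], bool):
            problems.append(f"field {key} has type {type(resp.body[key]).__name__}")  # bool is an int subclass
    for key in sorted(set(resp.body) - set(ACCOUNT_SCHEMA)):  # anything not in the contract
        tag = "SENSITIVE" if key.lower() in SENSITIVE_KEYS else "unexpected"
        problems.append(f"{tag} field leaked: {key}")
    if not ISO_8601_UTC.match(str(resp.body.get("createdAt", ""))):
        problems.append("createdAt is not an ISO-8601 UTC timestamp")
    if resp.elapsed_seconds > max_seconds:
        problems.append(f"slow: {resp.elapsed_seconds}s > {max_seconds}s")
    return problems

# Constructed samples: the page's account response, then the same with five planted defects.
GOOD = Response(200, {"Content-Type": "application/json; charset=utf-8", "X-RateLimit-Remaining": "98"},
    {"id": "ACC-001", "type": "savings", "holder": "Priya Sharma", "balance": 45000.00,
     "currency": "INR", "createdAt": "2024-01-15T10:30:00Z"}, 0.3)
BAD = Response(200, {"Content-Type": "text/html"},  # wrong type, no rate-limit header,
    {"id": "ACC-001", "type": "savings", "holder": "Priya Sharma", "balance": "45000.00",  # balance as string,
     "currency": "INR", "createdAt": "2024-01-15T10:30:00Z", "password": "hunter2"}, 2.5)  # leaked secret, slow
```

Note that `BAD` still returns 200 with a valid-looking `id`, which is exactly the case a status-code-plus-one-field check would pass.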
Q: What is the difference between path parameters and query parameters?
A: Path parameters are part of the URL path and identify a specific resource — like /users/42 where 42 is the user ID. They're required. Query parameters come after the ? and are used for filtering, sorting, or pagination — like /users?role=admin&page=2. They're usually optional. Simple rule: path params say WHICH resource, query params say HOW to filter them.
Key Point: A request has method, URL, headers, and body. A response has status code, headers, and body. Test every piece — not just the body.