The first thing you check in any API response is the status code. Not the body. Not the headers. The status code. It tells you if the request succeeded, failed, or hit an error — in one number. If the status code is wrong, nothing else matters.
```javascript
// Most common — check for exact status code
pm.test("Status code is 200", function () {
    pm.response.to.have.status(200);
});

// You can also check by status text
pm.test("Status is OK", function () {
    pm.response.to.have.status("OK");
});
```

| Code | Meaning | When You See It | Test Example |
|---|---|---|---|
| 200 | OK | GET request succeeded | pm.response.to.have.status(200) |
| 201 | Created | POST created a new resource | pm.response.to.have.status(201) |
| 204 | No Content | DELETE succeeded, no body returned | pm.response.to.have.status(204) |
| 400 | Bad Request | Invalid input / missing fields | pm.response.to.have.status(400) |
| 401 | Unauthorized | No token or expired token | pm.response.to.have.status(401) |
| 403 | Forbidden | Token valid but no permission | pm.response.to.have.status(403) |
| 404 | Not Found | Resource doesn't exist | pm.response.to.have.status(404) |
| 500 | Server Error | Backend crashed | pm.response.to.have.status(500) |

Sometimes an API can return multiple valid codes. A search endpoint might return 200 with results or 204 with no results. Both are valid.
```javascript
// Check if status code is one of multiple valid codes
pm.test("Status code is 200 or 204", function () {
    pm.expect(pm.response.code).to.be.oneOf([200, 204]);
});

// Check status code is in the 2xx range (any success)
pm.test("Status code is 2xx (success)", function () {
    pm.expect(pm.response.code).to.be.within(200, 299);
});

// Negative test — verify invalid input returns 400
pm.test("Invalid input returns 400", function () {
    pm.response.to.have.status(400);
});
```

Key Point: Always test BOTH happy path and error path status codes. If you only test 200s, you'll never know if your API correctly returns 400 for bad input or 401 for missing auth.
For a login endpoint, you'd have at least 4 requests testing different scenarios — each asserting a different status code.
```javascript
// Request 1: Valid login — POST /login with correct credentials
pm.test("Valid login returns 200", function () {
    pm.response.to.have.status(200);
});

// Request 2: Wrong password — POST /login with wrong password
pm.test("Wrong password returns 401", function () {
    pm.response.to.have.status(401);
});

// Request 3: Missing email field — POST /login with no email
pm.test("Missing email returns 400", function () {
    pm.response.to.have.status(400);
});

// Request 4: Server is down — (simulate by hitting wrong port)
pm.test("Server error returns 500", function () {
    pm.response.to.have.status(500);
});
```

Create separate requests for each test scenario. Don't try to test 200 and 400 in the same request — that's impossible since one request gives one status code. Duplicate the request, change the input, and assert the expected error code.
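One way to keep the expected code for every scenario in one place is a collection-level test script driven by a lookup table. This is an added example, not code from the original page; the request names, the `EXPECTED` table and the `checkStatus` helper are assumptions made for illustration. It also separates the two failures that matter most in negative tests: an invalid request that was accepted, and invalid input that caused a server error.

```javascript
// Expected status codes per request name (hypothetical names; adapt to your collection).
const EXPECTED = {
    "Login - valid credentials": [200],
    "Login - wrong password": [401],
    "Login - missing email": [400],
    "Search": [200, 204],
};

// Compare the observed status with the allowed list and explain any mismatch.
function checkStatus(requestName, actual, table = EXPECTED) {
    const allowed = table[requestName];
    if (!allowed) {
        return { ok: false, reason: "no expectation defined" };
    }
    if (allowed.includes(actual)) {
        return { ok: true, reason: "expected" };
    }
    // True when this request is a negative test (only 4xx codes are allowed).
    const expectsClientError = allowed.every((c) => c >= 400 && c <= 499);
    if (expectsClientError && actual >= 200 && actual <= 299) {
        return { ok: false, reason: "invalid request was accepted" };
    }
    if (expectsClientError && actual >= 500) {
        return { ok: false, reason: "invalid input caused a server error" };
    }
    return { ok: false, reason: `expected one of ${allowed.join(", ")}` };
}

// Runs only inside Postman, where the `pm` object exists.
if (typeof pm !== "undefined") {
    const name = pm.info.requestName;
    const result = checkStatus(name, pm.response.code);
    pm.test(`Status check for "${name}": ${result.reason}`, function () {
        pm.expect(result.ok, result.reason).to.be.true;
    });
}
```

A request with no entry in the table fails the test, so a newly added request cannot pass without a declared expectation.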
Q: How do you validate status codes in Postman? Give an example of negative testing.
A: I use pm.response.to.have.status(code) for exact checks and pm.expect(pm.response.code).to.be.oneOf([]) for multiple valid codes. For negative testing, I duplicate the request with invalid inputs — like missing required fields, invalid tokens, or out-of-range values — and assert the expected error codes (400, 401, 403, 404). For example, sending a POST /users with an empty body should return 400, and I write pm.response.to.have.status(400) to verify the API rejects it properly.
Key Point: Status code is the first assertion in every test. Test both success (2xx) and error (4xx, 5xx) paths.