# CHAPTER 9
Understanding API Responses and Status Codes
1. Introduction
API testing is a two-way street: building the perfect request is only half the job, and the other half is analyzing the server's reply. When you click "Send" in Postman, the server communicates success, failure, or confusion through HTTP status codes and the response body. In this chapter, we will learn how to read the Postman Response Viewer, decode the most common HTTP status codes, and understand what the server is trying to tell us when things break.
2. Learning Objectives
By the end of this chapter, you will be able to:
- Locate and interpret the Status Code, Time, and Size in the Response Viewer.
- Categorize HTTP Status Codes by their leading digit (2xx, 3xx, 4xx, 5xx).
- Identify the meaning of common codes: 200, 201, 400, 401, 404, and 500.
- Differentiate between a Client Error and a Server Error.
3. Beginner-Friendly Explanation
Imagine applying for a loan at a bank. You hand your application (the Request) to the teller. The teller takes it to the back room (the Server). When the teller returns, they give you two things:
1. A quick verbal summary (the Status Code): "Approved!", "Denied!", or "The computer system crashed." This is an instant, standardized summary of what happened.
2. The paperwork (the Response Body): A detailed document explaining exactly *why* you were approved or denied, or the specifics of your new account.
In Postman, the Status Code is the colour-coded (green, yellow, or red) number at the top right of the Response pane. The Body is the JSON text below it.
4. Real-World Examples
- The Typo (404): A frontend developer makes a typo in their code, requesting /usr instead of /users. The server immediately returns a 404 Not Found status.
- The Bad Password (401): A user tries to log in with the wrong password. The API returns a 401 Unauthorized status.
- The Crash (500): A million people try to buy concert tickets at the exact same second. The database overloads and the application code throws an exception it never expected. The API returns a 500 Internal Server Error. (A server that deliberately sheds load answers 503 Service Unavailable instead; either way it is a 5xx, and not the client's fault.)
5. Categorizing Status Codes
HTTP status codes are three-digit numbers categorized by their first digit:
- 1xx (Informational): "Hang on, I'm processing." (Rarely seen in daily API testing).
- 2xx (Success): "Everything went perfectly!"
- 3xx (Redirection): "That data moved, go look over there."
- 4xx (Client Error): "YOU made a mistake. Fix your request and try again."
- 5xx (Server Error): "I (the server) made a mistake or crashed. Your request was fine, but I broke."
6. The Most Important Codes to Memorize
As an API tester, these are the codes you will see daily:

| Code | Name | Meaning & Typical Use Case |
|---|---|---|
| 200 | OK | Standard success. Data retrieved successfully (GET). |
| 201 | Created | Success! A new record was added to the database (POST). The body usually returns the new record, often with a Location header pointing at its URL. |
| 204 | No Content | Success! Action completed (like DELETE), but there is no data to return. |
| 400 | Bad Request | The JSON you sent was malformed or missing required fields. |
| 401 | Unauthorized | Missing, expired, or invalid credentials. Despite the name, this means "not authenticated"; the response carries a WWW-Authenticate header telling you which scheme to use. |
| 403 | Forbidden | You are authenticated, but you don't have permission (e.g., you are not an Admin). Retrying with the same credentials will not help. |
| 404 | Not Found | The URL does not exist, or the specific ID (e.g., user 9999) does not exist. |
| 405 | Method Not Allowed | You tried to use POST on a URL that only accepts GET. The Allow header lists the methods that are accepted. |
| 500 | Internal Server Error | The backend code threw an unhandled exception. Alert the developers! If the body contains a stack trace or raw SQL error text, report that too: it is an information leak. |
7. Step-by-Step Tutorial (Triggering Errors)
Let's intentionally trigger some errors in Postman using JSONPlaceholder (a free fake REST API; writes are simulated, so nothing you POST is actually stored).

Triggering a 404 (Missing Resource):
1. Send a GET request to https://jsonplaceholder.typicode.com/posts/999999.
2. Look at the Status Code. It will be 404 Not Found because post 999999 doesn't exist. The body is an empty object, {}.

Triggering a 404 (Bad URL):
1. Send a GET request to https://jsonplaceholder.typicode.com/wrongendpoint.
2. Again, 404 Not Found.

Triggering a 201:
1. Send a POST request to https://jsonplaceholder.typicode.com/posts with a valid JSON body (for example, title, body, and userId fields).
2. The status is 201 Created, and the body echoes your fields back with a new id of 101. Because the write is faked, a follow-up GET to /posts/101 returns 404.
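To see how a server decides which code from the table to send, here is an added example that is not code from this chapter, from Postman, or from JSONPlaceholder: a toy in-memory "posts" API written in plain Node.js. It reproduces the behaviours the tutorial triggers (404 for a missing ID, 404 for a bad URL, 201 for a valid POST) plus the 400, 401, 403, 405 and 500 cases from the table and the DELETE-on-a-collection case from the challenge later in this chapter. The bearer tokens, the stored record, and the route layout are all constructed assumptions for the example.

```javascript
// Added example (not code from the chapter, Postman, or JSONPlaceholder): a toy
// in-memory "posts" API showing how a server chooses each status code.
// Tokens, stored records and routes below are constructed sample data.

const posts = new Map([[1, { id: 1, userId: 1, title: "first post" }]]);
const tokens = { "user-token": { role: "user" }, "admin-token": { role: "admin" } };
let databaseDown = false; // flip to true to simulate a backend fault (-> 500)

// Minimal response object: status, headers, and a body (null for 204).
function reply(status, body = null, headers = {}) {
  return { status, headers, body };
}

// Route one request. `headers` uses lower-case names, as Node's http module does.
function handle(method, path, headers = {}, rawBody = "") {
  const token = (headers.authorization || "").replace(/^Bearer\s+/i, "");
  const user = tokens[token];

  // 401: no usable credentials. "Unauthorized" really means "unauthenticated";
  // WWW-Authenticate tells the client which scheme to use. Checking this before
  // routing also avoids revealing which URLs exist to anonymous callers.
  if (!user) {
    return reply(401, { error: "missing or invalid bearer token" }, { "WWW-Authenticate": "Bearer" });
  }

  const m = path.match(/^\/posts(?:\/(\d+))?$/);
  if (!m) return reply(404, { error: `no route for ${path}` }); // typo in the URL
  const id = m[1] === undefined ? null : Number(m[1]);

  if (id === null) { // the collection: /posts
    if (method === "GET") return reply(200, [...posts.values()]);
    if (method === "POST") {
      let data;
      try {
        data = JSON.parse(rawBody); // malformed JSON -> 400
      } catch {
        return reply(400, { error: "request body is not valid JSON" });
      }
      // Missing or non-string required field -> 400, and the body says which field.
      if (data === null || typeof data !== "object" || typeof data.title !== "string" || data.title === "") {
        return reply(400, { error: "field 'title' is required", field: "title" });
      }
      const newId = Math.max(0, ...posts.keys()) + 1;
      posts.set(newId, { id: newId, ...data });
      return reply(201, posts.get(newId), { Location: `/posts/${newId}` });
    }
    // 405: the URL exists, but not for this verb (e.g. DELETE on the whole list).
    // The Allow header tells the client which verbs would have worked.
    return reply(405, { error: `${method} not allowed on /posts` }, { Allow: "GET, POST" });
  }

  // A single resource: /posts/:id
  if (databaseDown) throw new Error("db connection refused"); // a backend bug, not the client's fault
  if (!posts.has(id)) return reply(404, { error: `post ${id} not found` }); // the *data* is missing
  if (method === "GET") return reply(200, posts.get(id));
  if (method === "DELETE") {
    if (user.role !== "admin") { // authenticated, but not permitted -> 403
      return reply(403, { error: "admin role required to delete posts" });
    }
    posts.delete(id);
    return reply(204); // success, nothing to return
  }
  return reply(405, { error: `${method} not allowed on ${path}` }, { Allow: "GET, DELETE" });
}

// 500: any exception escaping the handler. Log the stack server-side, but send
// the client only a generic message: stack traces in the body leak internals.
function serve(method, path, headers, rawBody) {
  try {
    return handle(method, path, headers, rawBody);
  } catch (err) {
    console.error(`500 on ${method} ${path}: ${err.stack}`);
    return reply(500, { error: "internal server error" });
  }
}

// Walk through the tutorial's requests against the toy server.
const asUser = { authorization: "Bearer user-token" };
console.log(serve("GET", "/posts/999999", asUser).status);   // 404
console.log(serve("GET", "/wrongendpoint", asUser).status);  // 404
console.log(serve("POST", "/posts", asUser, JSON.stringify({ title: "hello", body: "x" })).status); // 201
console.log(serve("DELETE", "/posts", asUser).status);        // 405
```

Each branch maps to one row of the table: the client-side mistakes (bad URL, bad JSON, missing token, wrong role, wrong verb) all come back as 4xx with a body naming the problem, while the one server-side fault is caught at the edge and turned into a generic 500 so the stack trace stays in the server log.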
8. The Response Body is Still Important
A status code tells you the category of the problem, but the body gives you the details. If an API returns a 400 Bad Request, you must read the JSON body. A well-designed API will return a body that names the problem, such as which field was missing or malformed and why it was rejected.
*Rule of thumb: Always read the body if you get a 4xx or 5xx error!*
9. Best Practices
- Verify Both Code and Body: When writing Postman tests, always assert that the status code is what you expect (e.g., 200) AND that the body contains the specific data you need. A test that checks only the code will pass against an API that wraps an error inside a 200 response.
- Log 500 Errors: If you hit a 500 error while testing a company API, record the URL, the exact request (method, headers, body), and the full response. 500 errors are bugs in the backend code and must be reported. If the response body contains a stack trace, SQL error text, or internal file paths, flag that separately: the server is leaking implementation details to anyone who can trigger the error.
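The two best practices above, and the "fake 200" anti-pattern discussed in the FAQ at the end of this chapter, can be turned into a single reusable check. The following is an added example, not code from the chapter or from Postman: a plain JavaScript triage function that judges a response by its status code and its body together, and tells the tester what to do next. The response objects at the bottom are constructed samples, not captures from a real API, and the leak-detection patterns are an assumption chosen for illustration.

```javascript
// Added example (not code from the chapter or from Postman): triage a response
// by status code AND body, and report what a tester should do next.
// The SAMPLES below are constructed, not captured from a real API.

const CATEGORY = { 1: "informational", 2: "success", 3: "redirection", 4: "client error", 5: "server error" };

// The first digit of the code is its category.
function categorize(status) {
  return CATEGORY[Math.floor(status / 100)] || "invalid";
}

// resp = { status, headers: { lower-case-name: value }, body: string }
// Returns { category, findings, action }: findings belong in a bug report,
// action is the tester's next step.
function triage(resp, expectedStatus = 200) {
  const findings = [];
  const category = categorize(resp.status);
  const contentType = (resp.headers["content-type"] || "").toLowerCase();
  const text = typeof resp.body === "string" ? resp.body : (resp.body == null ? "" : JSON.stringify(resp.body));

  if (resp.status !== expectedStatus) {
    findings.push(`expected ${expectedStatus}, got ${resp.status} (${category})`);
  }

  // Always read the body; parse it as JSON only when the server claims it is JSON.
  let json = null;
  if (contentType.includes("application/json")) {
    try {
      json = JSON.parse(text);
    } catch {
      findings.push("Content-Type says JSON but the body does not parse");
    }
  }

  // A crashing backend often answers with an HTML error page instead of JSON.
  if (/^\s*<(!doctype|html)/i.test(text)) findings.push("body is an HTML page, not JSON");

  // Stack traces, SQL text or file paths in a 5xx body are an information leak:
  // report it as a security finding as well as a bug. (Illustrative patterns.)
  if (category === "server error" && /(stack trace|traceback|exception|\.(php|py|js|java):\d+|syntax error|select .+ from)/i.test(text)) {
    findings.push("5xx body leaks internal details (stack trace, SQL or file paths)");
  }

  // The "fake 200" anti-pattern: a success code wrapping an application error.
  if (category === "success" && json && (json.error || json.success === false)) {
    findings.push("success status but the body reports an error");
  }

  let action;
  if (category === "server error") action = "report: save the URL, request and full response for the backend team";
  else if (resp.status === 401) action = "authenticate: add or refresh credentials";
  else if (resp.status === 403) action = "check permissions: identity is valid but lacks the role";
  else if (category === "client error") action = "fix the request: recheck URL, method, headers and JSON";
  else if (category === "redirection") action = `follow Location: ${resp.headers.location || "(missing)"}`;
  else action = findings.length ? "investigate" : "ok";

  return { category, findings, action };
}

// Constructed sample responses (not real captures).
const SAMPLES = {
  fine: { status: 200, headers: { "content-type": "application/json" }, body: '{"id": 1, "title": "hello"}' },
  crashed: { status: 500, headers: { "content-type": "text/html" },
    body: "<!DOCTYPE html><h1>Fatal error</h1><p>Uncaught Exception in /var/www/app/UserController.php:42</p>" },
  fake200: { status: 200, headers: { "content-type": "application/json" }, body: '{"success": false, "error": "database timeout"}' },
  noToken: { status: 401, headers: { "content-type": "application/json", "www-authenticate": "Bearer" }, body: '{"error": "token missing"}' },
};

for (const [name, resp] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(triage(resp)));
}
```

Inside a Postman Tests tab the same object can be built from pm.response.code, pm.response.headers.get("Content-Type") and pm.response.text(), and the test failed with pm.expect(result.findings).to.be.empty; the point is that the assertion covers the body as well as the code.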
10. Common Mistakes
- Assuming 404 only means "Bad URL": In REST, /users/15 represents a specific resource. If User 15 is deleted, a GET request to that URL will return 404. It means the *data* is not found, not just that the endpoint is broken.
- Blaming the Server for 400 errors: Remember, 4xx codes are Client Errors. If you get a 400 or 401, do not report a bug to the backend team until you have double-checked your JSON syntax, headers, and spelling. It is almost always a problem with the request.
11. Mini Exercises
1. If you try to access a premium API endpoint without an API key, what 4xx status code should you expect?
2. You send a perfectly formatted JSON POST request, but the server crashes and returns HTML instead of JSON. What category (number range) of status code will be returned?
12. Coding/Testing Challenges
Challenge 1: In Postman, try sending a DELETE request to https://jsonplaceholder.typicode.com/posts (notice: no ID is provided at the end of the URL, just /posts). What status code do you receive? Look up what this code means. *(Hint: It's likely a 404 or a 405, because you can't delete the entire list of posts. If it is a 405, check the response for an Allow header listing the methods the URL does accept.)*
13. MCQs with Answers
Which category of HTTP Status Codes indicates that the client (you) made a mistake in the request?
A: 4xx (Client Error).
Which HTTP Status Code specifically means "Unauthorized" (you are missing valid authentication credentials)?
A: 401 Unauthorized.
If a backend developer writes a PHP script with a fatal syntax error, what status code will the API likely return when tested?
A: 500 Internal Server Error (a 5xx Server Error).
14. Interview Questions
- Q: Explain the difference between a 401 Unauthorized and a 403 Forbidden status code.
- Q: As a QA Engineer, you are testing a new API endpoint. You send a valid request, but receive a 500 Internal Server Error. What is your next step?
- Q: What does a 201 Created status code indicate, and which HTTP method is it most commonly associated with?
15. FAQs
Q: Can developers fake status codes? A: Yes. A backend developer *can* write code that returns 200 OK even if a database query fails. However, this is a well-known anti-pattern in REST API design: it makes testing very difficult, and any monitoring, caching, or retry logic that keys on the status code will treat the failure as a success.
16. Summary
In this chapter, we learned to decode the language of web servers: HTTP Status Codes. We discovered that 2xx codes mean success, 4xx codes mean the client (we) made an error, and 5xx codes mean the server failed. We memorized the crucial codes (200, 201, 400, 401, 404, 500) and learned to always read the JSON response body to find the exact details of why a request failed.
17. Next Chapter Recommendation
Up to this point, we have been hardcoding our URLs (typing https://jsonplaceholder... every time). This is tedious and violates the DRY (Don't Repeat Yourself) principle. Proceed to Chapter 10: Using Environment Variables to learn how to make your Postman requests dynamic and professional.