TL;DR: REST APIs are a core part of modern software development. Interviewers usually test five areas: HTTP basics, resource design, authentication, scalability, and production troubleshooting. This guide provides concise answers, examples, tables, and scenario-based responses for API interviews.

REST APIs are the backbone of most modern web and mobile applications. They help frontends communicate with backends, databases, payment systems, identity platforms, and third-party services in a structured way. For developers, REST is not just about knowing endpoints. It is about understanding how data moves, how requests are handled, and how APIs stay reliable at scale.

REST API interview questions usually begin with methods, status codes, CRUD, and statelessness. As the role becomes more advanced, interviewers also test caching, pagination, idempotency, authentication, rate limits, versioning, monitoring, and system design trade-offs. This guide covers the most important REST API interview questions and answers for beginners, mid-level developers, and experienced professionals, with a focus on clear concepts, practical examples, and production-ready thinking.

REST API Interview Guide

Beginner Questions on REST APIs

1. What is a REST API?

A REST API is an HTTP API that follows REST (Representational State Transfer) principles. It exposes resources through URLs and uses HTTP methods such as GET, POST, PUT, PATCH, and DELETE.

Example: GET /users/101 fetches the user with ID 101.

2. What are resources in REST?

A resource is any object or data entity that can be accessed through an API. Examples include users, orders, invoices, products, or comments.

Good resource names use nouns.

Good          Bad
/users        /getUsers
/orders/15    /fetchOrderById

3. What are common HTTP methods in REST?

Method   Use                   Example
GET      Read data             GET /products
POST     Create data           POST /products
PUT      Replace data          PUT /products/10
PATCH    Update part of data   PATCH /products/10
DELETE   Remove data           DELETE /products/10

4. What is CRUD in REST?

CRUD means Create, Read, Update, and Delete. These operations map to HTTP methods.

Create maps to POST. Read maps to GET. Update maps to PUT or PATCH. Delete maps to DELETE.

5. What does statelessness mean in REST?

Statelessness means the server does not store client session data between requests. Every request must contain all information needed to process it.

For example, a request should carry an access token. The server should not depend on a previous request to identify the user.

6. What is the difference between PUT and PATCH?

PUT replaces the complete resource. PATCH updates only selected fields.

Example:

PUT /users/7 may replace the full user object.

PATCH /users/7 may update only the user’s phone number.

7. What are common REST status codes?

Code   Meaning
200    Request successful
201    Resource created
204    Successful request with no response body
400    Bad request
401    Not authenticated
403    Not allowed (authenticated, but not permitted)
404    Resource not found
409    Conflict
500    Server error

8. What is the difference between 401 and 403?

401 means the client is not authenticated. 403 means the client is authenticated but does not have permission.

Example: A logged-out user gets 401. A logged-in user trying to access admin data gets 403.

9. What is JSON in REST APIs?

JSON is a lightweight data format used to send and receive data. It is easy for humans to read and easy for applications to parse.

Example:

{
  "id": 101,
  "name": "Riya",
  "role": "developer"
}

10. What makes an API RESTful?

An API is RESTful when it uses resources, standard HTTP methods, stateless requests, proper status codes, and consistent URL design. It should also separate client and server concerns.


Intermediate Questions on REST APIs

1. What is authentication in REST APIs?

Authentication verifies who the user or client is. Common methods include API keys, basic authentication, OAuth 2.0, and JSON Web Tokens.

A production API should use HTTPS and avoid sending credentials in plain text.

2. What is authorization?

Authorization checks what an authenticated user can access. It answers the question: “Is this user allowed to perform this action?”

Example: A user may view their own order but not another user’s order.

3. What is API pagination?

Pagination breaks large results into smaller pages. It improves response time and reduces server load.

Example:

GET /products?page=2&limit=20

For large datasets, cursor-based pagination is often better.

GET /products?cursor=eyJpZCI6MTAw&limit=20

4. Offset vs cursor pagination: Which is better?

Type                 Best For                         Limitation
Offset pagination    Small datasets and admin lists   Can become slow on large tables
Cursor pagination    Feeds, logs, high-volume APIs    More complex to implement
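Offset versus cursor (keyset) pagination from the two questions above, as an added Python example that is not from the page. It assumes the cursor is a base64url encoding of a small JSON document holding the last id returned (the page's example cursor decodes to the start of exactly such a document); the in-memory list stands in for a database table.

```python
import base64
import json

# Constructed sample table: products already ordered by ascending id.
PRODUCTS = [{"id": i, "name": f"product-{i}"} for i in range(1, 16)]


def encode_cursor(last_id: int) -> str:
    """Opaque cursor: base64url of a tiny JSON document holding the last id the client saw."""
    raw = json.dumps({"id": last_id}, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_cursor(cursor: str) -> int:
    """Inverse of encode_cursor. Anything that is not our own cursor raises, which maps to 400."""
    padded = cursor + "=" * (-len(cursor) % 4)
    try:
        doc = json.loads(base64.urlsafe_b64decode(padded))
        return int(doc["id"])
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("invalid cursor") from exc


def offset_page(rows, page: int, limit: int):
    """GET /products?page=N&limit=M: skips (N-1)*M rows first, so cost grows with N."""
    start = (page - 1) * limit
    return rows[start:start + limit]


def cursor_page(rows, cursor, limit: int):
    """GET /products?cursor=C&limit=M: keyset query, i.e. WHERE id > last_id ORDER BY id LIMIT M."""
    last_id = decode_cursor(cursor) if cursor else 0
    items = [r for r in rows if r["id"] > last_id][:limit]
    next_cursor = encode_cursor(items[-1]["id"]) if len(items) == limit else None
    return {"items": items, "next_cursor": next_cursor}


def drift_demo():
    """A row from page 1 is deleted between two requests; offset paging then silently skips id 6."""
    rows = [dict(r) for r in PRODUCTS]
    offset_page(rows, 1, 5)
    cursor = cursor_page(rows, None, 5)["next_cursor"]
    rows = [r for r in rows if r["id"] != 3]          # deletion happens between the two page fetches
    offset_ids = [r["id"] for r in offset_page(rows, 2, 5)]
    cursor_ids = [r["id"] for r in cursor_page(rows, cursor, 5)["items"]]
    return offset_ids, cursor_ids


if __name__ == "__main__":
    print(encode_cursor(100))   # eyJpZCI6MTAwfQ
    print(drift_demo())         # ([7, 8, 9, 10, 11], [6, 7, 8, 9, 10])
```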

5. What is caching in REST APIs?

Caching stores responses so future requests can be served faster. It reduces latency and backend load.

Common headers include Cache-Control, ETag, and Last-Modified.

Example: Product categories can be cached because they do not change often. Cart totals should not be cached without strict rules in place.
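The caching example above worked through in Python (added here, not code from the page): a conditional GET on product categories that revalidates with ETag and If-None-Match, beside a cart endpoint that forbids caching. Endpoint names, data and the header handling are constructed for the example.

```python
import hashlib
import json

# Constructed sample data: a slow-changing public list and a per-user, volatile cart.
CATEGORIES = ["books", "shoes", "toys"]
CART = {"user_id": 10, "items": 2, "total": 59.99}


def _represent(payload):
    """Canonical JSON body plus a strong ETag derived from it (quoted, as the header syntax requires)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return body, '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def _matches(if_none_match, etag: str) -> bool:
    """If-None-Match may be '*' or a comma-separated list of validators, some marked weak (W/)."""
    if if_none_match is None:
        return False
    if if_none_match.strip() == "*":
        return True
    tags = [t.strip() for t in if_none_match.split(",")]
    return any(t == etag or t == "W/" + etag for t in tags)


def get_categories(request_headers: dict):
    """GET /categories: shareable by caches for an hour, then revalidated; unchanged data sends no body."""
    body, etag = _represent(CATEGORIES)
    headers = {"ETag": etag, "Cache-Control": "public, max-age=3600"}
    if _matches(request_headers.get("If-None-Match"), etag):
        return 304, headers, b""
    return 200, headers, body


def get_cart(request_headers: dict):
    """GET /cart: user-specific and changes on every add-to-cart, so caches must not keep it."""
    body, _ = _represent(CART)
    return 200, {"Cache-Control": "private, no-store"}, body
```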

6. What is idempotency?

An operation is idempotent if repeating it gives the same final result.

GET, PUT, and DELETE are usually idempotent. POST is usually not idempotent because it may create a new resource each time. Idempotency is about the resulting server state, not the response: a repeated DELETE may return 404 the second time, but the resource is gone either way.

Example: Retrying PUT /users/5 with the same body should still leave the user in the same state.

7. How do you handle duplicate POST requests?

Use an idempotency key. The client sends a unique key with the request. The server stores the result for that key and returns the same result on subsequent requests.

This is common in payment APIs.
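A server-side idempotency key store for the duplicate-POST case above, as an added Python example that is not from the page. The header name Idempotency-Key, the /orders endpoint and the in-memory dictionaries standing in for Redis and the orders table are assumptions.

```python
import hashlib
import json

# In-memory stand-ins for Redis and the orders table (constructed for this example).
IDEMPOTENCY_STORE = {}   # (client_id, key) -> {"fingerprint", "status", "body"}
ORDERS = []


def _fingerprint(body: dict) -> str:
    """Hash of the canonical request body, used to catch a key reused with a different payload."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def _error(status: int, code: str, message: str):
    return status, {"error": {"code": code, "message": message}}


def create_order(client_id: int, headers: dict, body: dict):
    """POST /orders. The header name Idempotency-Key is an assumption; the page names none."""
    key = headers.get("Idempotency-Key")
    if not key:
        return _error(400, "MISSING_IDEMPOTENCY_KEY", "Idempotency-Key header is required.")
    # Scope the key to the caller so one client cannot replay or probe another client's keys.
    store_key = (client_id, key)
    fingerprint = _fingerprint(body)
    saved = IDEMPOTENCY_STORE.get(store_key)
    if saved is not None:
        if saved["fingerprint"] != fingerprint:
            return _error(422, "IDEMPOTENCY_KEY_REUSED", "Key already used with a different request body.")
        return saved["status"], saved["body"]   # replay the original outcome; no second order
    # In production reserve the key atomically (Redis SET NX) before doing the work, so two
    # concurrent requests with the same key cannot both get past this point.
    order = {"id": len(ORDERS) + 1, "client_id": client_id,
             "amount": body["amount"], "currency": body["currency"]}
    ORDERS.append(order)
    IDEMPOTENCY_STORE[store_key] = {"fingerprint": fingerprint, "status": 201, "body": order}
    return 201, order
```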

8. What is content negotiation?

Content negotiation allows the client and server to agree on the response format. Clients use headers such as Accept: application/json.

The server can return JSON, XML, or another supported format.

9. What are query parameters used for?

Query parameters help filter, sort, search, and paginate data.

Examples:

GET /products?category=shoes

GET /orders?status=paid&sort=created_at

They should not be used for sensitive data such as passwords or tokens, because URLs end up in browser history, proxy logs, and server access logs.

10. How should errors be returned in REST APIs?

Errors should be clear, consistent, and machine-readable.

Example:

{
  "error": {
    "code": "INVALID_EMAIL",
    "message": "Please enter a valid email address."
  }
}

A good API should not expose stack traces or internal database details.

Advanced Questions on REST APIs

1. What is an API gateway?

An API gateway is a layer between clients and backend services. It handles routing, authentication, rate limiting, logging, request transformation, and sometimes caching.

What the interviewer checks: They want to know if you understand gateway-level control in microservices.

2. Why is rate limiting important?

Rate limiting controls how many requests a client can make in a time window. It protects APIs from abuse, accidental traffic spikes, scraping, and denial-of-service patterns.

Example: Allow 100 requests per user per minute.

Return 429 Too Many Requests when the limit is crossed.

3. How would you design rate limiting?

Use a token bucket, a leaky bucket, or a fixed-window algorithm. Store counters in a fast system such as Redis. Apply limits by user ID, IP address, API key, or tenant.

What the interviewer checks: They want to see whether you consider distributed counters, fairness, and burst traffic.
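A token bucket limiter implementing the page's policy of 100 requests per user per minute, as an added Python example that is not from the page. The in-memory dictionary stands in for Redis, the fake clock exists only to make the demo deterministic, and the X-RateLimit-* header names are a common convention, not something the page specifies.

```python
import math
import time


class TokenBucketLimiter:
    """Per-client token bucket: bursts up to `capacity`, refilled at `rate` tokens per second.
    The dict stands in for Redis; across nodes the read-refill-write below must be atomic."""

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self._buckets = {}   # client key -> (tokens, last refill timestamp)

    def check(self, client_key: str):
        """Returns (status, headers): 200 allows the request, 429 rejects it with Retry-After."""
        now = self.clock()
        tokens, last = self._buckets.get(client_key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        headers = {"X-RateLimit-Limit": str(self.capacity)}
        if tokens >= 1.0:
            self._buckets[client_key] = (tokens - 1.0, now)
            headers["X-RateLimit-Remaining"] = str(int(tokens - 1.0))
            return 200, headers
        self._buckets[client_key] = (tokens, now)
        headers["X-RateLimit-Remaining"] = "0"
        headers["Retry-After"] = str(math.ceil((1.0 - tokens) / self.rate))
        return 429, headers


class FakeClock:
    """Deterministic clock for the demo; set .now to simulate elapsed seconds."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def simulate(limit_per_minute=100):
    """The page's policy, 100 requests per user per minute: drain the bucket, then watch it refill."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(limit_per_minute, limit_per_minute / 60.0, clock)
    # Key by authenticated user id; IP keys are weaker (shared NATs, client-controlled X-Forwarded-For).
    statuses = [limiter.check("user:42")[0] for _ in range(limit_per_minute + 1)]
    rejected_headers = limiter.check("user:42")[1]
    clock.now += 1.0                                   # about 1.67 tokens refilled
    after_wait = limiter.check("user:42")[0]
    other_user = limiter.check("user:43")[0]           # separate bucket, unaffected
    return statuses.count(200), statuses.count(429), rejected_headers["Retry-After"], after_wait, other_user
```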

4. What is API versioning?

API versioning manages changes without breaking existing clients.

Common approaches:

Approach             Example
URL versioning       /v1/users
Header versioning    Accept: application/vnd.company.v2+json
Query versioning     /users?version=2

URL versioning is simple. Header versioning is cleaner but harder to test manually.

5. How do you scale a high-traffic REST API?

Use horizontal scaling, load balancing, caching, database indexing, asynchronous processing, and CDN support where applicable. Keep APIs stateless so requests can be handled by any server instance.

What the interviewer checks: They look for system thinking, not just “add more servers.”

6. How do REST APIs work in distributed systems?

In distributed systems, REST APIs often connect multiple services. Each service owns a specific business capability. APIs must handle latency, partial failures, retries, timeouts, and data consistency.

A strong answer should mention circuit breakers, correlation IDs, retries with backoff, and eventual consistency.

7. How do you secure REST APIs?

Use HTTPS, strong authentication, short-lived tokens, authorization checks, input validation, rate limits, audit logs, and secure headers. Sensitive secrets should be stored in a vault, not in code.

The OWASP API Security Top 10 lists broken object-level authorization (BOLA) as the number one API risk. So every endpoint that accesses an object by ID must verify ownership and permission.

8. What is observability in REST APIs?

Observability helps teams understand what is happening inside the API. It includes logs, metrics, and traces.

Important signals include request count, latency, error rate, saturation, p95 latency, p99 latency, and dependency failures.

Scenario-Based Questions on REST APIs

1. REST API becomes slow during peak traffic. What will you check?

Start with metrics. Check latency, error rate, CPU, memory, database queries, cache hit ratio, thread pools, and downstream service latency.

Then isolate the bottleneck. If the database is slow, add indexes or optimize queries. If traffic is high, add caching and scale horizontally. If one endpoint is heavy, move long-running work to a queue.

2. How would you handle retries safely?

Use retries only for transient failures such as network timeouts or 503 errors. Add exponential backoff and jitter, and honor a Retry-After header when the server sends one. Avoid retrying non-idempotent POST requests unless the API supports idempotency keys.

Production example: A payment request should not charge the customer twice because the client retried after a timeout.
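A client-side retry policy for the scenario above, as an added Python example that is not from the page: exponential backoff with full jitter, retries only on transient outcomes, and no retry of a POST unless an idempotency key is present. The FlakyServer, the status set and the delay constants are constructed for the demo.

```python
import random
import time

TRANSIENT = {429, 502, 503, 504}   # worth a retry; 400/401/403/404 are not transient


def backoff_delay(attempt: int, base=0.2, cap=5.0, rng=random.random) -> float:
    """Exponential backoff with full jitter: uniform in [0, min(cap, base * 2**attempt)]."""
    return rng() * min(cap, base * (2 ** attempt))


def send_with_retries(request_fn, method, idempotency_key=None, max_attempts=4,
                      sleep=time.sleep, rng=random.random):
    """request_fn() makes one HTTP call and returns (status, body) or raises TimeoutError.
    Returns (status, body, attempts); status is None when the final attempt timed out."""
    if method == "POST" and idempotency_key is None:
        max_attempts = 1   # a repeated POST without a key may create or charge twice
    status, body = None, None
    for attempt in range(max_attempts):
        try:
            status, body = request_fn()
        except TimeoutError:
            status, body = None, None   # the server may or may not have acted
        if status is not None and status not in TRANSIENT:
            return status, body, attempt + 1
        if attempt + 1 < max_attempts:
            sleep(backoff_delay(attempt, rng=rng))
    return status, body, max_attempts


class FlakyServer:
    """Constructed backend: first call times out if asked, then 503 until `failures` are used up."""
    def __init__(self, failures, timeout_first=False):
        self.failures, self.timeout_first, self.calls = failures, timeout_first, 0

    def __call__(self):
        self.calls += 1
        if self.calls <= self.failures:
            if self.timeout_first and self.calls == 1:
                raise TimeoutError
            return 503, {"error": {"code": "UNAVAILABLE", "message": "try later"}}
        return 200, {"ok": True}


def demo():
    """GET is retried, POST only with an idempotency key; rng pinned so the delays are fixed."""
    delays, fixed = [], (lambda: 1.0)
    r_get = send_with_retries(FlakyServer(2, timeout_first=True), "GET", sleep=delays.append, rng=fixed)
    r_post = send_with_retries(FlakyServer(2), "POST", sleep=delays.append, rng=fixed)
    r_post_key = send_with_retries(FlakyServer(2), "POST", idempotency_key="k-1",
                                   sleep=delays.append, rng=fixed)
    return r_get, r_post, r_post_key, delays
```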

3. How would you design a secure public API?

Use OAuth 2.0 or signed API keys, HTTPS, rate limits, request validation, schema validation, audit logs, and clear error responses. Add scopes for permissions.

For example, a partner API may use scopes such as orders:read and orders:write.

4. What is the difference between public and private APIs?

Type          Audience                          Security Need
Public API    External developers or partners   Strong governance, documentation, throttling
Private API   Internal teams or services        Service identity, network controls, access policies

A private API still needs security. Internal does not mean trusted by default.

5. How would you design an API for millions of users?

Use stateless services behind a load balancer. Add CDN caching for public content. Use read replicas for heavy reads. Use queues for asynchronous tasks. Apply rate limiting at the gateway. Use distributed tracing to debug issues across services.

This is where RESTful API interview questions often move from syntax to architecture.

6. How do you handle backward compatibility?

Do not remove fields suddenly. Add new optional fields first. Keep old versions active for a defined period. Announce deprecations clearly. Track client usage before removing old endpoints.


REST API Design Questions

1. What are good REST resource naming practices?

Use nouns, plural names, lowercase letters, and hyphens where needed.

Good examples:

/users

/orders/45/items

Avoid verbs:

/getAllUsers

/createNewOrder

2. How should nested resources be designed?

Use nesting when the child resource clearly belongs to the parent.

Good:

GET /users/10/orders

Avoid deep nesting:

/companies/1/departments/2/teams/3/users/4/tasks/5

Deep nesting makes APIs hard to maintain. Use filters instead.

3. How do filtering and sorting work?

Use query parameters.

Examples:

GET /products?category=books

GET /products?sort=price_desc

GET /employees?department=engineering&status=active

Keep parameter names consistent across APIs.

4. What are examples of good and bad API design?

Purpose         Good API                  Bad API
Get users       GET /users                GET /getUsers
Create user     POST /users               GET /createUser
Delete user     DELETE /users/12          POST /deleteUser
Filter orders   GET /orders?status=paid   GET /paidOrdersOnly

Good design is predictable. Developers should guess the next endpoint correctly after seeing a few examples.

5. How should APIs handle partial responses?

Allow clients to request only the required fields.

Example:

GET /users/10?fields=id,name,email

This reduces payload size and improves performance, especially for mobile clients.

6. What should API documentation include?

API documentation should include endpoint URLs, methods, request parameters, headers, authentication rules, status codes, error examples, sample responses, rate limits, and versioning notes.

Good documentation reduces support tickets and helps developers integrate faster.

Questions on REST APIs for Experienced Developers

For senior roles, interviewers expect more than definitions. They want proof that you can design, operate, secure, and debug APIs in production. This section is aimed at candidates with around 10 years of experience, where answers must include trade-offs.

1. How do you design REST APIs for scalability?

Start with stateless services. Add load balancing, caching, pagination, asynchronous processing, and database optimization. Separate read-heavy and write-heavy paths where needed.

For example, order creation can be synchronous until payment confirmation, but invoice generation can be asynchronous.

2. How do you protect APIs from broken object-level authorization?

Never trust object IDs from the client. Always check whether the authenticated user has access to that object.

Bad flow: GET /orders/123 returns the order because the ID exists.

Good flow: The API checks that order 123 belongs to the logged-in user before returning it.
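The bad and good flows for GET /orders/123 side by side, as an added Python example that is not from the page; it also serves the "How do you secure REST APIs?" question above. The sample orders, users and the support role are constructed, and the dictionary lookup stands in for a database query.

```python
# Constructed sample data: orders with an owner, plus three authenticated callers.
ORDERS = {
    123: {"id": 123, "owner_id": 7, "total": 49.0},
    124: {"id": 124, "owner_id": 8, "total": 12.5},
}
ALICE = {"id": 7, "roles": []}
BOB = {"id": 8, "roles": []}
SUPPORT = {"id": 1, "roles": ["support"]}


def _error(status: int, code: str, message: str):
    return status, {"error": {"code": code, "message": message}}


def get_order_bad(order_id: int, user):
    """Bad flow from the page: any authenticated caller can read any order whose ID exists."""
    if user is None:
        return _error(401, "UNAUTHENTICATED", "Sign in to continue.")
    order = ORDERS.get(order_id)
    if order is None:
        return _error(404, "NOT_FOUND", "Order not found.")
    return 200, order


def find_order_for(order_id: int, owner_id: int):
    """Ownership is part of the lookup itself (WHERE id = ? AND owner_id = ?), not a filter
    bolted on afterwards, so a handler cannot forget the check."""
    order = ORDERS.get(order_id)
    return order if order is not None and order["owner_id"] == owner_id else None


def get_order_good(order_id: int, user):
    """Good flow: the order must belong to the caller, or the caller holds an explicit role."""
    if user is None:
        return _error(401, "UNAUTHENTICATED", "Sign in to continue.")
    if "support" in user["roles"]:
        order = ORDERS.get(order_id)          # privileged path is explicit and easy to audit
    else:
        order = find_order_for(order_id, user["id"])
    if order is None:
        # 404 for both "missing" and "not yours", so the response does not confirm that another
        # user's ID exists; 403 is also acceptable but reveals that the order is real.
        return _error(404, "NOT_FOUND", "Order not found.")
    return 200, order
```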

3. How do you monitor API health?

Track RED metrics: rate, errors, and duration. Also track saturation, dependency latency, queue depth, database connection usage, and cache hit ratio.

Use structured logs and correlation IDs. This helps trace one request across multiple services.

4. How would you manage API contracts across teams?

Use OpenAPI specifications, contract testing, API linting, and review workflows. Each change should be backward compatible unless a new version is released.

For microservices, consumer-driven contract testing helps detect breaking changes before deployment.

5. How do you choose between REST and GraphQL?

Use REST when resources are clear, caching is important, and the API needs simple integration. Use GraphQL when clients need flexible data selection from multiple related resources.

REST is easier to cache and monitor. GraphQL can reduce over-fetching, but needs stronger query complexity controls.


6. How do you handle long-running operations?

Do not keep the HTTP request open for too long. Return 202 Accepted with a job ID.

Example:

POST /reports

Response:

{
  "jobId": "rep_123",
  "statusUrl": "/reports/jobs/rep_123"
}

The client can poll the status endpoint or receive a webhook when the job is complete.

7. What mistakes should experienced developers avoid?

Common mistakes include weak authorization, unclear error responses, no rate limiting, poor pagination, leaking internal errors, inconsistent naming, and a lack of observability.

Senior developers should also avoid designing APIs only for today’s use case. Good APIs remain stable as products grow.


Key Takeaways

  • REST API interviews test both fundamentals and real-world judgment. Beginners should know HTTP methods, status codes, CRUD, statelessness, and JSON. 
  • Intermediate candidates should explain authentication, pagination, caching, idempotency, and error handling with examples. 
  • Advanced candidates should connect API design with gateways, distributed systems, rate limiting, observability, and security.
  • These REST interview questions are best answered with short, practical, and example-led responses.
  • Do not only define the term. Explain where it is used, what can go wrong, and how you would handle it in production.
