QA Practice API for Students

TestAPI
testapi.in

A production-grade REST API built for learning
Postman & Playwright API testing.
4 modules · 5 auth types · 3 roles · 50+ endpoints

👑 Admin · admin@testapi.in / admin@123
🏪 Seller · seller@testapi.in / seller@123
🛒 Customer · customer@testapi.in / customer@123
🔑 API Key · X-API-Key header · testapi-key-2026-xyz
35+ Endpoints · 4 Auth Types · 3 User Roles · 200+ Seed Records
// 01 — modules

All Endpoints

4 modules with full CRUD. Public routes need no auth. Protected routes need Bearer token.

🔐 Authentication 5 endpoints
POST /auth/register Register new user → get JWT tokens Public
POST /auth/login Login → access token + refresh token Public
POST /auth/refresh Get new access token via refresh token Public
POST /auth/logout Invalidate token on server Bearer
GET /auth/me Get current logged-in user profile Bearer
👤 Users 6 endpoints
GET /users?page=1&limit=10&role=&search= Get all users with pagination + filter Admin
GET /users/:id Get user by ID Bearer
POST /users Create new user Admin
PUT /users/:id Full update user Bearer
PATCH /users/:id Partial update user Bearer
DELETE /users/:id Delete user (returns 204) Admin
📦 Products 6 endpoints · GET is public
GET /products?category=&search=&sort=price&order=asc&minPrice=&maxPrice= Get all products — filter, sort, search Public
GET /products/:id Get single product Public
POST /products Create product Seller
PUT /products/:id Full update product Seller
PATCH /products/:id Partial update (e.g. just price/stock) Seller
DELETE /products/:id Delete own product Seller
🛒 Orders 7 endpoints
GET /orders?status=pending&page=1 Get all orders Admin
GET /orders/:id Get order by ID Bearer
GET /orders/user/:userId Get all orders of a user Bearer
POST /orders Place new order (reduces stock) Customer
PATCH /orders/:id/status Update order status Admin
PATCH /orders/:id/address Update delivery address (pending only) Bearer
DELETE /orders/:id Cancel order Bearer
🏨 Bookings 6 endpoints
GET /bookings Get all bookings Admin
GET /bookings/:id Get booking by ID Bearer
POST /bookings Create booking Bearer
PUT /bookings/:id Full update booking Bearer
PATCH /bookings/:id Partial update booking Bearer
DELETE /bookings/:id Cancel booking (204) Bearer
🔒 Special Auth Endpoints 4 endpoints
GET /basic/users Get users via Basic Auth Basic
GET /basic/profile Basic auth profile check Basic
GET /apikey/products?api_key= Products via API Key (header or query) API Key
GET /apikey/validate Validate your API key API Key
// 02 — authentication

Auth Types

Practice all auth patterns used in real companies — JWT, Refresh Tokens, Basic Auth, API Keys.

Bearer Token (JWT)
JWT Authentication
Login → get access token → send as Authorization header. Used by most modern APIs like Swiggy, Zomato, etc.
POST /auth/login
body: { email, password }
header: Authorization: Bearer <token>
expires: 15 minutes
Refresh Token
Token Refresh Flow
Access token expires in 15min. Use refresh token (7 days) to get a new one without logging in again. Used by Amazon, Netflix.
POST /auth/refresh
body: { refreshToken: "..." }
returns: new accessToken
refresh expires: 7 days
Basic Auth
HTTP Basic Authentication
Legacy auth using Base64 encoded credentials. Still used in internal tools, Jenkins, and older enterprise APIs.
GET /basic/users
username: basicuser
password: basic@123
Authorization: Basic YmFzaWN1c2VyOmJhc2ljQDEyMw==
API Key
API Key Authentication
Send a static key via header or query param. Used by Razorpay, Google Maps, Stripe, Twilio, SendGrid, etc.
GET /apikey/products
X-API-Key: testapi-key-2026-xyz
or via query param:
?api_key=testapi-key-2026-xyz
// 03 — error handling

HTTP Status Codes

Every error returns a consistent JSON structure with status, error name, message, and timestamp.

Error Response Format
{
  "status": 401,
  "error": "Unauthorized",
  "message": "Token is missing or invalid",
  "timestamp": "2026-03-21T10:00:00Z"
}
Validation Error (422)
{
  "status": 422,
  "error": "Unprocessable Entity",
  "message": "Validation failed",
  "details": [{ "field": "email", "message": "Valid email required" }]
}
200 OK: Request successful. Data returned.
201 Created: Resource created successfully.
204 No Content: Delete successful. No body returned.
400 Bad Request: Missing or invalid fields in request body.
401 Unauthorized: No token, wrong token, or expired token.
403 Forbidden: Valid token but wrong role (e.g. customer hitting an admin route).
404 Not Found: Resource or route doesn't exist.
409 Conflict: Duplicate email on register.
422 Unprocessable Entity: Validation failed. Check the details array.
429 Too Many Requests: Rate limit exceeded. Max 100 req/hour.
500 Server Error: Something went wrong on the server.
// 04 — quick start

Start Testing in 5 Minutes

Open Postman and follow these steps. No setup required.

1. Login and Get Token
   POST /auth/login with customer@testapi.in / customer@123. Copy accessToken from the response.

2. Set Bearer Token in Postman
   Authorization tab → Bearer Token → paste accessToken. Now all requests use it.

3. Browse Public Products
   GET /products — no auth needed. Add ?category=electronics or ?search=laptop to filter.

4. Trigger 401 and 403 Errors
   No token → 401. Customer token on admin route → 403. Great for negative testing!

5. Practice Refresh Token Flow
   Use POST /auth/refresh with your refreshToken to get a new accessToken when it expires.

6. Test Basic Auth + API Key
   GET /basic/users with Basic Auth. GET /apikey/products with X-API-Key header or ?api_key= param.

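As an added example (not code from testapi.in), the login, Bearer and refresh-token flow from the Auth Types section and quick-start steps 1, 2, 4 and 5, written as the small JavaScript client a Playwright API test would wrap. The BASE URL and the fakeApi() stand-in are assumptions constructed so the block runs offline; pass the global fetch instead to exercise the real service.

```javascript
// Added example, not testapi.in's code. BASE is an assumed URL; fakeApi() below is a constructed stand-in.
const BASE = "https://testapi.in";
class ApiClient {
  constructor(fetchImpl, base = BASE) { this.fetch = fetchImpl; this.base = base; this.tokens = null; }
  post(path, body) {
    return this.fetch(this.base + path, { method: "POST",
      headers: { "Content-Type": "application/json" }, body: JSON.stringify(body) });
  }
  async login(email, password) {
    const res = await this.post("/auth/login", { email, password });
    if (res.status !== 200) throw new Error(`login failed: ${res.status}`);
    const data = await res.json();
    this.tokens = { access: data.accessToken, refresh: data.refreshToken };
    return data;
  }
  // The 7-day refresh token buys a new 15-minute access token without logging in again.
  async refresh() {
    const res = await this.post("/auth/refresh", { refreshToken: this.tokens.refresh });
    if (res.status !== 200) throw new Error(`refresh failed: ${res.status}`);
    this.tokens.access = (await res.json()).accessToken;
  }
  // GET a protected route. 401 = missing/expired token: refresh once and retry.
  // 403 = valid token but wrong role: a retry cannot help, so surface the error JSON.
  async get(path) {
    const send = () => this.fetch(this.base + path,
      { headers: { Authorization: `Bearer ${this.tokens.access}` } });
    let res = await send();
    if (res.status === 401) { await this.refresh(); res = await send(); }
    const data = await res.json();
    if (res.status >= 400) throw new Error(`${data.status} ${data.error}: ${data.message}`);
    return data;
  }
}
// Constructed stand-in for the API: one valid access token at a time, errors in the documented shape.
function fakeApi() {
  let valid = "access-0", refreshes = 0;
  const json = (status, body) => ({ status, json: async () => body });
  const err = (status, error, message) => json(status, { status, error, message, timestamp: "2026-03-21T10:00:00Z" });
  const fetchImpl = async (url, opts = {}) => {
    const path = new URL(url).pathname;
    if (path === "/auth/login") return json(200, { accessToken: valid, refreshToken: "refresh-0", expiresIn: "15m" });
    if (path === "/auth/refresh") { valid = `access-${++refreshes}`; return json(200, { accessToken: valid }); }
    if ((opts.headers || {}).Authorization !== `Bearer ${valid}`) return err(401, "Unauthorized", "Token is missing or invalid");
    if (path === "/users") return err(403, "Forbidden", "Admin role required"); // customer on an admin-only route
    return json(200, { id: "65f2a", role: "customer" });
  };
  fetchImpl.expireAccessToken = () => { valid = "expired-" + valid; }; // simulate the 15-minute expiry
  return fetchImpl;
}
```
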
Sample: Login Response
{
  "message": "Login successful",
  "user": {
    "id": "65f2a...",
    "name": "Customer User",
    "role": "customer"
  },
  "accessToken": "eyJhbGci...",
  "refreshToken": "eyJhbGci...",
  "expiresIn": "15m"
}
Sample: Pagination Response
{
  "data": [...],
  "pagination": {
    "total": 50,
    "page": 1,
    "limit": 10,
    "totalPages": 5
  }
}
// 05 — seed data

Pre-loaded Test Data

Auto-seeded on first startup. Start testing immediately — no need to create data manually.

👥 53 Users (all roles)
📦 50 Products (8 categories)
🛒 100 Orders (all statuses)
🏨 50 Hotel Bookings