400 Rest API Interview Questions with Answers 2026

Data Handling: Content negotiation, JSON standards, and Serialization.

API Security: JWT, OAuth 2.0, Rate Limiting, and CORS.

Optimization: Caching strategies, Pagination, and API Gateways.

DevOps & Testing: OpenAPI/Swagger, Postman, and Contract Testing.

B) PATCH

C) DELETE

D) GET

E) CONNECT

F) TRACE

Correct Answer: D & F (Note: In standard MCQ, choose D as the primary answer).

Overall Explanation: Safety refers to methods that do not modify the resource state, while idempotency means multiple identical requests have the same effect as a single request.

Option Explanations:

B) Incorrect: PATCH is not idempotent; repeated applications can change state differently.

C) Incorrect: DELETE is idempotent but not safe (it modifies state by removing it).

D) Correct: GET is safe (read-only) and idempotent.

E) Incorrect: CONNECT is used for tunneling and is not safe.

F) Correct: TRACE is safe and idempotent as it merely echoes the received request.

When implementing an OAuth 2.0 flow for a Single Page Application (SPA) with no backend, which grant type is currently recommended by best security practices?

B) Resource Owner Password Credentials

C) Authorization Code Flow with PKCE

D) Client Credentials Flow

E) Refresh Token Flow

F) Device Code Flow

Correct Answer: C

Overall Explanation: Due to security vulnerabilities in the Implicit Flow, the Authorization Code Flow with Proof Key for Code Exchange (PKCE) is now the industry standard for public clients.

Option Explanations:

B) Incorrect: This requires the user to share their password directly with the app, which is insecure.

C) Correct: PKCE provides a cryptographically strong mechanism to prevent authorization code interception.

D) Incorrect: This is for machine-to-machine communication, not user-facing SPAs.

E) Incorrect: This is used to obtain new access tokens, not for initial authentication.

F) Incorrect: This is designed for input-constrained devices like Smart TVs.

If a client requests a resource representation format that the server does not support (e.g., requesting 'application/xml' when only 'application/json' is available), which HTTP status code should I return?

B) 403 Forbidden

C) 404 Not Found

D) 405 Method Not Allowed

E) 406 Not Acceptable

F) 415 Unsupported Media Type

Correct Answer: E

Overall Explanation: Content negotiation is handled via the 'Accept' header; when the server cannot fulfill this, it triggers a 406 error.

Option Explanations:

B) Incorrect: 403 is for permission issues.

C) Incorrect: 404 means the URI itself does not exist.

D) Incorrect: 405 means the HTTP Verb (like PUT) isn't allowed on that URI.

E) Correct: 406 specifically indicates the server cannot produce a response matching the 'Accept' headers.

F) Incorrect: 415 is used when the client sends a payload format (Content-Type) that the server cannot process.

This is a huge original question bank

You get support from instructors if you have questions

Each question has a detailed explanation

Mobile-compatible with the Udemy app

30-day money-back guarantee if you're not satisfied