Nerd Level Tech logo

Postman Learn how to Improve Your API Testing Skills

Updated: March 27, 2026

#postman#api-testing#developer-tools#recreated
Postman Learn how to Improve Your API Testing Skills

TL;DR

Postman automates API testing through request collections, assertions, and CI/CD integration via Newman. Advanced techniques include mock servers for isolated testing, environment variables for managing configurations, and contract testing to ensure API/client compatibility.

Manual API testing is a bottleneck. Click a button, eyeball the response, click again. It doesn't scale. As your API grows, you need automated testing that runs on every commit, provides consistent results, and catches regressions early.

Postman has long been one of the most widely used API testing tools, and in 2026 it remains powerful — but the landscape has shifted. After Postman removed offline mode in v10 and the company doubled down on cloud-first workflows, a wave of users migrated to lighter, local-first alternatives like Bruno (now ~41K GitHub stars and growing fast) and Hoppscotch. Postman responded by announcing native offline support, local filesystem storage, and Git-based collections, with rollout continuing through 2026. Understanding Postman deeply — plus knowing when to reach for alternatives — makes you a better developer.

This guide takes you from basic request building to advanced workflows: automated testing, CI/CD pipelines, mock servers, and contract testing.

Getting Started: Building Your First Test

Postman's core is the request builder. You specify a URL, headers, and body, then send the request and inspect the response.

POST https://api.example.com/api/users
Content-Type: application/json

{
  "email": "test@example.com",
  "name": "John Doe"
}

But the real power emerges when you add tests — JavaScript code that runs after the response arrives.

Writing Post-Response Tests

In Postman's "Post-response" tab (formerly "Tests" in older versions), you write assertions that validate the response.

// Basic status check
pm.test("Status is 201", function() {
  pm.response.to.have.status(201);
});

// Check response structure
pm.test("Response contains user ID", function() {
  pm.expect(pm.response.json()).to.have.property('id');
});

// Validate response data
pm.test("Email matches request", function() {
  const requestBody = JSON.parse(pm.request.body.raw);
  const responseBody = pm.response.json();
  pm.expect(responseBody.email).to.equal(requestBody.email);
});

// Check response time (performance)
pm.test("Response time is under 500ms", function() {
  pm.expect(pm.response.responseTime).to.be.below(500);
});

These tests are assertions written in JavaScript. Postman uses the Chai assertion library, giving you powerful expressive syntax.

A collection groups related requests into a hierarchy, simulating a user workflow.

Example collection structure:

User Management API
├── Authentication
│   ├── POST /login
│   ├── POST /refresh
│   └── POST /logout
├── Users
│   ├── GET /users
│   ├── POST /users (create)
│   ├── GET /users/:id
│   ├── PUT /users/:id (update)
│   └── DELETE /users/:id
└── Validation
    ├── Invalid email format
    ├── Missing required fields
    └── Duplicate email error

Collections allow you to organize hundreds of requests logically. You can run an entire collection, testing the full workflow in sequence.

Environment Variables: Managing Configuration

Hardcoding URLs and credentials into requests is terrible practice. Use environment variables instead.

Setting up an environment:

Create an environment with variables for your API URL and authentication token:

{
  "base_url": "https://api.example.com",
  "api_key": "sk_live_abc123def456",
  "auth_token": ""
}

Reference variables with {{variable_name}} syntax:

GET {{base_url}}/api/users
Authorization: Bearer {{auth_token}}

Updating variables in tests:

Tests can update environment variables. For example, after a login request, extract the token and store it for subsequent requests:

pm.test("Login successful", function() {
  pm.response.to.have.status(200);
});

// Extract token and save to environment
const token = pm.response.json().token;
pm.environment.set('auth_token', token);

This pattern enables end-to-end workflows: login → get token → use token in subsequent authenticated requests.

Pre-Request Scripts: Setup Before Sending

Pre-request scripts run before a request is sent. Use them for generating dynamic data, timestamps, or signatures.

// Generate current timestamp
pm.environment.set('timestamp', Date.now());

// Generate a unique email for signup tests
const randomId = Math.random().toString(36).substring(7);
pm.environment.set('test_email', `test_${randomId}@example.com`);

// Generate HMAC signature for signed requests
const crypto = require('crypto');
const secret = pm.environment.get('api_secret');
const message = pm.request.body.raw;
const signature = crypto.createHmac('sha256', secret).update(message).digest('hex');
pm.request.headers.add({key: 'X-Signature', value: signature});

Pre-request scripts enable dynamic test data and handle complex authentication schemes.

Mock Servers: Testing Without a Live API

Mock servers simulate an API without needing a backend running. Define mock responses for each endpoint, and Postman serves them.

Benefits:

  • Front-end teams can start development before the backend is ready
  • Test error scenarios (500, 404, 429) without crashing production
  • Isolate API tests from backend reliability
  • Consistent, fast responses

To set up a mock server:

  1. Right-click your collection → "Mock collection"
  2. Define example responses for each endpoint
  3. Postman generates a mock URL (e.g., https://mock.pstmn.io/abc123)
  4. Point your client to the mock server during development

CI/CD Integration with Newman

Newman is Postman's command-line runner. It executes collections automatically in pipelines.

Basic usage:

newman run collection.json --environment env.json

Output:

User API

 POST /login
 ✓ Status is 200
 ✓ Token is present

 GET /users
 ✓ Status is 200
 ✓ Response contains user list

 49 requests | 49 passed | 0 failed

GitHub Actions integration:

name: API Tests
on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run API tests
        run: |
          npm install -g newman
          newman run postman_collection.json \
            --environment postman_env.json \
            --reporters cli,json \
            --reporter-json-export results.json

      - name: Upload results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: test-results
          path: results.json

Now your API tests run on every commit. Failing tests block merges.

Contract Testing: Ensuring API/Client Compatibility

Contract testing verifies that your API and client agree on the interface. It catches breaking changes before they hit production.

Example scenario: Your frontend expects user.id to be a number. You change it to a string. Without contract testing, clients break.

Postman supports contract testing through post-response assertions:

pm.test("User schema matches contract", function() {
  const schema = {
    type: "object",
    properties: {
      id: { type: "integer" },
      email: { type: "string" },
      name: { type: "string" },
      created_at: { type: "string" }
    },
    required: ["id", "email", "name"]
  };

  pm.response.to.have.jsonSchema(schema);
});

This assertion ensures the response matches your expected schema. Change the API response shape, and the test fails — alerting you to breaking changes.

Postman Alternatives

Postman is widely used but no longer unchallenged. Each alternative makes different trade-offs around licensing, storage model, and footprint:

Bruno

  • MIT-licensed, fully open source, ~41K GitHub stars and one of the fastest-growing API clients of 2024-2026
  • Git-native: collections live as plaintext files in your repo, no proprietary cloud sync
  • Supports REST, GraphQL, gRPC, and WebSocket
  • Best fit when your team treats API definitions like source code

Hoppscotch

  • Open source, available as web, desktop, and CLI (active 2026 release cadence)
  • Self-hostable for teams that need on-prem
  • Pre-request and test scripts, plus team workspaces in the cloud edition
  • Strong fit for quick browser-based testing and self-hosted deployments

Insomnia

  • Open source, Kong-owned since 2019
  • Notable history: Insomnia 8.0 (Sept 2023) made cloud sync mandatory and triggered significant backlash; Insomnia 8.3 restored local-only projects, and current versions support Local Vault, Cloud Sync, and Git storage side-by-side
  • Tighter integration with Kong API gateway for teams already on that stack

Thunder Client

  • VS Code extension. Originally free and open source, but transitioned to a paid model in 2024 with key features moved behind a paywall, and the source code is no longer open
  • Still convenient if you live inside VS Code and only need light testing
  • Many users migrated to Bruno or the REST Client extension after the licensing change

Best Practices for API Testing

1. Test happy and sad paths Test not just successful requests, but also:

  • Missing required fields (400 Bad Request)
  • Invalid authentication (401 Unauthorized)
  • Insufficient permissions (403 Forbidden)
  • Non-existent resources (404 Not Found)
  • Rate limit exceeded (429 Too Many Requests)

2. Use data-driven testing Run the same request with multiple input values using CSV or JSON files. This catches edge cases.

3. Keep secrets out of version control Store API keys and tokens in environment files, not in collection exports.

4. Run tests frequently Daily or hourly, not just before releases. Early detection prevents costly bugs.

5. Document expected behavior Leave comments in your requests and tests explaining what they validate.

Conclusion

Postman transforms API testing from manual clicking to automated verification. Start by writing tests for critical endpoints. Progress to environment-driven setups that work across dev/staging/production. Integrate with CI/CD via Newman so tests run on every commit.

As you grow, consider contract testing to catch breaking changes and mock servers to unblock parallel development. And remember: Postman is one tool among several strong options. Postman's Free plan is now limited to a single user as of March 2026 — small teams that previously relied on free collaboration may want to weigh the Solo and Team tiers against open-source alternatives like Bruno or self-hosted Hoppscotch. Choose based on your team's workflow, storage requirements, and budget — not religious attachment to any single platform.

Automated testing is non-negotiable. Whichever client you pick, the patterns in this guide — assertions, environment variables, mock servers, CI integration, contract tests — apply across all of them.

Continue Learning

Related Posts

Web Development Tools With a Focus on git Docker and React

Web Development Tools With a Focus on git Docker and React

gitdocker
Mastering VS Code Customization: From Themes to Workflows

Mastering VS Code Customization: From Themes to Workflows

VS Codedeveloper tools
Mastering IDE Productivity: Pro Tips for Faster, Smarter Coding

Mastering IDE Productivity: Pro Tips for Faster, Smarter Coding

IDEdeveloper productivity
Regex Pattern Mastery: From Basics to Production-Ready Craft

Regex Pattern Mastery: From Basics to Production-Ready Craft

regexpattern matching
FREE WEEKLY NEWSLETTER

Stay on the Nerd Track

One email per week — courses, deep dives, tools, and AI experiments.

No spam. Unsubscribe anytime.