Skip to main content
Developer Documentation

API Testing
with Postman.

A hands-on guide for beginners — install Postman, send HTTP requests, understand status codes, and practice on safe sandbox APIs without touching production secrets.

What is API testing?

An API (Application Programming Interface) lets software systems talk to each other over HTTP. When you open a weather app, your phone calls a weather API. When you submit a contact form, the browser sends a POST request to a messages API. API testing means sending those requests deliberately — with different methods, headers, and bodies — to confirm the server responds correctly.

Postman is one of the most popular tools for this because you do not need to write code first. You pick a method (GET, POST, PUT, DELETE), enter a URL, add headers or a JSON body, and click Send. The response panel shows the status code, headers, and body so you can learn how REST APIs behave in the real world.

GETPOSTPUTDELETEHeadersBearer AuthJSONStatus Codes
Start here

Recommended learning path

Complete these five steps in order. Each builds on the previous one and uses sandbox APIs before touching any production endpoint.

  1. 1

    Confirm Postman works

    Send GET https://elangodev.com/api/test/hello and expect HTTP 200 with success: true. Jump to example →

  2. 2

    Practice POST with JSON

    Create a demo user at POST /api/test/user. Try omitting email once to see a 400 response. Jump to example →

  3. 3

    Try PUT and DELETE

    Update the same user with PUT, then delete with DELETE ?id=demo-user-1. Jump to example →

  4. 4

    Add Bearer authentication

    Call GET /api/test/auth with Authorization: Bearer demo-token, then without it to compare 401. Jump to example →

  5. 5

    Test a real site endpoint

    Fetch blog JSON with Accept: application/json, or POST a test contact message with fake data. Jump to example →

Installation

Install Postman on your system

Pick your operating system below. All links point to official Postman download and documentation pages.

Download Postman Official install docs

Windows

Windows 10 or 11 (64-bit)

  1. Open the official Postman downloads page and click Download for Windows.
  2. Run Postman-win64-Setup.exe from your Downloads folder.
  3. Follow the installer wizard — default options are fine for learning.
  4. Launch Postman from the Start menu and create a free account to sync workspaces.
Download page Install guide Postman for Windows (Microsoft Store)

Tip: If SmartScreen blocks the installer, choose More info → Run anyway. The file is published by Postman, Inc.

macOS

Apple Silicon (M1/M2/M3) or Intel Mac

  1. Open the Postman downloads page and choose the Mac build that matches your chip (Apple chip or Intel).
  2. Open the downloaded Postman for macOS.zip file.
  3. Drag the Postman app into your Applications folder.
  4. Open Postman from Applications. If macOS blocks the app, go to System Settings → Privacy & Security → Open Anyway.
  5. Sign in with a free Postman account when prompted.
Download page Install guide

Tip: On Apple Silicon Macs, pick the Apple chip download for best performance and battery life.

Ubuntu

Ubuntu 20.04, 22.04, 24.04 LTS

  1. Recommended: install via Snap — Ubuntu includes snapd by default on desktop editions.
  2. Run the snap install command below in Terminal (requires sudo).
  3. Launch Postman from the app menu or by typing postman in Terminal.
  4. Alternative: download the Linux 64-bit .tar.gz from the Postman site, extract to /opt, and create a desktop shortcut.

Terminal commands

JSON
sudo snap install postman
Download page Install guide Postman on Snap Store

Tip: If snap is unavailable, use the manual Linux install steps in the Linux section below.

Linux

Fedora, Debian, Arch, and other distributions

  1. Option A — Snap (easiest on most distros): install snapd, then run the snap command below.
  2. Option B — Manual install: download Linux 64-bit from the Postman downloads page.
  3. Extract the archive, move the Postman folder to /opt, and symlink the binary to your PATH.
  4. Launch with the postman command or create a .desktop entry for your application menu.

Terminal commands

JSON
# Snap install (if snapd is installed)
sudo snap install postman

# Manual install from official .tar.gz
cd ~
wget -O postman.tar.gz 'https://dl.pstmn.io/download/latest/linux64'
sudo tar -xzf postman.tar.gz -C /opt
sudo ln -sf /opt/Postman/Postman /usr/local/bin/postman
postman
Download page Install guide Postman on Snap Store Install snapd (Snap documentation)

Tip: Flatpak and distro-specific packages exist unofficially — the Snap or official .tar.gz from postman.com/downloads are the supported options.

Setup Guide

Postman setup — step by step

Follow these steps in order. By step four you will have sent your first successful API request.

1. Install Postman
Choose your operating system in the Install Postman section above (Windows, macOS, Ubuntu, or Linux). Download from postman.com/downloads or use Snap on Ubuntu/Linux. Create a free account so you can sync workspaces across devices.
2. Create a workspace
Open Postman and click Workspaces → Create Workspace. Name it something like API Learning. Workspaces keep your practice requests organized and separate from work projects.
3. Create your first request
Click New → HTTP Request. You will see a method dropdown (GET by default), a URL bar, and tabs for Params, Authorization, Headers, and Body. Save requests into a Collection so you can rerun them later.
4. Send a GET request
Select GET, paste https://elangodev.com/api/test/hello into the URL bar, and click Send. The response panel below shows status code, response time, and the JSON body.
5. Send a POST request with JSON
Select POST, set the URL to https://elangodev.com/api/test/user, open the Body tab, choose raw and JSON, then paste {"name":"John","email":"john@example.com"}. Add Content-Type: application/json under Headers if Postman does not add it automatically.
6. Send PUT and DELETE requests
PUT updates a resource. Use PUT on /api/test/user with the same JSON body shape as POST. DELETE removes a resource — try DELETE https://elangodev.com/api/test/user?id=demo-user-1 with no body.
7. Add headers
Open the Headers tab. Common headers include Content-Type: application/json for JSON bodies and Authorization: Bearer <token> for protected endpoints. Headers are case-insensitive, but use the standard spelling shown in documentation.
8. Add authorization tokens
For Bearer tokens, either use the Authorization tab (Type: Bearer Token) or add Authorization: Bearer demo-token manually in Headers. Never paste production API keys into public screenshots or tutorials.
9. Read API responses
After clicking Send, inspect three things: the status code (top-right of the response panel), the response body (Pretty JSON view), and response headers. Compare your result to the documented success and failure examples on this page.
10. Save a Postman Collection
Group your practice requests into a Collection named Elango API Learning. Add the hello, user, auth, and blog requests from this page. Collections let you rerun the full learning path in order and share it with teammates.
11. Try curl from a terminal
Every documented endpoint on this page has a matching curl command in the curl examples section. curl is built into macOS and Linux terminals and is useful for CI pipelines and quick one-off tests.
Core Concepts

HTTP methods, headers, and bodies

GET — read data

GET requests fetch data without changing anything on the server. They typically have no body. Example: GET /api/test/hello returns a greeting JSON object.

POST — create data

POST sends data to the server, usually as JSON in the request body. Example: POST /api/test/user with name and email creates a sample user response.

PUT — update data

PUT replaces or updates an existing resource. Use the same JSON fields as POST. Example: PUT /api/test/user updates the demo user record.

DELETE — remove data

DELETE removes a resource. It often uses query parameters instead of a body. Example: DELETE /api/test/user?id=demo-user-1.

Headers

Headers carry metadata. Content-Type: application/json tells the server your body is JSON. Authorization: Bearer demo-token sends an access token for protected routes.

JSON request bodies

JSON uses double-quoted keys and string values. In Postman, choose Body → raw → JSON. Invalid JSON (trailing commas, single quotes) causes 400 errors.

Authentication

Adding authorization tokens

Many APIs require proof that you are allowed to access them. The most common pattern for learning is a Bearer token in the Authorization header. The server reads the header, validates the token, and returns 200 if valid or 401 if not.

Authorization header (demo only)

JSON
Authorization: Bearer demo-token

Security note: demo-token is a public sample for this tutorial only. Never publish real API keys, admin tokens, or database credentials in documentation, screenshots, or GitHub repos.

Try it: GET /api/test/auth with and without the header to see success vs 401.

Reference

Understanding HTTP status codes

The status code is the first signal of success or failure. Always check it before reading the JSON body.

200OK

The request succeeded. The response body usually contains the data you asked for.

Example: GET /api/test/hello returns 200 with a greeting message.

201Created

A new resource was created successfully.

Example: POST /api/test/user returns 201 when name and email are valid.

400Bad Request

The server could not understand the request — often invalid JSON or missing required fields.

Example: POST /api/test/user without an email returns 400.

401Unauthorized

Authentication failed or was missing.

Example: GET /api/test/auth without Bearer demo-token returns 401.

403Forbidden

You are authenticated but not allowed to access this resource.

Example: GET /api/messages with a non-admin token returns 403.

404Not Found

The URL or resource does not exist.

Example: GET /api/blog/nonexistent-slug/content returns 404.

500Internal Server Error

Something went wrong on the server. Retry later or check server logs if you own the API.

Example: Rare on demo endpoints; more common when upstream services fail.

Full reference

API inventory on elangodev.com

Every route handler under /api/ on this site. Sandbox and safe-to-try endpoints are documented below with Postman walkthroughs; protected routes are listed for context only.

MethodPathScopeWrites data
GET/api/test/helloSandboxNo
POST/api/test/userSandboxNo
PUT/api/test/userSandboxNo
DELETE/api/test/userSandboxNo
GET/api/test/authSandboxNo
OPTIONS/api/test/*SandboxNo
GET/api/chatHealth checkNo
GET/api/blog/{slug}/contentPublic readNo
POST/api/messagesContact formYes
GET/api/messagesAdmin onlyNo
POST/api/chatAI streamingNo
POST/api/chat/sendAuthenticated chatYes
GET/api/chat/statusChat utilityNo
POST/api/dropFile uploadYes
POST/api/uploadDashboard uploadYes
POST/api/blog/generateAdmin AIYes
Sandbox APIs

Demo APIs for hands-on practice

These endpoints are safe for learning. They return sample data only and never modify production systems.

GETSandbox

Hello — GET demo

The simplest possible API call. Use this to confirm Postman is working before trying POST or authentication.

URL

https://elangodev.com/api/test/hello

curl

JSON
curl -X GET "https://elangodev.com/api/test/hello"
Postman
GET
https://elangodev.com/api/test/hello
Send
BodyHeadersAuth
Configure request in Postman desktop app

Success — HTTP 200

JSON
{
  "success": true,
  "message": "Hello from API"
}

Common mistakes

  • Using POST instead of GET
  • Adding a request body to a GET request (unnecessary here)
POSTSandbox

Create user — POST demo

Sends a JSON body with name and email. Returns 201 Created on success or 400 when validation fails.

URL

https://elangodev.com/api/test/user

Headers

JSON
Content-Type: application/json

Request Body

JSON
{
  "name": "John",
  "email": "john@example.com"
}

curl

JSON
curl -X POST "https://elangodev.com/api/test/user" \
  -H "Content-Type: application/json" \
  -d '{"name":"John","email":"john@example.com"}'
Postman
POST
https://elangodev.com/api/test/user
Send
BodyHeadersAuth
Configure request in Postman desktop app

Success — HTTP 201

JSON
{
  "success": true,
  "message": "User created",
  "data": {
    "name": "John",
    "email": "john@example.com"
  }
}

Failure — HTTP 400

JSON
{
  "success": false,
  "message": "Email is required"
}

Common mistakes

  • Omitting the email field
  • Sending form-data instead of raw JSON
  • Invalid email format
PUTSandbox

Update user — PUT demo

Practice updating a resource. Same JSON shape as POST; optional id field is echoed back in the response.

URL

https://elangodev.com/api/test/user

Headers

JSON
Content-Type: application/json

Request Body

JSON
{
  "id": "demo-user-1",
  "name": "Jane",
  "email": "jane@example.com"
}

curl

JSON
curl -X PUT "https://elangodev.com/api/test/user" \
  -H "Content-Type: application/json" \
  -d '{"id":"demo-user-1","name":"Jane","email":"jane@example.com"}'
Postman
PUT
https://elangodev.com/api/test/user
Send
BodyHeadersAuth
Configure request in Postman desktop app

Success — HTTP 200

JSON
{
  "success": true,
  "message": "User updated",
  "data": {
    "id": "demo-user-1",
    "name": "Jane",
    "email": "jane@example.com"
  }
}

Failure — HTTP 400

JSON
{
  "success": false,
  "message": "Name is required"
}

Common mistakes

  • Using POST instead of PUT
  • Missing required name or email fields
DELETESandbox

Delete user — DELETE demo

Practice DELETE with a query parameter. No request body is needed.

URL

https://elangodev.com/api/test/user?id=demo-user-1

Query Params

id=demo-user-1

curl

JSON
curl -X DELETE "https://elangodev.com/api/test/user?id=demo-user-1"
Postman
DELETE
https://elangodev.com/api/test/user?id=demo-user-1
Send
BodyHeadersAuth
Configure request in Postman desktop app

Success — HTTP 200

JSON
{
  "success": true,
  "message": "User deleted",
  "data": {
    "id": "demo-user-1"
  }
}

Failure — HTTP 400

JSON
{
  "success": false,
  "message": "Query parameter 'id' is required"
}

Common mistakes

  • Forgetting the ?id= query parameter
  • Sending DELETE with a JSON body instead of query param
GETSandbox

Bearer authentication — GET demo

Protected endpoints require an Authorization header. This demo accepts only the public sample token demo-token.

URL

https://elangodev.com/api/test/auth

Headers

JSON
Authorization: Bearer demo-token

curl

JSON
curl -X GET "https://elangodev.com/api/test/auth" \
  -H "Authorization: Bearer demo-token"
Postman
GET
https://elangodev.com/api/test/auth
Send
BodyHeadersAuth
Configure request in Postman desktop app

Success — HTTP 200

JSON
{
  "success": true,
  "message": "Authenticated"
}

Failure — HTTP 401

JSON
{
  "success": false,
  "message": "Invalid token"
}

Common mistakes

  • Omitting the Bearer prefix
  • Using a typo in the token string
  • Putting the token in the body instead of the header
Site APIs

Selected public APIs on this site

These are real endpoints with read-only or clearly scoped behavior. Admin, upload, and AI chat routes are intentionally excluded from this guide.

GETRead / test carefully

AI route health check

A read-only production health endpoint. Useful for checking that the API server is reachable. Does not invoke AI or consume quota.

URL

https://elangodev.com/api/chat

curl

JSON
curl -X GET "https://elangodev.com/api/chat"
Postman
GET
https://elangodev.com/api/chat
Send
BodyHeadersAuth
Configure request in Postman desktop app

Success — HTTP 200

JSON
{
  "status": "AI Route is UP"
}

Common mistakes

  • Sending POST to a GET-only health endpoint
GETRead / test carefully

Blog article content — GET

Fetches a published blog post as JSON when Accept: application/json is set. Replace {slug} with a real post slug from /blog.

URL

https://elangodev.com/api/blog/your-article-slug/content

Headers

JSON
Accept: application/json

curl

JSON
curl -X GET "https://elangodev.com/api/blog/your-article-slug/content" \
  -H "Accept: application/json"
Postman
GET
https://elangodev.com/api/blog/your-article-slug/content
Send
BodyHeadersAuth
Configure request in Postman desktop app

Success — HTTP 200

JSON
{
  "title": "Example Article Title",
  "slug": "example-slug",
  "excerpt": "Short summary of the article.",
  "content": "Plain-text article body.",
  "html": "<p>Rendered HTML article body.</p>",
  "tags": [
    "nextjs",
    "api"
  ],
  "published_at": "2026-01-15T00:00:00.000Z",
  "url": "https://elangodev.com/blog/example-slug"
}

Failure — HTTP 404

JSON
{
  "message": "Article not found"
}

Common mistakes

  • Using a slug that does not exist
  • Omitting Accept: application/json (returns HTML instead of JSON)
POSTRead / test carefully

Contact message — POST

Public contact form API. Saves a real message to the database — use clearly fake test data only. Do not abuse this endpoint.

URL

https://elangodev.com/api/messages

Headers

JSON
Content-Type: application/json

Request Body

JSON
{
  "fullname": "Test User",
  "email": "test@example.com",
  "message": "This is a practice message from the API testing guide."
}

curl

JSON
curl -X POST "https://elangodev.com/api/messages" \
  -H "Content-Type: application/json" \
  -d '{"fullname":"Test User","email":"test@example.com","message":"This is a practice message from the API testing guide."}'
Postman
POST
https://elangodev.com/api/messages
Send
BodyHeadersAuth
Configure request in Postman desktop app

Success — HTTP 201

JSON
{
  "success": true,
  "message": "Message sent successfully"
}

Failure — HTTP 400

JSON
{
  "success": false,
  "error": "Email, fullname, and message are required"
}

Common mistakes

  • Missing fullname, email, or message
  • Using this endpoint for load testing (it writes real data)
Command line

curl examples for every documented API

Copy any command into your terminal. These match the Postman examples above and work on macOS, Linux, and Windows with curl installed.

GETHello — GET demo
JSON
curl -X GET "https://elangodev.com/api/test/hello"
POSTCreate user — POST demo
JSON
curl -X POST "https://elangodev.com/api/test/user" \
  -H "Content-Type: application/json" \
  -d '{"name":"John","email":"john@example.com"}'
PUTUpdate user — PUT demo
JSON
curl -X PUT "https://elangodev.com/api/test/user" \
  -H "Content-Type: application/json" \
  -d '{"id":"demo-user-1","name":"Jane","email":"jane@example.com"}'
DELETEDelete user — DELETE demo
JSON
curl -X DELETE "https://elangodev.com/api/test/user?id=demo-user-1"
GETBearer authentication — GET demo
JSON
curl -X GET "https://elangodev.com/api/test/auth" \
  -H "Authorization: Bearer demo-token"
GETAI route health check
JSON
curl -X GET "https://elangodev.com/api/chat"
GETBlog article content — GET
JSON
curl -X GET "https://elangodev.com/api/blog/your-article-slug/content" \
  -H "Accept: application/json"
POSTContact message — POST
JSON
curl -X POST "https://elangodev.com/api/messages" \
  -H "Content-Type: application/json" \
  -d '{"fullname":"Test User","email":"test@example.com","message":"This is a practice message from the API testing guide."}'
Not for practice

APIs intentionally excluded from this guide

These routes exist on the site but are omitted from hands-on exercises because they require authentication, stream binary data, or write to production systems.

/api/chat (POST), /api/chat/send, /api/chat/edit, /api/chat/delete

These routes power the live AI assistant and authenticated chat. They require session tokens, may stream responses, and write to production databases.

/api/drop, /api/upload, /api/moments/upload

File upload routes issue S3 presigned URLs and accept binary payloads. They are not suitable for beginner Postman exercises without real credentials.

/api/blog/generate, /api/blog/suggest

Admin-only AI content tools that call Gemini and modify blog data. Protected by authentication and API quotas.

GET /api/messages

Returns all contact messages and requires a valid admin Bearer token from Supabase auth. Documented here for awareness only — do not attempt without authorization.

Related concepts from the site

Deeper explanations live in the Engineering Handbook and technical blog.

Manual Testing Guide

UI-focused QA — test cases, smoke checks, browser DevTools, and practice scenarios on this site's public pages. Pairs with API testing when forms fail.

Read more

CORS

Browsers block cross-origin fetch() calls unless the server sends Access-Control-Allow-Origin. Postman ignores CORS — if Postman works but your browser does not, CORS is the likely cause.

Read more

JWT / Bearer tokens

Bearer tokens prove identity in the Authorization header. Demo endpoints use demo-token; production admin routes expect a real Supabase session JWT.

Read more

REST vs streaming

Most examples here are REST JSON. The homepage AI assistant uses POST /api/chat with Server-Sent Events streaming — a different protocol pattern.

Read more
Pitfalls

Common mistakes

Forgetting Content-Type on POST

If you send JSON without Content-Type: application/json, some servers cannot parse the body. In Postman, pick raw → JSON and Postman usually sets the header for you.

Missing Bearer prefix

Authorization headers for JWT-style tokens must use the format Bearer <token>, not just the token string. A common mistake is pasting demo-token without the Bearer prefix.

Invalid JSON syntax

Trailing commas, single quotes, or unquoted keys break JSON. Use a JSON formatter if you are unsure — invalid JSON often produces a 400 Bad Request.

Wrong HTTP method

Sending GET to an endpoint that expects POST will fail or return unexpected results. Always match the method documented for each endpoint.

Ignoring status codes

A response body with success: false may still come with HTTP 400 or 401. Read both the status code and the JSON message field to understand what happened.

Troubleshooting

When something goes wrong

Could not get any response / network error
Check your internet connection and that the URL is spelled correctly. Ensure you are using https:// and the full domain (elangodev.com). Corporate proxies sometimes block Postman — try from another network.
SSL certificate errors
Postman should trust public HTTPS certificates automatically. If you see certificate errors, verify the date on your computer and avoid disabling SSL verification except in local development.
Empty response body
Some errors return plain text instead of JSON. Switch the response view from JSON to Raw. A 404 may return a short text message rather than structured JSON.
CORS errors in the browser only
Browsers enforce CORS; Postman does not. If fetch() fails in the browser but Postman works, the issue is browser cross-origin policy, not the API itself. For learning, Postman is the right tool.

Frequently asked questions

Quick answers for beginners getting started with Postman and REST APIs.

What is API testing?
API testing verifies that an application programming interface returns the correct data, status codes, and error messages for different inputs. Tools like Postman let you send HTTP requests without writing code, which makes them ideal for beginners learning how REST APIs work.
Is Postman free for learning?
Yes. Postman offers a free tier that includes workspaces, collections, and request history — more than enough for learning GET, POST, PUT, DELETE, headers, and authentication. Download it from https://www.postman.com/downloads/ for Windows, macOS, or Linux.
Are the demo APIs on this page safe to test?
Yes. The /api/test/* endpoints are sandbox APIs designed for learning. They do not read or write production data, do not require real API keys, and use sample tokens like demo-token only.
Why do I get a 401 Unauthorized response?
A 401 means the server rejected your credentials. For the auth demo, confirm the Authorization header is exactly Bearer demo-token (note the space after Bearer). Typos, missing headers, or using a real secret instead of the demo token will fail.
Why is my POST request returning 400 Bad Request?
400 usually means the server could not process your request body. Check that Content-Type is application/json, the body is valid JSON, and all required fields (such as name and email on /api/test/user) are present.
Can I use curl instead of Postman?
Absolutely. Every example on this page can be translated to curl, fetch, or any HTTP client. Postman is recommended here because its visual layout helps beginners see method, URL, headers, and body in one place.
Do these APIs modify my website or database?
No. Demo endpoints under /api/test/ are stateless and return sample responses only. The contact messages API (POST /api/messages) does save real contact form data — use test values if you try it, and do not spam the endpoint.
What HTTP status code should I expect for success?
GET requests typically return 200 OK. Successful resource creation often returns 201 Created. Always read both the status code and the JSON body — a 200 with success: false still means the operation failed logically.
What is an OPTIONS request?
Browsers send OPTIONS as a CORS preflight before POST, PUT, or DELETE from another origin. Sandbox routes under /api/test/ respond to OPTIONS with 204 No Content. Postman usually skips preflight, but understanding OPTIONS helps when debugging browser fetch errors.
How do I get JSON from the blog content API?
Send GET /api/blog/{slug}/content with the header Accept: application/json. Without that header, the same URL returns an HTML article page instead of JSON. Replace {slug} with a real post slug from elangodev.com/blog.
Where is the contact form API used on this site?
The /contact page submits to POST /api/messages with fullname, email, and message fields — the same shape documented in the Site APIs section. The optional subject line on the form is prepended to the message text.

Keep learning

Explore the Engineering Handbook for deeper technical concepts, or read blog articles about building production APIs with Next.js.

Engineering Handbook Technical Blog