Web API Interview Questions

🎯 Focus Areas

REST principles, JWT auth flow, HTTP verbs, status codes, Swagger, security. Critical for any backend developer role.

---

Q1: What is REST?

Representational State Transfer — architectural style for APIs.

6 REST constraints:
  1. Client-Server     → UI and data separated
  2. Stateless         → each request has all info needed, no server session
  3. Cacheable         → responses can be cached
  4. Uniform Interface → consistent URL + HTTP verbs
  5. Layered System    → client doesn't know if talking to server or proxy
  6. Code on Demand    → optional (JavaScript download)

REST is NOT a protocol — it is a set of guidelines.

Q2: What are HTTP verbs and when to use each?

GET    → retrieve data (no body, safe, idempotent)
POST   → create new resource (has body, NOT idempotent)
PUT    → replace entire resource (has body, idempotent)
PATCH  → update partial resource (has body)
DELETE → remove resource (no body, idempotent)

Idempotent = same result if called multiple times.
GET /students/1    → always returns same student
PUT /students/1    → always results in same state
DELETE /students/1 → first call deletes, subsequent calls: 404

Q3: What HTTP status codes must you know?

2xx Success:
  200 OK           → GET, PUT success
  201 Created      → POST success (include Location header)
  204 No Content   → DELETE success

4xx Client Error:
  400 Bad Request  → validation failed, malformed JSON
  401 Unauthorized → no token or invalid token
  403 Forbidden    → valid token but no permission
  404 Not Found    → resource doesn't exist
  409 Conflict     → duplicate, business rule violation
  422 Unprocessable→ validation errors (often used instead of 400)

5xx Server Error:
  500 Internal     → unhandled exception in your code
  503 Unavailable  → service down, overloaded

Q4: What is JWT and how does it work?

JSON Web Token — compact, self-contained token for authentication.

3 parts (base64 encoded, separated by .):
  Header.Payload.Signature

Header:  { "alg": "HS256", "typ": "JWT" }
Payload: { "sub": "1", "name": "Ravi", "role": "Student", "exp": 1234567890 }
Signature: HMACSHA256(header + "." + payload, secret)

Flow:
  1. POST /auth/login  { email, password }
  2. Server validates → creates JWT → returns token
  3. Client stores token (localStorage or httpOnly cookie)
  4. Each request: Authorization: Bearer {token}
  5. Server validates signature → reads claims → authorizes

Q5: What is the difference between Authentication and Authorization?

Authentication → WHO are you? (verify identity — JWT, cookies, API key)
Authorization  → WHAT can you do? (check permissions — roles, policies)

Authentication comes first — you must know who the user is
before checking what they can do.

[Authorize]                        // any authenticated user
[Authorize(Roles = "Admin")]       // admin role only
[Authorize(Policy = "CanGrade")]   // custom policy

Q6: What is Swagger/OpenAPI?

OpenAPI  → specification standard for describing REST APIs (JSON/YAML)
Swagger  → tools built around OpenAPI (UI, editor, codegen)
Swashbuckle → .NET library that generates OpenAPI from C# code

In ASP.NET Core:
  dotnet add package Swashbuckle.AspNetCore
  → auto-generates interactive API docs at /swagger
  → "Try it out" button tests endpoints in browser
  → Should be disabled in production (security risk)

Q7: What is the difference between IActionResult and ActionResult<T>?

// IActionResult — no type info for Swagger
public IActionResult GetStudent(int id)
{
    return Ok(student);  // Swagger doesn't know return type
}

// ActionResult<T> — type info available (better Swagger docs)
public ActionResult<StudentDto> GetStudent(int id)
{
    return Ok(student);  // Swagger knows this returns StudentDto
}

Q8: What is a DTO?

Data Transfer Object — shape of data sent/received by API.
Separate from domain model — controls what is exposed.

Why:
  - Hide internal fields (PasswordHash, internal IDs)
  - Shape data differently for different endpoints
  - Prevent over-posting (mass assignment) attacks
  - Version API independently of database schema

StudentDto { Id, Name, ClassName, Percentage }  // no PasswordHash, no navigation props

Q9: What is CORS?

Cross-Origin Resource Sharing — browser security policy.
Blocks browser JS from calling API on different domain.

// Allow React app on localhost:4200 to call API on localhost:5001
builder.Services.AddCors(o => o.AddPolicy("AllowFrontend", p =>
    p.WithOrigins("http://localhost:4200")
     .AllowAnyMethod()
     .AllowAnyHeader()));

app.UseCors("AllowFrontend");

Q10: What is API versioning?

💻 Try It — Console App

💡 Paste into Program.cs and press F5⌥ GitHub

// URL versioning (most common)
GET /api/v1/students
GET /api/v2/students

// Header versioning
GET /api/students
X-API-Version: 2

// Why version: add breaking changes without breaking existing clients.

💡 Top Web API Interview Questions

1. REST constraints — know all 6
2. HTTP verbs — when to use PUT vs PATCH vs POST
3. JWT flow — draw it end to end
4. Status codes — 400 vs 401 vs 403 vs 404 vs 422
5. Authentication vs Authorization — simple clear answer

🤖Use AI to Learn Faster

Use ChatGPT, Claude, or Copilot to go deeper on Web API REST interview questions. Try these prompts:

• "Ask me 10 Web API interview questions and evaluate my answers"
• "What is the most common wrong answer about JWT in .NET interviews?"
• "Explain the difference between 401 and 403 in a scenario-based question"
• "Quiz me on HTTP status codes — describe a scenario and I give the status code"

💡 Tip: After reading this article, paste your own code into AI and ask "What could go wrong here and why?" — fastest way to find edge cases and deepen understanding.