REST API Interview Questions (2026): By Level, With Model Answers

How to use this

Everyone builds REST APIs; few build them well. These questions check whether a candidate understands HTTP semantics and API design, not just returning JSON.

Hiring a REST API developer is easy. Telling a real one from a convincing résumé is the hard part — and it’s most of what we do. These are grouped by level, because the same question that stretches a junior is a warm-up for a senior.

Junior REST API interview questions

0–2 years

HTTP fundamentals.

What makes an API RESTful?

What a strong answer covers

Resources identified by URLs, standard HTTP methods, statelessness, and representations (usually JSON) rather than RPC-style verbs in URLs.

Red flag

Puts actions like /getUser in the URL.

What do the main HTTP methods mean?

What a strong answer covers

GET reads, POST creates, PUT replaces, PATCH partially updates, DELETE removes; they carry semantics you should honour.

Red flag

Uses GET or POST for everything.

What are the common HTTP status code categories?

What a strong answer covers

2xx success, 3xx redirection, 4xx client error, 5xx server error; using the right code communicates outcomes.

Red flag

Returns 200 with an error message in the body.

What is the difference between PUT and PATCH?

What a strong answer covers

PUT replaces the whole resource; PATCH updates part of it.

Red flag

Uses PUT for partial updates and wipes fields.

What are path parameters vs query parameters?

What a strong answer covers

Path params identify a resource (/users/1); query params filter, sort or paginate (?page=2).

Red flag

Puts filters in the path and ids in the query.

What is statelessness in REST?

What a strong answer covers

Each request contains all context needed; the server keeps no client session between requests, aiding scalability.

Red flag

Relies on server-side session state between calls.

What are request and response headers used for?

What a strong answer covers

Metadata like content type, auth, caching and content negotiation.

Red flag

Ignores headers and content types.

What is the difference between authentication and authorization?

What a strong answer covers

Authentication verifies who you are; authorization decides what you can do.

Red flag

Conflates the two.

Mid-level REST API interview questions

2–5 years

Design and reliability.

What does idempotency mean and which methods are idempotent?

What a strong answer covers

An idempotent request has the same effect if repeated; GET, PUT and DELETE should be, POST usually isn’t — important for safe retries.

Red flag

Makes POST retries that double-create records.

How do you version an API?

What a strong answer covers

URL versioning, headers, or additive, backward-compatible changes with deprecation; the goal is not breaking clients.

Red flag

Breaks existing clients with changes and no versioning.

How do you design pagination?

What a strong answer covers

Cursor/keyset pagination for large, changing datasets over deep offsets, with clear metadata.

Red flag

Uses large offsets that scan and skip many rows.

How should errors be structured?

What a strong answer covers

Correct status codes plus a consistent body with a machine-readable code and human message, without leaking internals.

Red flag

Returns stack traces or generic 500s for everything.

How do you secure a REST API?

What a strong answer covers

Auth (tokens/OAuth), HTTPS, input validation, rate limiting, least-privilege scopes, and no secrets in URLs.

Red flag

Passes tokens in query strings and skips validation.

What is HATEOAS and is it always needed?

What a strong answer covers

Hypermedia links in responses to drive navigation; it’s part of REST purism but often skipped pragmatically.

Red flag

Presents an opinion with no understanding of the tradeoff.

How do you handle filtering, sorting and searching?

What a strong answer covers

Query parameters with sensible defaults and limits, validated to prevent abuse.

Red flag

Allows arbitrary, unbounded queries.

How do you make an API backward compatible?

What a strong answer covers

Add fields rather than remove or rename, default new fields, and deprecate gradually with communication.

Red flag

Renames fields and breaks clients.

Senior REST API interview questions

5+ years

Scale and architecture.

How do you design an API for high traffic?

What a strong answer covers

Caching (HTTP/CDN), pagination, rate limiting, statelessness for horizontal scale, and efficient payloads.

Red flag

No caching or rate limiting and unbounded payloads.

How do you handle rate limiting and abuse?

What a strong answer covers

Per-client limits with a shared store, clear headers communicating limits, and graceful 429 responses.

Red flag

In-memory limits that don’t work across instances.

How do you handle long-running operations in a REST API?

What a strong answer covers

Return 202 and a status resource to poll, or use webhooks/async patterns rather than blocking the request.

Red flag

Blocks the request until a slow job finishes.

When would you choose REST vs GraphQL vs gRPC?

What a strong answer covers

REST for broad compatibility and caching, GraphQL for flexible client-driven queries, gRPC for high-performance internal services.

Red flag

Insists one is always right.

How do you document and contract-test an API?

What a strong answer covers

A spec (OpenAPI) as the contract, generated docs, and contract tests so producers and consumers stay in sync.

Red flag

Docs drift from reality and break integrations.

How do you ensure consistency across a large API surface?

What a strong answer covers

Style guides, shared conventions for naming, errors and pagination, and automated linting.

Red flag

Every endpoint invents its own conventions.

How do you handle caching and concurrency (ETags)?

What a strong answer covers

Cache headers for freshness and ETags/If-Match for optimistic concurrency to prevent lost updates.

Red flag

Ignores concurrent updates and overwrites data.

How do you evolve a public API responsibly?

What a strong answer covers

Deprecation policies, versioning, telemetry on usage, and clear communication so clients migrate smoothly.

Red flag

Makes breaking changes with no notice.

Skip the screening entirely.We vet REST API engineers so you don’t have to — embed one in your team, or have us build it.

Hire REST API developersCompare us

Build and score a full interview with our free interview scorecard tool, browse the full question hub, or see how we interview engineers.

Share