---
title: "REST API Interview Questions (2026): By Level, With Model Answers"
url: https://weworkworldwide.com/rest-api-interview-questions/
description: "REST API interview questions for junior, mid and senior developers — HTTP methods, status codes, versioning and idempotency — with model answers and red flags."
date: 2026-07-04T15:49:14+00:00
source: https://weworkworldwide.com/llms.txt
---

# REST API Interview Questions (2026): By Level, With Model Answers

How to use this

Everyone builds REST APIs; few build them well. These questions check whether a candidate understands HTTP semantics and API design, not just returning JSON.

Hiring a REST API developer is easy. Telling a real one from a convincing résumé is the hard part — and it’s most of what we do. These are grouped by level, because the same question that stretches a junior is a warm-up for a senior.

## Junior REST API interview questions

0–2 years

HTTP fundamentals.

### What makes an API RESTful?

What a strong answer covers

Resources identified by URLs, standard HTTP methods, statelessness, and representations (usually JSON) rather than RPC-style verbs in URLs.

Red flag

Puts actions like `/getUser` in the URL.

### What do the main HTTP methods mean?

What a strong answer covers

GET reads, POST creates, PUT replaces, PATCH partially updates, DELETE removes; they carry semantics you should honour.

Red flag

Uses GET or POST for everything.

### What are the common HTTP status code categories?

What a strong answer covers

2xx success, 3xx redirection, 4xx client error, 5xx server error; using the right code communicates outcomes.

Red flag

Returns 200 with an error message in the body.

### What is the difference between PUT and PATCH?

What a strong answer covers

PUT replaces the whole resource; PATCH updates part of it.

Red flag

Uses PUT for partial updates and wipes fields.

### What are path parameters vs query parameters?

What a strong answer covers

Path params identify a resource (`/users/1`); query params filter, sort or paginate (`?page=2`).

Red flag

Puts filters in the path and ids in the query.

### What is statelessness in REST?

What a strong answer covers

Each request contains all context needed; the server keeps no client session between requests, aiding scalability.

Red flag

Relies on server-side session state between calls.

### What are request and response headers used for?

What a strong answer covers

Metadata like content type, auth, caching and content negotiation.

Red flag

Ignores headers and content types.

### What is the difference between authentication and authorization?

What a strong answer covers

Authentication verifies who you are; authorization decides what you can do.

Red flag

Conflates the two.

## Mid-level REST API interview questions

2–5 years

Design and reliability.

### What does idempotency mean and which methods are idempotent?

What a strong answer covers

An idempotent request has the same effect if repeated; GET, PUT and DELETE should be, POST usually isn’t — important for safe retries.

Red flag

Makes POST retries that double-create records.

### How do you version an API?

What a strong answer covers

URL versioning, headers, or additive, backward-compatible changes with deprecation; the goal is not breaking clients.

Red flag

Breaks existing clients with changes and no versioning.

### How do you design pagination?

What a strong answer covers

Cursor/keyset pagination for large, changing datasets over deep offsets, with clear metadata.

Red flag

Uses large offsets that scan and skip many rows.

### How should errors be structured?

What a strong answer covers

Correct status codes plus a consistent body with a machine-readable code and human message, without leaking internals.

Red flag

Returns stack traces or generic 500s for everything.

### How do you secure a REST API?

What a strong answer covers

Auth (tokens/OAuth), HTTPS, input validation, rate limiting, least-privilege scopes, and no secrets in URLs.

Red flag

Passes tokens in query strings and skips validation.

### What is HATEOAS and is it always needed?

What a strong answer covers

Hypermedia links in responses to drive navigation; it’s part of REST purism but often skipped pragmatically.

Red flag

Presents an opinion with no understanding of the tradeoff.

### How do you handle filtering, sorting and searching?

What a strong answer covers

Query parameters with sensible defaults and limits, validated to prevent abuse.

Red flag

Allows arbitrary, unbounded queries.

### How do you make an API backward compatible?

What a strong answer covers

Add fields rather than remove or rename, default new fields, and deprecate gradually with communication.

Red flag

Renames fields and breaks clients.

## Senior REST API interview questions

5+ years

Scale and architecture.

### How do you design an API for high traffic?

What a strong answer covers

Caching (HTTP/CDN), pagination, rate limiting, statelessness for horizontal scale, and efficient payloads.

Red flag

No caching or rate limiting and unbounded payloads.

### How do you handle rate limiting and abuse?

What a strong answer covers

Per-client limits with a shared store, clear headers communicating limits, and graceful 429 responses.

Red flag

In-memory limits that don’t work across instances.

### How do you handle long-running operations in a REST API?

What a strong answer covers

Return 202 and a status resource to poll, or use webhooks/async patterns rather than blocking the request.

Red flag

Blocks the request until a slow job finishes.

### When would you choose REST vs GraphQL vs gRPC?

What a strong answer covers

REST for broad compatibility and caching, GraphQL for flexible client-driven queries, gRPC for high-performance internal services.

Red flag

Insists one is always right.

### How do you document and contract-test an API?

What a strong answer covers

A spec (OpenAPI) as the contract, generated docs, and contract tests so producers and consumers stay in sync.

Red flag

Docs drift from reality and break integrations.

### How do you ensure consistency across a large API surface?

What a strong answer covers

Style guides, shared conventions for naming, errors and pagination, and automated linting.

Red flag

Every endpoint invents its own conventions.

### How do you handle caching and concurrency (ETags)?

What a strong answer covers

Cache headers for freshness and ETags/If-Match for optimistic concurrency to prevent lost updates.

Red flag

Ignores concurrent updates and overwrites data.

### How do you evolve a public API responsibly?

What a strong answer covers

Deprecation policies, versioning, telemetry on usage, and clear communication so clients migrate smoothly.

Red flag

Makes breaking changes with no notice.

**Skip the screening entirely.**We vet REST API engineers so you don’t have to — embed one in your team, or have us build it.

[Hire REST API developers](https://weworkworldwide.com/outstaffing/)[Compare us](https://weworkworldwide.com/compare/)

Build and score a full interview with our free [interview scorecard tool](https://weworkworldwide.com/developer-interview-scorecard/), browse the [full question hub](https://weworkworldwide.com/interview-questions/), or see [how we interview engineers](https://weworkworldwide.com/how-we-interview-engineers/).
