HOME

1. What is API?

API stands for Application Programming Interface. APIs are mechanisms that enable two software components to communicate with each other using a set of definitions and protocols. Example of an API is the Twitter API. It enables developers to access and interact with Twitter’s platform programmatically. Developers can use the Twitter API to retrieve tweets. They can also post tweets, search for tweets, and manage user accounts. Additionally, developers can perform various other actions related to Twitter’s services.

API architecture is usually explained in terms of client and server. The application sending the request is called the client, and the application sending the response is called the server.

2. What is API Testing?

API testing is a type of software testing that focuses on verifying the functionality, reliability, performance, and security of an application programming interface (API). Since APIs don’t have a GUI, API testing is performed at the message layer of the system. 

3. What are the advantages of API Testing?

1. Independent of UI – API testing can detect issues in the early stages of development. It is independent of the GUI. This allows for timely resolution and prevents more significant problems later on.

2. Faster Execution – API tests typically take less time than functional GUI testing. GUI testing takes longer because the web components need to be polled.

3. Integration with CI/CD Pipelines – API testing can be easily automated. It can be integrated into continuous integration (CI) pipelines. This enables rapid feedback and faster release cycles.

4. Ensures Security – API testing allows for thorough security testing. It includes authentication, authorization, data encryption, and protection against common security vulnerabilities.

5. Language Independent – An API test uses XML or JSON to exchange data. These transfer modes are not language-dependent; therefore, you can use any programming language when writing automated tests for your API.

4. How is API testing different from UI testing?

5. What are the types of APIs?

SOAP APIs 

These APIs use Simple Object Access Protocol. Client and server exchange messages using XML. This is a less flexible API that was more popular in the past.

RPC APIs

These APIs are called Remote Procedure Calls. In RPC communication, the client program sends a request to the server program, specifying the procedure or function to be executed and any required parameters. The server receives the request, executes the specified procedure, and sends back the result to the client.

RPC APIs can use various communication protocols for transmitting data between the client and server, including HTTP, TCP/IP, and UDP. Examples of RPC APIs include XML-RPC, JSON-RPC, gRPC, and Microsoft’s Distributed Component Object Model (DCOM).

Websocket APIs

Websocket API is another modern web API development that uses JSON objects to pass data. A WebSocket API supports two-way communication between client apps and the server. The server can send callback messages to connected clients, making it more efficient than REST API.

REST APIs

These are the most popular and flexible APIs found on the web today. The client sends requests to the server as data. The server uses this client input to start internal functions and returns output data back to the client.

GraphQL APIs

GraphQL is a query language and runtime for APIs developed by Facebook. GraphQL APIs enable clients to request only the data they need using a single endpoint and a flexible query syntax. They provide more flexibility and efficiency compared to traditional REST APIs for fetching and manipulating data.

Database APIs

These APIs provide access to databases, allowing applications to perform CRUD (Create, Read, Update, Delete) operations on data stored in the database. Examples include JDBC (Java Database Connectivity) for Java applications and SQLAlchemy for Python applications.

6. Mention a few common tools used for API testing.

1. Postman: A popular tool for designing, testing, and documenting APIs. It provides a user-friendly interface for sending requests, inspecting responses, and automating tests.

2. Swagger: A widely used tool for designing, building, and documenting RESTful APIs. It provides a visual editor for designing API contracts and generating documentation.

3. SoapUI/ReadyAPI: It is a comprehensive tool for testing SOAP and RESTful APIs. It supports various protocols, message formats, and authentication methods and provides advanced testing features such as data-driven testing and security testing.

4. JMeter: Apache JMeter is a popular open-source tool for performance testing and load testing of web applications, including APIs. While it’s primarily known for its performance testing capabilities, JMeter can also be used for API testing by sending HTTP requests and analyzing responses.

5. REST Assured: REST Assured is a Java library for testing RESTful APIs. It provides a domain-specific language (DSL) for writing expressive and readable API tests, making it popular among Java developers for automated API testing.

7. What is the difference between RESTful API and SOAP API?

8. What is an API endpoint?

An API endpoint is a specific URL that is exposed by an API to allow applications to interact with a system by performing various operations, such as creating, reading, updating, or deleting data. Each endpoint represents a unique path to a resource or a set of resources within the system that the API provides access to.

Characteristics of API Endpoint

1. URL Path: A specific URL for accessing resources or performing actions in an API. Example: “https://api.example.com/users“ 
2. HTTP Methods: Different methods (GET, POST, PUT, DELETE) define actions on the endpoint.
3. Parameters: Endpoints can include query, path parameters, headers, and request bodies.  Example: “https://api.example.com/users?page=2&limit=20“ uses query parameters to paginate the list of users.
4. Responses: Contain status codes and data returned by the server.

9. What are the core components of an HTTP request?

An HTTP request contains five key elements:

An action showing HTTP methods like GET, PUT, POST, and DELETE.

Uniform Resource Identifier (URI), which is the identifier for the resource on the server.

https://www.qaautomation.expert

HTTP Version, which indicates HTTP version, for example-HTTP v1.1.

Request Header, which carries metadata (as key-value pairs) for the HTTP Request message. Metadata could be a client (or browser) type, format supported by the client, format of a message body format, cache settings, and so on.

Host: www.example.com
User-Agent: Mozilla/5.0
Accept: text/html

Request Body, which indicates the message content or resource representation.

  {
     "username": "exampleuser",
     "password": "examplepassword"
   }
   

9. Mention common HTTP methods used in API testing

• GET: Used to retrieve data or resources from an API.
• POST: Used to create new data or resources on an API.
• PUT: Used to update existing data or resources on an API.
• DELETE: Used to delete data or resources from an API.
• PATCH: Used to update existing data or resources on an API partially.

10. What is the difference between POST and PUT?

11. What is the purpose of HTTP status codes in API testing?

The purpose of HTTP status codes in API testing is to indicate the outcome of an API request that whether the request is successfully processed, encountered an error or needs further action. Status codes are three-digit numbers included in the response message from the server to provide information about the result of the request.

HTTP status codes clearly communicate the outcome of an HTTP request. They enable clients and APIs to understand the result of their interactions without ambiguity.

• 1xx (100 – 199): The response is informational
• 2xx Success: The request was successfully received, understood, and accepted (e.g., 200 OK, 201 Created).
• 3xx Redirection: Further action is needed to fulfill the request (e.g., 301 Moved Permanently, 302 Found).
• 4xx Client Errors: The request contains incorrect syntax or cannot be fulfilled (e.g., 400 Bad Request, 401 Unauthorized).
• 5xx Server Errors: The server failed to fulfill a valid request (e.g., 500 Internal Server Error, 503 Service Unavailable).

12. What is the purpose of authentication in API testing?

Authentication in API testing is a critical component that ensures secure and controlled access to the API endpoints.

 Authentication prevents unauthorized users or systems from accessing the API, thereby protecting sensitive data and operations. Ensures that data is only accessible to authenticated users, protecting it from unauthorized exposure.

Supports compliance with regulations that require user authentication, such as GDPR, HIPAA, and others.

13. What are some common authentication methods used in API testing?

1.Basic Authentication: This involves sending the username and password as part of the API request headers, encoded in base64 format.

Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

2. Token-Based Authentication: This method issues a token to the client after successful authentication. The client then includes this token in subsequent API requests for authorization.

3. OAuth: This is a widely used authorization framework. It allows for the delegation of access rights from one entity to another. Credentials are not shared. It uses access tokens obtained via authorization servers.

4. API Keys: It is simple tokens that map to a specific user or application. It is sent as a header, query parameter, or part of the request body.

 x-api-key: YOUR_API_KEY

14.  What are the different types of error responses in API testing?

1. HTTP error status codes: These are standard HTTP status codes, such as 4xx and 5xx codes, that indicate errors in the API request or response. Some of the examples are

400 Bad Request: The server could not understand the request due to invalid syntax. Possible reasons include malformed request syntax, invalid request message framing, or deceptive request routing.

401 Unauthorized: The request requires user authentication. This means the request lacks valid authentication credentials for the target resource.

403 Forbidden: The server understood the request but refuses to authorize it. This is usually due to insufficient permissions.

404 Not Found: The server cannot find the requested resource. This could mean the endpoint is incorrect or the resource has been deleted.

405 Method Not Allowed: The request method is known by the server but has been disabled and cannot be used. For example, a request method is not supported by that resource.

409 Conflict: There is a conflict with the current state of the resource. This code is used in situations where the request could not be processed because of conflict in the request.

429 Too Many Requests: The user has sent too many requests in a given amount of time (“rate limiting”).

2. Custom error responses: These are custom error messages or error objects returned by the API in case of errors or exceptions. These custom responses provide meaningful and detailed information that helps users and developers understand the nature of the error, the possible cause, and potential ways to resolve it. Example: Providing guidance like “Invalid input: Email field cannot be empty” is more helpful than a vague error message.

15. What is API mocking, and why is it used in API testing?

API mocking simulates the behavior of an API endpoint during testing. It does this without actually invoking the real API. This mock API can be configured to return predefined responses for specified requests. API mocking is particularly useful in various scenarios for both development and testing purposes.

1. Independent Development: Mock APIs allow front-end developers to work independently from back-end developers. They can simulate responses from the back end before the actual API is fully developed or functional.

2. Cost Management: When dealing with third-party APIs that bill based on usage, it can be cost-effective to use mock APIs during development. This approach reduces unnecessary expenses.

3. Simulation of Edge Cases: Mocking can be used to simulate different scenarios, including error cases and rare conditions that may be complex to reproduce with the actual API.

16. How do you perform load testing on APIs?

Load testing on APIs can be performed by simulating a large number of concurrent users or requests to the API endpoint using load testing tools or frameworks. The goal is to ensure that the API remains responsive and functional under stress. 

Tools such as JMeter, Gatling, and k6 are popular open source tool for load testing APIs.

Tools like LoadRunner, BlazeMeter, and NeoLoad offer advanced features and support for various protocols.

Load Testing is used to identify performance bottlenecks, such as slow database queries, resource contention, or inefficient code. Implement fixes or optimizations based on the findings and rerun load tests to verify improvements.

Integrate load testing into the continuous integration/continuous deployment (CI/CD) pipeline to run tests automatically with each release.

Generate detailed reports summarizing the test results, including metrics, observations, and insights.

17. What is API security testing, and why is it important?

API security testing is a process of carefully evaluating API endpoints to identify and remediate vulnerabilities such as fuzzy input, parameter tampering, or injection attacks. 

Why is API Security Testing Important?

1.Protection of Sensitive Data: APIs often handle sensitive information (user data, payment details). Security testing ensures compliance with data protection laws (e.g., GDPR, HIPAA). This protects data integrity and avoids potential reputational damage and the loss of customer trust.

2.Ensuring Service Availability: Malicious actors can exploit vulnerabilities to launch Denial-of-Service (DoS) attacks. They can overwhelm your APIs, making them unavailable to legitimate users. Securing APIs helps prevent downtime or service interruptions caused by security incidents.

3. Improving Stakeholder Trust: Customers and partners entrust the company with their data when they interact with their APIs. Regular security testing demonstrates your commitment to data protection, strengthening business relationships, and fostering customer confidence in your services.

18. What are the common security vulnerabilities found in API?

1. Injection Attacks: Attackers insert malicious code into the requests to manipulate the APIs’ intended behavior. SQL Injection, Host-Header Injection, and Command Injection are some of the most common attacks.

2. Brute Force Attacks: These attacks involve attempting various combinations of user credentials to gain unauthorized access. XML-RPC can be easily leveraged as an entry point for attacks and can execute multiple login attempts rapidly, leading to brute-force attacks.

3. Session Management Issues: Inadequate Session Management issues can lead to Authorization vulnerabilities. 

4. Cross-Site Scripting (XSS): Injecting malicious scripts into API responses that can be executed in the client’s browser. An attacker injecting JavaScript into a response that steals session cookies.

5. WSDL Exposure: If the WSDL file is exposed to the attackers, they can view detailed information about the API structure. This information includes the operations. This allows attackers to craft more targeted attacks.

6. Cross-Site Request Forgery: This attack tricks a user into unknowingly executing unwanted actions. It happens on a web application where they are authenticated. It leverages the trust that a website has in the user’s browser. This can result in unauthorized actions like changing account settings, transferring funds, or deleting data.

7. Introspection Attack: It exploits an API’s introspection endpoint to gather information about access tokens, exposing sensitive details that attackers can use to compromise security. Introspection endpoints are designed to validate and retrieve metadata about tokens, such as their scopes, expiration, and the user they represent. If improperly secured, attackers can leverage them to gain unauthorized access or manipulate token data.

19. How to perform API Security testing?

1.SQL Injection – SQL Injection attacks are successful when the database processes the unsanitized API input. Hence, testing the REST API for any SQL Injection bugs is important. Try providing SQL commands in the input like:

'or 1=1--
"and 1=1--

2. Command Injection: Various OS commands can also inject API inputs, which are then executed on the server. However, the commands for different Operating systems(Windows, Linux, etc.) would differ. For Example, Redirecting output or appending data to files.

echo "malicious" >> /var/www/html/index.html

rm file.txt; cat /etc/passwd

The shell executes rm file.txt, deleting file.txt from the system. After deleting the file, the shell executes cat /etc/passwd, displaying the contents of the /etc/passwd file in the terminal.

3. Authentication Testing – Test whether the API properly implements authentication. Try to access the endpoint without using the authentication or invalid credentials.

JWT: Ensure tokens are signed, valid, and not modifiable

Basic Authentication: Validate if credentials are encrypted.

OAuth2/OpenID Connect: Verify token management (generation, expiration, and revocation).

4. Authorization Testing – Make sure that the users can only access resources they are authorized for. Test role-based access control (RBAC) or permission-based controls.

5. Rate Limiting and Throttling – Rate Limiting is a process of limiting the number of requests that can be sent to an API within a specific time. Testing for it means verifying that all the limits are properly set and enforced on all APIs. Simulate a high volume of requests to test the API’s resilience against Distributed Denial of Service (DDoS) attacks.

6. Discovering Zombie APIs – Zombie APIs are old or unused APIs that are still active but not updated or maintained. As they are not maintained, zombie APIs can lead to security risks and can be exploited for vulnerabilities.

Common Tests to Assess Zombie APIs:

• Test for data accessed by zombie APIs(user data, financial data, etc.)
• Test for Authentication and Authorization.
• Test for weak encryption implementation.
• Test for known vulnerabilities or CVEs.

20. What is the purpose of the request and response headers in API testing?

Request and response headers in API testing are used to transmit additional information about the request or response. Request headers can be used to specify a content type, authentication, caching, language preferences, etc.

1. Headers like Authorization include tokens, API keys, or credentials.
2. Specify the desired data format for the request or response.
3. Control or bypass caching mechanisms.

Response headers are sent by the server to the client, containing metadata about the response and instructions for handling it.

1. Specify the format and encoding of the response body.
2. Provide caching policies for the client to optimize performance.
3. Inform the client about rate limits or remaining quota.
4. Specify which origins are allowed to access the resource.

21. What is the purpose of query parameters in API testing?

Query parameters in API testing are used to pass additional parameters in the URL of an API request. These parameters are used to customize the behavior of the API request, such as filtering, sorting, or paginating results. 

Pagination – APIs use query parameters to manage large datasets by breaking them into smaller chunks (pages).

https://api.example.com/items?page=2&limit=50

It returns the second page of results with 50 items per page.

Filtering Data – Query parameters are commonly used to filter the data returned by an API.

https://api.example.com/products?category=electronics&price<1000

It will display products in the “electronics” category with a price less than $1000.

22. What are the major challenges faced in API testing?

Output verification and validation – APIs can return responses in different data formats like JSON, XML, or plain text. Parsing and validating these formats might require additional effort.

Security Tokens – APIs may require various types of authentication, such as OAuth, API keys, or JWT tokens. Managing and automating the generation and use of these tokens can be complex.

Version Management – Testing different versions of the API and ensuring backward compatibility can become complex, especially if multiple versions are in active use.

External Dependencies – When integrating with third-party APIs, there can be challenges related to their availability, reliability, and version changes over which testers have little control.

Setting Up the Test Environment – APIs often depend on other services or databases. Setting up a fully operational test environment that mimics production can be challenging.

23. What are the testing methods that come under API testing?

1. Unit Testing: It involves testing the smallest functional parts of the API, such as individual endpoints, services, or methods, to ensure they work as expected. Unit tests are typically written to validate the behavior and functionality of your code in isolation.

2. Functional Testing: It ensures that the API functions as expected and meets the requirements and specifications. It verifies responses for various inputs and parameters, HTTP status code.

3. Integration Testing: It tests the interaction between different modules or services to ensure they work together as intended. It verifies that APIs properly communicate with other APIs or systems.

4. Load Testing: It evaluates the API’s performance under a specific load to determine its behavior under normal and peak conditions.

5. Stress Testing: Subjects the API to extreme conditions to evaluate how it handles high traffic, large data volumes, or limited resources.

6. Fuzz Testing: Sends random or unexpected data to the API to see how it responds. Automatically generating malformed or random inputs to test the API’s robustness.

7. Security Testing: It Ensures that the API is secure and can protect data from unauthorized access or attacks. Checks for vulnerabilities such as SQL injection, XSS, and other attack vectors.

8. Usability Testing: Ensures that the API is user-friendly and its endpoints are easy to use. Reviewing API documentation and testing the ease of making requests and interpreting responses.

9. Compliance Testing: Verifies that the API adheres to specific standards, regulations, and guidelines. Ensures adherence to industry standards such as REST, SOAP, or specific compliance requirements (e.g., GDPR, HIPAA).

10. Penetration Testing: Simulates attacks on the API to identify security weaknesses. Identifies vulnerabilities that could be exploited by attackers.

11. Regression Testing: Ensures that recent changes to the API do not affect existing functionality. Running a comprehensive set of tests after a new feature is added to ensure existing functionalities are intact.

24. Why is API testing considered as the most suitable form for Automation testing?

API testing is now preferred over GUI testing and is considered as most suitable because:

1. APIs serve as the communication layer between different software components. By testing APIs, issues can be identified early in the development process before the UI is developed.

2. APIs tend to be more stable and less prone to frequent changes compared to the user interface (UI). This stability makes API tests more reliable and less likely to break with minor updates.

3.  API tests are generally faster to execute. They are quicker because API tests do not require the overhead of rendering the user interface, unlike UI tests.

4. API tests do not depend on the UI, they can be executed even when the UI is not available or under development. This independence allows for continuous testing throughout the development cycle.

5. API tests focus on the core business logic and data layer, which are crucial for the functionality of the application. This ensures that the critical components are thoroughly tested.

6. APIs are ideal candidates for automation within CI/CD pipelines. Automated API tests can be seamlessly integrated into build and deploy processes, providing rapid feedback and ensuring continuous testing.

25. What type of bugs would often found in API testing?

1. Incorrect Response Data: API returns incorrect data due to logic errors.

2. Missing or Extra Fields: Response JSON or XML missing required fields or containing unexpected fields.

3. Incorrect Status Codes: API endpoints returning incorrect HTTP status codes (e.g., 200 OK for an error condition).

4. Unexpected Behavior: API does not perform operations as expected (e.g., CRUD operations not working correctly).

5. Slow Response Times: API takes too long to respond under normal or load conditions.

6. Throughput Issues: API cannot handle expected load, leading to reduced throughput.

7. Resource Utilization: High CPU, memory, or network usage during API requests.

8. Injection Attacks: Susceptibility to SQL, NoSQL, and other forms of injection attacks.

9. Cross-Site Scripting (XSS): API responses containing unescaped data leading to XSS vulnerabilities.

10. Authentication Issues: Failure to correctly implement authentication mechanisms (e.g., missing or expired tokens not handled properly).

11. Authorization Flaws: Insufficient checks allowing unauthorized access to protected resources.

26. What are the principles of an API test design?

1. Understand the API Specifications: Review the API documentation to understand the endpoints, request/response formats, parameters, authentication mechanisms, status codes, and error messages.

2. Identify Test Scenarios:

• Positive Tests: Test with valid inputs to ensure the API returns the expected responses.
• Negative Tests: Test with invalid inputs or boundary values to ensure the API handles errors gracefully and returns appropriate error messages.
• Edge Cases: Consider unusual or extreme cases, such as very large inputs, empty inputs, or special characters.
• Error Scenarios: Test the API’s behavior when it encounters errors, such as network failures, timeouts, or invalid inputs.
• Logging and Monitoring: Ensure that the API has proper logging and monitoring to help diagnose and troubleshoot issues.

3. Execution: Send API requests with defined parameters, methods, and data, and observe how the system behaves.

4. Verification & Reporting: Validate the response against expected results, including status codes, response data, and schema. Document test outcomes, marking them as passed, failed, or blocked based on validation results.

5. Performance and Load Testing: Test how well the API scales under load and how it performs under peak traffic conditions.

6. Security Testing: Test that the API properly handles authentication and authorization and does not expose sensitive data.

7. Cleanup: Return the environment to its pre-test state, such as deleting test data or stopping services.

27. Can API tests run in CI/CD pipeline

Yes, API tests can and should run in a Continuous Integration/Continuous Deployment (CI/CD) pipeline to ensure the quality and reliability of your software. 

Implementation Steps

1. Write and Prepare the API Tests: API Tests should be written using the suitable tools like Postman, Rest Assured, JUnit and JUnit for Java and PyTest for Python language.

2. Setup CI/CD Pipeline: CI/CD platform such as Jenkins, GitHub Actions, GitLab CI, or others can be used.  example GitHub Actions workflow file to run API tests using Postman and Newman:

name: API Tests

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  test:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v2

    - name: Set up Node.js
      uses: actions/setup-node@v2
      with:
        node-version: '14'

    - name: Install Newman
      run: npm install -g newman

    - name: Run API tests with Newman
      run: newman run test.json

3. Handle Test Results: CI/CD pipeline is configured to handle and report test results. Many CI/CD tools can integrate with test reporting tools for detailed results and logs.

4. Configure Notifications or Alerts: Configure notifications (e.g., emails or Slack messages) to alert the team when tests fail. This ensures that any issues are promptly addressed.

By integrating API tests into your CI/CD pipeline, you can automatically verify the stability and reliability of your APIs with each code change. 

28. What is the difference between Authentication and Authorization in API testing?

Authentication – Authentication is the process of verifying the identity of a user or system attempting to access the API. It ensures that the person or system making the API request is who they claim to be.

Example – A user logs in to a banking API using their credentials and receives a token.

Common Methods:

• API Keys: A unique identifier sent with the request to validate the user or application.
• Username and Password: Basic authentication.
• OAuth Tokens: Access tokens issued after a successful login.
• Multi-Factor Authentication (MFA): Combining two or more methods (e.g., password + OTP).
• JWT (JSON Web Token): A token that securely transmits user identity

{
  "token": "eyJhbGciOiJIUzI1NiIsInR..."
}

Authorization – Authorization is the process of verifying whether an authenticated user has the necessary permissions. This process checks if they can access specific resources or perform certain actions

Example – The same user tries to transfer money to another account. The API checks if the user’s role allows this action. If the user doesn’t have sufficient permissions, the API denies the request.

Common Methods:

• Role-Based Access Control (RBAC): Permissions based on user roles (e.g., Admin, User).
• Policy-Based Access Control (PBAC): Custom policies to determine access rights.
• Scopes in OAuth: Limit the actions that a token allows (e.g., read-only, full access).

29. Can API testing be automated? If yes, how?

Yes, API testing can be automated using tools like RestAssured, Postman, or TestNG. Test scripts can be written to send requests and validate the response. Assert the following in your tests:

1. Status Codes (e.g., 200 OK, 401 Unauthorized).
2. Response Body: Check for required fields and values.
3. Headers: Validate Content-Type, Cache-Control, etc.
4. Performance: Measure response times.

Below is an example of automated test scripts using Java with Rest Assured.

import io.restassured.http.ContentType;
import org.json.JSONObject;
import org.junit.jupiter.api.Test;
import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.equalTo;

public class APITests {

        String BaseURL = "https://reqres.in/api";

    @Test
    public void getUser() {  

        // GIVEN
        given()
                .contentType(ContentType.JSON)

                // WHEN
                .when()
                .get(BaseURL + "/users/2")

                // THEN
                .then()
                .statusCode(200)
                .body("data.first_name", equalTo("Janet"))
                .log().all();

    }

}

These tests can be run as part of CI/CD pipelines using GitLab, GitHub, Jenkins and many more.

30. What is the difference between synchronous and asynchronous APIs?

Synchronous APIs: The client waits for the server to process the request and send back a response. Request and response happen in the same thread. The client is blocked until a response is received.

Suitable for real-time, sequential tasks where the response is required immediately (e.g., login authentication). Commonly uses HTTP/HTTPS with immediate response (e.g., REST APIs).

Use Case Examples**:
  - Login authentication: The client needs the server's response before proceeding.
  - Fetching data: The client requires the result immediately to display to the user.

Asynchronous APIs: The client sends a request and continues processing without waiting for the server’s response. Request and response happen in separate threads or processes. The client continues processing while waiting for the response.

Suitable for long-running processes or tasks that do not require an immediate response (e.g., batch processing). Often uses WebSockets, Message Queues, or event-driven systems (e.g., Webhooks).

**Use Case Examples**:
  - File upload or processing: The server processes the file and sends a notification when done.
  - Notification systems: Sending push notifications to multiple devices.