Postman’s response validation lets you automate checking API responses, turning manual checks into reliable tests.
Let’s see it in action. Imagine you’re testing a simple API that returns user data.
// In Postman's "Tests" tab for a GET request to /users/{id}
// Assert the HTTP status code is 200 OK
pm.test("Status code is 200", function () {
pm.response.to.have.status(200);
});
// Assert the Content-Type header is application/json
pm.test("Content-Type header is application/json", function () {
pm.response.to.have.header("Content-Type", "application/json");
});
// Assert the response body contains a specific JSON key
pm.test("Response body has user ID", function () {
const responseJson = pm.response.json();
pm.expect(responseJson).to.have.property("id");
});
// Assert the response body JSON has a specific value for a key
pm.test("User ID is 123", function () {
const responseJson = pm.response.json();
pm.expect(responseJson.id).to.eql(123);
});
When you send a request to your API with this script in the "Tests" tab, Postman will execute these checks against the received response. The "Results" pane in Postman will then show which tests passed and which failed, along with detailed error messages for failures. This is crucial for CI/CD pipelines, ensuring your API behaves as expected with every deployment.
The core problem this solves is the tedious and error-prone nature of manually verifying API responses. Imagine checking dozens or hundreds of responses by hand – it’s slow, inconsistent, and prone to human error. Postman’s test scripts allow you to define a contract for your API responses and automatically verify that contract.
Internally, Postman provides a JavaScript environment within its "Tests" tab. The pm object is your gateway to this environment. pm.response gives you access to the raw response data: status, headers, and body. You then use assertion libraries like Chai (which Postman bundles) via pm.test and pm.expect to define your validation rules.
The pm.response.json() method is a powerful shortcut. If your API returns JSON, this method automatically parses the response body into a JavaScript object, making it trivial to assert specific values or structures. For non-JSON responses, you’d use pm.response.text() and parse manually.
You control the granularity of your tests. You can assert the overall status code, specific header values (like Content-Type or Cache-Control), or dive deep into the JSON or XML body to check for specific keys, values, data types, or even array lengths.
A common misconception is that you must use pm.response.json(). While convenient for JSON, if you have an API that returns, say, XML, you can still parse it. You’d fetch the text content using pm.response.text() and then use a JavaScript XML parsing library (which you might need to include in your collection or environment if not built-in) to process it before making assertions. The key is that pm.response exposes the raw body, and you can process it however you need.
The next concept you’ll likely encounter is chaining requests and using the data from one response in a subsequent request.