How to Test a REST API with Postman — Free Endpoints to Practice On

Published 2026-01-15 · 7 min read
Most Postman tutorials hand-wave the API itself. This one points at a real, free public REST API so you can practice every step end-to-end — auth, CRUD, chaining and assertions.

What you'll do in this guide

  1. Import a real OpenAPI 3.0 spec into Postman in one click
  2. Send your first GET and read the response
  3. Get a JWT and have Postman re-use it across every request
  4. Chain requests — create a user, then create an order for that user
  5. Add tests that fail loudly when the API misbehaves

You'll use the free TotalShiftLeft REST API. No signup, no API key.

Step 1 — Import the OpenAPI spec

In Postman, click Import in the top-left, choose Link, paste this URL and import:

https://demo.totalshiftleft.ai/openapi.json

Postman generates a collection with every endpoint, example bodies pre-filled. This beats hand-typing URLs and saves about 20 minutes of setup.

Step 2 — Send your first request

Open GET /api/v1/users and click Send. You should see a paginated list of seed users in the response body.

If you see a 429, you've hit the per-IP rate limit. Wait 60 seconds.

Step 3 — Authenticate once, reuse everywhere

Most real APIs need a token. Add this Pre-request Script to the collection root:

if (!pm.environment.get('token') ||
    Date.now() > +pm.environment.get('tokenExpiry')) {
  pm.sendRequest({
    url: 'https://demo.totalshiftleft.ai/auth/token',
    method: 'POST',
    header: { 'Content-Type': 'application/json' },
    body: { mode: 'raw', raw: JSON.stringify({ username:'demo', password:'demo' }) }
  }, (err, res) => {
    const j = res.json();
    pm.environment.set('token', j.access_token);
    pm.environment.set('tokenExpiry', Date.now() + 50 * 60 * 1000);
  });
}

Then on the collection's Authorization tab pick Bearer Token and set the value to {{token}}. Every request now authenticates automatically.

Step 4 — Chain a real workflow

Real APIs are sequences, not single calls. Add this Tests script to POST /api/v1/users so the next request can use the new ID:

const j = pm.response.json();
pm.environment.set('userId', j.data.id);
pm.test('user created', () => pm.expect(pm.response.code).to.eql(201));

Now POST /api/v1/orders with body { "userId": "{{userId}}", "productId": 1 } — Postman fills the variable from the previous response.

Step 5 — Run the whole flow with the Collection Runner

Click Runner, drag in your collection, hit Run. You'll get a green wall of test results. To make it fail on purpose, append ?error=500 to any request — useful when you want to verify your tests actually catch failures.

Where to go next

Frequently asked questions

Do I need a Postman account?

No — Postman runs locally. The API is public, no signup needed.

Can I run this in Newman / CI?

Yes. Export the collection and run newman run collection.json. The pre-request token script works the same in CI.

Where can I see the OpenAPI spec?

At /openapi.json (raw JSON) or /docs (Swagger UI).

Other free public APIs in this sandbox

Free Public REST API JSON, full CRUD, no API key Free Public GraphQL API Live GraphiQL playground Free Public SOAP API WSDL + 14 operations Swagger UI Demo Try-it-out enabled OpenAPI 3.0 Example Importable spec Auth API (OAuth2 / JWT) Public auth-flow sandbox
Ready to try it?

Open the live sandbox — REST, GraphQL, SOAP and auth in one place. No signup, no API key.

Open the API Sandbox →

Topics: how to test a REST API · REST API in Postman · Postman tutorial · free APIs for Postman practice · Postman beginner guide