API testing with Postman and Newman on a real application (Serenity Demo). Full CRUD operations, validations, schema testing, and data-driven testing with CSV. Every decision and issue is publicly documented.
This is not a collection of requests copied from the documentation. It's a project where each flow was built against a real application, solving real problems: dynamic CSRF, authentication cookies, conditional assertions, schema validation, and data-driven testing from the terminal.
| Layer | Technology |
|---|---|
| API Client | Postman |
| CLI Runner | Newman |
| Target App | Serenity Demo (ASP.NET) |
| Data Source | CSV (data-driven testing) |
| Schema Validation | AJV (JSON Schema) |
| Reports | Newman HTML Reporter |
| CI/CD | GitHub Actions |
| Report Hosting | GitHub Pages |
Every push to main triggers an automated pipeline:
Push to main
↓
GitHub Actions (Ubuntu + Node.js 20)
↓
npm install newman + htmlextra
↓
newman run (6 iterations, 150 assertions)
↓
HTML report generated
↓
Published to GitHub Pages
Live report: cesarbeassuarez.github.io/postman-api-testing
Note
The report includes intentional failures. Two assertions are designed to fail to demonstrate how the report handles and displays real errors. The pipeline shows as "failed" because Newman returns exit code 1 — the deploy runs anyway via if: always().
postman-api-testing/
├── .github/
│ └── workflows/
│ └── newman-tests.yml # CI/CD pipeline
├── .postman/ # Postman internal config
├── postman/
│ └── collections/ # Postman Git sync (individual .yaml per request)
├── newman/
│ ├── Serenity Demo - Auth + Customer API Flow.postman_collection.json
│ ├── serenity-demo.postman_environment.json
│ ├── create_customer_data.csv # Data file for data-driven testing
│ └── report/ # Newman HTML reports
└── README.md
Each entry is a real iteration. Full context of decisions and problems in mi blog.
| # | Focus | Date |
|---|---|---|
| 1 | Postman + CSRF dinámico: resolver un 400 en app real — Replicating a real flow is not copying requests. Static CSRF token = 400. Dynamic variables and pre-request scripts. | 10 Mar 2026 |
| 2 | Postman sin assertions es solo un cliente HTTP bonito — 11 validations with pm.test: status codes, cookies, JSON structure, TotalCount. From "No tests found" to a flow that tests. | 12 Mar 2026 |
| 3 | Testing negativo: rompiendo el login a propósito — 4 scenarios that break the login: Incorrect credentials, no CSRF, no authentication, empty fields. A 500 error that shouldn't be there. | 12 Mar 2026 |
| 4 | Runner y CSRF: por qué fallaba en la primera corrida — ASP.NET Core Antiforgery links the CSRF token to the user's identity. The problem and the complete solution. | 14 Mar 2026 |
| 5 | CRUD real: crear, verificar, eliminar y confirmar — Create a client via API, check in grid of 92 records, delete, confirm that it returns to 91. CRUD self-cleaning cycle. | 18 Mar 2026 |
| 6 | Retrieve y Update: completando el CRUD — Retrieve customer data with Retrieve, modify a field with Update, and verify the change. Complete CRUD cycle. | 18 Mar 2026 |
| 7 | Schema validation: un contrato formal para la API — JSON Schema for Customer List, validated with AJV. I intentionally broke the schema to test that it detects real errors. | 19 Mar 2026 |
| 8 | Data-driven testing con Newman y CSV — CSV with 6 scenarios, parameterized CRUD, conditional assertions, HTML reports. All from the terminal, without a paid Postman plan. | 22 Mar 2026 |
| 9 | CI/CD con Newman y GitHub Actions — The same local command now runs on every push. HTML report on GitHub Pages. Comparison with the Selenium pipeline. | 22 Mar 2026 |
- App real, no mock. Serenity Demo is an ASP.NET app with CSRF, cookies, and real authentication. It is not a frictionless public API.
- Problemas reales documentados. Dynamic CSRF, identity-linked cookies, Runner failing on first run — all explained.
- Progresión visible. From copying requests to data-driven testing with Newman. Each post builds on the previous one.
- Testing negativo incluido. Not just happy paths: scenarios that intentionally break the app.
- CI/CD integrated. Tests run automatically, reports are public.
- CI/CD: Newman + GitHub Actions pipeline
- Integración con REST Assured en qa-automation-lab
- Blog (serie completa): cesarbeassuarez.dev/tag/postman
- Live report: cesarbeassuarez.github.io/postman-api-testing
- LinkedIn: linkedin.com/in/cesarbeassuarez