Writing Postman Test Scripts
Postman test scripts transform Postman from an HTTP client into a full API test automation tool. Written in JavaScript using Postman's pm library, test scripts define assertions that run after every request. A well-written Postman test validates status codes, response schema, data integrity, performance, and security — and chains data between requests for complex workflow tests.
Postman Test Script — Full Reference
// ══════════════════════════════════════════════════════════════
// POSTMAN TEST SCRIPTS — pm.test() + pm.expect() cheat sheet
// Paste these in the "Tests" tab of any Postman request
// ══════════════════════════════════════════════════════════════

// ── STATUS CODE ────────────────────────────────────────────────
pm.test("Status is 200 OK", () => {
  pm.response.to.have.status(200);
});
pm.test("Status is 201 Created (for POST)", () => {
  pm.response.to.have.status(201);
});

// ── RESPONSE TIME ──────────────────────────────────────────────
pm.test("Response time is under 500ms", () => {
  pm.expect(pm.response.responseTime).to.be.below(500);
});

// ── RESPONSE HEADERS ──────────────────────────────────────────
pm.test("Content-Type is JSON", () => {
  pm.response.to.have.header("Content-Type", "application/json; charset=utf-8");
});
pm.test("Response has X-Request-ID header", () => {
  pm.expect(pm.response.headers.get("X-Request-ID")).to.not.be.undefined;
});

// ── RESPONSE BODY — Parse and assert ──────────────────────────
const body = pm.response.json();
pm.test("Response has correct user ID", () => {
  // Environment variables are stored as strings, so convert before comparing
  pm.expect(body.id).to.equal(parseInt(pm.environment.get("user_id"), 10));
});
pm.test("Email format is valid", () => {
  // \s and \. must be escaped: no whitespace or "@" in any part, literal dot in the domain
  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
  pm.expect(body.email).to.match(emailRegex);
});
pm.test("User name is a non-empty string", () => {
  pm.expect(body.name).to.be.a("string").and.not.empty;
});
pm.test("Password is NOT exposed in response", () => {
  pm.expect(body).to.not.have.property("password");
  pm.expect(body).to.not.have.property("passwordHash");
});
pm.test("CreatedAt is a valid ISO date", () => {
  const date = new Date(body.createdAt);
  pm.expect(date.toString()).to.not.equal("Invalid Date");
});

// ── NESTED OBJECTS ────────────────────────────────────────────
pm.test("Address has required fields", () => {
  pm.expect(body.address).to.have.all.keys(["street", "city", "country", "zip"]);
});

// ── ARRAYS ────────────────────────────────────────────────────
pm.test("Products list is not empty", () => {
  pm.expect(body.products).to.be.an("array").and.to.have.length.above(0);
});
pm.test("Each product has required fields", () => {
  body.products.forEach((product, i) => {
    pm.expect(product, `Product[${i}]`).to.have.property("id");
    pm.expect(product, `Product[${i}]`).to.have.property("name");
    pm.expect(product.price, `Product[${i}].price`).to.be.a("number").and.above(0);
  });
});

// ── SET VARIABLE for next request in collection ───────────────
pm.test("Extract created order ID", () => {
  pm.expect(body.orderId).to.exist;
  pm.environment.set("order_id", body.orderId); // Available in next request
});

Common Mistakes
- Only testing status codes — a 200 response with wrong data is still a failure; always validate the response body
- Not checking for sensitive data exposure — the most critical security check: verify that passwords, tokens, and PII are never returned in unexpected responses
- Using pm.response.text() instead of pm.response.json() — always parse JSON responses for proper assertion; string comparison breaks on formatting
- Test names that don't describe the scenario — 'Test 1' is useless in reports; use descriptive names like 'Price should be a positive number'
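The sensitive-data check in the reference script only inspects top-level properties, so a `passwordHash` nested inside an object or array would pass unnoticed. The following is an added example, not code from the original page: a recursive scan for the "Tests" tab. The function name `findSensitiveKeys`, the deny-list of key names, and the sample body are assumptions made for illustration.

```javascript
// Added example: recursive sensitive-field scan for a Postman "Tests" tab.
// The deny-list is an assumption; adjust it to your API's field names.
const SENSITIVE_KEY =
  /^(password|passwordhash|passwd|secret|token|access_?token|refresh_?token|api_?key|ssn)$/i;

// Walk objects and arrays at any depth; collect the paths of matching keys.
function findSensitiveKeys(value, path = "$", found = []) {
  if (value === null || typeof value !== "object") return found;
  if (Array.isArray(value)) {
    value.forEach((item, i) => findSensitiveKeys(item, `${path}[${i}]`, found));
    return found;
  }
  Object.keys(value).forEach((key) => {
    const here = `${path}.${key}`;
    if (SENSITIVE_KEY.test(key)) found.push(here);
    findSensitiveKeys(value[key], here, found);
  });
  return found;
}

// Constructed sample response: the top level is clean, the leaks sit deeper.
const sampleBody = {
  id: 7,
  email: "user@example.com",
  tokenCount: 3, // not flagged: the pattern matches whole key names only
  profile: { name: "Test User", passwordHash: "<redacted>" },
  sessions: [{ device: "laptop" }, { device: "phone", refreshToken: "<redacted>" }],
};

if (typeof pm !== "undefined") {
  // Inside Postman: run the scan against the live response.
  pm.test("No sensitive fields at any depth", () => {
    const leaks = findSensitiveKeys(pm.response.json());
    pm.expect(leaks, `Sensitive fields: ${leaks.join(", ")}`).to.be.empty;
  });
} else {
  // Outside Postman (for example Node): show the result for the sample.
  console.log(findSensitiveKeys(sampleBody));
}
```

When the test fails, the assertion message lists the path of each offending field, which makes the report actionable without opening the response body.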
Tip
Practice writing Postman test scripts in small, isolated examples before integrating them into larger projects. Breaking concepts into small experiments builds genuine understanding faster than reading alone.
Practice Task
(1) Write a working Postman test script from scratch without looking at notes. (2) Modify it to handle an edge case (empty input, null value, or error state). (3) Share your solution in the Priygop community for feedback.
Common Mistake
A common mistake when writing Postman test scripts is skipping edge case testing: empty inputs, null values, and unexpected data types. Always validate boundary conditions so that your tests are robust and production-ready.
Key Takeaways
- Postman test scripts transform Postman from an HTTP client into a full API test automation tool.
- Validate the response body, not only the status code; a 200 response with wrong data is still a failure.
- Check for sensitive data exposure, the most critical security check: verify that passwords, tokens, and PII are never returned in unexpected responses.
- Parse JSON responses with pm.response.json() rather than pm.response.text(); string comparison breaks on formatting.