QA Engineering

API Testing with Postman and Charles Proxy: A QA Engineer's Workflow

By Odai Naboulsi · February 12, 2026 · 7 min read

Postman and Charles Proxy are two of the most valuable tools in a QA engineer's arsenal for API testing, and they serve complementary roles. Postman is for constructing, sending, and validating API requests directly. Charles Proxy is for observing the actual HTTP/HTTPS traffic your application generates. Together, they give you both the ability to test APIs in isolation and the ability to see exactly what the app does in real conditions.

What Is Postman and What Does It Do for QA?

Postman is an API client that lets you construct HTTP requests — GET, POST, PUT, PATCH, DELETE — and inspect the responses. For a QA engineer, it serves several distinct purposes:

  • Request and response validation — does the endpoint return the correct HTTP status code, the correct response body structure, and the correct data values for a given input?
  • Collections and test suites — Postman allows you to group related API requests into a Collection, write JavaScript-based test assertions that run automatically after each request, and run the entire collection as a batch against different environments
  • Environment variables — switch between QA, staging, and production base URLs and auth tokens without modifying individual requests
  • Pre-request scripts — automate authentication flows so you are not manually refreshing tokens before every test run
  • Contract testing — validate that API responses conform to the agreed-upon schema before the frontend or mobile app depends on them

At Nike, Postman collections were a standard QA artifact for any new API endpoint. Before functional testing of a new feature began, I would validate the underlying API — check that the endpoints returned correctly structured data, that error states returned appropriate HTTP codes, and that boundary conditions in request parameters were handled gracefully. This catches a class of defects before they become confusing UI bugs.

What Is Charles Proxy and What Does It Do for QA?

Charles Proxy is an HTTP/HTTPS proxy that intercepts network traffic between a client (your mobile app or browser) and a server. It sits in the middle and logs every request and response. For mobile QA, this is invaluable because you can see exactly what the app is sending to the server and what the server sends back — something you cannot observe from the app's UI alone.

Key capabilities that matter for QA:

  • Traffic inspection — see every API call the app makes, in real time, including headers, request bodies, response bodies, and timing data
  • SSL proxying — modern apps communicate over HTTPS, which encrypts traffic. Charles can decrypt this traffic (with proper SSL certificate setup) so you can inspect the actual payloads rather than seeing encrypted noise
  • Request throttling — simulate slow or unreliable network conditions (2G, 3G, high latency) to test how the app behaves under poor connectivity
  • Request/response rewriting — modify a request or response on the fly to test how the app handles specific error codes, malformed responses, or edge-case data values without needing backend changes
  • Breakpoints — pause a request or response in-flight, modify it, and then let it through — useful for testing how the app handles a specific HTTP 500 or a specific malformed JSON field

How Postman and Charles Proxy Complement Each Other

Postman tests the API in isolation: you control every parameter of the request and you validate the response directly. Charles shows you what the app actually sends: you observe the real request the application constructs under real usage conditions. These are different things, and both perspectives matter.

A request you send in Postman and a request the app sends to the same endpoint may look different. The app might be sending an unexpected header, omitting a required parameter, or sending a malformed JSON body due to a serialization bug. Charles is how you catch that. Postman is how you confirm the endpoint itself behaves correctly when given a properly formed request.

A Step-by-Step Workflow for Diagnosing an API Defect

  1. Reproduce the defect in the app. Identify the specific user action that triggers the misbehavior — a button press, a form submission, a screen load.
  2. Open Charles and capture the traffic. With SSL proxying enabled for the relevant domain, reproduce the action in the app. Charles captures the request and response in real time.
  3. Inspect the request. Is the app sending the correct endpoint? Are the headers correct (auth token, content-type)? Is the request body properly formed? Is any required parameter missing or malformed?
  4. Inspect the response. What HTTP status code did the server return? What is the response body? If the server returned an error, does the error message explain the failure?
  5. Replicate in Postman. Take the exact request you observed in Charles and reconstruct it in Postman. Send the same request directly to the API. Does it reproduce the failure? If yes, the defect is in the backend. If the direct Postman call succeeds but the app fails, the defect is in how the app constructs or handles the request.
  6. Document both the Charles session and the Postman request in the JIRA defect report. Attach the request/response from Charles and export the failing Postman request as a shareable link or collection. This gives the developer everything they need to reproduce and fix the issue without a back-and-forth.

Tips for Mobile API Testing

  • Set up Charles SSL proxying for your app's domains before testing begins — trying to configure it mid-defect investigation while under deadline pressure is painful
  • Use Charles's "Map Remote" feature to redirect API calls to a different environment on the fly, without modifying the app build
  • For iOS, install the Charles root certificate on the device via the Charles iOS certificate URL; for Android 7+, note that apps using network security config may require additional steps to trust user-installed certificates
  • Postman's collection runner with environment variables is the fastest way to run a smoke test of all critical API endpoints after a new build is deployed

The difference between a QA engineer who says "the app is broken" and one who says "the app is sending a malformed request body — here is the Charles session and the Postman reproduction" is the difference between a useful defect report and a frustrating one.

Mastering this two-tool workflow — Postman for direct API validation, Charles for observed app behavior — gives you the ability to diagnose defects with precision and communicate findings with evidence. In any modern mobile or web application where the client-server contract is central to product quality, these tools are not optional extras. They are core QA infrastructure.

← Back to Blog