Skip to main content
blog title image

3 minute read - API Testing API Challenges

Challenge 34 - How To - POST Amend 200

Jul 25, 2021

This post and video shows how to complete the POST secret note challenge, which returns a status code of 200 and amends the secret note.

What are the API Challenges?

Our API Challenges Application has a fully functional cloud hosted API, and a set of challenges to work through.

POST Amend Secret Note Challenge

Most of the challenges simply require the correct payload, and an X-Challenger header to track the session. The authentication challenges require an extra header, the value for which can only be obtained with a username and password. This value is obtained when completing challenge 30.

The X-CHALLENGER header authenticates you to access a specific set of secret notes, and the X-AUTH-TOKEN authorizes you to gain access.

  • Authentication is “are you who you say you are” (X-CHALLENGER)
  • Authorization is “do you have the right permissions” (X-AUTH-TOKEN)

Challenge 34 POST Amend

Issue a POST request on the /secret/note end point with a note payload e.g. {“note”:“my note”} and receive 200 when valid X-AUTH-TOKEN used. Note is maximum length 100 chars and will be truncated when stored.

  • POST request means use the HTTP Verb POST
    • e.g. POST /secret/note sends to the secret note endpoint
  • with a note payload include a JSON formatted object as the payload
  • valid X-AUTH-TOKEN used means a custom header named X-AUTH-TOKEN should be added to the message with the value received from the /secret/token response in Challenge 30
  • add the X-CHALLENGER header to track progress and authenticate the request
  • Receive a 200 response because both X-CHALLENGER and X-AUTH-TOKEN are for the same user and the payload was well formatted.

Basic Instructions

  • Create a new request for the /secret/note end point
    • if running locally that endpoint would be
      • http://localhost:4567/secret/note
    • if running in the cloud that endpoint would be
  • The verb should be a POST
  • Ensure there is a custom header with the name X-AUTH-TOKEN and the value is the same as received in the /secret/token response
  • The request should have an X-CHALLENGER header to track challenge completion
  • Add a JSON Payload of the format {"note":"my note"}
  • Include header for Content-type value application/json
  • If the text is too long it will be truncated
  • You should receive a 200 response
  • The body of the response will contain the secret note
> POST /secret/note HTTP/1.1
> Host:
> User-Agent: insomnia/2021.2.2
> X-CHALLENGER: x-challenger-guid
> X-AUTH-TOKEN: x-auth-token-value
> Content-Type: application/json
> Authorization: Basic YWRtaW46cGFzc3dvcmQ=
> Accept: */*
> Content-Length: 31

| {
|   "note": "my note is here"
| }

< HTTP/1.1 200 OK
< Connection: close
< Date: Sun, 25 Jul 2021 11:47:36 GMT
< X-Challenger: x-challenger-guid
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur

Example body of the response:

    "note": "my note is here"


  • Try varying the length of the note… does the system truncate as expected?

Overview Video

Patreon ad free version

Learn More and Start Testing