Unknown Challenger ID

To view your challenges status in multi-user mode, make sure you have registered as a challenger using a `POST` request to `/challenger` and are including an `X-CHALLENGER` header in all your requests.

Then view the challenges in the GUI by visiting `/gui/challenges/{GUID}`, where `{GUID}` is the value in the `X-CHALLENGER` header.

Challenger sessions are purged from the server memory after 10 minutes of inactivity. To restore your session progress issue an API request with the X-CHALLENGER header (note this will restore the completion state of challenges, but not the data you were using).

You can find more information about this on the Multi User Help Page

Sections

Getting Started

If you want to track your challenge progress, in multi-user mode then you need to solve the challenges in this section to generate a unique ID that we can associate your progress with.

IDChallengeDoneDescription
01POST /challenger (201)false

Issue a POST request on the `/challenger` end point, with no body, to create a new challenger session. Use the generated X-CHALLENGER header in future requests to track challenge completion.


Hints
  • In multi-user mode, you need to create an X-CHALLENGER Session first Learn More
Solution
  • Send request using POST to /challenger endpoint. The response has an X-CHALLENGER header, add this header X-CHALLENGER and the GUID value to all future requests.
  • Read Solution
  • Watch Insomnia Solution

Back to Section List

First Real Challenge

For your first challenge, get the list of challenges. You'll be able to use this to see your progress in your API Client, as well as using the GUI.

IDChallengeDoneDescription
02GET /challenges (200)false

Issue a GET request on the `/challenges` end point


Solution

Back to Section List

GET Challenges

To retrieve, or read information from an API we issue GET requests. This section has a bunch of GET request challenges to try out.

IDChallengeDoneDescription
03GET /todos (200)false

Issue a GET request on the `/todos` end point


Solution
04GET /todo (404) not pluralfalse

Issue a GET request on the `/todo` end point should 404 because nouns should be plural


Solution
05GET /todos/{id} (200)false

Issue a GET request on the `/todos/{id}` end point to return a specific todo


Hints
  • Make sure you don't use {id} in the url, replace that with the id of a todo e.g. /todos/1
Solution
06GET /todos/{id} (404)false

Issue a GET request on the `/todos/{id}` end point for a todo that does not exist


Hints
  • Make sure you don't use {id} in the url, replace that with the id of a todo e.g. /todos/1
  • Make sure the id is an integer e.g. /todos/1
  • Make sure you are using the /todos end point e.g. /todos/1
Solution
07GET /todos (200) ?filterfalse

Issue a GET request on the `/todos` end point with a query filter to get only todos which are 'done'. There must exist both 'done' and 'not done' todos, to pass this challenge.


Hints
  • A query filter is a URL parameter using the field name and a value
  • A URL parameter is added to the end of a url with a ? e.g. /todos?id=1
  • To filter on 'done' we use the 'doneStatus' field ? e.g. ?doneStatus=true
  • Make sure there are todos which are done, and not yet done
Solution

Back to Section List

HEAD Challenges

A HEAD request, is like a GET request, but only returns the headers and status code.

IDChallengeDoneDescription
08HEAD /todos (200)false

Issue a HEAD request on the `/todos` end point


Solution

Back to Section List

Creation Challenges with POST

A POST request can be used to create and update data, these challenges are to 'create' data. As a Hint, if you are not sure what the message body should be, try copying in the response from the associated GET request, and amending it.

IDChallengeDoneDescription
09POST /todos (201)false

Issue a POST request to successfully create a todo


Solution
10POST /todos (400) doneStatusfalse

Issue a POST request to create a todo but fail validation on the `doneStatus` field


Solution
11POST /todos (400) title too longfalse

Issue a POST request to create a todo but fail length validation on the `title` field because your title exceeds maximum allowable characters.

12POST /todos (400) description too longfalse

Issue a POST request to create a todo but fail length validation on the `description` because your description exceeds maximum allowable characters.

13POST /todos (201) max out contentfalse

Issue a POST request to create a todo with maximum length title and description fields.


Hints
  • Max lengths are listed in the API Documentation
  • CounterStrings are very useful for testing with maximum field lengths
14POST /todos (413) content too longfalse

Issue a POST request to create a todo but fail payload length validation on the `description` because your whole payload exceeds maximum allowable 5000 characters.


Hints
  • Try using a long 5000 char string as the description or title text
15POST /todos (400) extrafalse

Issue a POST request to create a todo but fail validation because your payload contains an unrecognised field.


Hints
  • Try to create a todo with a title, description and a priority

Back to Section List

Creation Challenges with PUT

A PUT request can often used to create and update data. The todo application we are using has automatically generated ids, so you cannot use PUT to create. As a Hint, if you are not sure what the message body should be, try copying in the response from the associated GET request, and amending it.

IDChallengeDoneDescription
16PUT /todos/{id} (400)false

Issue a PUT request to unsuccessfully create a todo

Back to Section List

Update Challenges with POST

Use a POST request to amend something that already exists. These are 'partial' content updates so you usually don't need to have all details of the entity in the request, e.g. you could just update a title, or a description, or a status

IDChallengeDoneDescription
17POST /todos/{id} (200)false

Issue a POST request to successfully update a todo


Hints
  • Make sure you don't use {id} in the url, replace that with the id of a todo e.g. /todos/1
Solution
18POST /todos/{id} (404)false

Issue a POST request for a todo which does not exist. Expect to receive a 404 response.


Hints
  • Make sure you don't use {id} in the url, replace that with the id of a todo that does not exist e.g. /todos/100

Back to Section List

Update Challenges with PUT

A PUT request can be used to amend data. REST Put requests are idempotent, they provide the same result each time.

IDChallengeDoneDescription
19PUT /todos/{id} full (200)false

Issue a PUT request to update an existing todo with a complete payload i.e. title, description and donestatus.

20PUT /todos/{id} partial (200)false

Issue a PUT request to update an existing todo with just mandatory items in payload i.e. title.

21PUT /todos/{id} no title (400)false

Issue a PUT request to fail to update an existing todo because title is missing in payload.


Hints
  • Title is required for Put requests because they are idempotent. You can amend using POST without a title, but not using a PUT.
22PUT /todos/{id} no amend id (400)false

Issue a PUT request to fail to update an existing todo because id different in payload.


Hints
  • ID is auto generated you can not amend it in the payload.
  • If you have a different id in the payload from the url then this is viewed as an amendment and you can not amend an auto generated field.

Back to Section List

DELETE Challenges

Use a DELETE request to delete an entity. Since this is an extreme request, normally you have to be logged in or authenticated, but we wanted to make life easier for you so we cover authentication later. Anyone can delete To Do items without authentication in this system.

IDChallengeDoneDescription
23DELETE /todos/{id} (200)false

Issue a DELETE request to successfully delete a todo


Hints
  • Make sure you don't use {id} in the url, replace that with the id of a todo e.g. /todos/1
  • Make sure a todo with the id exists prior to issuing the request
  • Check it was deleted by issuing a GET or HEAD on the /todos/{id}
Solution

Back to Section List

OPTIONS Challenges

Use an OPTIONS verb and check the `Allow` header, this will show you what verbs are allowed to be used on an endpoint. When you test APIs it is worth checking to see if all the verbs listed are allowed or not.

IDChallengeDoneDescription
24OPTIONS /todos (200)false

Issue an OPTIONS request on the `/todos` end point. You might want to manually check the 'Allow' header in the response is as expected.


Solution

Back to Section List

Accept Challenges

The `Accept` header, tells the server what format you want the response to be in. By changing the `Accept` header you can specify JSON or XML.

IDChallengeDoneDescription
25GET /todos (200) XMLfalse

Issue a GET request on the `/todos` end point with an `Accept` header of `application/xml` to receive results in XML format


Solution
26GET /todos (200) JSONfalse

Issue a GET request on the `/todos` end point with an `Accept` header of `application/json` to receive results in JSON format


Solution
27GET /todos (200) ANYfalse

Issue a GET request on the `/todos` end point with an `Accept` header of `*/*` to receive results in default JSON format


Solution
28GET /todos (200) XML preffalse

Issue a GET request on the `/todos` end point with an `Accept` header of `application/xml, application/json` to receive results in the preferred XML format


Solution
29GET /todos (200) no acceptfalse

Issue a GET request on the `/todos` end point with no `Accept` header present in the message to receive results in default JSON format


Solution
30GET /todos (406)false

Issue a GET request on the `/todos` end point with an `Accept` header `application/gzip` to receive 406 'NOT ACCEPTABLE' status code


Solution

Back to Section List

Content-Type Challenges

The `Content-Type` header, tells the server what format type your 'body' content is, e.g. are you sending XML or JSON.

IDChallengeDoneDescription
31POST /todos XMLfalse

Issue a POST request on the `/todos` end point to create a todo using Content-Type `application/xml`, and Accepting only XML ie. Accept header of `application/xml`


Solution
32POST /todos JSONfalse

Issue a POST request on the `/todos` end point to create a todo using Content-Type `application/json`, and Accepting only JSON ie. Accept header of `application/json`


Solution
33POST /todos (415)false

Issue a POST request on the `/todos` end point with an unsupported content type to generate a 415 status code


Solution

Back to Section List

Fancy a Break? Restore your session

Your challenge progress is saved, and as long as you remember you challenger ID you can restore it. Leaving a challenger idle for 10 minutes and coming back will restore the progress in memory.

IDChallengeDoneDescription
34GET /challenger/guid (200)false

Issue a GET request on the `/challenger` end point, with an existing challenger GUID to restore that challenger's progress into memory.


Hints
  • In multi-user mode, you need to create an X-CHALLENGER Session first and let it go idle so it is removed in the 10 minute purge Learn More
35POST /challenger (existing X-CHALLENGER)false

Issue a POST request on the `/challenger` end point, with an existing challenger GUID as the X-CHALLENGER header to restore that challenger's progress into memory.


Hints
  • In multi-user mode, you need to create an X-CHALLENGER Session first and let it go idle so it is removed in the 10 minute purge Learn More

Back to Section List

Mix Accept and Content-Type Challenges

We can mix the `Accept` and `Content-Type` headers so that we can send JSON but receive XML. These challenges encourage you to explore some combinations.

IDChallengeDoneDescription
36POST /todos XML to JSONfalse

Issue a POST request on the `/todos` end point to create a todo using Content-Type `application/xml` but Accept `application/json`


Solution
37POST /todos JSON to XMLfalse

Issue a POST request on the `/todos` end point to create a todo using Content-Type `application/json` but Accept `application/xml`


Solution

Back to Section List

Status Code Challenges

Status-codes are essential to understand, so we created some challenges that help you trigger more status codes. Remember to review httpstatuses.com to learn what the status codes mean.

IDChallengeDoneDescription
38DELETE /heartbeat (405)false

Issue a DELETE request on the `/heartbeat` end point and receive 405 (Method Not Allowed)


Solution
39PATCH /heartbeat (500)false

Issue a PATCH request on the `/heartbeat` end point and receive 500 (internal server error)


Solution
40TRACE /heartbeat (501)false

Issue a TRACE request on the `/heartbeat` end point and receive 501 (Not Implemented)


Solution
41GET /heartbeat (204)false

Issue a GET request on the `/heartbeat` end point and receive 204 when server is running


Solution

Back to Section List

HTTP Method Override Challenges

Some HTTP Clients can not send all verbs e.g. PATCH, DELETE, PUT. Use an X-HTTP-Method-Override header to simulate these with a POST request

IDChallengeDoneDescription
42POST /heartbeat as DELETE (405)false

Issue a POST request on the `/heartbeat` end point and receive 405 when you override the Method Verb to a DELETE


Hints
  • Use a normal POST Request, but add an X-HTTP-Method-Override header
Solution
  • Add a header 'X-HTTP-Method-Override: DELETE' to a POST /heartbeat request
43POST /heartbeat as PATCH (500)false

Issue a POST request on the `/heartbeat` end point and receive 500 when you override the Method Verb to a PATCH


Hints
  • Use a normal POST Request, but add an X-HTTP-Method-Override header
Solution
  • Add a header 'X-HTTP-Method-Override: PATCH' to a POST /heartbeat request
44POST /heartbeat as Trace (501)false

Issue a POST request on the `/heartbeat` end point and receive 501 (Not Implemented) when you override the Method Verb to a TRACE


Hints
  • Use a normal POST Request, but add an X-HTTP-Method-Override header
Solution
  • Add a header 'X-HTTP-Method-Override: TRACE' to a POST /heartbeat request

Back to Section List

Authentication Challenges

Authentication is telling the system who you are. In multi-user mode you are already doing that with the X-CHALLENGER header, but we have added an extra level of security on the /secret section. So first Authenticate with Basic Authentication to find out the token to use for authorisation for later challenges.

IDChallengeDoneDescription
45POST /secret/token (401)false

Issue a POST request on the `/secret/token` end point and receive 401 when Basic auth username/password is not admin/password


Hints
  • Remember to add your X-CHALLENGER guid header
Solution
46POST /secret/token (201)false

Issue a POST request on the `/secret/token` end point and receive 201 when Basic auth username/password is admin/password


Hints
  • Remember to add your X-CHALLENGER guid header
Solution

Back to Section List

Authorization Challenges

Once the system knows who you are, authorization is if you have the correct level of access. In these challenges the authorization is granted using a custom API header X-AUTH-TOKEN or using a Bearer Authorization header.

IDChallengeDoneDescription
47GET /secret/note (403)false

Issue a GET request on the `/secret/note` end point and receive 403 when X-AUTH-TOKEN does not match a valid token


Hints
  • Remember to add your X-CHALLENGER guid header
Solution
48GET /secret/note (401)false

Issue a GET request on the `/secret/note` end point and receive 401 when no X-AUTH-TOKEN header present


Hints
  • Remember to add your X-CHALLENGER guid header
Solution
49GET /secret/note (200)false

Issue a GET request on the `/secret/note` end point receive 200 when valid X-AUTH-TOKEN used - response body should contain the note


Hints
  • Remember to add your X-CHALLENGER guid header
Solution
50POST /secret/note (200)false

Issue a POST request on the `/secret/note` end point with a note payload e.g. {"note":"my note"} and receive 200 when valid X-AUTH-TOKEN used. Note is maximum length 100 chars and will be truncated when stored.


Hints
  • Remember to add your X-CHALLENGER guid header
Solution
51POST /secret/note (401)false

Issue a POST request on the `/secret/note` end point with a note payload {"note":"my note"} and receive 401 when no X-AUTH-TOKEN present


Hints
  • Remember to add your X-CHALLENGER guid header
Solution
52POST /secret/note (403)false

Issue a POST request on the `/secret/note` end point with a note payload {"note":"my note"} and receive 403 when X-AUTH-TOKEN does not match a valid token


Hints
  • Remember to add your X-CHALLENGER guid header
Solution
53GET /secret/note (Bearer)false

Issue a GET request on the `/secret/note` end point receive 200 when using the X-AUTH-TOKEN value as an Authorization Bearer token - response body should contain the note


Hints
  • Remember to add your X-CHALLENGER guid header
Solution
54POST /secret/note (Bearer)false

Issue a POST request on the `/secret/note` end point with a note payload e.g. {"note":"my note"} and receive 200 when valid X-AUTH-TOKEN value used as an Authorization Bearer token. Status code 200 received. Note is maximum length 100 chars and will be truncated when stored.


Hints
  • Remember to add your X-CHALLENGER guid header
Solution

Back to Section List

Miscellaneous Challenges

We left these challenges to the end because they seemed fun, but... different.

IDChallengeDoneDescription
55DELETE /todos/{id} (200) allfalse

Issue a DELETE request to successfully delete the last todo in system so that there are no more todos in the system


Hints
  • After deleting the last todo, there will be no todos left in the application
  • Make sure you don't use {id} in the url, replace that with the id of a todo e.g. /todos/1
  • You have to delete all the todo items in the system to complete this challenge
56POST /todos (201) allfalse

Issue as many POST requests as it takes to add the maximum number of TODOS allowed for a user. The maximum number should be listed in the documentation.

Back to Section List