ReqRes Blog

Using ReqRes for QA Automation Without Getting Blocked

Jan 8, 2026 3 min read

If you're using ReqRes in automated tests, you're in good company - most new Projects right now are coming from QA and automation workflows.

This guide shows how to use ReqRes reliably in Postman, Bruno, Cypress, or Playwright without getting stuck on 401, 403, or 429 errors.

The QA mental model for ReqRes

Think of ReqRes in two modes:

  • Classic endpoints + API key → fastest for demos, teaching, and basic request validation
  • Projects (collections + logs) → best for automation suites that need predictable data and visibility

If you're writing repeatable tests, Projects are usually the better fit because you can control state and inspect logs.

Step 1: Create a dedicated QA API key

Create your free API key here:

https://app.reqres.in/?next=/api-keys

Use a key name that matches your suite, for example:

  • qa-playwright
  • bruno-smoke
  • cypress-regression

Avoid generic names like x-api-key - future you will thank you.

Step 2: Always send a real User-Agent (don't send empty headers)

Automation tools are not browsers, and that's fine - but avoid sending malformed or empty headers.

Good:

  • A normal Postman or Bruno User-Agent
  • A CI User-Agent string (any non-empty value)

Bad:

  • Empty header values (for example x-api-key: with no value)
  • Malformed or non-UTF8 header values

If your tool allows it, explicitly set something simple:

User-Agent: reqres-qa-tests/1.0

Step 3: Avoid 429s by throttling retries

Most rate-limit issues come from test runners retrying too aggressively.

Rules of thumb:

  • Add a 200–500ms delay between requests in tight loops
  • Use exponential backoff on retries
  • Respect Retry-After headers when present

Even small delays dramatically improve stability.
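
Added example (not ReqRes code): a JavaScript helper that applies the Step 2 header check and the Step 3 retry rules together. The `send` transport, its `{ status, headers }` response shape, the 250ms base and 8s cap, and the constructed replies in `demo` are assumptions for illustration.

```javascript
// Added example, not ReqRes code. `send` is a hypothetical transport returning
// { status, headers } with lowercase header names (wrap fetch or your runner's client).

// Step 2: refuse to send empty or non-printable header values. Printable ASCII
// only is an assumption made here; it is stricter than "valid UTF-8".
function checkHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (typeof value !== "string" || value.trim() === "" || /[^\x20-\x7E]/.test(value)) {
      throw new Error(`header "${name}" is empty or malformed`);
    }
  }
  return headers;
}

// Step 3: wait before retry `attempt` (0-based). Retry-After wins when present
// (delta-seconds or HTTP-date); otherwise baseMs * 2^attempt, capped at maxMs.
function retryDelayMs(attempt, retryAfter, now = Date.now(), baseMs = 250, maxMs = 8000) {
  const value = retryAfter == null ? "" : String(retryAfter).trim();
  if (/^\d+$/.test(value)) return Number(value) * 1000;
  const when = /GMT$/.test(value) ? Date.parse(value) : NaN;
  if (!Number.isNaN(when)) return Math.max(when - now, 0);
  return Math.min(baseMs * 2 ** attempt, maxMs);
}

const realSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Retries only on 429. A 401 or 403 is returned at once: those need a header or
// auth-mode fix, and repeating them only adds burst traffic.
async function requestWithBackoff(send, headers, { maxRetries = 4, sleep = realSleep } = {}) {
  checkHeaders(headers);
  for (let attempt = 0; ; attempt++) {
    const res = await send(headers);
    if (res.status !== 429 || attempt >= maxRetries) return res;
    await sleep(retryDelayMs(attempt, res.headers["retry-after"]));
  }
}

// Constructed replies standing in for the API: two 429s, then success.
async function demo() {
  const replies = [{ status: 429, headers: { "retry-after": "1" } },
    { status: 429, headers: {} }, { status: 200, headers: {} }];
  const waits = [];
  const res = await requestWithBackoff(async () => replies.shift(),
    { "x-api-key": "YOUR_API_KEY", "User-Agent": "reqres-qa-tests/1.0" },
    { sleep: async (ms) => { waits.push(ms); } });
  return { status: res.status, waits };
}
demo().then((r) => console.log(r.status, r.waits));
```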

Step 4: Understand the two auth headers (this causes most confusion)

x-api-key

Use x-api-key for:

  • classic endpoints like /api/users
  • admin and setup calls
  • collection reads/writes when not testing per-user isolation

Authorization: Bearer

Use Authorization: Bearer for:

  • per-user data reads and writes
  • tests that validate user isolation and auth behavior

If you see a 401 while sending x-api-key, it usually means the endpoint expects a session token instead.

Step 5: A reliable smoke test request

This request should work from any runner:

curl -X GET "https://reqres.in/api/users?page=2" \
 -H "Content-Type: application/json" \
 -H "x-api-key: YOUR_API_KEY"

If this fails:

  • confirm the key exists and is not empty
  • check that headers are correctly set
  • slow down request frequency

Step 6: Use collections for predictable test data

Classic endpoints are great, but collections give you full control.

Create a collection (for example todos) and write records you can assert against.

Create a record:

curl -X POST "https://reqres.in/api/collections/todos/records" \
 -H "Content-Type: application/json" \
 -H "x-api-key: YOUR_PROJECT_MANAGE_KEY" \
 -H "X-Reqres-Env: prod" \
 -d '{ "title": "Ship onboarding", "done": false }'

Read records:

curl -X GET "https://reqres.in/api/collections/todos/records" \
 -H "x-api-key: YOUR_PROJECT_READ_KEY" \
 -H "X-Reqres-Env: prod"

Collections let your tests assert against known state instead of fake responses.

Step 7: Debug failures with Logs (why Pro matters for QA)

Logs are essential for automation.

They tell you:

  • what request was actually received
  • which headers were present
  • the exact status and response body
  • whether failures came from auth, rate limits, or WAF rules

If you're debugging flaky tests, logs are usually the fastest way to find the root cause.

Common QA errors (and fixes)

401 Unauthorized

Cause:

  • wrong auth mode (x-api-key used where Bearer is required)

Fix:

  • check the endpoint and switch to Authorization: Bearer when needed

403 Forbidden

Cause:

  • invalid or empty headers
  • Cloudflare/WAF blocking suspicious patterns

Fix:

  • ensure headers are non-empty and valid
  • add a stable User-Agent
  • reduce burst traffic

429 Rate Limited

Cause:

  • requests sent too quickly

Fix:

  • add delays and exponential backoff
  • avoid tight retry loops

Where to go next

To see a complete real-app flow (magic links + per-user CRUD), open the Notes example app:

https://app.reqres.in/?next=/examples/notes-app

To create a project and start using collections and logs:

https://app.reqres.in/?next=/getting-started
