Online API Testing Tool

Header	Value	Copy
{{ h.key }}	{{ h.value }}

Name	Method	URL	Actions
{{ s.name }}	{{ s.method }}	{{ s.url }}
No saved requests yet.

HTTP requests are structured messages that let software interact with resources on the web. When people say API calls, they mean the same client–server exchange using a method, a Uniform Resource Locator (URL) and optional headers or body data. Use this browser‑based API request tester to explore how an endpoint responds without installing anything today.

You provide a URL and method and can add query parameters, headers or a body. The request runs in your browser and returns the status code, headers and body, with a formatted JSON view when possible. It also reports elapsed time and total bytes to help you compare responses during iteration. You can paste a cURL command to populate fields instantly.

For example, a users endpoint might return 200 with a JSON list after a GET to a URL that includes limit and page parameters. Inspect the fields, confirm the content type, and verify that the host and path match your expectations before sharing a link. Be mindful of secrets in headers or bodies, and open HTML previews only when you trust the source.

Set a timeout that matches the environment you are targeting and choose how redirects are handled when tracing sign‑in flows. Save frequently used requests for repeat runs and consider omitting tokens from saved entries. When building query parameters, prefer distinct keys over duplicates so values stay predictable, and use explicit Accept and Content‑Type headers to avoid ambiguity.

Technical Details:

The utility assembles an HTTP request from your inputs and executes it in the browser. It builds the final address using the URL interface when possible, or by percent‑encoding keys and values as a fallback. Body data is sent only for non‑GET and non‑HEAD methods, and JSON payloads trigger an automatic Content‑Type header when that header is absent. Authorization supports Basic and Bearer forms. A timeout uses an abort signal, redirect handling follows your selection, and the app records elapsed milliseconds and response size. Responses are decoded with a declared charset when present, parsed as JSON when recognized, previewed as HTML for HTML types, and can be saved locally for reuse.

Processing Pipeline:

Normalize inputs and compose the final address.
Merge enabled headers and attach Authorization when applicable.
If body parses as JSON, set Content‑Type when missing.
Prepare request options with method, headers, body and redirect mode.
Start a timeout and abort the request on expiry.
Send the fetch to the target or through the optional proxy.
Capture status, headers, body bytes, type and final address.
Detect charset from content type and decode text.
Parse JSON when content type indicates it or text looks like JSON.
Compute elapsed milliseconds and total byte size.
Generate HTML preview for HTML responses.
Enable copying, downloading and payload export.

Units, Precision & Rounding:

Timeout is an integer in milliseconds; negative values clamp to 0; decimals are truncated.
Elapsed time uses wall‑clock millisecond differences; treat as approximate, not a benchmark.
Response size is the ArrayBuffer length in bytes when available.
Pretty‑printed JSON uses two‑space indentation.
Character decoding honors a declared charset value; fallback is UTF‑8.

Validation & Bounds (from code):

Inputs, types, limits and messages
Field	Type	Min	Max	Step/Pattern	Error Text	Placeholder
Name	text	—	—	—	—	Untitled request
Method	select (GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS)	—	—	enum	—	—
URL	text	—	—	—	No URL provided.	https://api.example.com/users?limit=10
CORS proxy	switch (boolean)	—	—	—	—	—
Timeout (ms)	number	0	—	step 100	—	9000
Redirects	select (follow, error, manual)	—	—	enum	—	—
Param key	text	—	—	—	—	limit
Param value	text	—	—	—	—	10
Header key	text	—	—	—	—	Accept
Header value	text	—	—	—	—	application/json
Body	textarea (sent for non‑GET/HEAD)	—	—	—	—	{"name":"Alice","email":"alice@example.com"}
Auth type	select (None, Basic, Bearer)	—	—	enum	—	—
Username	text	—	—	—	—	user
Password	password	—	—	—	—	••••••••
Token	text	—	—	—	—	eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9…
cURL	text	—	—	—	—	curl -X POST https://api.example.com …
Runtime	n/a	—	—	—	Network error or CORS blocked. / Network error (proxy) or upstream blocked.	—

I/O Formats & Encoding:

Inputs and outputs with encoding notes
Input	Accepted Families	Output	Encoding/Precision	Rounding
URL & query	URL string plus optional key–value pairs	Final address	URL API when parsable; else keys/values encoded with `encodeURIComponent`	n/a
Headers	List of key–value rows	Request headers map	Case‑insensitive matching for existing header names	n/a
Body	Text (JSON or other)	Sent as provided	JSON detection sets `Content‑Type: application/json` when absent	n/a
Response body	Textual or binary	Pretty JSON, raw text or binary notice	Charset from content type; fallback UTF‑8; HTML preview via iframe	n/a
Response headers	Structured pairs	CSV copy or download	Key and value preserved as received	n/a
Payload export	Combined request and response	JSON file	Includes status, headers, body and metrics	n/a

Networking & Storage Behavior:

Requests originate from the browser; target servers may enforce Cross‑Origin Resource Sharing (CORS).
An optional public proxy can relay requests when servers block browser access.
Timeout uses an abort controller; no retries are attempted.
Saved requests persist in localStorage under the key api_tool_saved_v1.
Import accepts a JSON file and merges entries; export writes a JSON file.

Performance & Complexity:

URL assembly and header merging run in linear time relative to input size.
Responses are buffered in memory; very large bodies increase memory usage.
Decoding and pretty‑printing scale with response length.
Preview creation is instantaneous for small HTML; heavy pages may render slowly.

Diagnostics & Determinism:

Status code, status text, type, size, and timing are displayed for each run.
For identical inputs and server state, behavior is deterministic; networks introduce variability.
Copy, download, and export actions reflect exactly what was received.

Security Considerations:

Do not save tokens or passwords unless you understand browser storage risks on shared machines.
Proxying requests reveals the target address and data to the proxy operator.
HTML preview executes returned markup in an iframe; avoid previewing untrusted content.
Never reuse production secrets in demonstrations or screenshots.

Worked Example:

A simple GET to a users endpoint with limit=10 returns a 200 status and a JSON array. The request sets Accept: application/json and omits a body.

\begin{matrix} t {elapsed}_{ms} & = & t {end}_{ms} - t {start}_{ms} \end{matrix}

{ "status": 200, "headers": {"content-type":"application/json"}, "sizeBytes": 532, "elapsedMs": 128 }

Assumptions & Limitations:

Heads‑up Duplicate query keys set via the URL API overwrite earlier values.
Body content is not sent for GET or HEAD methods by design.
JSON auto‑detection requires valid syntax starting with { or [.
Charset detection relies on the response content type.
Binary bodies are not rendered; a size notice is shown instead.
No retry, backoff, or streaming reader is implemented.

Edge Cases & Error Sources:

Invalid or partial URLs may bypass parsing and only append query pairs.
Servers without CORS allowlists will block direct browser requests.
Timeouts abort in‑flight requests and yield a zero status with an error message.
Malformed JSON prevents pretty printing and header inference.
Unknown or incorrect charsets may decode to garbled text.
204 No Content responses show metadata without a body.
Manual redirect mode may surface non‑final response metadata.
Very large responses can exhaust memory before decoding completes.

Privacy & Compliance:

Saved items stay in your browser’s storage. Requests are sent directly from your device to target servers, or through a proxy when enabled. Do not include secrets you are not prepared to expose.

Step‑by‑Step Guide:

Follow this quick path to send and inspect a request.

Enter the target URL.
Select the method.
Enable the proxy only when CORS blocks direct access Use with care.
Add query parameters as needed.
Add headers; keep or adjust the default Accept value.
Provide a request body for applicable methods.
Choose Basic or Bearer authorization if required.
Set timeout and redirect handling.
Send the request or press Ctrl/⌘+Enter.

Example: paste a cURL command to auto‑populate fields, then press Send to run it.

Tip: save frequently used setups and export them to share with teammates.

You now have a repeatable way to probe endpoints and capture exact responses.

FAQ:

Is my data stored?

Saved requests are kept in your browser’s local storage. The app does not upload saved entries. Requests and responses travel directly between your browser and the destination or proxy.

Avoid saving secrets on shared devices.

Which HTTP methods are supported?

GET, POST, PUT, PATCH, DELETE, HEAD, and OPTIONS.

Can I send a body with GET?

No. Body content is only sent for non‑GET and non‑HEAD methods.

How is JSON detected?

If the body starts with { or [ and parses correctly, the tool treats it as JSON and adds a Content‑Type header when missing.

How accurate is timing?

Timing uses wall‑clock differences in milliseconds. It includes network latency and client processing overhead, so use it for comparisons, not performance certification.

Why does JSON show a message?

If the response is not valid JSON, the JSON tab displays a helpful message and you can inspect the raw body or headers instead.

How do I send a Bearer token?

Choose Bearer under Auth and paste the token. The Authorization header will be added automatically.

Does it work without CORS?

Direct requests require the server to allow browser access. When blocked, you can relay through the optional proxy if your data handling policies permit it.

Do I need an account or license?

No sign‑in is required and no license keys are needed. Everything runs in your browser.

Can I use it offline?

You can open the interface without a network, but requests obviously need connectivity.

Troubleshooting:

0 status with error text: Check connectivity, CORS policy, or proxy availability.
JSON not pretty‑printed: Validate that the body is syntactically correct JSON.
Preview is blank: Only HTML types render in the preview tab.
Headers missing: Confirm they are enabled and keys are spelled correctly.
cURL parse failed: Wrap data in quotes and avoid line breaks.
Timeout fires early: Increase the value to cover slow endpoints.

Blocked by CORS: The browser refused the request. If allowed, enable the proxy or run the call from a trusted server.

Advanced Tips:

Tip Keep the Accept header explicit when testing content negotiation.
Tip Use distinct query keys rather than relying on server‑side merging.
Tip Export saved requests before clearing browser data or switching machines.
Tip Prefer Bearer tokens over Basic for short‑lived, revocable credentials.
Tip Use manual redirect mode to inspect intermediate auth or consent pages.

Glossary:

Uniform Resource Locator (URL): Address of a resource on a network.
HTTP method: Action verb like GET, POST or DELETE.
Header: Key–value metadata sent with a request or response.
Query parameter: Key–value pair appended to a URL’s query string.
JSON: Text format for structured data; uses name–value pairs.
Timeout: Maximum duration to wait before aborting a request.
CORS: Browser rules controlling cross‑origin requests.
Bearer token: Opaque string that authorizes a request.
Basic authentication: Credentials encoded as user:pass with Base64.
Content‑Type: Header declaring the media type and optional charset.