Online API Testing Tool

Request snapshot

Sending request…

Name:

Method:

URL:

Requests run directly in your browser. The API must explicitly allow your origin, otherwise the browser will block the response (CORS).

On	Key	Value	Remove

On	Header	Value	Remove

Auth type:

Credentials:

User

Pass

Token:

Body is ignored for GET and HEAD. JSON payloads receive automatic prettifying and Content-Type when blank.

Timeout:

Redirects:

Parse cURL:

You can paste the command in the URL field as well.

{{ formattedBody }}

Preview is available only for HTML responses.

Header	Value	Copy
{{ h.key }}	{{ h.value }}
No headers returned.

Request

{{ rawRequest }}

Response meta

{{ JSON.stringify({ url: responseURL, status: responseStatus, statusText: responseStatusText, ok: responseOk, type: responseType, sizeBytes: responseSizeBytes, elapsedMs }, null, 2) }}

Saved requests

Import

Name	Method	URL	Actions
{{ entry.name }}	{{ entry.method }}	{{ entry.url }}
No saved requests yet.

Tags: Devtools , Diagnostics , HTTP

Export to PDF Fullscreen

Embed:

Web request testing is the practice of sending a request to a service address and reading the reply. It helps you confirm what an endpoint accepts and returns in everyday terms. Many people look for a simple way to test web service endpoints without setting up scripts or extra software.

Enter a target address and pick a request method. Add any query pairs or custom headers and include a message body when updates are needed, then send. You will see the returned status text plus any response content and key headers as well as the total time, and you can paste a command string to auto fill fields for quick setup.

For example, request a list of users from a demo address with a small limit and expect a short set of names. If you update a record you might send a small body and see confirmation in the reply. Network timing can swing between runs and short tests can show surprising jumps or streaks.

Get clearer results by naming requests so you can compare runs later and by keeping secrets out of saved entries. Use pretty print when a reply is structured and toggle parameters to compare scenarios. When a service moves you elsewhere try a strict redirect setting to see what happens step by step.

Technical Details:

Hypertext Transfer Protocol (HTTP) requests are actions sent to a Uniform Resource Locator (URL) with a method, optional headers, and an optional body. The app composes a final address from the base address and any enabled query key–value pairs, applies headers, and includes a body only for non‑GET and non‑HEAD methods.

Bodies that look like JSON are detected and pretty printed, and a Content‑Type header of application/json is added when none is set. Authentication can attach either a Basic header built from username and password or a Bearer token. A timeout can abort a request, and redirects can be followed, blocked with an error, or left manual.

Status, response type, size in bytes, and elapsed time in milliseconds are presented alongside the body. When the response type is HTML, a safe preview is shown in a frame. If the payload is binary or cannot be decoded as text, a short note with the byte count is shown instead of raw bytes.

Processing pipeline

Build the final address from base address and enabled query pairs.
Assemble headers from enabled rows and selected authentication.
Include the body only for methods other than GET or HEAD.
Issue the request directly from the browser; differing origins require the API to allow cross‑origin access.
Start a timer and send the request with the chosen redirect mode.
Abort on timeout using an internal cancel signal.
Record status, type, headers, size, and elapsed time.
Decode text using the response charset or UTF‑8 as a fallback.
Detect JSON for highlighting and pretty printing when applicable.
Show an HTML preview only for HTML responses.

Validation & bounds

Inputs and their validation rules
Field	Type	Min	Max	Step/Pattern	Error Text	Placeholder
Name	Text	—	—	—	—	Untitled request
Method	Select	—	—	GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS	—	—
URL	Text	—	—	Accepts full addresses; query pairs can auto‑populate	No URL provided.	https://api.example.com/users?limit=10
Timeout (ms)	Number	0	—	Step 100	Aborted on timeout	9000
Redirects	Select	—	—	follow, error, manual	—	—
Auth	Select	—	—	None, Basic, Bearer	—	—

I/O formats & encoding

Inputs and outputs handled by the app
Input	Accepted Families	Output	Encoding/Precision	Rounding
Address	Full address strings with optional query pairs	Echoed in request preview	As typed	None
Headers	Key–value text; default Accept: application/json	Table and CSV copy/download	UTF‑8 text	None
Body	Arbitrary text; JSON detected best‑effort	Raw, highlighted JSON, or binary note	Charset from response; fallback UTF‑8	None
Auth	Basic user:pass; Bearer token	Authorization header	Base64 for Basic credentials	Exact
Timing & size	—	Elapsed ms and byte count	Integer milliseconds; integer bytes	No rounding beyond integers

Networking & storage behavior

Requests are sent directly from the device to the target address; the API’s cross-origin policy is enforced by the browser.
When the API refuses cross-origin calls, the browser blocks the response and the tool reports a CORS failure.
Saved requests are stored in local storage and can be exported or imported as JSON.
No server‑side storage is used for saved data.

Performance & complexity

Work is linear in response size. Responses are buffered to measure bytes, then decoded for display. For non‑text types the decoder samples a small portion to decide whether text should be shown or replaced by a binary note.

Diagnostics & determinism

A raw request preview and a response meta block provide a reproducible trace. Identical inputs yield the same request structure, although network timing and upstream behavior can vary between runs.

Security considerations

Avoid saving secrets in local storage; clear sensitive entries after use.
Be cautious with tokens; anyone with device access can read saved items.
Cross‑origin protections are enforced by the target server; allow the appropriate origin on the API when browser calls are expected.
HTML previews render returned markup; do not assume it is safe to reuse elsewhere.

Worked example

Goal: Read a small list of users.

Method: GET.
Address: api.example.com/users with limit=3 as a query pair.
Headers: Accept = application/json.
Send and observe status 200, elapsed time, and a short array of user objects.

If the type is JSON it is highlighted and can be copied or downloaded.

Assumptions & limitations

Timing is client‑measured wall time, not server processing time.
Binary responses are not displayed; only a size note appears.
Manual redirect mode may not expose redirected content.
JSON detection is heuristic; malformed input shows as plain text.
Charset is read from the response when present; otherwise UTF‑8.
Saved requests persist on the device until deleted.
Heads‑up Cross‑origin rules may block direct requests.
Heads‑up Resolve CORS blocks by adding your origin to the API’s allowed list or working within an allowed environment.

Edge cases & error sources

Empty address field triggers a local error notice.
Timeout abort produces status zero with a timeout message.
Incorrect charset can garble text decoding.
Authentication headers missing or malformed lead to authorization failures.
Unsupported methods at the server can return method‑related errors.
Conflicting duplicate headers can produce unpredictable results upstream.
Large payloads increase memory use during buffering.
Manual redirect mode can hide final bodies by design.

Step‑by‑Step Guide:

Use web request testing to verify a service address and interpret its reply clearly.

Enter the address to contact.
Choose the method for the action.
Add query pairs and headers as needed.
Provide a body only when the action requires it.
Select Basic or Bearer authentication if the service needs credentials.
Set timeout and redirect handling.
If the response is blocked, check the API’s CORS settings before retrying.
Press Send or use Ctrl or Cmd + Enter.
Read status, type, size, time, and body in the results.

Example: Method GET, address with limit=3, header Accept: application/json.

You now have a concise view of what the service returned and how long it took.

Features:

Toggle query and header rows on or off without deleting them.
Auto‑parse a pasted command string to fill method, address, headers, body, and query pairs.
Copy ready‑to‑run previews as cURL, fetch code, or raw request text.
Highlight and pretty print structured replies with quick copy and download.
Save, load, delete, export, and import request sets locally.

FAQ:

Is my data stored?

Saved requests live in local storage on your device. Sending a request contacts the target service directly from your browser, so the API’s CORS policy determines whether it succeeds. No server‑side storage is used for saved items.

Clear saved entries if they contain secrets.

How accurate is timing?

Elapsed time is measured on the device from request start to response processing. It includes network transfer and decoding, so values vary by connection and payload size.

What units and formats are shown?

Time is shown in milliseconds and size in bytes. Text is decoded using the response charset when present, otherwise UTF‑8. Structured replies are detected best‑effort for highlighting.

Can I work offline?

You can edit and manage saved requests without a connection. Sending requests needs network access and will fail when offline or when a service blocks cross‑origin calls.

What does it cost?

No pricing or licensing terms are declared in the package. Use it as provided and review your organization’s policy before storing credentials locally.

How do I validate a CSR?

This utility sends web requests and inspects replies. It does not parse certificate requests. Use a certificate‑specific validator to check CSR structure and signatures.

Why is HTML preview blank?

Only responses labeled as HTML are rendered in the preview. Other types show text or a binary note. Switch to the Body tab to view raw content.

Troubleshooting:

No address entered → add a full address and try again.
Cross‑origin blocked → allow your origin in the API’s CORS settings or test from an approved environment.
Timeouts → increase the timeout or test a lighter endpoint.
Garbled text → set a correct Content‑Type with the right charset.
Auth failures → verify token or username and password.
Unexpected method behavior → confirm the target supports the chosen method.
Binary response shown as note → download the body to inspect locally.
CSV header copy missing a row → switch to the Headers tab and refresh.

Sending blocked by strict cross-origin rules. Update the API to allow your origin or run the tool from a host that the service trusts.

Advanced Tips:

Tip Toggle header rows instead of deleting to A/B test behavior quickly.
Tip Use manual redirects to inspect Location headers without following them.
Tip Pretty print the body before sending when composing structured content.
Tip Copy the raw request preview to share exact reproductions with teammates.
Tip Use Cmd or Ctrl plus Enter to send without leaving the keyboard.

Glossary:

HTTP: The protocol used to send and receive web requests and responses.
URL: A full address that identifies where a request is sent.
Query pair: A key and value appended to the address to refine results.
Header: A key–value field that carries extra request or response metadata.
Body: Optional content sent with methods that create or update data.
Content‑Type: A label that tells how to interpret the body bytes.
Timeout: A limit after which the request is cancelled if unfinished.
Redirect: A server instruction to fetch a different address instead.