Toolkit

API Tester Guide

Send HTTP requests (GET, POST, PUT, PATCH, DELETE) to any URL. Add headers and a request body. All requests run in your browser — no server proxy.

Back to API Tester

What does this tool do

The API Tester sends HTTP requests (GET, POST, PUT, PATCH, DELETE) to any URL from your browser. Add custom headers and a request body. View status, response headers, and body. Requests use fetch()—no server-side proxy. Useful for testing REST APIs, debugging endpoints, and checking CORS. Only http and https URLs are allowed.

How to use it

  1. Enter URL — Type the full URL (e.g. https://api.example.com/users).
  2. Select method — GET, POST, PUT, PATCH, or DELETE.
  3. Add headers — Optional: Content-Type, Authorization, etc.
  4. Add body — For POST/PUT/PATCH: raw JSON or text body.
  5. Send — Click to send the request.
  6. View response — Status, headers, and body. Large bodies are truncated.

How it works

URLs are validated: only http and https schemes are allowed. The request is sent via browser fetch() with the specified method, headers, and body. A 30-second timeout applies. Response status, headers, and body are displayed. The body is truncated at ~100KB to avoid UI freeze. CORS applies: the API must allow the origin, or the request will fail. No server-side proxy is used—requests originate from the user's browser.

All computation runs entirely in your browser. No data is sent to any server (except to the target API).

Use cases & examples

  • API development — Test endpoints during development.
  • Debugging — Inspect request/response for integration issues.
  • CORS check — Verify APIs allow your origin.
  • Documentation — Try example requests from API docs.
  • Quick checks — Ping health endpoints or check status.

Example

Limitations & known constraints

  • CORS — Only same-origin or CORS-enabled APIs work; blocked requests show a fetch error.
  • No proxy — No server proxy; cannot bypass CORS or reach non-public APIs.
  • http/https only — file:, javascript:, data: URLs are rejected.
  • Timeout — 30-second limit; long-running requests may fail.
  • Body truncation — Response body truncated at ~100KB for display.
  • Credentials — Sensitive data in headers/body is visible; use with caution.

All calculations and conversions run entirely in your browser. No data is sent to any server, so your input never leaves your device.