DevToolKit

API Tester

Test REST APIs directly from your browser. Send GET, POST, PUT, DELETE requests with custom headers and body. View response status, headers, timing, and formatted body.

CORS Proxy enabled— Routes through Cloudflare Worker to bypass CORS

Enter a URL and click Send to test an API endpoint

Press Ctrl+Enter to send quickly
Was this tool helpful?

How to Use

Test any REST API endpoint directly from your browser:

  1. Set the method and URL — Select the HTTP method (GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS) from the dropdown and enter the full URL including https://. The CORS proxy is enabled by default to route requests through a Cloudflare Worker, bypassing browser cross-origin restrictions.
  2. Configure headers and body — Add custom request headers as key-value pairs. For POST/PUT/PATCH requests, switch to the Body tab to add a JSON payload or raw text. A default Content-Type: application/json header is pre-filled.
  3. Send and inspect the response — Click Send (or press Ctrl+Enter) to execute the request. The response panel shows the status code, response time, body size, response body (auto-formatted for JSON), and all response headers. Copy any value with the clipboard button.

About This Tool

Browser-Based API Testing

Traditional API testing tools like Postman and Insomnia require desktop installation. This tool runs entirely in your browser — no downloads, no accounts, no syncing. It's designed for quick one-off API checks: verifying an endpoint works, inspecting response headers, or debugging a webhook payload.

The CORS proxy is the key feature that makes browser-based API testing practical. Without it, browsers block requests to most APIs due to the Same-Origin Policy. The proxy routes your request through a Cloudflare Worker at the edge, which forwards it to the target server and returns the response with permissive CORS headers. You can disable the proxy for APIs that already support CORS (like public APIs designed for browser consumption).

HTTP Methods Explained

REST APIs use HTTP methods to indicate the desired action: GET retrieves data without side effects (safe, idempotent). POST creates a new resource. PUT replaces an entire resource (idempotent). PATCH partially updates a resource. DELETE removes a resource (idempotent). HEAD is identical to GET but returns only headers (useful for checking if a resource exists). OPTIONS returns the allowed methods for a URL (used in CORS preflight checks).

Response Status Codes

Status codes are grouped by class: 2xx (green) indicates success — 200 OK, 201 Created, 204 No Content. 3xx (blue) indicates redirection — the proxy follows redirects automatically and shows the final URL. 4xx (amber) indicates client errors — 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests. 5xx (red) indicates server errors — 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable.

Security and Limits

The proxy blocks requests to private IP ranges (localhost, 10.x, 172.16.x, 192.168.x) to prevent Server-Side Request Forgery (SSRF) attacks. Request bodies are limited to 1MB and responses to 2MB. Requests time out after 15 seconds. Sensitive headers like Cookie and X-Forwarded-For are stripped by the proxy. For security analysis of response headers, see HTTP Headers Analyzer.

Why Use This Tool

Quick API Debugging

When you need to quickly verify an API endpoint — check if it returns the right status code, inspect the response format, or test a webhook URL — launching a full desktop client is unnecessary overhead. This tool loads instantly in any browser tab and keeps a history of recent requests in localStorage.

Common Use Cases

  • API development: Test endpoints as you build them. Send POST requests with JSON payloads and verify the response structure before writing frontend code.
  • Webhook debugging: Send test payloads to webhook URLs to verify they're receiving and processing data correctly.
  • Third-party API exploration: Explore unfamiliar APIs by sending GET requests and examining the response format, headers, and error messages.
  • Status monitoring: Quick health checks on API endpoints — send a GET and verify you get a 200 response within acceptable latency.
  • Header inspection: Check what headers an API returns, including caching directives, rate limit headers, and authentication requirements.

Privacy

The proxy does not log request URLs, headers, bodies, or responses. All data passes through Cloudflare's edge network and is discarded after the response is returned. Request history is stored only in your browser's localStorage — clear it anytime from the history panel. For related developer tools, see JSON Formatter, cURL to Code, HTTP Headers Analyzer, and WebSocket Tester.

FAQ

How does the CORS proxy work?
Browser security blocks cross-origin requests to most APIs. The proxy routes your request through a Cloudflare Worker that forwards it to the target URL and returns the response. This bypasses CORS restrictions without installing browser extensions.
What HTTP methods are supported?
GET, POST, PUT, DELETE, PATCH, HEAD, and OPTIONS. Select the method from the dropdown before sending your request.
Is there a request size limit?
Request bodies are limited to 1MB through the proxy. Responses are capped at 2MB for display. These limits ensure fast processing at the Cloudflare edge.
Are my requests logged?
No. The proxy does not log request URLs, headers, bodies, or responses. Requests pass through Cloudflare's edge network and are discarded after the response is returned. Request history is stored only in your browser's localStorage.
NavigateOpenEscClose