About this tool
What Is API Testing?
API testing is the process of sending HTTP requests to an API endpoint and examining the response to verify that it behaves correctly. Developers test APIs to confirm that endpoints return the expected data, handle errors properly, authenticate users correctly, and respond within acceptable time limits.
API testing is a fundamental step in software development. Before integrating a third-party API (Stripe, Twilio, OpenAI) into your application, you need to verify that it accepts your requests and returns the expected data structure. This tool lets you do that directly from your browser.
Understanding HTTP Status Codes
The HTTP status code is the most important piece of information in any API response:
2xx Success codes: 200 OK (request succeeded), 201 Created (new resource created), 204 No Content (success with no response body).
3xx Redirection codes: 301 Moved Permanently (URL has changed), 304 Not Modified (cached version is still valid).
4xx Client error codes: 400 Bad Request (invalid parameters or JSON syntax), 401 Unauthorized (missing or invalid authentication), 403 Forbidden (valid auth but insufficient permissions), 404 Not Found (endpoint does not exist), 429 Too Many Requests (rate limit exceeded).
5xx Server error codes: 500 Internal Server Error (bug in the API), 502 Bad Gateway (proxy/load balancer issue), 503 Service Unavailable (server is overloaded or down).
Understanding CORS Restrictions
Because this tool runs in your browser, it is subject to CORS (Cross-Origin Resource Sharing) security policies. If the API server does not include the Access-Control-Allow-Origin header allowing requests from external origins, your browser will block the response.
This is a browser security feature, not a limitation of this tool. It prevents malicious websites from making unauthorized API calls using your cookies and credentials.
APIs that support CORS include most public APIs (JSONPlaceholder, OpenWeatherMap, GitHub public endpoints). Internal company APIs, banking APIs, and many authenticated services typically do not allow cross-origin requests from browsers.
To test CORS-restricted APIs, use a server-side tool like cURL, or the API provider's own testing interface.
Authentication Methods
Most production APIs require authentication. The three most common methods:
Bearer Token (JWT): Add the header {"Authorization": "Bearer eyJhbG..."}. The token is a JSON Web Token issued after login. Most modern APIs use this method.
API Key: Add the header {"X-API-Key": "your-key-here"} or include it as a query parameter ?api_key=your-key. Common in services like Google Maps, OpenWeatherMap, and SendGrid.
Basic Auth: Add the header {"Authorization": "Basic base64(username:password)"}. This method sends credentials in every request and is considered less secure than token-based auth.
When to Use This Tool vs. Postman
Use this online tester when you need to quickly verify an endpoint, test a one-off API call, or work on a machine where you cannot install software (corporate laptops, shared workstations, Chromebooks).
Use Postman when you need to save collections of requests, create automated test suites, share API documentation with your team, or manage environment variables across development/staging/production configurations.
Both tools send identical HTTP requests — the difference is in workflow features, not the requests themselves.
Practical Usage Examples
Testing a Public API
GET https://jsonplaceholder.typicode.com/users/1
Returns user object with id, name, email, address, and phone. Status: 200 OK.POST with Authentication
POST to your API with Bearer token and JSON body.
Headers: {"Authorization": "Bearer token123"}. Body: {"name": "New User"}. Status: 201 Created.Step-by-Step Instructions
Step 1: Enter the API URL. Paste the full endpoint URL including the protocol (https://). Include query parameters if needed: https://api.example.com/users?page=1.
Step 2: Select the HTTP Method. Choose GET to retrieve data, POST to create resources, PUT/PATCH to update, or DELETE to remove. The method determines how the server processes your request.
Step 3: Add Headers (Optional). For authenticated APIs, add headers in valid JSON format. Common headers: {"Authorization": "Bearer your_token"} for JWT auth, {"X-API-Key": "your_key"} for API key auth.
Step 4: Add a Request Body (Optional). For POST, PUT, and PATCH requests, enter the JSON payload. The tool automatically sets Content-Type to application/json if not specified.
Step 5: Send and Inspect. Click send to execute the request. Review the HTTP status code, response time, response body, and response headers. JSON responses are automatically formatted for readability.
Core Benefits
No Installation Required: Unlike Postman or Insomnia, this tool runs entirely in your browser tab. No downloads, no updates, no Electron app consuming system resources.
No Account or Login: Test APIs immediately without creating an account, verifying an email, or joining a workspace. Open the page and start testing.
Privacy-First : Your API endpoints, request bodies, authentication tokens, and response data are processed entirely by your browser using the native Fetch API. Nothing is sent to our servers.
Automatic JSON Formatting: JSON responses are automatically parsed and displayed with 2-space indentation, making nested data structures easy to read and debug.
Full HTTP Method Support: Send GET, POST, PUT, PATCH, and DELETE requests with custom headers and JSON request bodies — covering all standard REST API operations.
Frequently Asked Questions
CORS errors occur when the API server does not include Access-Control-Allow-Origin headers allowing browser-based requests from external domains. This is a browser security policy, not a limitation of this tool. To test CORS-restricted APIs, use cURL from a terminal or the API provider's own testing console.
Yes. This tool uses your browser's native Fetch API to send requests directly from your device. Your API keys, tokens, request bodies, and response data are never sent to our servers, stored in any database, or logged anywhere. All processing happens locally in your browser.
Enter headers in valid JSON format. For Bearer tokens: {"Authorization": "Bearer yourtokenhere"}. For API keys: {"X-API-Key": "yourkeyhere"}. For Basic auth: {"Authorization": "Basic base64encodedcredentials"}. All key-value pairs must use double quotes.
PUT replaces the entire resource with the data you send — any fields you omit are deleted or reset to defaults. PATCH applies a partial update, modifying only the fields you include in the request body. Use PATCH when you want to update a single field without affecting others.
Yes. GraphQL uses standard HTTP POST requests. Set the method to POST, enter the GraphQL endpoint URL, set the header {"Content-Type": "application/json"}, and put your query in the body: {"query": "{ user(id: 1) { name email } }"}.
This error typically indicates one of three issues: (1) The URL is incorrect or the server is down, (2) The server blocks cross-origin requests (CORS), or (3) The URL uses HTTP instead of HTTPS and your browser blocks mixed content. Check the URL spelling, ensure the server is running, and try using HTTPS.
Some API responses intentionally return no body, indicated by a 204 No Content status code. This is common for DELETE requests and some PUT/PATCH updates. If you expected data but got an empty response with a 200 status, the server may be returning data in a different format or endpoint.
Select POST as the method, enter the API URL, add {"Content-Type": "application/json"} to the headers (or leave it blank — the tool adds it automatically for POST requests), and enter your JSON payload in the body field. Ensure the body is valid JSON with double-quoted keys and values.
The latency is the round-trip time in milliseconds from when your browser sent the request to when it received the complete response. It includes DNS lookup, TCP connection, TLS handshake, server processing, and data transfer time. Normal API latency ranges from 50-500ms depending on server location and response size.
For quick, one-off API testing — yes. For advanced workflows like saving request collections, running automated test suites, managing environment variables, or team collaboration — Postman provides features this tool does not. Both send identical HTTP requests; the difference is in project management features.