REST API Tester
Send HTTP requests and inspect responses directly from your browser. Build, test, and debug REST APIs without leaving the page.
Requests to APIs that do not return Access-Control-Allow-Origin headers will be blocked by CORS. To test such APIs, use a local proxy, a browser extension that disables CORS, or a server-side tool.
Understanding REST APIs
REST (Representational State Transfer) is an architectural style for building web services. REST APIs use standard HTTP methods to perform operations on resources identified by URLs.
HTTP Methods
GET
Retrieves a resource. GET requests should be safe and idempotent -- they don't modify data. Query parameters can be appended to the URL to filter or paginate results.
POST
Creates a new resource. The request body contains the data for the new resource. Successful creation typically returns 201 Created with the new resource in the response body.
{"name": "Alice", "email": "alice@example.com"}
PUT
Replaces an entire resource. PUT is idempotent -- sending the same request multiple times produces the same result. The request body should contain the complete updated resource.
{"name": "Alice", "email": "new@example.com"}
PATCH
Partially updates a resource. Unlike PUT, PATCH only requires the fields that are changing. This is useful for updating a single property without sending the entire resource.
{"email": "updated@example.com"}
DELETE
Removes a resource. Typically returns 204 No Content on success. DELETE is idempotent -- deleting the same resource twice should not cause an error (though the second call may return 404).
HEAD & OPTIONS
HEAD is identical to GET but returns only headers (no body). Useful for checking if a resource exists or reading metadata. OPTIONS describes the allowed methods for a resource and is used in CORS preflight requests.
OPTIONS /api/users
Common HTTP Status Codes
| Code | Meaning | Description |
|---|---|---|
| 200 | OK | Request succeeded. Response body contains the requested data. |
| 201 | Created | Resource created successfully. Typically returned after POST requests. |
| 204 | No Content | Request succeeded but no body is returned. Common for DELETE. |
| 301 | Moved Permanently | Resource has a new permanent URL. Clients should use the new URL. |
| 304 | Not Modified | Resource hasn't changed since last request. Use cached version. |
| 400 | Bad Request | Server cannot process the request due to invalid syntax or data. |
| 401 | Unauthorized | Authentication required. Include a valid token or credentials. |
| 403 | Forbidden | Server understood the request but refuses to authorize it. |
| 404 | Not Found | Requested resource does not exist at the given URL. |
| 422 | Unprocessable Entity | Request is well-formed but contains semantic errors (validation failure). |
| 429 | Too Many Requests | Rate limit exceeded. Check Retry-After header. |
| 500 | Internal Server Error | Generic server error. Something went wrong on the server side. |
| 502 | Bad Gateway | Server acting as gateway received an invalid response upstream. |
| 503 | Service Unavailable | Server temporarily unable to handle the request (overloaded or down). |
Understanding CORS
What is CORS?
Cross-Origin Resource Sharing (CORS) is a security mechanism built into browsers. It restricts web pages from making requests to a different origin (scheme, host, and port) than the one that served the page, unless the server explicitly allows it via response headers.
Preflight Requests
For non-simple requests (e.g., those with custom headers or methods like PUT/DELETE), the browser sends an OPTIONS request first to check if the server allows the actual request. This is called a preflight check.
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
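The preflight decision described above, sketched as an added example that is not code from this tool. It is a simplified model of the browser's rules for requests sent without credentials; the function names, the origin https://app.example and the sample response are assumptions constructed for illustration.

```javascript
// Added example: simplified model of the Fetch spec's CORS preflight rules
// for requests sent without credentials. Header value length limits are omitted.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// True when the browser sends an OPTIONS preflight before the real request.
function needsPreflight(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([name, value]) => {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true;
    if (n !== "content-type") return false;
    return !SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
  });
}

// Splits a comma-separated header value into trimmed tokens.
const list = (value) => (value || "").split(",").map((t) => t.trim()).filter(Boolean);

// Returns the reasons a browser would reject the preflight response (empty array = allowed).
function checkPreflight(origin, method, headers, responseHeaders) {
  const res = Object.fromEntries(Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const problems = [];
  const allowOrigin = res["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== origin) problems.push("origin not allowed");
  const methods = new Set(list(res["access-control-allow-methods"]));
  const m = method.toUpperCase();
  if (!SIMPLE_METHODS.has(m) && !methods.has(m) && !methods.has("*")) problems.push(`method ${m} not allowed`);
  const allowed = new Set(list(res["access-control-allow-headers"]).map((h) => h.toLowerCase()));
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!needsPreflight("GET", { [name]: value })) continue; // safelisted header, no permission needed
    // "*" never covers Authorization; it must be listed by name.
    if (!allowed.has(n) && !(allowed.has("*") && n !== "authorization")) problems.push(`header ${n} not allowed`);
  }
  return problems;
}

// Constructed sample: the page's two preflight headers plus a made-up allowed origin.
const SAMPLE_RESPONSE = {
  "Access-Control-Allow-Origin": "https://app.example",
  "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
  "Access-Control-Allow-Headers": "Content-Type, Authorization",
};
const JSON_AUTH = { "Content-Type": "application/json", Authorization: "Bearer <token>" };
console.log(checkPreflight("https://app.example", "PUT", JSON_AUTH, SAMPLE_RESPONSE));   // []
console.log(checkPreflight("https://app.example", "PATCH", JSON_AUTH, SAMPLE_RESPONSE)); // ["method PATCH not allowed"]
```

With the sample headers shown above, a PATCH request fails the preflight because PATCH is missing from Access-Control-Allow-Methods, a common cause of "works in cURL, blocked in the browser" reports.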
Working Around CORS
If an API doesn't support CORS, you have several options: use a CORS proxy, configure a server-side proxy, use a browser extension for development, or test using tools like cURL or Postman that aren't subject to CORS restrictions.
Common Headers
Key request headers include Authorization (Bearer tokens, API keys), Content-Type (usually application/json), and Accept (tells the server what format you expect). Custom headers are often prefixed with X-.