Zero Snippet

HTTP request builder — test REST APIs with fetch, headers, and JSON bodies

Use this free online HTTP client to compose REST requests in the browser: pick GET, POST, PUT, PATCH, DELETE, HEAD, or OPTIONS, edit request headers, attach a JSON or form body, then send with the Fetch API and read status codes, timing, and response headers. Copy curl equivalents for CI and teammates. Pair it with our JSON formatter, HTTP status code reference, and MIME type lookup when you document APIs and troubleshoot integrations.

Request

Credentials
Headers

GET requests do not send a body in this tool. Switch to POST, PUT, PATCH, or DELETE to attach JSON, raw text, or form data.

cURL preview

curl -X GET \
  'https://httpbin.org/get' \
  -H 'Accept: application/json'
Send a request to see status, headers, and body here. Try the sample buttons if your network allows https://httpbin.org.

Why use a browser-based HTTP request builder?

Modern backends expose REST and HTTP APIs for mobile apps, SPAs, and partner integrations. Debugging those contracts means repeating the same authenticated requests with slightly different paths, query strings, or JSON payloads. A lightweight REST client in the tab reduces context switching: you stay next to documentation, tickets, and DevTools. Unlike server-side proxies, this tool sends traffic from your browser, so you see real CORS behavior—the same surface your frontend hits.

Product engineers use it to verify pagination, filtering, and error shapes. Platform teams pair it with JWT decoding when debugging bearer tokens, and with HTTP header inspection when validating caching and security headers on public URLs.

How to use this HTTP request builder (step by step)

  1. Enter a full https:// or http:// URL pointing at your API route or test echo service. Use Sample GET or Sample POST JSON to load a working example against httpbin.org when your network permits.
  2. Choose an HTTP method. Use GET for idempotent reads, POST for creates and non-idempotent actions, PUT or PATCH for updates, and DELETE for removals. HEAD returns headers only; OPTIONS is often used for CORS preflight discovery.
  3. Add or edit request headers: typical keys include Authorization, Accept, and Content-Type. Remove rows you do not need; the list may be empty if the endpoint requires no custom headers.
  4. For methods that accept an entity body, pick JSON (with automatic application/json when missing), raw text for XML or NDJSON, or form URL-encoded key/value pairs. Use Upload file to load a saved payload from disk.
  5. Toggle Include (cookies) only when you intentionally send cookies to the target origin and the API allows credentialed CORS. Otherwise leave credentials omitted.
  6. Click Send. Review HTTP status, elapsed milliseconds, and response headers. Copy the response body or headers, or copy the generated curl command for scripts and runbooks.

CORS, preflight, and when “Failed to fetch” appears

Browsers enforce the same-origin policy. Cross-origin calls succeed only if the server responds with appropriate Access-Control-* headers. Non-simple requests (for example JSON with custom headers) may trigger an OPTIONS preflight before your real method runs. If the API does not allow your origin, fetch fails with a network error even though the same URL works in curl. That is expected: use server-side calls, an API gateway, or a development proxy when you control the backend. Our redirect checker and response code checker help validate URLs and status codes from a server context when you need a second opinion.

Security and privacy notes

Requests are issued from your machine to the destination you specify. Do not paste production secrets into shared screen recordings. Prefer short-lived tokens, rotate keys if you suspect leakage, and redact Authorization headers before exporting curl snippets to tickets. For structured data hygiene after the call, run bodies through the JSON formatter or API response formatter when you publish examples.

Related API developer tools

Browse the full API developer toolbox on the home page for formatters, references, and calculators. Highlights:

  • API Response FormatterPaste any JSON or XML API response: pretty-print, validate, and explore a collapsible tree view.
  • OpenAPI / Swagger ViewerPaste OpenAPI in YAML or JSON and browse interactive docs—paths, schemas, and examples in one place.
  • Webhook Payload TesterPractice webhook debugging client-side: log sample POST bodies locally (e.g. localStorage) when a public capture URL is not available.
  • HTTP Status Code ReferenceSearch HTTP status codes with plain-English meanings, typical causes, and what to do next.
  • MIME Type LookupMap filenames or extensions to MIME types for Content-Type headers, uploads, and API contracts.
  • OAuth 2.0 Flow VisualizerWalk through the authorization code flow step by step with interactive fields and diagrams.
  • API Rate Limit CalculatorGiven X requests per minute and a daily budget of Y calls, see pacing and when you hit the wall.

Frequently asked questions

What is this HTTP request builder for?
It is a browser-based client to compose REST and HTTP calls: choose the method (GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS), add headers and a body, then send the request with the Fetch API and inspect status, timing, response headers, and body. Use it to debug APIs, reproduce support tickets, and document examples without installing Postman or curl.
Are my URLs, headers, and bodies sent to your servers?
No. Requests are initiated from your browser directly to the target URL you enter. This site does not proxy your traffic unless you use a separate backend or tunnel. Only you and the destination server participate in the HTTP exchange (subject to browser security rules such as CORS).
Why do I see a CORS or “Failed to fetch” error?
Browsers block cross-origin responses unless the API sends Access-Control-Allow-Origin (and related CORS headers) that permit your origin. Public APIs often enable CORS for browsers; private or legacy APIs may not. If fetch fails with a network error, test the same URL from a server-side client, curl, or your API gateway, or ask the API owner to whitelist your origin.
Does this replace Postman, Insomnia, or curl?
It complements them. This tool is ideal for quick checks, sharing repro steps with teammates, and staying inside one tab. Desktop clients offer collections, OAuth helpers, and environments; curl is best for scripts and CI. Copy the generated curl command from this page when you need a portable snippet.
How do I send JSON in the request body?
Choose JSON under Request body, paste a valid JSON object or array, and send. If you do not set Content-Type manually, the tool sets application/json automatically. Validate payloads first with our JSON formatter when you are unsure about commas or quotes.
What is the difference between raw body and JSON mode?
JSON mode expects a JSON document and sets Content-Type to application/json when missing. Raw mode sends the textarea exactly as typed—use it for plain text, XML, NDJSON, or custom formats—and you should set Content-Type yourself (for example application/xml or text/plain).
When should I enable “Include credentials”?
Turn it on when the target API relies on cookies (session auth) or HTTP authentication in the same site context and the server allows credentials in CORS (Access-Control-Allow-Credentials: true with a specific origin). For most third-party public APIs you keep credentials omitted to avoid accidental cookie leakage.
Which related tools on this site should I use next?
Pretty-print responses with the API response formatter, look up status meanings in the HTTP status code reference, generate Content-Type values with the MIME type lookup, format JSON with the JSON formatter, and explore OpenAPI specs with the OpenAPI viewer—all linked from the API developer toolbox section.