How to use HTTP Client

Pick a method and paste the URL, or click a preset like GitHub API to prefill a working request.

Add headers with the Add header button. Values in auth-style keys are masked by default.

For POST/PUT/PATCH/DELETE, fill in the body — JSON, form-urlencoded, or raw bytes.

Hit Send (or press Enter in the URL field). The request goes directly to the target server.

Browse the response — body with auto-JSON-pretty-printing, headers as a searchable table, or the raw HTTP response text.

Use Copy as curl or Copy as fetch to export the current request for your terminal or a code snippet.

HTTP Client

A browser-native REST client for quickly testing API endpoints — GitHub, Stripe, Anthropic, OpenAI, an internal staging service, whatever. The request is sent directly from your browser to the target server using the same fetch() API your app uses in production. No proxy, no relay, no logging. If it works here it will work in your code; if it fails here with a CORS error, the Copy as curl button gives you a terminal-equivalent in one click.

Why yet another HTTP client?

Because the existing options are heavier than they need to be. Postman ships a desktop app, requires sign-in, and syncs your request history to their servers by default. Insomnia is similar. Bruno is lighter but still an install. Hoppscotch is browser-based but cloud-sync by default. For the 90% case of "let me poke this one endpoint for a minute" what you actually want is a fetch wrapper with a nice form on top. That's this tool.

It's intentionally scoped small:

One request at a time — no collections, no environments, no variable substitution.
One-click curl import/export — pastes from Chrome/Firefox devtools work unchanged.
Response rendered three ways — pretty body, header table, raw HTTP text.
API keys never written to storage — reload the tab and they're gone.

If you need environments and saved history, Postman is a better fit. For the quick poke, this is faster.

How the request actually flies

The browser's native fetch() is the only network layer. When you click Send:

We validate the URL (must parse, must be http: or https:).
We build a RequestInit with your method, headers, and body.
We call fetch(url, init) exactly once and time it with performance.now().
We stream the response, read it as text, then opportunistically parse as JSON for pretty-printing.

Nothing unusual. The same browser network stack your app uses. Which is the whole point — if the request works from this tool, you've proven the server accepts browser origins, the CORS headers are right, and the body shape is valid. Copy as fetch, paste into your app, done.

CORS — the honest disclaimer

Browsers restrict cross-origin requests by default. The target server has to send an Access-Control-Allow-Origin header for the request to succeed. Most modern APIs do this correctly; many legacy APIs and most internal services do not. When you hit a CORS wall, the fetch call throws a TypeError with a message like "Failed to fetch" — we surface that verbatim and point you at the Copy as curl button. Your terminal doesn't enforce CORS, so the same request works there.

This isn't a bug in the tool and there's no way around it that isn't building a server-side proxy — which would defeat the entire privacy story (your tokens would pass through our server). The explicit trade-off is: we do nothing with your data, in exchange you sometimes have to go to the terminal.

Curl round-trip

The curl import/export is bidirectional and stable: pasting a command, importing it, and re-exporting produces the same command (modulo flag ordering and single-vs-double quoting). Handled flags: -X, -H, -d, --data-raw, --data-binary, -u (→ Authorization: Basic), -A (→ User-Agent), -e (→ Referer). Flags that are browser-irrelevant (--compressed, -k, -s, -L, -v) are parsed-and-ignored so you can paste unfiltered devtools output.

If you want a fetch snippet instead of curl, the Copy as fetch button emits a await fetch(url, { method, headers, body }) line that pastes cleanly into any async context.

Related tools

Anthropic Messages API — purpose-built playground for Claude with model picker, system prompt, and streaming.
OpenAI Responses API — playground for OpenAI's Responses API with conversation state.
JWT Decoder — inspect the Authorization: Bearer … token your API is returning.

Frequently asked questions

Is my request actually sent from my browser, or proxied through your server?

The request is sent directly from your browser to the target server using the native `fetch()` API. Nothing is proxied, logged, or intercepted. You can verify this in your browser's devtools Network tab — the only outbound request you'll see is the one you sent. This means API keys, tokens, and bodies stay local; but it also means CORS applies, so some APIs will block browser-origin calls. For those, use the "Copy as curl" button and run the command from your terminal.

Why does my request fail with a CORS error when curl from my terminal works fine?

CORS (Cross-Origin Resource Sharing) is a browser-only restriction. Your terminal doesn't enforce it — it just sends the request. A browser will only make cross-origin requests to servers that opt in by returning an `Access-Control-Allow-Origin` header. Most modern APIs (GitHub, Stripe, Anthropic, OpenAI's newer endpoints) allow browser calls; many legacy APIs and internal services do not. When the request fails, click "Copy as curl" and run it in your terminal — same request, no CORS check.

Are my API keys stored anywhere?

No. Keys live only in the React state of the page, which means they vanish the moment you reload or close the tab. They are never written to localStorage, never sent to a server other than the one you're targeting, and never logged. Header fields with names like `Authorization`, `X-API-Key`, or `Api-Key` render with a `type="password"` input so screen-shares and shoulder-surfers don't accidentally capture the token.

Can I import a curl command I copied from browser devtools?

Yes. Open the "Paste a curl command" section, drop in the full command, and click "Import curl → request". The parser handles `-X`, `-H`, `-d`, `--data-raw`, `-u`, `-A`, and most of the one-letter aliases you see in real-world pastes. Multi-line commands with trailing `\` also work. Flags that don't map to browser fetch — `--compressed`, `-k`, `-s`, `-L`, `-v` — are silently ignored since the browser handles those concerns automatically.

What methods does it support?

GET, POST, PUT, PATCH, DELETE, HEAD, and OPTIONS. GET and HEAD cannot carry request bodies (that's a fetch spec restriction, not ours), so the body input hides when those methods are selected. The full request, regardless of method, can be exported as curl or as a browser `fetch(...)` snippet with a single click.