REST API Checker

Test any REST API endpoint directly from your browser. Send GET, POST, PUT, DELETE, PATCH, HEAD or OPTIONS requests with custom headers and JSON, raw or multipart body — including file uploads. View the response status, headers, timing and formatted body in one screen.

Method: GET

Request Headers

About the REST API Checker

REST APIs are the backbone of modern web and mobile applications — they expose data and operations over HTTP so different systems can talk to each other. Whether you are integrating a payment processor, consuming a public weather API, building a mobile backend, or debugging a third-party webhook, you need a fast way to send requests and inspect the response without writing any code.

This online REST API Checker is a free browser-based alternative to desktop clients like Postman, Insomnia, or command-line tools like cURL. It supports every standard HTTP method (GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS), arbitrary request headers, and three common body formats: JSON (for typical REST and GraphQL APIs), raw (for XML, plain text, or any custom content type), and multipart form-data (for file uploads or traditional form posts).

Requests are made server-side, which means you are not blocked by browser CORS policies — you can test any public HTTPS API regardless of its CORS configuration. The response is returned with the full status line, headers, body, timing, and size so you can quickly verify behaviour, debug failing integrations, test authentication tokens, or learn how an unfamiliar API works. Private and loopback IP ranges are blocked for security.

Frequently Asked Questions

REST (Representational State Transfer) is an architectural style for APIs that uses standard HTTP methods (GET, POST, PUT, DELETE, PATCH) to operate on resources identified by URLs. Most modern web APIs follow REST principles, returning JSON over HTTPS. REST is stateless — each request must carry all the context the server needs to process it.

GET fetches a resource (idempotent, no body). POST creates a new resource. PUT replaces a resource entirely. PATCH updates part of a resource. DELETE removes it. Idempotent methods (GET, PUT, DELETE, HEAD, OPTIONS) can be safely retried; POST and PATCH typically cannot because retrying may create duplicates.

Browsers enforce CORS (Cross-Origin Resource Sharing), which blocks JavaScript from calling APIs on different domains unless the server explicitly allows your origin via Access-Control-Allow-Origin. This tool makes the request from our server, which is not subject to CORS — so you can test any public API regardless of its CORS configuration.

2xx = success (200 OK, 201 Created, 204 No Content). 3xx = redirect (301 Moved, 302 Found, 304 Not Modified). 4xx = client error (400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests). 5xx = server error (500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable, 504 Gateway Timeout).

Add a header named Authorization with the value Bearer YOUR_TOKEN (for OAuth/JWT), Basic base64(user:pass) (for HTTP Basic), or your API's custom scheme like ApiKey abc123. Some APIs use a different header name like X-API-Key or X-Auth-Token — always check the API docs for the exact name and prefix.

Use JSON for almost every modern REST API and GraphQL endpoint — it's the de-facto standard. Use raw when sending XML (SOAP, RSS), plain text, or a custom format — set the Content-Type accordingly. Use multipart form-data when uploading files, sending binary data, or posting classic HTML form data with file fields.

The API received your request but rejected your credentials. The token may be missing, expired, malformed, or the account doesn't have permission for that endpoint. Check that the Authorization header is exactly what the API expects — correct prefix (Bearer vs Basic), no extra spaces, and not URL-encoded. 401 means "who are you?", whereas 403 means "I know who you are, but you can't do this".

The server understood the request but rejected the body. Common causes: invalid JSON syntax (missing comma, unquoted key), wrong Content-Type, missing required fields, or values outside the expected types. Try copying the exact example from the API docs first to confirm the endpoint works, then modify one field at a time.

Requests are made from our server, but we do not store request bodies, headers or responses. Still, for production secrets, prefer scoped test keys or short-lived tokens. For high-sensitivity production credentials, use a desktop client like Postman or Insomnia that runs entirely on your machine.

If your frontend JavaScript calls an API directly, the API's server must include Access-Control-Allow-Origin matching your origin. If it doesn't, you need to either ask the API provider to allow your domain, or proxy the call through your own backend (which is what this tool does internally for testing). Server-to-server calls never trigger CORS — it's a browser-only restriction.

About This REST API Checker

This server-side REST API checker sends HTTP requests (GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS) from our server to any URL, returning the status code, response headers, response body, and latency. Because the request is proxied server-side, CORS restrictions do not apply.

Unlike browser-based request tools, server-side proxying lets you test APIs that block cross-origin requests, reach internal staging endpoints, and inspect raw response headers exactly as the server sends them — without installing any software.

When to use this tool

Testing API endpoints without setting up a local HTTP client
Debugging CORS or authentication header issues
Inspecting redirect chains and raw response headers
Verifying webhook endpoints and health-check URLs

Standards & References

RFC 9110 — HTTP Semantics

How it works

Three steps happen every time you click Send:

Build your request

Enter a URL, pick a method, add headers (e.g. Authorization: Bearer …), and choose a body format — JSON, raw text, or multipart with file upload.

Server proxies the call

Your browser sends the request specification to our server, which makes the actual HTTP call using cURL with TLS verification enabled — bypassing CORS restrictions.

Inspect the response

See the status code, response time, body size, all response headers and the response body — automatically pretty-printed if the body is valid JSON.

Common Use Cases

API integration testing

Verify a third-party API works as documented before writing integration code. Catch undocumented quirks (extra fields, unexpected status codes) early.

Debug failing webhooks

Replay a webhook payload to reproduce a 4xx/5xx error and inspect exactly what the receiver sees, including response headers.

Test authentication

Verify API keys, OAuth bearer tokens, Basic auth or signed requests against a protected endpoint before wiring them into production code.

Learn an unfamiliar API

Explore endpoints, response shapes and error formats interactively before reading the full documentation. Faster than writing code first.

Compare endpoints

Quickly switch between staging and production URLs to compare response payloads side by side and catch environment drift.

Upload file via multipart

Test file-upload endpoints by attaching a file in the multipart body and observing the response — useful for image uploads, document import APIs, etc.

Related Developer Tools

REST API Checker

About the REST API Checker

Frequently Asked Questions

What is a REST API?

What's the difference between GET, POST, PUT, PATCH and DELETE?

Why does my browser block API requests but this tool works?

What does each HTTP status code mean?

How do I send an Authorization header?

When should I use JSON, raw or multipart body?

What does "401 Unauthorized" actually mean?

Why is my POST request returning 400 Bad Request?

Is it safe to put my API key in this tool?

Why am I getting a CORS error in my own app but not here?