JSON Validator
Regex Tester
Password Generator
JWT Debugger
Base64 Tool
Color Palette
Text Diff
CRON Builder
UUID Generator
SQL Formatter
Mermaid Editor
Markdown Exporter
HTTP Composer
Browser Inspector
HTTP Request Composer
Test REST APIs and compose HTTP requests directly in your browser
Privacy & Browser Compatibility
This tool runs directly in your browser for maximum privacy. Most APIs work perfectly, but some may have browser restrictions for security reasons.
Why might some APIs not work?
Browsers have built-in security that prevents websites from accessing certain APIs without explicit permission. This is called CORS (Cross-Origin Resource Sharing) and it protects you while browsing.
How to make it work:
- Check the API documentation - Many public APIs are designed to work directly in browsers
- For development/testing - Try a browser extension like "CORS Unblock" or "Allow CORS"
- For your own APIs - Configure your server to allow browser requests (add CORS headers)
- Alternative option - Use a CORS proxy service for testing (search for "cors proxy")
Your privacy is protected:
Everything you enter stays in your browser. We don't store or send your API keys or request data to our servers.
No authentication required for this request.
Collections
Examples
History
Frequently Asked Questions
Are my API keys or credentials stored when using the HTTP Composer?
No. The HTTP Request Composer makes requests directly from your browser. Authentication headers, API keys, and request bodies are never stored on our servers or logged anywhere — they exist only within your current browser session.
Can I set custom headers and authentication methods?
Yes. You can add unlimited custom headers including Authorization (Bearer tokens, Basic Auth), Content-Type, Accept, and any other HTTP header. The tool also provides preset patterns for common authentication workflows.
Does this tool support all HTTP methods?
Yes. The HTTP Request Composer supports GET, POST, PUT, PATCH, DELETE, HEAD, and OPTIONS. You can set a request body (JSON, form data, or raw text) and inspect the full response including status code, headers, and body.
How Requests Are Sent
Requests are sent using the browser's native fetch() API. All requests originate from your browser — the target server sees your real IP address. CORS restrictions apply; APIs must send Access-Control-Allow-Origin headers to allow browser-based requests.
HTTP Methods
GET: Retrieve data. POST: Create a resource (body required). PUT: Replace an existing resource entirely. PATCH: Partially update a resource. DELETE: Remove a resource. HEAD: Returns only headers — useful for checking if a resource exists without downloading the body.
Common Headers
Content-Type: application/json tells the server the body is JSON. Authorization: Bearer <token> passes JWT tokens. Accept: application/json indicates the client prefers JSON responses. X-API-Key is a common API key authentication pattern.
Response Status Codes
2xx: Success (200 OK, 201 Created, 204 No Content). 3xx: Redirects (301 Permanent, 302 Temporary). 4xx: Client errors (400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Rate Limited). 5xx: Server errors (500 Internal Server Error, 503 Service Unavailable).
CORS Limitations
Many APIs block browser-based requests due to CORS policy. If you get a CORS error, the API requires requests from a server, not directly from the browser. This tool is best suited for APIs that explicitly support browser access (i.e., have Access-Control-Allow-Origin: * or your origin).