API Request Builder
Build and fire HTTP requests directly from your browser. Inspect response headers, body, and status โ no install needed.
Full URL
This may be a CORS restriction. The target server must allow browser requests.
Requests are fired directly from your browser. If the target API does not include CORS headers, the request will be blocked by your browser. Use this tool for public APIs or APIs you control. No data is proxied through any server.
About this tool
Build and send HTTP API requests directly from your browser. Supports GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS. Add query params, custom headers, Bearer/Basic/API key auth, JSON or form body. Inspect response status, headers, and body. Generates code snippets for fetch, axios, cURL, PHP, and Python.
Frequently asked questions
What HTTP methods are supported?
GET, POST, PUT, PATCH, DELETE, HEAD, and OPTIONS. Each method is colour-coded for quick identification.
What authentication types are supported?
Bearer token (adds Authorization: Bearer header automatically), HTTP Basic auth (base64-encodes username and password), and custom API key header (any header name and value).
Why does my request get blocked?
Browsers enforce CORS (Cross-Origin Resource Sharing). If the API server does not return the appropriate Access-Control-Allow-Origin header, the browser blocks the response. This is a browser security restriction, not a bug in the tool. Use it with public APIs or APIs you control.
What body formats are supported?
JSON (with a Format JSON button and validation), URL-encoded form data (key-value pairs), plain text, and XML. The correct Content-Type header is set automatically based on the selected format.
Can I generate code snippets from my request?
Yes. Switch to the Code tab to see a ready-to-paste snippet in fetch (JavaScript), axios, cURL, PHP (curl_init), or Python (requests). The snippet includes your current URL, method, headers, auth, and body.
Is my request data sent through any server?
No. Requests are fired directly from your browser to the target API. Nothing passes through DevToolbox servers. No credentials or request data are stored or logged.