Home · Tools · API Request Builder

API Request Builder

A lightweight, browser-based HTTP client for testing REST APIs. Headers, JSON body, response viewer.

Headers

Response —

No request sent yet. Press Send to make a request.

A lightweight Postman alternative that runs in your browser

This API request builder is a focused HTTP client for quickly hitting an endpoint, inspecting the response, and saving the request for later. No accounts, no Electron app, no telemetry — open the page, paste a URL, hit Send. It supports GET, POST, PUT, PATCH, DELETE, HEAD, custom headers, JSON bodies, and persistent saved requests via localStorage.

What you can do

Send any HTTP method to any URL.
Add and remove arbitrary request headers.
Send a raw JSON request body (Content-Type is auto-set if you don't override it).
Inspect the full response: status code, headers, body (auto-pretty-printed if JSON), latency, and size.
Save requests with a name and reload them later — all kept in your browser, never synced anywhere.

Important: CORS is real

This is a browser-based client, so it follows the same security rules every web app does: the target server must send the right Access-Control-Allow-Origin header, otherwise the browser will block the response and you'll see a generic "Request failed" error. This is not a bug in the tool — it's the browser protecting users. It is not possible to bypass CORS from a static page. If you're hitting an internal API that doesn't allow your origin, you have three options:

Configure the API to allow your origin (best, when you control it).
Run a temporary CORS-disabling browser flag for testing (Chrome --disable-web-security with a separate profile).
Use a desktop client (curl, HTTPie, Insomnia) when CORS isn't allowed.

When to reach for this vs Postman / Insomnia

This tool is great for: quick prototyping, testing public APIs that already support CORS (Stripe, GitHub, OpenAI, etc.), debugging a webhook payload format, sharing a one-line curl-equivalent with a teammate. It's deliberately not great for: workspace-style team collaboration, GraphQL introspection, mock servers, or environment variable management — that's what the heavyweight clients exist for.

Where saved requests live

Saved requests are stored in your browser's localStorage under the key dth-api-saved. They never leave your machine, never sync to another device, and disappear if you clear site data. This is intentional: zero account, zero server, zero risk of leaking a saved bearer token.

Headers cheat sheet

Authorization: Bearer <token> — most OAuth APIs.
Content-Type: application/json — auto-set when you have a body. Override for form data.
Accept: application/json — pre-filled by default; tells the server what response shape you want.
X-Api-Key: ... — common pattern for server-to-server APIs.

Privacy

The page itself does not phone home. It only makes the requests you explicitly send to the URLs you type. There is no analytics and no third-party scripts loaded.

Related tools

FAQ

Why does my request fail with 'Failed to fetch'?

Almost always a CORS problem: the target API isn't sending Access-Control-Allow-Origin for your browser origin. Browsers enforce this — it can't be disabled by the page. Try an API that supports CORS or call from your backend.

Where are saved requests stored?

In your browser's localStorage. They never leave your machine and aren't synced. Clearing site data removes them.

Can I send form data or file uploads?

The current version only supports raw JSON bodies. For multipart/form-data, use a desktop client like Insomnia.

Does this support OAuth flows or environment variables?

No. It's intentionally lightweight — paste a token directly into the Authorization header. For full OAuth dance support, use Postman or Insomnia.

Is the request body limited in size?

Practically limited by your browser's memory; multi-megabyte JSON works fine but isn't ideal in a textarea.