API Client — HTTP Requests with Auth & History
Send HTTP requests with Bearer, Basic Auth, or API Key authentication. Edit headers, compose request bodies, and browse your last 25 requests — all in your browser. No install, no signup.
No authentication will be added to the request.
How the API Client Works
- 1Choose an HTTP method (GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS) and enter the API endpoint URL in the request bar.
- 2Open the Auth tab to add Bearer Token, Basic Auth credentials, or an API Key — the tool builds the correct Authorization header automatically.
- 3Add custom request headers (Accept, Content-Type, etc.) in the Headers tab and set a request body (JSON, text, or form-encoded) in the Body tab for POST/PUT/PATCH requests.
- 4Click Send. The response panel shows the HTTP status code, latency in milliseconds, pretty-printed JSON body, and all response headers. The request is saved to your history automatically.
Authentication in HTTP APIs
Most production APIs require authentication. Bearer tokens (used by OAuth 2.0 and JWT-based APIs) are sent in the Authorization header as Bearer <token>. Basic Auth encodes username:password in Base64. API Keys can go in a header (common for REST APIs) or as a query parameter (common for third-party services like mapping or weather APIs). This tool handles all three so you never have to construct the header manually.
Tips for Testing APIs
Check the Status Code First
2xx = success, 4xx = client error, 5xx = server error. A 401 means missing or invalid credentials. A 403 means authenticated but not permitted. A 429 means you have been rate-limited.
CORS Errors? Use cURL
Browser-based clients cannot bypass CORS. If the API does not set Access-Control-Allow-Origin, the browser blocks the response. Use the cURL Generator tool and run the command from your terminal instead.
Inspect Response Headers
Rate limit info (X-RateLimit-*), token expiry (WWW-Authenticate), cache directives, and content type all live in the response headers — often more informative than the body when debugging.
Use History to Replay Requests
Click any entry in the History panel to restore the method and URL. This is useful when testing the same endpoint repeatedly with different auth tokens or body payloads.
Decode JWT Responses
If the API returns a JWT in the response body, copy it and paste it into the JWT Decoder tool to inspect the claims, algorithm, expiry, and issuer without extra setup.
Pretty JSON, Always
When the response Content-Type is application/json, the body is automatically pretty-printed with 2-space indentation for readability. Use the Copy button to grab the formatted JSON directly.
Frequently Asked Questions
What is an API client and how is this different from a REST API tester?
An API client is a tool for composing and sending HTTP requests to any server endpoint and inspecting the response. This API Client adds authentication support (Bearer Token, Basic Auth, API Key), a persistent request history stored in your browser (up to 25 requests), and a headers editor with per-row enable/disable toggles — features aimed at developers who regularly test APIs that require credentials.
Which authentication methods are supported?
Four modes: None (no auth header added), Bearer Token (adds Authorization: Bearer <token>), Basic Auth (encodes username:password in Base64 and adds the Authorization: Basic header automatically), and API Key (adds the key as a custom header or appends it as a query parameter — your choice).
Why do some requests fail with a network error?
Requests run directly from your browser via the Fetch API. Browsers enforce CORS (Cross-Origin Resource Sharing): if the API server doesn't return an Access-Control-Allow-Origin header that permits requests from this origin, the browser blocks the response. This is a security restriction, not a bug. Use the cURL Generator tool to build the equivalent curl command and run it from your terminal, where there are no CORS restrictions.
How does request history work?
Every request you send — successful or not — is saved to your browser's localStorage under the key pst_api_client_history. The last 25 requests are retained. Click any history entry to restore the method and URL into the request bar. History is local to your device and is never sent to any server.
Is my request data (headers, tokens, body) sent to PublicSoftTools?
No. The request is made directly from your browser to the target URL — it never passes through PublicSoftTools servers. Your tokens, API keys, request body, and response data are only visible to you and the target API.
Can I send a JSON body?
Select POST, PUT, or PATCH as the method, open the Body tab, choose JSON as the format, and paste your JSON payload. The tool automatically adds Content-Type: application/json to the request if you haven't already set it in the Headers tab.
What HTTP methods are available?
GET, POST, PUT, PATCH, DELETE, HEAD, and OPTIONS. GET, HEAD, and OPTIONS do not include a request body (the Body tab is disabled for these methods). All other methods support JSON, plain text, and form URL-encoded bodies.
How do I read the response headers?
After sending a request, click the Headers tab inside the response panel. It shows every response header the server returned (Content-Type, Cache-Control, X-RateLimit-*, etc.). This is useful for diagnosing caching behaviour, rate limits, and authentication errors.