How to Test API Endpoints Online
Send HTTP requests to any API and inspect responses with our free API Tester. Supports GET, POST, PUT, DELETE with custom headers and JSON bodies.
Steps
Enter the API URL
Type or paste the full URL of the API endpoint you want to test, including the protocol (https://), domain, path, and any path parameters. Example: https://api.example.com/v1/users/123
Select the HTTP method
Choose the appropriate HTTP method: GET for retrieving data, POST for creating resources, PUT or PATCH for updating, DELETE for removing. The method must match what the API endpoint expects.
Add headers
Click Add Header to include request headers. Common headers include: Content-Type: application/json (required for POST/PUT with JSON body), Authorization: Bearer YOUR_TOKEN (for authenticated endpoints), Accept: application/json (to specify the expected response format).
Add request body (for POST/PUT/PATCH)
If sending data, enter the request body in the Body tab. Select JSON format and enter valid JSON. The tool validates your JSON before sending. Alternatively, use form data or raw text for APIs that expect those formats.
Send and inspect the response
Click Send. The response panel shows the HTTP status code, response headers, response body (formatted if JSON), and response time in milliseconds. A 2xx status means success; 4xx means client error (check your request); 5xx means server error.
REST API Testing Best Practices
Effective API testing goes beyond just checking that an endpoint returns a 200 status. Test the happy path first: verify that a valid request returns the expected data with the correct structure. Then test edge cases: what happens with invalid input, missing required fields, extremely large values, special characters in string fields, and empty arrays? Test authentication boundaries: verify that unauthenticated requests get 401, requests without the right permissions get 403, and valid authenticated requests succeed. Test rate limiting: confirm that exceeding the rate limit returns a 429 with a Retry-After header. For mutation endpoints (POST, PUT, DELETE), verify the state change by following up with a GET request to confirm the data changed as expected. Document your test cases so they can be reproduced when debugging issues.
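The authentication-boundary and rate-limit checks described above, written as a Python script. This is an added example, not part of the original page or the API Tester tool. It runs against a constructed local stub server, and the tokens, paths, per-token limit of 3 and Retry-After value are all assumptions; call run_checks() to get the observed statuses.

```python
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKENS = {"admin-token": "admin", "reader-token": "reader"}  # constructed sample tokens
LIMIT = 3  # assumed per-token request budget for the stub
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # skip any system proxy

class StubAPI(BaseHTTPRequestHandler):  # constructed local API so the checks run offline
    hits = {}
    def log_message(self, *args): pass  # silence per-request logging
    def reply(self, status, body, extra=()):
        data = json.dumps(body).encode()
        self.send_response(status)
        for name, value in [("Content-Type", "application/json"), ("Content-Length", len(data)), *extra]:
            self.send_header(name, str(value))
        self.end_headers()
        self.wfile.write(data)
    def do_GET(self):
        token = self.headers.get("Authorization", "").partition("Bearer ")[2]
        self.hits[token] = self.hits.get(token, 0) + 1
        if token not in TOKENS:
            self.reply(401, {"error": {"code": "unauthenticated"}})
        elif self.hits[token] > LIMIT:
            self.reply(429, {"error": {"code": "rate_limited"}}, [("Retry-After", "30")])
        elif self.path == "/v1/admin" and TOKENS[token] != "admin":
            self.reply(403, {"error": {"code": "forbidden"}})
        else:
            self.reply(200, {"data": {"path": self.path}})

def call(base, path, token=None):
    """GET base+path; return (status, headers, JSON body) for success and error statuses alike."""
    req = urllib.request.Request(base + path, headers={"Authorization": f"Bearer {token}"} if token else {})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.headers, json.loads(resp.read())
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx; the response is still readable
        return err.code, err.headers, json.loads(err.read())

def run_checks():
    StubAPI.hits = {}
    server = HTTPServer(("127.0.0.1", 0), StubAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    who = {"anonymous": None, "reader": "reader-token", "admin": "admin-token"}
    out = {name: call(base, "/v1/admin", token)[0] for name, token in who.items()}
    for _ in range(LIMIT):  # reader has already spent 1 of LIMIT, so the last call goes over
        status, headers, _ = call(base, "/v1/users/123", "reader-token")
    out["throttled"] = (status, headers.get("Retry-After"))
    server.shutdown()
    return out
```

Against a real API, keep call() and the assertions and replace the stub with the service's base URL and test credentials.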
Understanding API Response Formats
Most modern REST APIs return JSON responses, but the structure varies. Look at the response for: the data payload (usually nested under a 'data' key in well-structured APIs), error format (well-designed APIs return a consistent error object with a code, message, and sometimes a details array), pagination indicators (total count, next page cursor or URL), and timestamp formats. An HTTP 200 status does not guarantee the request succeeded at the business logic level — some older APIs return 200 with an error message in the body. Always check the actual response content, not just the status code. A well-designed API uses appropriate HTTP status codes so you do not have to parse the body to determine success or failure.
Frequently Asked Questions
Postman is a full-featured API development environment with collections, environment variables, automated testing, mock servers, and team collaboration features. This online API tester is optimised for quick, one-off requests when you need to verify an endpoint works or inspect a response without opening another application. Use this for rapid testing; use Postman for systematic API development and documentation.
Yes. Add an Authorization header with your Bearer token, API key, or Basic auth credentials. For Basic auth, encode username:password in Base64 and use Authorization: Basic BASE64_STRING. For OAuth, get your access token first and pass it as Authorization: Bearer ACCESS_TOKEN.
CORS (Cross-Origin Resource Sharing) errors occur when a browser blocks requests to a different domain for security reasons. Some APIs only allow requests from specific origins and will reject browser-based requests. To test such APIs, you need to send the request from a server or use a proxy. CORS restrictions apply to browser-based requests only — cURL and Postman's desktop app are not affected.
200 OK: success. 201 Created: resource created successfully. 400 Bad Request: your request has invalid syntax or missing parameters. 401 Unauthorized: authentication is required or failed. 403 Forbidden: authenticated but not permitted to access this resource. 404 Not Found: the endpoint or resource does not exist. 429 Too Many Requests: rate limit exceeded. 500 Internal Server Error: something went wrong on the server. 503 Service Unavailable: server is temporarily down or overloaded.