Send any HTTP request and inspect the full response: status code, headers, body, and elapsed
time. Choose GET, POST, PUT, PATCH, DELETE, HEAD, or OPTIONS; add custom headers; include a
request body. Useful for quickly testing REST APIs, checking if an endpoint is alive, or
debugging a webhook without spinning up a dedicated client.
Requests are proxied through our Cloudflare Worker to avoid browser CORS restrictions. The
response body is auto-formatted when JSON is detected. For webhook testing specifically, see
also Webhook Tester, which is optimized for POST-only
webhook checks.
What this tool does
The HTTP Request Builder is a lightweight in-browser API client that lets you send HTTP
requests to any URL and inspect the raw response. It's the equivalent of running
curl -X GET https://api.example.com/resource -H "Authorization: Bearer token"
from the command line, but without leaving your browser. Useful for:
- API exploration: fire a GET or POST at an endpoint to see what it returns
before writing any code.
- Webhook debugging: send a POST to a webhook URL and confirm you get the
expected 200 back, or debug a 4xx/5xx.
- Header inspection: add a custom Accept or Authorization header and see exactly
what the server responds with.
- Quick health checks: ping an endpoint and check its response time and
status code without installing anything.
How the proxy works
The request goes to our Cloudflare Worker at api.lunchboxhands.com/webhook,
which forwards it to the target URL and streams the response back. The worker enforces a
10-second timeout, a 1 MB response size cap, and SSRF (Server-Side Request Forgery)
protection: it blocks requests to internal IP ranges and localhost. This prevents the tool
from being used to probe private networks.
The response you see is exactly what the target server returned: status code, all response
headers, and the full body text up to 1 MB. JSON bodies are pretty-printed automatically
based on the content-type response header.
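The kind of target check the SSRF protection above describes, as an added example (not the tool's Worker code). The function names and the list of blocked ranges are assumptions; the page only says that internal IP ranges and localhost are blocked.

```javascript
// Added example, not the tool's Worker code. Blocked ranges are assumed
// (standard loopback, private, link-local and CGNAT blocks).
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

// Dotted quad -> unsigned 32-bit integer, or null if not an IPv4 literal.
function v4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
}

// True when the 32-bit address falls inside any blocked CIDR block.
function inBlockedV4(n) {
  return BLOCKED_V4.some(([base, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(base) / size);
  });
}

// IPv6 literal as serialised by the URL parser (lowercase, no brackets).
function isBlockedV6(h) {
  if (h === "::" || h === "::1") return true;            // unspecified, loopback
  if (/^f[cd][0-9a-f]{2}:/.test(h)) return true;         // fc00::/7 unique local
  if (/^fe[89ab][0-9a-f]:/.test(h)) return true;         // fe80::/10 link-local
  const m = h.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/); // IPv4-mapped
  return m ? inBlockedV4(parseInt(m[1], 16) * 65536 + parseInt(m[2], 16)) : false;
}

// Decide whether the proxy may forward to `raw`. Returns { ok, reason }.
function checkTarget(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "invalid URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: "scheme" };
  // The parser canonicalises IPv4 literals, so test url.hostname, not the raw string.
  const host = url.hostname.replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  if (host.startsWith("[")) {
    return isBlockedV6(host.slice(1, -1)) ? { ok: false, reason: "internal IPv6" } : { ok: true, reason: "" };
  }
  const n = v4ToInt(host);
  if (n !== null && inBlockedV4(n)) return { ok: false, reason: "internal IPv4" };
  return { ok: true, reason: "" };
}
```

In a proxy that follows redirects, as this one does, the same check belongs on every hop and on resolved addresses, not only on the URL as typed.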
Reading the response panel
After sending, the response panel shows:
- Status code and text: colour-coded green for 2xx (success), yellow for
3xx (redirects), red for 4xx/5xx (errors).
- Elapsed time: measured from when the worker forwards the request to when
the response body is fully received. This is network round-trip time, not your browser's
latency to our server.
- Response headers: all headers the server sent back, including
content-type, cache-control, x-request-id, and any
custom headers.
- Response body: the raw text, pretty-printed if JSON. Use the Copy button
to copy it to the clipboard.
Tips for common API patterns
- Bearer token auth: add the header Authorization: Bearer your-token-here in the
headers textarea.
- JSON POST: set Content-Type: application/json in headers and
paste your JSON payload in the body. The worker sends it verbatim to the target.
- Form submission: set Content-Type: application/x-www-form-urlencoded and paste
key=value&key2=value2 in the body.
- Checking redirect behaviour: the worker follows redirects automatically
(up to the browser/fetch default). The status you see is the final hop, not the intermediate
302. Use Redirect Checker to trace the full chain.
Related tools
- Need POST-only webhook testing with a pre-filled JSON body?
Try Webhook Tester, streamlined for Discord,
Slack, and other webhook integrations.
- Want to format or validate a JSON payload before sending?
JSON Formatter can pretty-print and validate your
request body in a separate tab.
Frequently asked questions
Why does this go through your server instead of making the request directly from my browser?
Browsers enforce a security policy called CORS (Cross-Origin Resource Sharing) that blocks JavaScript from making requests to domains other than the page itself, unless the target server explicitly opts in. Most APIs, webhooks, and arbitrary URLs do not opt in for random browser clients, so a direct request from the browser would be silently blocked before it even left your machine. By routing the request through our Cloudflare Worker at api.lunchboxhands.com, we bypass CORS on your behalf and forward the real response back to you. To be transparent: your URL, any request headers you add, and any body text you provide are all sent to our server. We do not log or store that data beyond an anonymized usage counter (tool name only, no URLs or content). We use Cloudflare Workers, so the request runs on Cloudflare's global edge network.
Which HTTP methods are supported?
GET, POST, PUT, PATCH, DELETE, HEAD, and OPTIONS. These cover the full range of methods used by REST APIs. The tool automatically disables the request-body editor for GET and HEAD, since those methods must not carry a body per the HTTP specification. For DELETE, a body is technically allowed by the spec but rarely expected; the body editor stays enabled so you can include one if your API needs it.
Can I send custom request headers or a JSON body?
Yes, both. Enter request headers one per line in the format "Key: Value", for example "Authorization: Bearer mytoken" or "Content-Type: application/json". Colons in the value are handled correctly (only the first colon separates the key). For the request body, paste any text: JSON, XML, form data, plain text, whatever your API expects. If the response comes back with a content-type of application/json, the body panel will automatically pretty-print it for readability.
Is this a Postman replacement?
It's more of a lightweight companion for quick checks. Postman (and Insomnia, Bruno, etc.) are full-featured API clients with collections, environments, test scripting, and team collaboration. This tool is for fast one-off requests: no install, no account, no setup. Open the page, paste a URL and a bearer token, hit Send, and read the response. If you're debugging a webhook, checking whether an endpoint is alive, or quickly verifying a header value, it's faster than switching to a desktop app. For building and maintaining a full API workflow, a dedicated client is still the right tool.