InoTools Dev

Web API Tester

A free API development client to visually test HTTP requests (GET/POST) and inspect headers or responses. Ideal for verifying CORS configurations. Requests are made directly from your device, ensuring our servers never intercept or log your traffic.

CORS Policy Warning

Requests are made directly from your browser. The target API must have permissive Cross-Origin Resource Sharing (CORS) headers configured to accept requests from this origin, otherwise the request will fail. See the 'Guide & Terminology' section at the bottom of this page for more details.

Output

Enter URL and click Send to get a response

Guide & Terminology

What is the Web API Tester?

The Web API Tester is a flexible HTTP client that runs directly from your browser, allowing you to send GET, POST, PUT, and DELETE requests to test your endpoints visually.

How to use (Important: CORS configuration)

Because this tool issues requests directly from your browser, it is subject to Cross-Origin Resource Sharing (CORS) restrictions.

  1. When testing an API on an external domain, the server must be configured to allow requests from this website by including Access-Control-Allow-Origin: * or https://inotools.com in its response headers. (Without this, the browser will block the request).
  2. Configure your Method, URL, Params, Headers, and Body, then click "Send".
  3. The tool formats and displays the HTTP Status, Response Time, and Response Body/Headers.

Common CORS Configuration Examples:

  • Express.js (Node.js) 
    const cors = require('cors');
// Allow multiple origins (e.g., your local app and InoTools)
const allowedOrigins = ['http://localhost:3000', 'https://inotools.com'];
app.use(cors({
  origin: (origin, callback) => {
    if (!origin || allowedOrigins.includes(origin)) return callback(null, true);
    return callback(new Error('Not allowed by CORS'));
  }
}));
  • Python FastAPI 
    from fastapi.middleware.cors import CORSMiddleware
# Add inotools.com to your existing allow_origins list
app.add_middleware(
    CORSMiddleware, 
    allow_origins=["http://localhost:3000", "https://inotools.com"], 
    allow_methods=["*"], 
    allow_headers=["*"]
)
  • PHP 
    $allowed_origins = ['http://localhost:3000', 'https://inotools.com'];
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (in_array($origin, $allowed_origins)) {
    header("Access-Control-Allow-Origin: " . $origin);
}
header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS");
header("Access-Control-Allow-Headers: Content-Type, Authorization");

Security

Requests are sent directly from your device to the target server. The content of your communications and the destination URLs never route through, nor are they logged by, this website's servers.

Related Tools

Find more utilities to streamline your workflow

Global IP & Network Info