Why is my request blocked by CORS?

CORS (Cross-Origin Resource Sharing) is a browser security feature that blocks requests from web pages to different domains. If the API you're testing doesn't explicitly allow requests from inventivehq.com, the browser will block it. Solutions include: (1) Using browser extensions during development to disable CORS checks, (2) Testing with desktop tools like Postman that aren't subject to CORS restrictions, (3) Configuring the API to allow inventivehq.com in its CORS allowlist, or (4) Using a proxy server to route requests (some tools offer this feature).

How do I test an API that requires authentication?

Click the "Auth" tab in the request builder, select your authentication type (Bearer Token, Basic Auth, API Key, or OAuth 2.0), and enter your credentials. The tool will automatically add the appropriate headers to your request. For Bearer tokens, it adds "Authorization: Bearer {token}". For Basic Auth, it base64-encodes your username:password and adds "Authorization: Basic {encoded}". For API keys, you can choose whether to add it as a header (typically X-API-Key) or as a query parameter.

Can I save and organize my requests?

Yes! Use Collections to organize related requests. Create a collection (e.g., "User API", "Payment Endpoints"), add requests to it, and save it for future use. Collections support folder structure for nested organization, collection-level authentication (applied to all requests), and collection-level base URLs. You can export collections as JSON to share with your team or import collections from others. All collections are stored locally in your browser's localStorage for privacy.

What's the difference between GET and POST?

GET is used to retrieve data from a server (read-only operation), while POST is used to send data to create new resources (write operation). GET requests typically don't have a body and parameters are sent in the URL query string. POST requests include data in the request body (usually JSON, XML, or form data). Other methods include PUT (update/replace entire resource), PATCH (partially update resource), DELETE (remove resource), and OPTIONS (query allowed methods, used for CORS preflight).

How do I test with different environments (dev, staging, prod)?

Use Environments to define variables for different contexts. Create environments like "Development" and "Production" with different values for BASE_URL, API_KEY, and other configuration. Then use variable placeholders like {{BASE_URL}}/users in your requests. Switch between environments using the environment selector dropdown, and the tool will automatically replace variables with values from the active environment. This prevents mistakes like testing against production accidentally.

Is my data safe? Do you store my requests?

All requests are sent directly from your browser to the target API - we never see or store your request data. The tool runs entirely client-side using JavaScript. History, collections, and environments are stored locally in your browser's localStorage and never leave your device. We don't track URLs, headers, request bodies, or any sensitive information. However, always be cautious with production credentials and consider clearing history after testing with sensitive data.

Can I generate code from my requests?

Yes! After configuring your request, click the "Code" button to generate equivalent code in various languages and libraries. Supported options include: JavaScript (Fetch API, Axios, XMLHttpRequest, jQuery), Python (Requests, http.client, aiohttp), cURL, PHP (cURL, Guzzle), Java (HttpURLConnection, OkHttp), C# (HttpClient, RestSharp), Go (net/http), and Ruby (Net::HTTP, HTTParty). The generated code includes syntax highlighting, copy button, and download option. You can paste it directly into your application.

What does a 401 vs 403 status code mean?

401 Unauthorized means you're not authenticated - your credentials are missing or invalid. This typically requires you to add or fix authentication (Bearer token, Basic Auth, API key). 403 Forbidden means you're authenticated but don't have permission to access the resource. Your credentials are valid, but your account lacks the necessary permissions or scope. Check with the API administrator to grant appropriate permissions. Other common status codes: 200 OK (success), 400 Bad Request (invalid syntax), 404 Not Found (resource doesn't exist), 500 Internal Server Error (server error).

How do I upload files in a request?

Select "Form Data" (multipart/form-data) as the body type, add a field row, and choose "File" as the type. Then select a file from your computer using the file picker. The tool will automatically set the correct Content-Type header (multipart/form-data) and handle the file upload. You can combine files with regular form fields in the same request. The tool shows visual file size indicators and auto-detects content types for uploaded files.

What are request headers and why do they matter?

Request headers are metadata sent with HTTP requests that provide information about the request, client, and desired response format. Common headers include: Content-Type (format of request body, e.g., application/json), Accept (desired response format), Authorization (authentication credentials), User-Agent (client information), and Origin (for CORS). Headers control authentication, caching, cookies, CORS, content negotiation, and security. The tool provides header autocomplete for common headers, validation warnings for deprecated headers, and security warnings when sending credentials over HTTP.

How do I debug failed requests?

Start by checking the status code: 4xx errors are client errors (check your request), 5xx errors are server errors (check API status). Read the error message carefully - many APIs provide detailed error descriptions in the response body. For authentication errors (401/403), verify your credentials and permissions. For 400 Bad Request, check JSON syntax and required fields. For CORS errors, see the CORS troubleshooting guide. Use the Response Inspector to examine headers for clues. Test with a minimal request first, then add complexity. Compare working requests from API documentation. Check the API's developer console or logs if you have access.

Home/Tools/HTTP Request Builder

HTTP Request Builder

Interactive developer tool for constructing, sending, and analyzing HTTP requests directly from the browser. Test APIs, debug endpoints, inspect headers, format request bodies, and analyze responses in real-time - all client-side for maximum privacy.

Loading tool...

JavaScript Required

This interactive tool requires JavaScript to function. Please enable JavaScript in your browser to use the full features.

The tool description and documentation above provide information about this tool's capabilities. For the best experience, please enable JavaScript and refresh the page.

Need Help Building or Integrating APIs?

While this tool helps test APIs, professional development and integration can save time and prevent security issues. Our experts provide custom API development (REST, GraphQL), third-party API integration, security hardening, performance optimization, comprehensive documentation, and ongoing maintenance.

Get Free Consultation View Development Services

Build and Test HTTP Requests

Construct HTTP requests with custom headers, body, and authentication. Test APIs without writing code.

Request Components

Method: GET, POST, PUT, PATCH, DELETE
Headers: Custom headers, Content-Type, Authorization
Body: JSON, form data, raw text
Authentication: Basic, Bearer, API key

Response Viewer

See status, headers, body, timing, and size. Format JSON responses automatically.

HTTP Basics: Request and Response Cycle

Understanding HTTP Communication

HTTP (Hypertext Transfer Protocol) is the foundation of data communication on the web. Every time you visit a website or use an API, HTTP requests and responses are exchanged between clients (browsers, apps) and servers.

The Request-Response Cycle

Client sends request - Your browser or application sends an HTTP request to a server
Server processes request - The server receives, validates, and processes the request
Server sends response - The server returns an HTTP response with status code and data
Client handles response - Your application receives and processes the response

Anatomy of an HTTP Request

Every HTTP request consists of:

Request Line: Method (GET, POST, etc.) + URL + HTTP version
Headers: Metadata about the request (Content-Type, Authorization, etc.)
Body: Data being sent (optional, typically for POST/PUT/PATCH)

Anatomy of an HTTP Response

Every HTTP response consists of:

Status Line: HTTP version + Status code + Status text
Headers: Metadata about the response (Content-Type, Cache-Control, etc.)
Body: Data being returned (HTML, JSON, XML, etc.)

Common HTTP Methods

GET - Retrieve data (read-only, no body)
POST - Create new resources (includes body with data)
PUT - Update/replace entire resource (includes body)
PATCH - Partially update resource (includes body with changes)
DELETE - Remove resource (body optional)
OPTIONS - Query allowed methods (used for CORS preflight)
HEAD - Retrieve headers only (like GET but no body returned)

HTTP Status Codes Explained

Understanding HTTP Status Codes

Status codes are three-digit numbers that indicate the result of an HTTP request. They're grouped into five categories:

2xx Success

The request was successfully received, understood, and accepted.

200 OK - Standard success response
201 Created - Resource successfully created (typically POST)
202 Accepted - Request accepted for processing (async)
204 No Content - Success but no content to return (typically DELETE)

3xx Redirection

Further action is needed to complete the request.

301 Moved Permanently - Resource has new permanent URL
302 Found - Resource temporarily at different URL
304 Not Modified - Cached version is still valid (use cache)
307 Temporary Redirect - Temporary redirect, keep method

4xx Client Errors

The request contains bad syntax or cannot be fulfilled.

400 Bad Request - Invalid syntax (check JSON, required fields)
401 Unauthorized - Authentication required or failed
403 Forbidden - Authenticated but no permission
404 Not Found - Resource doesn't exist at this URL
405 Method Not Allowed - HTTP method not supported for this endpoint
429 Too Many Requests - Rate limit exceeded

5xx Server Errors

The server failed to fulfill a valid request.

500 Internal Server Error - Generic server error
502 Bad Gateway - Invalid response from upstream server
503 Service Unavailable - Server temporarily unavailable (maintenance, overload)
504 Gateway Timeout - Upstream server didn't respond in time

Debugging with Status Codes

2xx = Success - continue with response data
4xx = Check your request (syntax, auth, permissions)
5xx = Server problem (check API status, try again later)

Authentication Methods Explained

API Authentication Methods

APIs use various authentication methods to verify client identity and authorize access. Here are the most common approaches:

1. Bearer Token Authentication

Most common for modern APIs, especially OAuth 2.0 and JWT-based authentication.

How it works:

Obtain a token from the authentication server
Include token in Authorization header: Authorization: Bearer {token}
Server validates token and processes request

When to use: Modern APIs, OAuth 2.0, JWT tokens, mobile apps, SPAs

Security: Token should be short-lived; use HTTPS; never commit tokens to source control

2. Basic Authentication

Simple username and password authentication using base64 encoding.

How it works:

Encode username:password as base64
Include in Authorization header: Authorization: Basic {base64}
Server decodes and validates credentials

When to use: Simple APIs, development, internal tools, initial authentication to get token

Security: Must use HTTPS (credentials are only encoded, not encrypted); consider as legacy for public APIs

3. API Key Authentication

Simple key-based authentication, often for service-to-service communication.

How it works:

Obtain API key from service provider
Include in custom header (e.g., X-API-Key: {key}) or query parameter
Server validates key and processes request

When to use: Third-party integrations, public APIs with usage tracking, service accounts

Security: Treat like passwords; rotate regularly; use different keys for dev/prod; monitor usage

4. OAuth 2.0

Industry-standard protocol for authorization, used by major platforms (Google, GitHub, etc.).

How it works:

User authorizes your app via consent screen
Receive authorization code
Exchange code for access token (and refresh token)
Use access token for API requests

When to use: Third-party integrations, user data access, delegated authorization, social login

Security: Use PKCE for mobile/SPA; validate state parameter; short-lived access tokens with refresh tokens

5. Custom Authentication

Some APIs use proprietary authentication schemes.

Examples:

HMAC signatures (AWS Signature V4)
Digest authentication
Certificate-based authentication
Session cookies

When to use: When required by specific API

Security: Follow API documentation carefully; understand signature generation; use official SDKs when available

Best Practices

Always use HTTPS - Never send credentials over unencrypted HTTP
Store securely - Use environment variables, never hardcode credentials
Rotate regularly - Change keys and tokens periodically
Least privilege - Request only the permissions you need
Monitor usage - Track API key usage to detect compromise
Separate environments - Different credentials for dev/staging/production

Debugging API Requests: Best Practices

Effective API Debugging Strategies

Debugging API requests efficiently requires a systematic approach. Follow these best practices to identify and resolve issues quickly.

1. Start Simple, Add Complexity

Begin with the simplest possible request and add complexity incrementally.

Basic debugging flow:

Test with minimal request (no headers, no auth, no body)
Add authentication
Add required headers
Add request body
Add optional parameters

This isolates exactly what's causing the failure.

2. Read Error Messages Carefully

Error messages contain valuable information - don't skip them!

What to look for:

Status code (tells you the category of error)
Error message in response body (specific issue description)
Error codes (API-specific error identifiers)
Field-level errors (which parameters are invalid)

3. Verify Request Format

Ensure your request matches API expectations.

Common format issues:

JSON syntax errors - Missing commas, quotes, brackets
Content-Type mismatch - Body is JSON but header says XML
Required fields missing - Check API documentation
Invalid data types - String instead of number, etc.
Encoding issues - Special characters not properly encoded

4. Authentication Troubleshooting

Authentication errors (401, 403) are common but usually straightforward to fix.

401 Unauthorized checklist:

✓ Is authentication header present?
✓ Is token/key valid and not expired?
✓ Is authentication scheme correct (Bearer vs Basic)?
✓ Is token properly formatted (spaces, encoding)?

403 Forbidden checklist:

✓ Does your account have necessary permissions?
✓ Are required scopes granted?
✓ Is the resource accessible to your account level?
✓ Are there IP restrictions or rate limits?

5. Compare with Working Examples

When stuck, compare your request with known working examples.

Resources to check:

API documentation examples
Official SDK source code
Community examples (StackOverflow, GitHub)
API provider's sandbox/test environment
cURL examples from documentation

6. Inspect Response Headers

Response headers provide important clues beyond the status code.

Useful headers to check:

Content-Type - Format of response body
X-RateLimit-* - Rate limit status
WWW-Authenticate - Authentication requirements
Retry-After - When to retry after rate limit
Cache-Control - Caching directives

7. Test in Isolation

Eliminate variables to identify the root cause.

Isolation techniques:

Test same request in different tools (browser, Postman, cURL)
Test from different networks (CORS issues)
Test with different credentials (permission issues)
Test different endpoints (API-wide vs endpoint-specific)

8. Use Developer Tools

Browser developer tools provide deep insights.

What to check:

Network tab - See actual request/response
Console - JavaScript errors, CORS messages
Application tab - Cookies, localStorage
Security tab - Certificate issues

9. Handle Rate Limits

APIs often implement rate limiting to prevent abuse.

Rate limit strategies:

Check rate limit headers (X-RateLimit-Remaining)
Implement exponential backoff for retries
Cache responses to reduce requests
Use webhooks instead of polling where possible
Upgrade to higher tier if consistently hitting limits

10. Document and Learn

Keep a debugging log to identify patterns.

What to document:

Problem description
Error messages
Steps taken
Solution that worked
Time spent

This builds a personal knowledge base for faster debugging in the future.

Common Mistakes to Avoid

❌ Don't guess - Read error messages and documentation ❌ Don't ignore status codes - They tell you where to look ❌ Don't skip validation - Validate JSON before sending ❌ Don't reuse tokens indefinitely - Check expiration ❌ Don't test in production first - Use dev/staging environments ❌ Don't hardcode credentials - Use environment variables

Quick Debugging Checklist

When a request fails, check in this order:

✓ Status code (what category of error?)
✓ Response body (what's the specific error?)
✓ Request URL (correct endpoint?)
✓ HTTP method (GET vs POST vs PUT?)
✓ Authentication (present and valid?)
✓ Headers (Content-Type, Accept, etc.)
✓ Request body (valid JSON/XML, required fields?)
✓ CORS (testing from browser?)
✓ Rate limits (exceeded quota?)
✓ API status (is the service up?)

CORS: Understanding and Troubleshooting

Understanding CORS (Cross-Origin Resource Sharing)

CORS is a browser security feature that can block requests from this tool to certain APIs. Understanding CORS is essential for web-based API testing.

What is CORS?

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that restricts web pages from making requests to domains different from the one serving the page.

Origin = Protocol + Domain + Port

Examples:

https://inventivehq.com:443 (this tool)
https://api.example.com:443 (target API)
Different origins → CORS applies

Why Does CORS Exist?

Without CORS, malicious websites could make requests to any API using your credentials (cookies, tokens) stored in the browser. CORS prevents this by requiring APIs to explicitly allow cross-origin requests.

How CORS Works

Simple Requests (GET, HEAD, POST with simple content types)

Browser sends request with Origin: https://inventivehq.com header
Server responds with Access-Control-Allow-Origin header
If origins match (or server allows all with *), browser allows the response
If origins don't match, browser blocks the response

Preflight Requests (PUT, DELETE, custom headers)

Browser sends OPTIONS request (preflight) before actual request
Preflight includes intended method and headers
Server responds with allowed methods, headers, origins
If preflight succeeds, browser sends actual request
If preflight fails, browser blocks the actual request

Common CORS Headers

Request headers:

Origin: https://inventivehq.com - Where request is coming from
Access-Control-Request-Method: PUT - Intended method (preflight)
Access-Control-Request-Headers: authorization - Custom headers (preflight)

Response headers:

Access-Control-Allow-Origin: * - Allowed origins (or specific domain)
Access-Control-Allow-Methods: GET, POST, PUT - Allowed methods
Access-Control-Allow-Headers: authorization - Allowed custom headers
Access-Control-Allow-Credentials: true - Allow cookies/auth
Access-Control-Max-Age: 3600 - Cache preflight response (seconds)

Why Is My Request Blocked?

CORS Error Messages:

"No 'Access-Control-Allow-Origin' header present"
"CORS policy: Response to preflight request doesn't pass access control check"
"CORS header 'Access-Control-Allow-Origin' missing"

Common Causes:

API doesn't support CORS at all
API allows specific origins, but not inventivehq.com
API allows only simple requests (GET, POST), blocking PUT/DELETE
API doesn't allow custom headers (Authorization, X-API-Key)
Preflight response missing required CORS headers

Solutions for CORS Issues

Option 1: Configure API to Allow CORS

If you control the API, add CORS headers to responses:

Access-Control-Allow-Origin: https://inventivehq.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true

Option 2: Use Browser Extension (Development Only)

Install a CORS extension to disable CORS checks during testing.

⚠️ Warning: Only use for development! Never disable CORS in production.

Popular extensions:

CORS Unblock (Chrome)
Allow CORS: Access-Control-Allow-Origin (Firefox)

Option 3: Test with Desktop Tools

Desktop tools (Postman, Insomnia, cURL) aren't subject to CORS because they're not browsers.

When to use:

Testing APIs that don't support CORS
Production testing with sensitive credentials
Automated testing and CI/CD

Option 4: Use Proxy Server

Route requests through a server you control to bypass browser CORS.

How it works:

Your browser → Your proxy server (same origin, no CORS)
Your proxy server → Target API (server-to-server, no CORS)
Proxy returns response to browser

⚠️ Security: Only proxy to APIs you trust. Proxies can see credentials.

CORS Best Practices for API Developers

Don't Use Wildcard with Credentials

❌ Bad:

Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

✓ Good:

Access-Control-Allow-Origin: https://inventivehq.com
Access-Control-Allow-Credentials: true

Be Specific with Allowed Methods and Headers

Only allow what's necessary:

Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Content-Type, Authorization

Handle Preflight Requests

Respond to OPTIONS requests with appropriate CORS headers and 200 status.

Cache Preflight Responses

Use Access-Control-Max-Age to reduce preflight requests:

Access-Control-Max-Age: 86400

Validate Origin

Don't just echo the Origin header. Validate against allowlist:

const allowedOrigins = [
  "https://inventivehq.com",
  "https://app.example.com"
];

if (allowedOrigins.includes(request.headers.origin)) {
  response.headers["Access-Control-Allow-Origin"] = request.headers.origin;
}

Testing CORS Configuration

Use this tool to test CORS behavior:

Simple GET request - Should work if API allows any CORS
POST with JSON - Tests Content-Type: application/json
Custom headers - Tests Authorization, X-API-Key, etc.
PUT/DELETE - Tests preflight handling

Check browser developer tools Network tab for:

OPTIONS preflight requests
CORS-related errors
Response headers (Access-Control-*)

CORS is Not Authentication

CORS doesn't prevent unauthorized access - it only controls which origins can access responses in a browser.

CORS protects users, not APIs
APIs still need authentication/authorization
CORS can't prevent direct API calls (cURL, Postman, etc.)

References & Citations

Internet Engineering Task Force (IETF). (2014). RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. Retrieved from https://datatracker.ietf.org/doc/html/rfc7230 (accessed January 2025)
Internet Engineering Task Force (IETF). (2014). RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. Retrieved from https://datatracker.ietf.org/doc/html/rfc7231 (accessed January 2025)
Internet Engineering Task Force (IETF). (2014). RFC 7235: Hypertext Transfer Protocol (HTTP/1.1): Authentication. Retrieved from https://datatracker.ietf.org/doc/html/rfc7235 (accessed January 2025)
Internet Engineering Task Force (IETF). (2012). RFC 6749: The OAuth 2.0 Authorization Framework. Retrieved from https://datatracker.ietf.org/doc/html/rfc6749 (accessed January 2025)
Internet Engineering Task Force (IETF). (2015). RFC 7540: Hypertext Transfer Protocol Version 2 (HTTP/2). Retrieved from https://datatracker.ietf.org/doc/html/rfc7540 (accessed January 2025)
WHATWG. Fetch Living Standard. Retrieved from https://fetch.spec.whatwg.org/ (accessed January 2025)
W3C. (2020). Cross-Origin Resource Sharing (CORS). Retrieved from https://www.w3.org/TR/cors/ (accessed January 2025)
IANA. HTTP Status Code Definitions. Retrieved from https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml (accessed January 2025)

Note: These citations are provided for informational and educational purposes. Always verify information with the original sources and consult with qualified professionals for specific advice related to your situation.

Key Security Terms

Understand the essential concepts behind this tool

HTTP Status Codes

Three-digit codes returned by web servers to indicate the result of an HTTP request.

Learn more →

API (Application Programming Interface)

A set of rules and protocols that allows different software applications to communicate and exchange data.

Learn more →

View all terms in our glossary →

Frequently Asked Questions

Common questions about the HTTP Request Builder

An HTTP request builder is a tool that helps developers construct, send, and analyze HTTP requests to APIs. It provides a user-friendly interface to configure URLs, methods, headers, authentication, and request bodies without writing code. This tool runs entirely in your browser, sending requests directly to the target API while providing detailed response analysis including status codes, headers, timing information, and formatted body content.

Explore More Tools

Continue with these related tools

security

CORS Policy Analyzer

Detect and analyze CORS misconfigurations that could lead to data exposure and security breaches. Test origin validation, credential handling, and policy implementation.

Try it now

security-analysis

JWT Decoder

Decode and analyze JSON Web Tokens (JWT) to inspect headers, payloads, and signatures for debugging and security analysis

Try it now

developer-tools

JSON Formatter

Format, validate, and beautify JSON data with syntax highlighting and error detection

Try it now

encoding

Base64 Encoder/Decoder

Encode and decode Base64 strings for data transport, email attachments, and web development

Try it now

developer

URL Encode/Decode with Query Parser

Free URL encoder/decoder with auto-detection. Encode/decode URLs, parse query strings, and break down URL components. Perfect for APIs, web development, and debugging.

Try it now

ℹ️ Disclaimer

This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.