How to Test an API in Your Browser (No Postman, No Install)
Postman is great until you just want to check one endpoint and it’s asking you to sign in, sync a workspace, and update itself. Sometimes I want to send a single GET, see the JSON, and move on with my life.
For that, a browser-based tester is faster. Here’s how to do the common things — and the one browser limitation (CORS) that everyone hits, explained without hand-waving.
Sending your first request
Open the API tester, then:
- Pick the method (GET, POST, PUT, PATCH, DELETE…).
- Paste the URL. For a quick sanity check, https://jsonplaceholder.typicode.com/todos/1 always responds.
- Hit Send (or Ctrl/Cmd+Enter). You’ll get the status, timing, and a formatted JSON body.
That’s the 90% case. The other 10% is auth and headers.
Headers, auth, and a JSON body
For anything behind a login you’ll need an Authorization header — usually Bearer your-token for APIs that use tokens, or Basic auth for older ones. Add a Content-Type: application/json header on POST/PUT and drop your JSON in the body. A tip that’s saved me real time: store the token as an environment variable and reference it, so you’re not pasting secrets into every request.
When the request works, you can export it as a cURL command or a fetch snippet to drop straight into your code — or paste an existing cURL command in to rebuild a request someone sent you.
The CORS gotcha (read this before you rage-quit)
Here’s the thing nobody warns you about: a request that works perfectly in Postman or cURL can fail in a browser with a vague “Failed to fetch.” That’s almost always CORS, and it isn’t a bug in the tool.
Browsers block a page on one origin from reading a response from another origin unless the API explicitly allows it with an Access-Control-Allow-Origin header. Postman and cURL aren’t browsers, so they don’t play by that rule — which is why the same request behaves differently. Three realities worth knowing:
- If the API sends the right CORS headers (lots of public ones do), it just works in the browser.
- If it doesn’t, you can route through a proxy. The tester has a Bypass CORS toggle for exactly this — just don’t use it for requests carrying real secrets, since the traffic transits a third party.
- A local server (localhost) is a special case: a public proxy can’t reach your machine, so the fix is to enable CORS on your dev server (one line of middleware in Express/FastAPI).
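The dev-server fix from the last bullet, written out as an added example (not code from the tester, Express or FastAPI): an allowlist-based CORS decision that also answers the preflight a browser sends before a request carrying Authorization or Content-Type: application/json. The origin http://localhost:5173 and the names corsDecision and ALLOWED_* are assumptions for illustration.

```javascript
// Added example: the CORS decision a local dev server has to make.
// All names and the sample origin below are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["http://localhost:5173"]); // origin of the page sending the request
const ALLOWED_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

// reqHeaders: request headers with lower-cased names.
// Returns { status, headers }: status 204 = preflight answered, 403 = preflight
// refused, null = run the normal route handler and attach `headers` to its response.
function corsDecision(method, reqHeaders) {
  const origin = reqHeaders["origin"];
  const headers = { Vary: "Origin" }; // a cache must not reuse one origin's answer for another
  const isPreflight =
    method === "OPTIONS" && Boolean(reqHeaders["access-control-request-method"]);

  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // No Access-Control-Allow-Origin is sent, so the browser will not expose
    // the response to the page. A non-preflight request still reaches the
    // handler: CORS limits reading the response, it is not access control.
    return { status: isPreflight ? 403 : null, headers };
  }

  if (!isPreflight) {
    headers["Access-Control-Allow-Origin"] = origin; // exact allowlisted value, never "*"
    return { status: null, headers };
  }

  // Preflight: check the method and headers the browser says it will send.
  const wantMethod = reqHeaders["access-control-request-method"].toUpperCase();
  const wantHeaders = (reqHeaders["access-control-request-headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  const allowed =
    ALLOWED_METHODS.includes(wantMethod) &&
    wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!allowed) return { status: 403, headers };

  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = "600"; // let the browser cache the preflight for 10 minutes
  return { status: 204, headers };
}
```

In a real server, copy the returned headers onto the response and end the request early whenever status is not null.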
When you should still use Postman
I’m not going to pretend a browser tab replaces everything. If you’re running big saved collections in CI, sharing a workspace across a team, or scripting complex multi-step test flows, a dedicated app still wins. The browser tool is for speed: quick checks, debugging a single endpoint, generating a snippet, or testing from a machine where you can’t install anything.
FAQ
Can I really test a REST API without installing anything?
Yes. The browser API tester sends real HTTP requests from the tab — no download, no account.
Why does my request fail only in the browser?
Almost always CORS. The API didn’t allow your origin. Use the proxy toggle, or test an API that sends CORS headers.
Is it free?
Yes, free and no signup. Your requests run from your browser.
Go test something: open the online API tester, or see the rest of the free browser tools worth bookmarking.