Send HTTP requests and organize collections in your browser. Share collections via end-to-end encrypted links — server never sees your data.
A Postman-like API client that runs entirely in your browser. Send HTTP requests, organize them into collections, run pre/post scripts, and inspect responses — without installing a native app. Optional sharing lets you hand off a collection via a single link with end-to-end encryption: the server never sees your requests, headers, or variables.
Build a request
Pick a method, set the URL, add params/headers/auth/body, then click Send. The fetch goes directly from your browser to the target URL — no proxy.
Organize with collections and environments
Group related requests into collections. Each collection owns its own environments with `{{variable}}` substitution. Mark sensitive vars (tokens, API keys) as secret with the eye icon.
Share a collection (optional)
Right-click a collection → Share. After a quick captcha, you get a link like `/tools/api-client/share/<uuid>#k=<key>`. Anyone with the link can open, edit, and run the collection — no login needed.
Recipients work locally
Opening a share link decrypts the collection in the recipient's browser and copies it into their local sidebar. Their edits push back to the same shared blob (last write wins).
Yes. The collection is encrypted in your browser with AES-256-GCM (Web Crypto API) before it ever leaves your device. The encryption key is generated locally, embedded in the URL fragment after `#`, and never sent to our server. Even with full access to our database, we cannot read your collection — only someone with the full share link can decrypt it.
When you click Share, the browser (1) generates a fresh random 256-bit AES-GCM key, (2) encrypts your collection JSON with a random 96-bit IV, (3) sends only the ciphertext + IV to our server (gated by Cloudflare Turnstile + size cap), (4) builds a URL of the form `.../share/<uuid>#k=<key>&v=1`. Browsers never transmit the part after `#` to servers, so the key stays client-side. Recipients reverse the process: fetch the ciphertext by UUID, read the key from the fragment, decrypt locally.
No. Variables you mark as secret (eye icon in the env editor) are stripped — their values are replaced with empty strings before encryption. The recipient sees the variable name but has to fill in their own value. This protects API keys and tokens from accidental sharing.
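The share flow and secret stripping described above, sketched with the Web Crypto API as an added example; it is not this tool's own code. The base64url key encoding, the collection field names (`environments`, `variables`, `secret`, `value`), and the `fetchBlob` callback standing in for the server are assumptions.

```javascript
// Added example. Assumed (not from the page): base64url key encoding, the
// collection field names, and the fetchBlob() callback standing in for the server.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // Node < 19 fallback

const toB64u = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

// Blank the value of every variable flagged secret; the name is kept.
function stripSecrets(collection) {
  const copy = JSON.parse(JSON.stringify(collection)); // never mutate the local copy
  for (const env of copy.environments ?? [])
    for (const v of env.variables ?? []) if (v.secret) v.value = '';
  return copy;
}

async function createShare(collection, uuid) {
  const key = await wc.subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit IV per encryption
  const plain = new TextEncoder().encode(JSON.stringify(stripSecrets(collection)));
  const ciphertext = new Uint8Array(
    await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, plain));
  const rawKey = new Uint8Array(await wc.subtle.exportKey('raw', key));
  return {
    upload: { uuid, iv, ciphertext }, // everything the server receives; no key
    link: `/tools/api-client/share/${uuid}#k=${toB64u(rawKey)}&v=1`,
  };
}

async function openShare(link, fetchBlob) {
  const url = new URL(link, 'https://host.invalid'); // base is only for parsing
  const frag = new URLSearchParams(url.hash.slice(1));
  if (frag.get('v') !== '1') throw new Error('unsupported share version');
  const key = await wc.subtle.importKey(
    'raw', fromB64u(frag.get('k') ?? ''), 'AES-GCM', false, ['decrypt']);
  const { iv, ciphertext } = await fetchBlob(url.pathname.split('/').pop());
  // Rejects if the key is wrong or the blob was altered (GCM tag mismatch).
  const plain = await wc.subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext);
  return JSON.parse(new TextDecoder().decode(plain));
}

// Constructed sample collection.
const SAMPLE = { name: 'demo', environments: [{ name: 'dev', variables: [
  { name: 'API_TOKEN', value: 'tok_constructed', secret: true },
  { name: 'BASE_URL', value: 'https://api.example.test', secret: false },
] }] };
```

Because AES-GCM is authenticated, a recipient holding the right key gets a decryption error rather than altered data if the stored blob has been modified.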
Nothing leaves your device. Local-only collections live in your browser's IndexedDB and are never sent anywhere. Sharing is opt-in per collection.
Yes — anyone with the link can edit (last-write-wins, no history). Treat the share link like a write-capable URL: only send it to people you'd trust to edit the collection. If a link leaks, delete the collection in your sidebar to lose access; the row will auto-prune from the server after 30 days of inactivity.
No. Requests go directly from your browser to the target URL via `fetch()`. CORS rules apply the same as any browser fetch — if the target server doesn't allow your origin, the request will fail. We never see request URLs, headers, or response bodies.
Local-only collections live in your browser's IndexedDB on the device you're using. Shared collections are also kept locally; only the encrypted blob is mirrored to our server so others can pull it. Both forms are tied to your browser, not an account — clearing site data wipes them.
Shares are pruned after 30 days without use. Every time you (or any recipient) create, update, or run a request from the shared collection, the timer resets. So an actively used share lives indefinitely; an abandoned one disappears.
Cloudflare Turnstile gates the create/update endpoints to prevent automated abuse (mass-creating shares to fill the database). It's invisible most of the time and runs no slower than a typical sign-in challenge. Running requests from a shared collection does not require a captcha.