API Testing Without Postman: Lightweight Alternatives
Postman is a solid tool, but it is also a 300MB Electron app that requires an account, pushes you toward cloud workspaces, and takes a noticeable amount of time to launch. For quick API checks during development, debugging a webhook, or testing an endpoint in CI/CD, you do not need any of that. You need something fast and lightweight.
I have been testing APIs professionally for years, and most of my daily testing happens with tools that are already on my machine or run directly in the browser. Here is how to do the same.
cURL: The Universal API Testing Tool
cURL is installed on virtually every macOS, Linux, and modern Windows system. It is the fastest way to hit an endpoint from your terminal, and it is the lingua franca of API documentation. When an API shows you how to authenticate, the example is almost always in cURL.
Basic GET Request
# Simple GET
curl https://api.example.com/users
# GET with headers
curl -H "Accept: application/json" \
-H "X-API-Key: your-key-here" \
https://api.example.com/users
# GET with query parameters
curl "https://api.example.com/users?page=2&limit=10"POST with JSON Body
# POST JSON data
curl -X POST https://api.example.com/users \
-H "Content-Type: application/json" \
-d '{"name": "Alice", "email": "[email protected]"}'
# POST from a file
curl -X POST https://api.example.com/users \
-H "Content-Type: application/json" \
-d @payload.jsonDebugging with -v
The -v (verbose) flag is your best friend when something is not working. It shows you the full request and response, including headers, TLS handshake details, and redirects.
curl -v https://api.example.com/health
# Output shows:
# > GET /health HTTP/2
# > Host: api.example.com
# > Accept: */*
# >
# < HTTP/2 200
# < content-type: application/json
# < x-request-id: abc-123
# <
# {"status": "ok"}Other useful flags: -i shows response headers only (without the TLS noise), -o /dev/null discards the body (useful with -w for timing), and -L follows redirects.
Using fetch() in Browser DevTools
Every modern browser has a JavaScript console where you can use the Fetch API directly. Open DevTools (F12), go to the Console tab, and you have a fully capable HTTP client.
// Simple GET
const res = await fetch('https://api.example.com/users');
const data = await res.json();
console.table(data);
// POST with auth
const res = await fetch('https://api.example.com/users', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': 'Bearer your-token-here'
},
body: JSON.stringify({
name: 'Bob',
email: '[email protected]'
})
});
console.log(res.status);
console.log(await res.json());The advantage of the browser console is that you can inspect responses with console.table() for arrays, expand nested objects in the console, and use the Network tab to see the full request and response details. The disadvantage is CORS, which I will cover later.
Browser-Based API Testers
For those who want the convenience of a GUI without installing anything, browser-based API testers fill the gap perfectly. The BoltQuickTools API Tester runs entirely in your browser. You set the method, URL, headers, and body, then hit send. The response shows up with syntax-highlighted JSON, status codes, timing, and response headers.
The key advantages of browser-based testers over cURL:
- Visual header management. Adding and editing headers in a form is faster than writing
-Hflags for complex requests. - Response formatting. JSON responses are automatically prettified and syntax-highlighted. No piping to
jq. - Shareable. Some testers let you share request configurations via URL. No "works on my machine" problems.
- No installation. Open a tab and start testing. Works on any device with a browser.
After getting your response, you can pipe the JSON into the JSON Formatter for deeper inspection or validate it against a schema.
Converting cURL to Code
One of the most practical workflows in API development is testing with cURL first, then converting that working command to your language of choice. This is useful when you have confirmed an endpoint works and now need to integrate it into your application.
# This cURL command...
curl -X POST https://api.stripe.com/v1/charges \
-u sk_test_abc123: \
-d amount=2000 \
-d currency=usd \
-d source=tok_visa
# ...becomes this in Python (requests):
import requests
response = requests.post(
'https://api.stripe.com/v1/charges',
auth=('sk_test_abc123', ''),
data={
'amount': 2000,
'currency': 'usd',
'source': 'tok_visa'
}
)
# ...or this in JavaScript (fetch):
const response = await fetch('https://api.stripe.com/v1/charges', {
method: 'POST',
headers: {
'Authorization': 'Basic ' + btoa('sk_test_abc123:'),
'Content-Type': 'application/x-www-form-urlencoded'
},
body: 'amount=2000¤cy=usd&source=tok_visa'
});The cURL to Code converter automates this translation. Paste in your cURL command and get working code in Python, JavaScript, Go, PHP, and other languages. It handles the nuances of auth encoding, header formatting, and body serialization that are easy to get wrong manually.
Testing Authentication
Most APIs require some form of authentication. Here are the three most common patterns and how to test each one.
API Keys
# As a header (most common)
curl -H "X-API-Key: your-key-here" \
https://api.example.com/data
# As a query parameter (less secure, avoid if possible)
curl "https://api.example.com/data?api_key=your-key-here"Bearer Tokens (OAuth 2.0 / JWT)
# Bearer token in Authorization header
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
https://api.example.com/meIf you are working with JWTs and need to inspect what is inside the token (claims, expiration, issuer), the JWT Decoder will parse it instantly without sending the token anywhere.
Basic Auth
# cURL handles Basic auth natively with -u
curl -u username:password https://api.example.com/data
# This is equivalent to:
curl -H "Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=" \
https://api.example.com/data
# (The value is base64-encoded "username:password")Reading API Responses
Status Codes
The HTTP status code is the first thing to check. Here are the ones you will encounter most:
- 200 OK: Request succeeded. Response body contains the data.
- 201 Created: Resource was created successfully. Usually returned after a POST.
- 204 No Content: Success, but no body. Common for DELETE operations.
- 400 Bad Request: Your request is malformed. Check the body format and required fields.
- 401 Unauthorized: Authentication failed. Check your API key or token.
- 403 Forbidden: Authentication succeeded but you lack permission for this resource.
- 404 Not Found: The endpoint or resource does not exist. Check the URL.
- 429 Too Many Requests: Rate limited. Check the
Retry-Afterheader. - 500 Internal Server Error: The server broke. Not your fault (probably).
Response Headers
Headers carry important metadata. Look for Content-Type to know the response format, X-RateLimit-Remaining to track your rate limit budget, X-Request-Id for debugging with the API provider, and Link headers for pagination URLs.
JSON Response Bodies
Most modern APIs return JSON. When the response is complex or deeply nested, pipe it through a formatter for readability:
# cURL piped to jq (if installed)
curl -s https://api.example.com/users | jq '.'
# Or paste the raw JSON into the BoltQuickTools JSON Formatter
# for syntax highlighting and collapsible sectionsCommon Pitfalls
CORS in the Browser
If you test an API from the browser console and get a CORS error, the API is not broken. The server simply does not include your browser's origin in its Access-Control-Allow-Origin header. This is a browser-only restriction. The same request works fine from cURL, server-side code, or a proxy. Browser-based API testers that run requests server-side can bypass this, but client-only testers will hit the same wall.
SSL Certificate Errors
# Skip SSL verification (development only, NEVER in production)
curl -k https://localhost:8443/api/health
# The proper fix: add your dev CA certificate
curl --cacert /path/to/dev-ca.crt https://localhost:8443/api/healthTimeouts
# Set connection and read timeouts
curl --connect-timeout 5 --max-time 30 \
https://api.example.com/slow-endpointBuilding a Simple Test Script
For repeatable API testing in CI/CD or local development, a simple shell script beats any GUI tool:
#!/bin/bash
# api-tests.sh
BASE_URL="https://api.example.com"
API_KEY="your-test-key"
PASS=0
FAIL=0
check() {
local name="$1"
local expected="$2"
local actual="$3"
if [ "$actual" = "$expected" ]; then
echo "PASS: $name"
((PASS++))
else
echo "FAIL: $name (expected $expected, got $actual)"
((FAIL++))
fi
}
# Test 1: Health check returns 200
status=$(curl -s -o /dev/null -w "%{http_code}" "$BASE_URL/health")
check "Health endpoint" "200" "$status"
# Test 2: Auth required returns 401
status=$(curl -s -o /dev/null -w "%{http_code}" "$BASE_URL/users")
check "Unauthed request" "401" "$status"
# Test 3: Authed request returns 200
status=$(curl -s -o /dev/null -w "%{http_code}" \
-H "X-API-Key: $API_KEY" "$BASE_URL/users")
check "Authed request" "200" "$status"
# Test 4: Create user returns 201
status=$(curl -s -o /dev/null -w "%{http_code}" \
-X POST -H "Content-Type: application/json" \
-H "X-API-Key: $API_KEY" \
-d '{"name":"Test","email":"[email protected]"}' \
"$BASE_URL/users")
check "Create user" "201" "$status"
echo ""
echo "Results: $PASS passed, $FAIL failed"
[ $FAIL -eq 0 ] && exit 0 || exit 1This script runs in seconds, works in any CI pipeline, and tests the exact same endpoints you would test manually. No desktop app needed.
The bottom line: you do not need a heavy GUI to test APIs effectively. cURL gives you full control from the terminal, browser DevTools give you a quick interactive environment, and tools like the BoltQuickTools API Tester give you a clean GUI without any installation. For converting between formats, the cURL to Code converter and JSON Formatter round out a lightweight but complete API testing workflow.