Build HTTP requests, fire them, and inspect responses. A lightweight REST client in your browser.
How to Use
Enter the webhook/API URL you want to test
Choose the HTTP method (GET, POST, PUT, PATCH, DELETE)
Add headers and a JSON body as needed
Click "Send" to fire the request
Inspect the response status, headers, and body below
Note: Requests are sent directly from your browser, so CORS restrictions apply. The
target server must allow cross-origin requests.
Headers
Body
Response
Response Headers
Response Body
What this webhook tester is (and what it is not)
This is a sender. You give it a URL, an HTTP method, headers, and a body, and it fires the
request straight from your browser and shows you the response. It is a lightweight REST client you can open in
a tab without installing anything.
It is not a receiver. If you are looking for a public URL that catches incoming webhooks from
Stripe, GitHub, Shopify, or any other service so you can inspect what they send, this is the wrong tool. For
that job, use webhook.site, RequestBin, or Hookdeck. Those services give you a temporary URL, collect requests
sent to it, and let you replay them. This tool solves the other half of the webhook problem: testing how
your own endpoint behaves when a payload arrives.
What it is good for
The scenarios where a browser-based sender is the right tool:
Testing a webhook handler you just deployed. You wrote a
/webhooks/stripe route in your app. Fire a sample payload at it and check the response, the
logs, and any downstream side effects.
Debugging an integration that is not receiving the expected payload. Replay a request with
the exact shape you think the provider is sending, and see if your endpoint matches that assumption.
Validating signature verification logic. Send a request with a known HMAC or
Stripe-Signature header to confirm your verification middleware accepts valid signatures and
rejects invalid ones.
Poking at any REST API. It is also a general HTTP client. If you need to hit a GET endpoint
to see what it returns, or POST to a JSON API while prototyping, this works the same way Postman or curl
would.
Sharing a repro case. The request you built can be copied as a curl command and dropped
into an issue or a chat message.
The CORS constraint (and how to work around it)
Because requests fire from your browser, the target server has to opt in to cross-origin requests via the
Access-Control-Allow-Origin header. This is a browser security rule, not something the tool can
bypass.
In practice, this affects you in one of three ways:
Testing your own endpoint in development: add https://www.forgelit.com (or
* during dev) to your CORS config. Most frameworks let you do this with one line of middleware.
Testing a public API that supports browser clients: services like httpbin, JSONPlaceholder,
and most modern REST APIs already allow cross-origin requests. You can use this tool as-is.
Testing a third-party API that blocks browser requests: you cannot work around this with a
browser tool, period. Use curl, Postman's desktop app, or an HTTP client library in a terminal instead. The
CORS block is the server's decision, not ours.
If you hit a CORS error, the response area will show an empty or errored response and the browser console will
explain why. The tool itself is working. The target is refusing the cross-origin connection.
Webhook anatomy, briefly
If you are newer to webhooks, the request model is the same as any HTTP API call. A webhook is just an HTTP
POST (usually) sent to a URL you control, by a service reacting to an event on their end.
The four parts of any request
URL: where the request is sent. For webhook testing, this is usually your own
/webhooks/provider route. Method: almost always POST for webhooks,
but you can test any HTTP verb here. Headers: metadata like
Content-Type: application/json, authentication, and signature values. Body: the
payload, almost always JSON.
Signature headers you will encounter
Most providers sign their webhooks so your endpoint can verify the request really came from them. The header
names vary: Stripe uses Stripe-Signature, GitHub uses X-Hub-Signature-256, Shopify
uses X-Shopify-Hmac-SHA256, and many custom integrations use a generic
X-Signature or X-Hmac. When testing locally, you can construct a valid signature
using the provider's documented algorithm and paste it into the Headers section here.
Response codes your endpoint should return
By convention, webhook receivers return 200 OK or 204 No Content when the payload
was accepted successfully. Any 2xx means "I got it, do not retry". Most providers treat 4xx as permanent
failures (bad payload, auth failed) and 5xx as temporary failures worth retrying. If your endpoint is
returning 500 on valid payloads, the provider will eventually give up. If it returns 200 on broken payloads,
you will silently lose events.
Frequently asked questions
Is this webhook tester free to use?
Yes. No signup, no limits, no ads. The tool runs entirely in your browser, so there is nothing to pay for.
Can this tool catch incoming webhooks from Stripe, GitHub, or other services?
No. This is a webhook sender and REST client, not a public catch-all URL. If you need a URL that receives
incoming webhooks from third-party services so you can inspect the payloads they send, you want a service
like webhook.site, RequestBin, or Hookdeck. This tool is for the other half of the problem: firing test
requests at your own endpoints to see how they behave.
Why am I getting CORS errors when I try to send a request?
Because the request is made from your browser, the target server has to explicitly allow cross-origin
requests via the Access-Control-Allow-Origin header. If you are testing your own endpoint, add
https://www.forgelit.com to the allowed origins in your CORS config during development. If you
are testing a third-party API that does not allow browser requests, you will need a server-side tool like
curl, Postman's desktop app, or an HTTP client library instead.
Does it support Bearer tokens, Basic auth, and API keys?
Yes, via the Headers section. Add an Authorization header with the value
Bearer YOUR_TOKEN for Bearer auth, Basic base64-encoded-credentials for Basic
auth, or any custom header name for API keys (X-API-Key, X-Auth-Token, and so on).
The headers you add are sent exactly as typed.
How is this different from Postman or Insomnia?
Postman and Insomnia are much more full-featured: collections, environments, scripting, team sharing, mock
servers, test assertions. This tool is deliberately lighter weight. It opens instantly in a browser tab, has
zero setup, and does not require an account. Think of it as the tool you reach for when you need to fire one
request right now, not when you are managing a whole API workspace.
Are my requests or responses logged anywhere?
No. Requests go directly from your browser to the target URL you enter. Nothing is proxied through Forgelit,
and no payload data is sent to any Forgelit server. We cannot see what you send or receive.
Privacy
Requests go directly from your browser to the target URL. Nothing is proxied or logged by Forgelit.