REST API Cheat Sheet

HTTP methods, status codes, headers, authentication, curl examples. The complete reference for API developers.

Quick Navigation

HTTP Methods

The nine standard HTTP methods define the action to perform on a resource.

MethodPurposeRequest BodyIdempotentSafe
GETRetrieve a resource or collectionNoYesYes
POSTCreate a new resourceYesNoNo
PUTReplace a resource entirelyYesYesNo
PATCHPartially update a resourceYesNo*No
DELETERemove a resourceOptionalYesNo
HEADSame as GET but no response bodyNoYesYes
OPTIONSDescribe communication optionsNoYesYes
Idempotent means making the same request multiple times produces the same result. *PATCH can be idempotent depending on implementation.

When to use PUT vs PATCH

PUT replaces the entire resource. Every field must be included. If a field is omitted, it is set to null or its default.

PATCH updates only the specified fields. Fields not included in the request body remain unchanged.

# PUT - replaces the entire user resource curl -X PUT https://api.example.com/users/42 \ -H "Content-Type: application/json" \ -d '{"name":"Jane","email":"[email protected]","role":"admin"}' # PATCH - updates only the role field curl -X PATCH https://api.example.com/users/42 \ -H "Content-Type: application/json" \ -d '{"role":"admin"}'

HTTP Status Codes (Most Common)

For a complete list of all codes, see our HTTP Status Codes Reference.

2xx Success

200OK. Request succeeded. Standard response for GET. 201Created. Resource was created. Return in response to POST. 204No Content. Success, but no body returned. Common for DELETE.

3xx Redirection

301Moved Permanently. Resource has a new permanent URL. 302Found. Temporary redirect. Method may change to GET. 304Not Modified. Cached version is still valid.

4xx Client Errors

400Bad Request. Malformed syntax or invalid parameters. 401Unauthorized. Authentication required or credentials invalid. 403Forbidden. Authenticated but not authorized for this resource. 404Not Found. Resource does not exist. 405Method Not Allowed. HTTP method not supported for this endpoint. 409Conflict. Request conflicts with current state (e.g., duplicate). 422Unprocessable Entity. Valid syntax but semantically incorrect. 429Too Many Requests. Rate limit exceeded. Check Retry-After header.

5xx Server Errors

500Internal Server Error. Generic server failure. 502Bad Gateway. Upstream server returned invalid response. 503Service Unavailable. Server is overloaded or under maintenance. 504Gateway Timeout. Upstream server did not respond in time.

Common HTTP Headers

Request Headers

HeaderPurposeExample
Content-TypeFormat of the request bodyapplication/json
AcceptExpected response formatapplication/json
AuthorizationAuthentication credentialsBearer eyJhbG...
User-AgentClient identifierMyApp/1.0
Cache-ControlCaching directivesno-cache
If-None-MatchConditional request (ETag)"abc123"
X-Request-IDTrace ID for debugginguuid-value

Response Headers

HeaderPurposeExample
Content-TypeFormat of response bodyapplication/json; charset=utf-8
LocationURL of created resource/users/42
ETagVersion identifier for caching"abc123"
Retry-AfterSeconds to wait after 429/50360
X-RateLimit-LimitMax requests per window1000
X-RateLimit-RemainingRequests left in window847
LinkPagination links</users?page=2>; rel="next"

CORS Headers

HeaderPurpose
Access-Control-Allow-OriginWhich origins can access the API
Access-Control-Allow-MethodsAllowed HTTP methods for CORS
Access-Control-Allow-HeadersAllowed request headers for CORS
Access-Control-Max-AgeHow long preflight results can be cached (seconds)

Authentication Patterns

API Key (Header)

curl https://api.example.com/data \ -H "X-API-Key: your_api_key_here"

API Key (Query Parameter)

curl "https://api.example.com/data?api_key=your_api_key_here"
Security note: Query parameter API keys appear in server logs and browser history. Prefer header-based authentication when possible.

Bearer Token (JWT / OAuth2)

curl https://api.example.com/data \ -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."

Basic Auth

# Using -u flag (curl encodes to Base64 automatically) curl -u username:password https://api.example.com/data # Manual header (Base64 of "username:password") curl https://api.example.com/data \ -H "Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ="

OAuth 2.0 Client Credentials Flow

# Step 1: Get access token curl -X POST https://auth.example.com/oauth/token \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "grant_type=client_credentials&client_id=YOUR_ID&client_secret=YOUR_SECRET" # Step 2: Use the token curl https://api.example.com/data \ -H "Authorization: Bearer ACCESS_TOKEN_FROM_STEP_1"

Curl Examples

GET request

curl https://api.example.com/users

GET with query parameters

curl "https://api.example.com/users?page=2&limit=25&sort=created_at"

GET with headers

curl https://api.example.com/users \ -H "Accept: application/json" \ -H "Authorization: Bearer YOUR_TOKEN"

POST with JSON body

curl -X POST https://api.example.com/users \ -H "Content-Type: application/json" \ -d '{"name":"Jane Doe","email":"[email protected]"}'

POST with form data

curl -X POST https://api.example.com/login \ -d "username=jane&password=secret123"

PUT (full update)

curl -X PUT https://api.example.com/users/42 \ -H "Content-Type: application/json" \ -d '{"name":"Jane Doe","email":"[email protected]","role":"admin"}'

PATCH (partial update)

curl -X PATCH https://api.example.com/users/42 \ -H "Content-Type: application/json" \ -d '{"role":"admin"}'

DELETE

curl -X DELETE https://api.example.com/users/42 \ -H "Authorization: Bearer YOUR_TOKEN"

File upload

curl -X POST https://api.example.com/upload \ -F "file=@/path/to/document.pdf" \ -F "description=Quarterly report"

Verbose output (debugging)

# -v shows request/response headers curl -v https://api.example.com/users # -i includes response headers in output curl -i https://api.example.com/users # Save response to file curl -o response.json https://api.example.com/users # Follow redirects curl -L https://api.example.com/old-endpoint # Set timeout (seconds) curl --max-time 10 https://api.example.com/slow-endpoint

Useful curl flags

FlagPurpose
-X METHODSet HTTP method
-H "Header: Value"Add request header
-d 'data'Send request body (sets POST by default)
-F "field=value"Send multipart form data
-u user:passBasic authentication
-vVerbose output (debug)
-iInclude response headers
-o fileWrite output to file
-LFollow redirects
-sSilent mode (no progress bar)
-kSkip SSL verification (dev only)
--max-time NTimeout in seconds
-w "%{http_code}"Print HTTP status code

Request Body Formats

JSON (most common)

Content-Type: application/json { "name": "Jane Doe", "email": "[email protected]", "tags": ["admin", "active"], "address": { "city": "Portland", "state": "OR" } }

Form URL-encoded

Content-Type: application/x-www-form-urlencoded name=Jane+Doe&email=jane%40example.com&role=admin

Multipart Form Data (file uploads)

Content-Type: multipart/form-data; boundary=----FormBoundary ------FormBoundary Content-Disposition: form-data; name="file"; filename="photo.jpg" Content-Type: image/jpeg (binary data) ------FormBoundary--

Error Response Patterns

Standard error format

{ "error": { "code": "validation_error", "message": "Invalid email format", "details": [ { "field": "email", "message": "Must be a valid email address", "value": "not-an-email" } ] } }

RFC 7807 Problem Details

{ "type": "https://api.example.com/errors/validation", "title": "Validation Error", "status": 422, "detail": "The 'email' field must be a valid email address", "instance": "/users/42" }
Best practice: Always return consistent error formats. Include a machine-readable error code, a human-readable message, and enough detail for the client to fix the problem.

API Versioning

URL path versioning (most common)

GET https://api.example.com/v1/users GET https://api.example.com/v2/users

Header versioning

curl https://api.example.com/users \ -H "Accept: application/vnd.example.v2+json"

Query parameter versioning

GET https://api.example.com/users?version=2

REST API Best Practices

DoDon't
Use nouns for resources: /users/getUsers or /createUser
Use plural nouns: /users/42/user/42
Use HTTP methods for actionsPut verbs in URLs
Return 201 + Location header on createReturn 200 for everything
Use 204 for successful DELETEReturn the deleted resource
Nest sub-resources: /users/42/postsDeeply nest beyond 2 levels
Use kebab-case in URLs: /user-profilescamelCase or snake_case in URLs
Filter via query params: ?status=activeCreate separate endpoints per filter
Include rate limit headersRate limit without informing clients
Version your API from day oneMake breaking changes without versioning

URL structure examples

# Resource collections GET /users # List users POST /users # Create user GET /users/42 # Get user 42 PUT /users/42 # Replace user 42 PATCH /users/42 # Update user 42 DELETE /users/42 # Delete user 42 # Sub-resources GET /users/42/posts # List posts by user 42 POST /users/42/posts # Create post for user 42 # Filtering, sorting, pagination GET /users?role=admin&sort=-created_at&page=2&limit=25

Test Your APIs with ToolPipe

Use our webhook tester, JWT decoder, and JSON formatter to build and debug APIs faster.

Try Webhook Tester

Related Tools

JSON FormatterFormat and validate JSON JWT DecoderDecode and inspect tokens HTTP Status CodesComplete status code list Webhook TesterTest API webhooks URL EncoderEncode query parameters Base64 EncoderEncode/decode Base64 Hash GeneratorMD5, SHA-256, SHA-512 UUID GeneratorGenerate unique IDs
Back to ToolPipe
Get a free API key for 100+ developer endpoints:
Pro plans
ToolPipe JSON Formatter CSS Minifier JS Minifier UUID Generator Regex Tester JWT Decoder Password Generator Hash Generator Base64 JSON to YAML QR Generator Merge PDF Image to Base64 Color Picker My IP XML Formatter YAML Validator CSV to JSON Diff Checker SQL Formatter Free API Key Pro Plans Quick Start
130+ free developer tools by ToolPipe. No signup, no tracking. Support us