Is API Tester Safe?
For cross-origin testing, REST and GraphQL HTTP (JSON) requests go through a same-origin relay on DevToolSets: your browser posts the method, URL, headers, and body to this site; the app server performs the outbound request and returns the status, headers, and body to your browser. Only use tokens you are willing to route through this service.
Browser-only traffic
SSE and WebSocket subscriptions connect from your browser directly to the URL you enter (no relay). Multipart file uploads (REST Files tab or GraphQL file fields) also use the browser's fetch() API so files never pass through the JSON relay.
HTTP relay
JSON/raw REST and GraphQL requests and schema introspection use the relay so CORS on the target API does not block reading the response. Request/response data is handled in memory like any HTTP handler (not stored in a database by this tool); hosting and network policies still apply.
The relay blocks obvious SSRF targets (for example private IPs and link-local addresses). Both http and https URLs are allowed; prefer https when the API supports it. Operators can disable the relay entirely with the DEVTOOLSETS_API_TESTER_RELAY_DISABLED environment variable.
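To make the SSRF-blocking step concrete, here is an added example of the kind of target check a same-origin relay can run on the user-supplied URL before performing the outbound request. It is not DevToolSets' own code, and the resolve hook is a hypothetical stand-in for DNS so the check can be exercised offline; the denied ranges (private, loopback, link-local, multicast, reserved, unspecified, IPv4-mapped IPv6) generalise slightly beyond the private and link-local examples the page names.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example, not DevToolSets' code: a deny-list check a same-origin relay
# can apply to the URL the browser asked it to fetch. `resolve` is a
# hypothetical resolver hook (host -> list of IP strings) so the check runs
# offline; a real relay would use DNS and should connect to the address it
# checked, so a host cannot pass the check and then resolve elsewhere at
# connect time (DNS rebinding). Redirect targets need the same check.

ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_ip(ip_str):
    """True for addresses a relay should never fetch: private, loopback,
    link-local, multicast, reserved or unspecified ranges (IPv4 and IPv6)."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply to it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def relay_target_check(url, resolve):
    """Return (allowed, reason) for a URL submitted to the relay."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # lowercased; brackets stripped for IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is blocked"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, no DNS needed
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, f"host did not resolve: {host}"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample resolver: a fixed table standing in for DNS.
    table = {"api.example.com": ["93.184.216.34"],
             "intranet.example": ["10.0.0.5"]}
    fake_resolve = lambda h: table.get(h, [])
    for u in ["https://api.example.com/v1/users",
              "https://intranet.example/admin",
              "http://169.254.1.1/",
              "http://[::ffff:127.0.0.1]/",
              "ftp://api.example.com/"]:
        print(u, "->", relay_target_check(u, fake_resolve))
```

The check is applied to the resolved addresses, not just the hostname, because a public-looking name can resolve to an internal address; rejecting embedded credentials keeps a tester's tokens in the headers the relay forwards rather than in a URL that may end up in proxy or hosting logs.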
No Data Storage
Request history is saved locally in your browser's IndexedDB (only the first 2KB of each response body is kept). The tool does not add a separate server-side log of relayed URLs for analytics in this codebase; treat the hosting and network path like any other HTTPS site.
CORS
JSON HTTP traffic avoids browser CORS read restrictions because the browser only talks to DevToolSets; the server fetches the third-party URL. File-upload requests still follow normal browser CORS rules.
Best Practices
- Use test/development API keys rather than production keys when possible
- Clear your history after testing with sensitive tokens
- Be aware that request history stores the first 2KB of response bodies
- Assume relayed JSON requests may be visible to DevToolSets hosting like any HTTPS backend