Debug a Failing API Request

Convert the failing cURL command to readable code

Paste the failing cURL command into the Curl to Code Converter and select your language (Python, JavaScript/Node, Go, Ruby, PHP). Viewing the request as code immediately surfaces issues that are invisible in a raw cURL string: URL encoding problems in query parameters that look correct in the terminal but fail when parsed, headers split across multiple lines that combine incorrectly, JSON request bodies where escaped quotes mask syntax errors, and base64-encoded credentials in Authorization headers that look valid but were generated incorrectly. The code view also shows the exact headers being sent, which matters when debugging authentication — Bearer tokens, API keys in headers, and Basic Auth are all immediately readable.

Tip: Copy the cURL from your browser's Network tab (right-click a request → Copy → Copy as cURL) to get the exact headers and body the browser is sending, including cookies.

Format and validate the JSON request body

Paste the request body from your cURL command into the JSON Formatter & Validator. A surprising number of API failures are caused by malformed request JSON: a missing closing brace from a concatenated template string, a trailing comma that's valid in JavaScript but invalid in JSON, a numeric value that was serialised as a string ('42' vs 42), or a null value sent as the string 'null'. The formatter will immediately highlight any syntax error with the line number. After fixing syntax, visually inspect the structure: are required fields present? Are nested objects at the correct depth? Are array items the right type? Are field names spelled correctly (camelCase vs snake_case — the API's convention, not yours)? This step alone resolves 20–30% of mysterious 400 Bad Request errors.

Tip: Compare your request body structure against the API's sample request in its documentation. JSON Formatter makes this side-by-side comparison easy — open two tabs with the formatter.

Decode and inspect your JWT for expiry, audience, and algorithm issues

Most 401 Unauthorized errors come from JWT problems. Paste your Authorization Bearer token into the JWT Decoder to see the full decoded header, payload, and signature without needing a secret key. Check: (a) exp (expiry) — is the timestamp in the past? JWT expiry is a Unix timestamp; a value of 1700000000 expired in November 2023. (b) iss (issuer) — does it match what the API expects? (c) aud (audience) — some APIs reject tokens issued for a different audience even if the signature is valid. (d) alg (algorithm) in the header — beware of tokens with alg: 'none' (a well-known vulnerability), and RS256 tokens being sent to endpoints expecting HS256. (e) Scope or permissions claims — the token may be valid but missing the required scope for this specific endpoint.

Tip: JWT signatures can be verified without the private key if you have the public key — paste both into the decoder. Without the key, you can still read all claims and diagnose most auth failures.

Parse rate limit response headers to diagnose throttling

If your requests are failing intermittently with 429 Too Many Requests, or succeeding but slower than expected, paste the response headers from a failed request into the Rate Limit Header Parser. Standard rate limit headers include: X-RateLimit-Limit (max requests per window), X-RateLimit-Remaining (requests left in current window), X-RateLimit-Reset (Unix timestamp when the window resets), Retry-After (seconds to wait before retrying — set on 429 responses), and RateLimit-Policy (RFC 6585 format). Different APIs use different header names: GitHub uses X-RateLimit-*, Stripe uses Rate-Limit-Remaining, and some APIs use the standard Retry-After only on 429s. The parser normalises these into readable values so you know exactly when your quota resets and how much headroom you have.

Tip: In production code, always read and respect Retry-After headers before retrying — exponential backoff without checking Retry-After often means you're still retrying too fast.

Document the corrected endpoint for your team

Once the request is working, use the REST Endpoint Documenter to produce a clean, shareable record of the correct endpoint: URL, HTTP method, required headers (with example values, not real credentials), request body schema with field descriptions and types, successful response structure, and error codes with their meanings. This documentation serves two purposes: (a) immediate — sharing the working request with teammates who hit the same issue, (b) long-term — building an internal API reference so the same debugging session doesn't need to happen again in 6 months. The documenter exports in Markdown or OpenAPI format, which can be committed to your repository alongside the integration code.

Tip: Document the error states alongside the success state — note which response body field indicates the specific error, which status code maps to which problem, and how authentication failures differ from authorisation failures in the response.