Requests
Build, send, and test API requests with full support for all HTTP methods, authentication, headers, and request bodies.
Requests are the core of API testing in RESTK. Each request lets you configure the HTTP method, URL, parameters, headers, body, authentication, and scripts.
Quick Start
Create a Request
Right-click a folder or collection and select New Request.
Configure the Request
Enter the URL, select the HTTP method (GET, POST, etc.), and add any needed parameters or headers.
Send the Request
Click Send or press Cmd+Enter to execute the request and see the response.
HTTP Methods
Select the appropriate method for your API endpoint. Each method has a distinct color in the UI for quick identification.
| Method | Color | Use Case | Has Body |
|---|---|---|---|
| GET | Green | Retrieve data | No |
| POST | Orange | Create new resource | Yes |
| PUT | Blue | Replace entire resource | Yes |
| PATCH | Purple | Update part of resource | Yes |
| DELETE | Red | Remove resource | Optional |
| HEAD | Cyan | Get headers only | No |
| OPTIONS | Gray | Check allowed methods | No |
URL and Parameters
Entering the URL
Type or paste the complete URL in the URL field:
https://api.example.com/v1/users
Using Variables
Reference variables with double curly braces:
{{baseUrl}}/v1/users/{{userId}}
As you type {{, an autocomplete dropdown shows available variables from all scopes.
Query Parameters
Open Parameters Tab
Click the Parameters tab below the URL bar.
Add Parameters
Click Add Parameter and enter:
- Key: Parameter name (e.g., "page", "limit")
- Value: Parameter value (supports variables)
Enable/Disable
Use the checkbox to include or exclude parameters without deleting them.
Example:
| Enabled | Key | Value |
|---|---|---|
| ✓ | page | 1 |
| ✓ | limit | 10 |
| ✗ | debug | true |
Sends: ?page=1&limit=10 (debug is disabled)
Bidirectional Sync
Parameters and the URL stay in sync — edit either one and the other updates automatically. Variable placeholders like {{baseUrl}} are preserved.
Authentication
Requests can inherit authentication from their parent folder or collection, or define their own.
Inherit from Parent
By default, requests use Inherit, which walks up the full hierarchy:
- Request → Folder → Parent Folders → Collection
- The first level with explicit auth is used
- RESTK shows the source of the active auth
Override Authentication
Open Auth Tab
Navigate to the Auth tab.
Select Auth Type
Choose from Bearer Token, Basic Auth, API Key, JWT, OAuth 2.0, OAuth 1.0, Digest, AWS Signature V4, Hawk, NTLM, or None.
Enter Credentials
Fill in the required fields.
Test
Send the request to verify authentication works.
Auth Types
| Type | Description |
|---|---|
| Bearer Token | Sends Authorization: Bearer <token> header |
| Basic Auth | Sends Base64-encoded username:password |
| API Key | Sends a key as a header or query parameter |
| JWT | Generates HMAC-signed tokens (HS256, HS384, HS512) |
| OAuth 2.0 | Authorization Code, Client Credentials, and other OAuth 2.0 grant types |
| OAuth 1.0 | HMAC-SHA1 signed OAuth 1.0a requests |
| Digest | HTTP Digest authentication |
| AWS Signature V4 | Signs requests for AWS APIs |
| Hawk | Hawk HTTP authentication |
| NTLM | Windows NTLM authentication |
| None | Explicitly send no credentials, even if the parent has auth configured |
Credential Storage
Auth credentials are stored securely on your device using the macOS Keychain.
Headers
Add custom HTTP headers to your request.
Adding Headers
Open Headers Tab
Click the Headers tab.
Add Header
Click Add Header and enter:
- Key: Header name
- Value: Header value (supports variables)
Enable/Disable
Toggle headers on/off without deleting them.
Common Headers
Content-Type
Content-Type: application/json
Accept
Accept: application/json
Custom Headers
X-Request-ID: {{requestId}}
X-Client-Version: 1.0.0
Auto-Generated Headers
Some headers are added automatically based on body type (Content-Type) or authentication (Authorization).
Request Body
Configure the request body for POST, PUT, PATCH, and other requests that support a body.
Body Types
RESTK supports six body types:
None
- No request body
- Default for GET, HEAD, and OPTIONS
Raw
- Text-based body with a sub-format picker: JSON, XML, HTML, JavaScript, or Plain Text
- JSON includes syntax highlighting, validation, and a format/prettify shortcut (
Option+Shift+F) - Auto-sets the appropriate Content-Type header based on the selected sub-format
{
"name": "John Doe",
"email": "[email protected]",
"age": {{userAge}}
}
Form Data
- For file uploads and multipart form submissions
- Content-Type: multipart/form-data
| Key | Type | Value |
|---|---|---|
| name | Text | John |
| avatar | File | profile.jpg |
URL Encoded
- For traditional form submissions
- Content-Type: application/x-www-form-urlencoded
| Key | Value |
|---|---|
| username | john |
| password | {{userPassword}} |
Binary
- Upload a raw binary file as the request body
- Useful for file upload APIs, image processing endpoints, and binary protocols
GraphQL
- Dedicated GraphQL body type with query and variables fields
- Separate input areas for the GraphQL query and variables JSON
query GetUser($id: ID!) {
user(id: $id) {
name
email
posts {
title
}
}
}
Variables in Body
All body types support variable substitution using {{variable}} syntax.
Scripts
Automate workflows and run tests with JavaScript scripts.
Pre-request Scripts
Run code before the request is sent.
Common uses:
- Generate timestamps
- Calculate signatures
- Set dynamic headers
- Modify request data
// Generate timestamp
nova.variable.set("timestamp", Date.now().toString());
// Create custom header value
const signature = calculateSignature();
nova.request.setHeader("X-Signature", signature);
Post-response Scripts
Run code after receiving the response.
Common uses:
- Test response data
- Extract values for later use
- Validate status codes
- Process response data
// Test the response
nova.test("Status is 200", function() {
nova.expect(nova.response.status).toBe(200);
});
nova.test("Response has user ID", function() {
const data = nova.response.json();
nova.expect(data).toHaveProperty("id");
// Save for next request
nova.variable.set("userId", data.id);
});
Script Execution Order
When you send a request, scripts run in this order:
- Collection pre-request
- Folder pre-request (if in folder)
- Request pre-request
- HTTP request is sent
- Request post-response
- Folder post-response (if in folder)
- Collection post-response
Skipping Parent Scripts
Check Skip Parent Scripts to run only the request's scripts, ignoring collection and folder scripts.
Request Variables
Define variables scoped to a single request.
Open Variables Tab
Navigate to the Variables tab.
Add Variable
Create request-specific variables.
Use in Request
Reference with {{variableName}}.
Variable Priority
Request variables have the highest priority:
- Request variables (highest)
- Folder variables
- Parent folder variables (if nested)
- Collection variables
- Environment variables (lowest)
Sending Requests
Send and View Response
Configure Request
Set up URL, method, headers, body, and auth.
Click Send
Click the Send button or press Cmd+Enter.
View Response
Response panel shows:
- Status code and message
- Response time
- Response size
- Headers and body
Run Tests
Post-response scripts run automatically, showing test results.
Cancel Request
If a request is taking too long, click Cancel to stop it.
Timeout
Requests timeout based on:
- Request-specific timeout (if set in the Settings tab)
- Collection timeout setting
- Default timeout (30 seconds)
Managing Requests
Renaming
- Double-click the request name in the sidebar
- Edit the name inline
- Press Enter to confirm
Duplicating
- Right-click the request
- Select Duplicate
- A copy is created with " Copy" suffix
Moving
Drag and drop requests between folders:
- Drag onto a folder to move inside
- Drag to reorder within the same folder
Deleting
- Right-click the request
- Select Delete
- Confirm deletion
Deletion is Permanent
Deleted requests cannot be recovered. Make sure you have backups or exports if needed.
Copy as cURL
- Right-click the request
- Select Copy as cURL
- Paste in terminal to execute
Permissions
Request editing is governed by workspace roles:
| Role | View | Edit | Export | Manage Members | Delete Workspace |
|---|---|---|---|---|---|
| Viewer | Yes | — | — | — | — |
| Editor | Yes | Yes | Yes | — | — |
| Manager | Yes | Yes | Yes | Yes | — |
| Owner | Yes | Yes | Yes | Yes | Yes |
Manager Role
Managers can handle day-to-day administration — managing members, importing, and exporting — without having the ability to delete the workspace.
Tips
- Use variables everywhere: Avoid hardcoding values in URLs, headers, and bodies
- Test with scripts: Add post-response tests to validate API behavior
- Changes save automatically: Your edits are committed as you make them
- Organize with folders: Group related endpoints together
- Name descriptively: "Get User by ID" is clearer than "User Request 1"
- Extract response data: Use scripts to save IDs, tokens, and other values for subsequent requests