Web API Testing

Base URL for Postman: · Docs: OpenAPI (Swagger)

API credentials

Production (PostgreSQL configured): paste the key and secret once, then click Sign in (httpOnly cookie). The browser stores an opaque session cookie — not the secret in sessionStorage. Use Sign out to clear it.

No database (local dev): click Save (headers only) — credentials stay in sessionStorage for this tab only.

Postman: always send X-API-Key and X-API-Secret. After rotation, update both from the JSON response.

Rotate: GET /api/credentials/rotate or GET /api/health?exchange=true returns a new pair; previous headers and browser sessions stop working.

Traffic

Total requests recorded

Server

Uptime (seconds)

Quick test routes

  • GET /api/health · GET /api/health?exchange=true (returns new key pair)
  • GET /api/credentials/rotate (new key pair)
  • POST /api/echo JSON body {"message":"hi"}
  • GET /api/items/42?detail=true
  • POST /api/items any JSON
  • DELETE /api/items/1
  • GET /api/slow?delay_ms=800

Analytics — methods & status codes

By HTTP method

        

        

          
By status code

          

        

      

    


    

      
Analytics — top paths

      

    


    

      
Analytics — recent requests

      

        

          
            

              Time
              Method
              Path
              Query
              Status
              ms
              Client