curl Cheat Sheet: API Testing, Auth & File Uploads

# Check if an API is up and what it returns
curl -s https://api.example.com/health | jq

# GET with auth, pretty-print JSON response
curl -s \
  -H "Authorization: Bearer $TOKEN" \
  https://api.example.com/users \
  | jq '.data[] | {id, name, email}'

# POST JSON and pretty-print response
curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"name": "Alice", "role": "admin"}' \
  https://api.example.com/users \
  | jq

# See only the status code (useful in scripts)
STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://api.example.com/health)
echo "Status: $STATUS"
[ "$STATUS" = "200" ] && echo "OK" || echo "FAIL"

curl -w "
    time_namelookup:  %{time_namelookup}s
       time_connect:  %{time_connect}s
    time_appconnect:  %{time_appconnect}s
   time_pretransfer:  %{time_pretransfer}s
      time_redirect:  %{time_redirect}s
 time_starttransfer:  %{time_starttransfer}s
                    ----------
         time_total:  %{time_total}s
" -s -o /dev/null https://api.example.com

# What each means:
# time_namelookup   → DNS resolution
# time_connect      → TCP connection
# time_appconnect   → TLS handshake
# time_pretransfer  → headers sent
# time_starttransfer → first byte received (TTFB)
# time_total        → everything done

# Download with progress bar + resume support
curl -L -C - -o large_file.zip https://example.com/large_file.zip

# Download multiple files
curl -O https://example.com/file1.zip \
     -O https://example.com/file2.zip

# Download only if file has changed (conditional GET)
curl -z existing_file.zip -O https://example.com/file.zip

# Parallel downloads (with GNU parallel)
cat urls.txt | parallel curl -O {}

# Download and extract immediately (no temp file)
curl -s https://example.com/archive.tar.gz | tar xzf -

# Simulate a webhook POST to your local server
curl -X POST http://localhost:3000/webhook \
  -H "Content-Type: application/json" \
  -H "X-Webhook-Secret: mysecret" \
  -d '{"event": "user.created", "data": {"id": 42, "name": "Alice"}}'

# Simulate GitHub webhook
curl -X POST http://localhost:3000/github-webhook \
  -H "Content-Type: application/json" \
  -H "X-GitHub-Event: push" \
  -H "X-Hub-Signature-256: sha256=..." \
  -d @github_push_payload.json

# Get your public IP
curl -s ifconfig.me

# Check HTTP headers of any site
curl -sI https://example.com

# Follow all redirects, show final URL
curl -sIL https://t.co/shortlink | grep -i "location" | tail -1

# Download and run an install script (inspect first!)
curl -sL https://get.example.com/install.sh | bash

# Test CORS headers
curl -sI -X OPTIONS \
  -H "Origin: https://myapp.com" \
  -H "Access-Control-Request-Method: POST" \
  https://api.example.com/users

# Check SSL certificate expiry
curl -sI https://example.com 2>&1 | grep -i "expire"

# Or more directly:
echo | openssl s_client -connect example.com:443 2>/dev/null \
  | openssl x509 -noout -dates

# POST to an API and extract a field from the JSON response
TOKEN=$(curl -s -X POST \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"secret"}' \
  https://api.example.com/auth \
  | jq -r '.token')

echo "Got token: $TOKEN"

#!/bin/bash
set -e

API_BASE="https://api.example.com"
TOKEN="$API_TOKEN"  # from environment

# Helper function
api_call() {
  local method=$1
  local path=$2
  local data=${3:-""}

  if [ -n "$data" ]; then
    curl -sf -X "$method" \
      -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type: application/json" \
      -d "$data" \
      "$API_BASE$path"
  else
    curl -sf -X "$method" \
      -H "Authorization: Bearer $TOKEN" \
      "$API_BASE$path"
  fi
}

# Use the helper
USERS=$(api_call GET /users)
echo "$USERS" | jq '.[].email'

api_call POST /users '{"name":"Bob","email":"[email protected]"}'
api_call DELETE /users/42