← Back to Blog
Developer Tools March 20, 2026 10 min read

The Ultimate curl Cheat Sheet for Developers (2026)

curl is the Swiss Army knife of HTTP. Whether you are testing APIs, debugging headers, uploading files, or automating workflows, this cheat sheet covers every command you will need with copy-paste examples.

Basic Requests

Simple GET Request

The simplest curl command fetches a URL and prints the response to stdout:

curl https://api.example.com/users

POST Request with Form Data

Send URL-encoded form data with -d. curl automatically sets the method to POST and the Content-Type to application/x-www-form-urlencoded:

curl -d "username=admin&password=secret" https://api.example.com/login

POST Request with JSON

For JSON APIs, set the Content-Type header explicitly:

curl -X POST https://api.example.com/users \
  -H "Content-Type: application/json" \
  -d '{"name": "Alice", "email": "alice@example.com"}'

PUT, PATCH, and DELETE

Use -X to specify any HTTP method:

# PUT - replace a resource
curl -X PUT https://api.example.com/users/42 \
  -H "Content-Type: application/json" \
  -d '{"name": "Alice Updated"}'

# PATCH - partial update
curl -X PATCH https://api.example.com/users/42 \
  -H "Content-Type: application/json" \
  -d '{"email": "newemail@example.com"}'

# DELETE
curl -X DELETE https://api.example.com/users/42

Headers

Setting Custom Headers

Use -H to add any header. You can repeat it for multiple headers:

curl -H "Authorization: Bearer eyJhbGci..." \
     -H "Accept: application/json" \
     -H "X-Request-ID: abc-123" \
     https://api.example.com/protected

Viewing Response Headers

Use -i to include response headers in the output, or -I to fetch headers only (HEAD request):

# Show headers + body
curl -i https://example.com

# Headers only (HEAD request)
curl -I https://example.com

# Show response headers, write body to file
curl -D headers.txt -o body.json https://api.example.com/data

Authentication

Basic Auth

curl -u username:password https://api.example.com/secure

Bearer Token

curl -H "Authorization: Bearer YOUR_TOKEN_HERE" \
     https://api.example.com/protected

API Key in Header

curl -H "X-API-Key: your-api-key" https://api.example.com/data

Digest Auth

curl --digest -u username:password https://api.example.com/secure

Cookies

Sending Cookies

# Send a cookie
curl -b "session=abc123; lang=en" https://example.com

# Load cookies from a file (Netscape format)
curl -b cookies.txt https://example.com

Saving Cookies

# Save cookies from response to file
curl -c cookies.txt https://example.com/login -d "user=admin&pass=secret"

# Save and reuse cookies across requests
curl -c cookies.txt -b cookies.txt https://example.com/dashboard

File Upload and Download

Upload a File (multipart/form-data)

curl -F "file=@/path/to/document.pdf" \
     -F "description=Quarterly report" \
     https://api.example.com/upload

Upload Raw File Content

curl -X PUT --data-binary @image.png \
     -H "Content-Type: image/png" \
     https://api.example.com/images/42

Download a File

# Save to specific filename
curl -o output.zip https://example.com/file.zip

# Save using the remote filename
curl -O https://example.com/file.zip

# Resume a broken download
curl -C - -O https://example.com/large-file.iso

Following Redirects

By default, curl does not follow redirects. Use -L to follow them:

# Follow redirects (301, 302, etc.)
curl -L https://example.com/old-page

# Follow redirects with a maximum limit
curl -L --max-redirs 5 https://example.com/old-page

# Show redirect chain
curl -L -v https://bit.ly/some-link 2>&1 | grep "^< Location"

SSL/TLS

Skip Certificate Verification

Useful for testing against self-signed certificates (never use in production scripts):

curl -k https://self-signed.example.com

Specify a CA Bundle or Client Certificate

# Custom CA bundle
curl --cacert /path/to/ca-bundle.crt https://internal.example.com

# Client certificate authentication (mTLS)
curl --cert client.pem --key client-key.pem https://mtls.example.com

# Show SSL certificate details
curl -vI https://example.com 2>&1 | grep -A6 "Server certificate"

Verbose and Debug Mode

Verbose Output

The -v flag shows the full request and response, including TLS handshake, headers sent/received, and more:

curl -v https://api.example.com/health

Trace Full Request/Response Bytes

# Full hex + ASCII trace
curl --trace trace.log https://api.example.com/health

# ASCII-only trace
curl --trace-ascii trace.log https://api.example.com/health

Silent Mode

Suppress progress meters and error messages (useful in scripts):

curl -s https://api.example.com/data | jq .

Timing and Performance

Measure Request Timing

Use -w (write-out) with format variables to measure DNS, connection, TLS, and total times:

curl -o /dev/null -s -w "\
  DNS:        %{time_namelookup}s\n\
  Connect:    %{time_connect}s\n\
  TLS:        %{time_appconnect}s\n\
  TTFB:       %{time_starttransfer}s\n\
  Total:      %{time_total}s\n\
  Status:     %{http_code}\n\
  Size:       %{size_download} bytes\n" \
  https://example.com

Set Timeouts

# Connection timeout (seconds)
curl --connect-timeout 5 https://slow-server.example.com

# Maximum total time
curl --max-time 30 https://api.example.com/large-report

# Both together
curl --connect-timeout 5 --max-time 30 https://api.example.com/data

Saving Output

# Save response body to file
curl -o response.json https://api.example.com/data

# Save response with headers
curl -i https://api.example.com/data > full-response.txt

# Append to file
curl -s https://api.example.com/logs >> all-logs.txt

# Write to file and stdout simultaneously
curl https://api.example.com/data | tee response.json

Proxy

# HTTP proxy
curl -x http://proxy.example.com:8080 https://api.example.com/data

# SOCKS5 proxy
curl --socks5 127.0.0.1:9050 https://api.example.com/data

# Proxy with authentication
curl -x http://user:pass@proxy.example.com:8080 https://api.example.com/data

# Ignore proxy for specific hosts
curl --noproxy "localhost,127.0.0.1,.internal" \
     -x http://proxy.example.com:8080 https://api.example.com/data

Rate Limiting and Bandwidth

# Limit download speed (bytes per second)
curl --limit-rate 100K https://example.com/large-file.zip -o file.zip

# Limit upload speed
curl --limit-rate 50K -T big-file.tar.gz https://example.com/upload

# Retry on failure
curl --retry 3 --retry-delay 2 https://flaky-api.example.com/data

Sending Data from Files

# POST JSON from a file
curl -X POST https://api.example.com/users \
  -H "Content-Type: application/json" \
  -d @payload.json

# POST from stdin
echo '{"name":"test"}' | curl -X POST https://api.example.com/users \
  -H "Content-Type: application/json" \
  -d @-

Useful One-Liners

Check If a URL Is Up

curl -s -o /dev/null -w "%{http_code}" https://example.com

Get Your Public IP

curl -s https://ifconfig.me

Pretty-Print JSON Response

curl -s https://api.example.com/data | python3 -m json.tool

# Or with jq
curl -s https://api.example.com/data | jq .

Test API with Multiple Methods

for method in GET POST PUT DELETE; do
  echo "--- $method ---"
  curl -s -o /dev/null -w "%{http_code}" -X $method https://api.example.com/resource
  echo
done

Download Multiple Files

curl -O https://example.com/file1.txt \
     -O https://example.com/file2.txt \
     -O https://example.com/file3.txt

Share API Credentials Securely

Need to share API keys, tokens, or curl commands with credentials? Use SecureBin for encrypted, self-destructing pastes.

Create an Encrypted Paste

curl with SecureBin API

You can use curl to interact with the SecureBin API to create encrypted pastes programmatically:

# Create a paste via the SecureBin API
curl -X POST https://securebin.ai/api/paste \
  -H "Content-Type: application/json" \
  -d '{
    "content": "encrypted-content-here",
    "expiry": "1h",
    "burn_after_read": true
  }'

Since SecureBin uses client-side encryption, the content should be encrypted before sending it to the API. Check our API documentation for full details on available endpoints and encryption workflow.

Flags Quick Reference

Here are the most frequently used curl flags in one place:

  • -X METHOD — Set HTTP method (GET, POST, PUT, DELETE, PATCH)
  • -H "Header: value" — Add request header
  • -d "data" — Send request body (implies POST)
  • -F "field=value" — Multipart form upload
  • -u user:pass — Basic authentication
  • -b "cookies" — Send cookies
  • -c file — Save cookies to file
  • -o file — Write output to file
  • -O — Save using remote filename
  • -L — Follow redirects
  • -k — Skip SSL verification
  • -v — Verbose output
  • -s — Silent mode
  • -i — Include response headers
  • -I — Headers only (HEAD)
  • -w "format" — Custom output format
  • --max-time N — Total timeout in seconds
  • --connect-timeout N — Connection timeout
  • --retry N — Retry on failure

The Bottom Line

curl is available on virtually every operating system and is the standard tool for testing HTTP APIs, debugging connectivity issues, and automating web requests. Bookmark this cheat sheet and come back whenever you need a quick reference.

For more developer tools, check out our JSON Formatter, JWT Decoder, Base64 Encoder, and Hash Generator — all free, all running in your browser.