glunty

curl Command Cheat Sheet

A searchable reference of common curl commands and what each flag does.

Common curl commands with a plain-English description of what each one does
Command What it does
curl https://example.com Fetch a URL and print the response body to standard output.
curl -o page.html https://example.com Save the response body to a named local file.
curl -O https://example.com/file.zip Save the response using the remote filename taken from the URL.
curl -L https://example.com Follow HTTP redirects through to the final destination.
curl -s https://example.com Silent mode: hide the progress meter and error messages.
curl -S https://example.com Show an error message even in silent mode; pair it with -s.
curl -v https://example.com Verbose mode: print the request and response headers for debugging.
curl -i https://example.com Include the response headers above the body in the output.
curl -I https://example.com Fetch only the response headers using a HEAD request.
curl --help Show a summary of the most common curl options.
curl -X GET https://api.example.com/items Send an explicit GET request, which is the default method.
curl -X POST https://api.example.com/items Send a POST request, usually to create a resource.
curl -X PUT https://api.example.com/items/1 Send a PUT request to replace a resource.
curl -X DELETE https://api.example.com/items/1 Send a DELETE request to remove a resource.
curl -X PATCH https://api.example.com/items/1 Send a PATCH request to partially update a resource.
curl --head https://example.com Fetch only the headers with a HEAD request; long form of -I.
curl -H "Accept: application/json" https://api.example.com Add a custom request header; repeat -H for more than one.
curl -H "Authorization: Bearer TOKEN" https://api.example.com Send an Authorization header carrying a bearer token.
curl -A "MyClient/1.0" https://example.com Set the User-Agent request header.
curl -e "https://referrer.example" https://example.com Set the Referer header for the request.
curl -b "session=abc123" https://example.com Send a cookie string with the request.
curl -b cookies.txt https://example.com Read the cookies to send from a file.
curl -c cookies.txt https://example.com Save any cookies the server sets into a cookie jar file.
curl --compressed https://example.com Request a compressed response and decompress it automatically.
curl -d "name=value" https://api.example.com Send URL-encoded form data in the body; this implies a POST.
curl -d "name=value&age=30" https://api.example.com Send several URL-encoded form fields in the POST body.
curl -d @payload.json https://api.example.com Send the contents of a file as the request body.
curl --data-raw "a=1&b=2" https://api.example.com Send POST data literally, without treating a leading @ as a file.
curl --data-urlencode "q=hello world" https://api.example.com URL-encode a value before sending it as form data.
curl --json {"name":"value"} https://api.example.com Send a JSON body and set the JSON Content-Type and Accept headers.
curl -F "field=value" https://api.example.com Send a single multipart form field.
curl -F "file=@photo.png" https://api.example.com/upload Upload a file as a multipart form field using the @ prefix.
curl -T upload.txt https://example.com/dir/ Upload a local file to the target with a PUT request.
curl -u alice:secret https://api.example.com Send HTTP Basic auth credentials as user:password.
curl --oauth2-bearer TOKEN https://api.example.com Send an OAuth 2 bearer token in the Authorization header.
curl --basic -u alice:secret https://api.example.com Force HTTP Basic authentication, which is the default scheme.
curl --digest -u alice:secret https://api.example.com Use HTTP Digest authentication instead of Basic.
curl -k https://self-signed.example.com Allow an insecure transfer that skips TLS certificate checks.
curl --cacert ca.pem https://internal.example.com Verify the server against a specific CA certificate bundle.
curl -O https://example.com/archive.tar.gz Download a file and save it under its remote name.
curl -o backup.zip https://example.com/latest Download and save the response under a filename you choose.
curl -C - -O https://example.com/big.iso Resume an interrupted download where it left off.
curl --limit-rate 2M https://example.com/big.iso Cap the transfer speed to a set rate, such as 2 megabytes per second.
curl --retry 5 https://example.com/flaky Retry the request up to five times on transient failures.
curl -z file.html https://example.com/file.html Download only if the remote file is newer than the time condition.
curl --output-dir downloads -O https://example.com/file.zip Save downloaded files into a specific directory.
curl -v https://api.example.com Verbose mode showing the full request and response headers.
curl -w "%{http_code}" https://example.com Print selected transfer details, such as the status code, after the request.
curl -w "%{time_total}s" -o /dev/null -s https://example.com Measure the total request time while discarding the body.
curl --trace trace.txt https://example.com Write a full hex and ASCII trace of the transfer to a file.
curl --trace-ascii trace.txt https://example.com Write a readable ASCII trace of the transfer to a file.
curl -i https://api.example.com Include the response headers in the output to inspect them.
curl -sS https://example.com Stay quiet but still surface errors by combining -s and -S.

Runs entirely in your browser. Nothing you type is sent anywhere; open DevTools and watch the Network tab to verify zero requests.

What this tool does

This is a searchable quick reference for the curl options you reach for when testing an API or downloading a file, from a plain GET to posting JSON, sending headers, uploading files, handling authentication, and tracing a request. Each row pairs an exact command with a plain-English note on what it does. Type in the filter box to search across both columns, or tap a category button to focus on one task. The whole list is built into the page, so it works offline and sends nothing anywhere.

How to use it

Start typing in the Filter box. Entering post surfaces the request-body flags; entering header shows the ways to set request headers; entering upload or -F finds the form and file options. The category buttons (Basics, Methods, Headers, Data, Auth, Download, Debug) narrow the table to one family and combine with the text filter, so you can pick Data and type json to zero in on the JSON body option. Clear the box to see the full sheet again. Placeholders such as TOKEN and https://example.com stand in for your own values.

Common use cases

  • Recalling the exact flag for a task you do rarely, like resuming a download with -C - or measuring time with -w.
  • Copying a working request into your terminal instead of guessing at the option names.
  • Posting JSON to an API with --json and confirming the headers it sets for you.
  • Debugging a failing call with -v or a full --trace before you reach for a bigger tool.
  • Teaching a teammate the difference between -d, -F, and -T for sending data.

Common pitfalls

  • Using -X POST without a body. Adding -X POST alone sends an empty POST. If you supply data with -d, -F, or --json, curl already switches to POST for you, so the explicit -X is usually unnecessary.
  • Quoting JSON in the shell. A JSON body is full of double quotes and braces that your shell will try to interpret. Wrap the whole value in single quotes in the terminal, or read it from a file with -d @body.json, so the JSON reaches the server intact.
  • Disabling TLS verification with -k. The -k flag turns off certificate checking and removes the protection against interception. Keep it to local testing and use --cacert with a trusted certificate for real traffic.
  • Expecting -O to name every file. The -O flag builds the output filename from the end of the URL, so a URL that ends in a slash or has no filename gives a bad or empty name. Use -o with an explicit filename in those cases.

Frequently asked questions

How do I send a POST request with JSON?
Use the --json flag, which sends the body and sets both the Content-Type and Accept headers to application/json in one step, for example curl --json {"name":"value"} https://api.example.com. On older curl versions that lack --json, do it by hand with curl -X POST -H "Content-Type: application/json" -d {"name":"value"} https://api.example.com. Remember that -d alone already implies POST, so you rarely need -X POST as well.
What is the difference between -o and -O?
Lowercase -o lets you pick the output filename, as in curl -o report.html https://example.com/page. Uppercase -O reuses the filename from the end of the URL, so curl -O https://example.com/report.html writes a file called report.html. Because -O depends on the URL, it fails to choose a good name when the URL ends in a slash or has no filename part.
How do I follow redirects?
Add the -L flag so curl follows Location headers to the final URL, which matters for sites that redirect HTTP to HTTPS or have moved a resource. Without -L, curl prints the redirect response itself rather than fetching the target. You can pair -L with --max-redirs to cap how many hops it will make.
How do I add a request header?
Use -H followed by the full header line, for example curl -H "Accept: application/json" https://api.example.com. Repeat -H once for each header you need to send. Common cases are setting Accept, Content-Type, or an Authorization token.
How do I send form data or upload a file?
For URL-encoded form fields use -d, as in curl -d "name=value" https://api.example.com. For multipart forms and file uploads use -F, and prefix a filename with @ to attach a file: curl -F "file=@photo.png" https://api.example.com/upload. The -F form sets a multipart Content-Type with the correct boundary for you.
What does -k do and why is it risky?
The -k flag, also written --insecure, tells curl to skip verification of the server TLS certificate. That lets you reach a host with a self-signed or expired certificate, but it also drops the protection against a man-in-the-middle intercepting the connection. Use it only for local testing, and prefer --cacert with a trusted certificate for anything that matters.
Does this cheat sheet send my searches anywhere?
No. The whole command list is baked into the page and every filter runs in your browser with JavaScript, so nothing you type leaves your device. Open your browser DevTools and watch the Network tab while you search to confirm there are zero requests. This page is a reference only and does not run curl for you.

Embed this tool

Free for any use; attribution appreciated. Paste this on your site:

The embed runs the same tool that lives at this URL. No tracking; no ads inside the embed. Resize height as needed for your layout.

Cite this tool

For academic, journalistic, or technical references. Pick a format:

Citations use 2026 as the publication year. Access date is left as a fillable placeholder where the citation style expects one.

Embedded tool from glunty.com