curl Command Cheat Sheet
A searchable reference of common curl commands and what each flag does.
| Command | What it does |
|---|---|
curl https://example.com | Fetch a URL and print the response body to standard output. |
curl -o page.html https://example.com | Save the response body to a named local file. |
curl -O https://example.com/file.zip | Save the response using the remote filename taken from the URL. |
curl -L https://example.com | Follow HTTP redirects through to the final destination. |
curl -s https://example.com | Silent mode: hide the progress meter and error messages. |
curl -S https://example.com | Show an error message even in silent mode; pair it with -s. |
curl -v https://example.com | Verbose mode: print the request and response headers for debugging. |
curl -i https://example.com | Include the response headers above the body in the output. |
curl -I https://example.com | Fetch only the response headers using a HEAD request. |
curl --help | Show a summary of the most common curl options. |
curl -X GET https://api.example.com/items | Send an explicit GET request, which is the default method. |
curl -X POST https://api.example.com/items | Send a POST request, usually to create a resource. |
curl -X PUT https://api.example.com/items/1 | Send a PUT request to replace a resource. |
curl -X DELETE https://api.example.com/items/1 | Send a DELETE request to remove a resource. |
curl -X PATCH https://api.example.com/items/1 | Send a PATCH request to partially update a resource. |
curl --head https://example.com | Fetch only the headers with a HEAD request; long form of -I. |
curl -H "Accept: application/json" https://api.example.com | Add a custom request header; repeat -H for more than one. |
curl -H "Authorization: Bearer TOKEN" https://api.example.com | Send an Authorization header carrying a bearer token. |
curl -A "MyClient/1.0" https://example.com | Set the User-Agent request header. |
curl -e "https://referrer.example" https://example.com | Set the Referer header for the request. |
curl -b "session=abc123" https://example.com | Send a cookie string with the request. |
curl -b cookies.txt https://example.com | Read the cookies to send from a file. |
curl -c cookies.txt https://example.com | Save any cookies the server sets into a cookie jar file. |
curl --compressed https://example.com | Request a compressed response and decompress it automatically. |
curl -d "name=value" https://api.example.com | Send URL-encoded form data in the body; this implies a POST. |
curl -d "name=value&age=30" https://api.example.com | Send several URL-encoded form fields in the POST body. |
curl -d @payload.json https://api.example.com | Send the contents of a file as the request body. |
curl --data-raw "a=1&b=2" https://api.example.com | Send POST data literally, without treating a leading @ as a file. |
curl --data-urlencode "q=hello world" https://api.example.com | URL-encode a value before sending it as form data. |
curl --json {"name":"value"} https://api.example.com | Send a JSON body and set the JSON Content-Type and Accept headers. |
curl -F "field=value" https://api.example.com | Send a single multipart form field. |
curl -F "file=@photo.png" https://api.example.com/upload | Upload a file as a multipart form field using the @ prefix. |
curl -T upload.txt https://example.com/dir/ | Upload a local file to the target with a PUT request. |
curl -u alice:secret https://api.example.com | Send HTTP Basic auth credentials as user:password. |
curl --oauth2-bearer TOKEN https://api.example.com | Send an OAuth 2 bearer token in the Authorization header. |
curl --basic -u alice:secret https://api.example.com | Force HTTP Basic authentication, which is the default scheme. |
curl --digest -u alice:secret https://api.example.com | Use HTTP Digest authentication instead of Basic. |
curl -k https://self-signed.example.com | Allow an insecure transfer that skips TLS certificate checks. |
curl --cacert ca.pem https://internal.example.com | Verify the server against a specific CA certificate bundle. |
curl -O https://example.com/archive.tar.gz | Download a file and save it under its remote name. |
curl -o backup.zip https://example.com/latest | Download and save the response under a filename you choose. |
curl -C - -O https://example.com/big.iso | Resume an interrupted download where it left off. |
curl --limit-rate 2M https://example.com/big.iso | Cap the transfer speed to a set rate, such as 2 megabytes per second. |
curl --retry 5 https://example.com/flaky | Retry the request up to five times on transient failures. |
curl -z file.html https://example.com/file.html | Download only if the remote file is newer than the time condition. |
curl --output-dir downloads -O https://example.com/file.zip | Save downloaded files into a specific directory. |
curl -v https://api.example.com | Verbose mode showing the full request and response headers. |
curl -w "%{http_code}" https://example.com | Print selected transfer details, such as the status code, after the request. |
curl -w "%{time_total}s" -o /dev/null -s https://example.com | Measure the total request time while discarding the body. |
curl --trace trace.txt https://example.com | Write a full hex and ASCII trace of the transfer to a file. |
curl --trace-ascii trace.txt https://example.com | Write a readable ASCII trace of the transfer to a file. |
curl -i https://api.example.com | Include the response headers in the output to inspect them. |
curl -sS https://example.com | Stay quiet but still surface errors by combining -s and -S. |
No commands match your search.
Runs entirely in your browser. Nothing you type is sent anywhere; open DevTools and watch the Network tab to verify zero requests.
What this tool does
This is a searchable quick reference for the curl options you reach for when testing an API or downloading a file, from a plain GET to posting JSON, sending headers, uploading files, handling authentication, and tracing a request. Each row pairs an exact command with a plain-English note on what it does. Type in the filter box to search across both columns, or tap a category button to focus on one task. The whole list is built into the page, so it works offline and sends nothing anywhere.
How to use it
Start typing in the Filter box. Entering post surfaces
the request-body flags; entering header shows the ways to set request
headers; entering upload or -F finds the form and file
options. The category buttons (Basics, Methods, Headers, Data, Auth,
Download, Debug) narrow the table to one family and combine with the text filter, so
you can pick Data and type json to zero in on the JSON body option. Clear
the box to see the full sheet again. Placeholders such as TOKEN and
https://example.com stand in for your own values.
Common use cases
- Recalling the exact flag for a task you do rarely, like resuming a download with
-C -or measuring time with-w. - Copying a working request into your terminal instead of guessing at the option names.
- Posting JSON to an API with
--jsonand confirming the headers it sets for you. - Debugging a failing call with
-vor a full--tracebefore you reach for a bigger tool. - Teaching a teammate the difference between
-d,-F, and-Tfor sending data.
Common pitfalls
- Using -X POST without a body. Adding
-X POSTalone sends an empty POST. If you supply data with-d,-F, or--json, curl already switches to POST for you, so the explicit-Xis usually unnecessary. - Quoting JSON in the shell. A JSON body is full of double quotes and
braces that your shell will try to interpret. Wrap the whole value in single quotes
in the terminal, or read it from a file with
-d @body.json, so the JSON reaches the server intact. - Disabling TLS verification with -k. The
-kflag turns off certificate checking and removes the protection against interception. Keep it to local testing and use--cacertwith a trusted certificate for real traffic. - Expecting -O to name every file. The
-Oflag builds the output filename from the end of the URL, so a URL that ends in a slash or has no filename gives a bad or empty name. Use-owith an explicit filename in those cases.
Frequently asked questions
- How do I send a POST request with JSON?
- Use the --json flag, which sends the body and sets both the Content-Type and Accept headers to application/json in one step, for example curl --json {"name":"value"} https://api.example.com. On older curl versions that lack --json, do it by hand with curl -X POST -H "Content-Type: application/json" -d {"name":"value"} https://api.example.com. Remember that -d alone already implies POST, so you rarely need -X POST as well.
- What is the difference between -o and -O?
- Lowercase -o lets you pick the output filename, as in curl -o report.html https://example.com/page. Uppercase -O reuses the filename from the end of the URL, so curl -O https://example.com/report.html writes a file called report.html. Because -O depends on the URL, it fails to choose a good name when the URL ends in a slash or has no filename part.
- How do I follow redirects?
- Add the -L flag so curl follows Location headers to the final URL, which matters for sites that redirect HTTP to HTTPS or have moved a resource. Without -L, curl prints the redirect response itself rather than fetching the target. You can pair -L with --max-redirs to cap how many hops it will make.
- How do I add a request header?
- Use -H followed by the full header line, for example curl -H "Accept: application/json" https://api.example.com. Repeat -H once for each header you need to send. Common cases are setting Accept, Content-Type, or an Authorization token.
- How do I send form data or upload a file?
- For URL-encoded form fields use -d, as in curl -d "name=value" https://api.example.com. For multipart forms and file uploads use -F, and prefix a filename with @ to attach a file: curl -F "file=@photo.png" https://api.example.com/upload. The -F form sets a multipart Content-Type with the correct boundary for you.
- What does -k do and why is it risky?
- The -k flag, also written --insecure, tells curl to skip verification of the server TLS certificate. That lets you reach a host with a self-signed or expired certificate, but it also drops the protection against a man-in-the-middle intercepting the connection. Use it only for local testing, and prefer --cacert with a trusted certificate for anything that matters.
- Does this cheat sheet send my searches anywhere?
- No. The whole command list is baked into the page and every filter runs in your browser with JavaScript, so nothing you type leaves your device. Open your browser DevTools and watch the Network tab while you search to confirm there are zero requests. This page is a reference only and does not run curl for you.
Cite this tool
For academic, journalistic, or technical references. Pick a format:
Citations use 2026 as the publication year. Access date is left as a fillable placeholder where the citation style expects one.