Requests
HTTP methods
Ironcall supports GET, POST, PUT, PATCH, DELETE, HEAD, and OPTIONS. Select the method from the dropdown to the left of the URL bar.
Headers & query parameters
Use the Headers tab to add custom headers as key-value pairs. Toggle individual headers on or off without deleting them. A header name may appear more than once; repeated values are sent as separate header lines.
Use the Params tab to add query string parameters. Ironcall appends them to the URL automatically: ?key=value&key2=value2. Parameters can also be typed directly into the URL bar.
Request body
The Body tab is available for POST, PUT, and PATCH requests. Choose a body type:
| Type | Content-Type | Notes |
|---|---|---|
| JSON | application/json |
Syntax-highlighted editor |
| XML | application/xml |
|
| Plain text | text/plain |
|
| Form data | multipart/form-data |
Key-value fields |
| Raw | (none set) | Sends the body verbatim; set Content-Type yourself in the Headers tab |
Variables ({{var}}) are resolved in the body at send time.
There is no dedicated GraphQL mode. To call a GraphQL endpoint, send a JSON body with query and variables fields.
SSL settings
SSL verification is enabled by default. To disable it for a specific request (useful for self-signed certificates in development), toggle SSL verify off in the request settings panel.
Warning: Disabling SSL verification exposes the request to man-in-the-middle attacks. Only use this in local or trusted environments.
Ironcall validates the certificate chain and hostname against the system trust store. Custom CA bundles and client certificates (mTLS) are not configurable.
Timeouts & redirects
Each request has an optional timeout, set in milliseconds in the request settings panel. If the response is not received in time, the request fails with a timeout error. With no timeout set, the request waits indefinitely.
Ironcall follows up to 10 redirects automatically. On a redirect to a different host, sensitive headers (Authorization, Cookie, and similar) are stripped before the next hop, so credentials are never leaked to an unexpected origin.
Response bodies are capped at 100 MiB by default. Larger responses are truncated at the limit rather than loaded fully into memory.