Documentation

APIHop is a browser-based REST API testing tool built for developers who need instant, frictionless API exploration. This documentation covers the technical details of how the platform works.

Shareable URLs

The core viral mechanic of APIHop is its stateless shareable URL system. Every request configuration — including URL, method, headers, body, and authentication — is serialized to JSON, base64-encoded, and stored in the URL query parameter.

No database saves are required. Users copy the link and recipients open it to see the exact pre-filled request ready to execute.

How it works

  1. Current request state (URL, method, headers, body, auth) is serialized to JSON
  2. JSON string is encoded to URL-safe Base64
  3. Encoded string is appended to the URL as a query parameter (?r=)
  4. Full URL is copied to clipboard

Example

https://apihop.dev/?r=eyJ1cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL29jdG9jYXQiLCJtZXRob2QiOiJHRVQifQ==
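
The `?r=` value is encoded, not encrypted, so every field in a share link is readable by anyone who holds it. The following added example (not APIHop's own code; it runs under Node.js) decodes a link, lists credential-bearing fields, and re-encodes the link without them. The `headers` and `auth` field names and the sensitive-header list are assumptions; the decoded example above only shows `url` and `method`.

```javascript
// Added example (not APIHop's code). Runs under Node.js; no dependencies.
// Assumptions: the decoded state uses "headers" and "auth" keys, and the
// header names below are the ones treated as credentials.
const SENSITIVE_HEADERS = new Set(["authorization", "proxy-authorization", "cookie", "x-api-key"]);
const isSensitive = (name) => SENSITIVE_HEADERS.has(name.toLowerCase());

// Read ?r= and decode it. Accepts URL-safe or standard Base64, padded or not.
function decodeShareLink(link) {
  const r = new URL(link).searchParams.get("r");
  if (!r) throw new Error("link has no ?r= parameter");
  // Query parsing turns "+" into a space; restore it before decoding.
  const b64 = r.replace(/ /g, "+").replace(/-/g, "+").replace(/_/g, "/");
  const state = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  if (state === null || typeof state !== "object" || Array.isArray(state)) {
    throw new Error("decoded state is not a JSON object");
  }
  return state;
}

// Paths of fields that would hand a credential to every recipient of the link.
function findSecrets(state) {
  const found = Object.keys(state.headers || {}).filter(isSensitive).map((h) => `headers.${h}`);
  if (state.auth != null) found.push("auth");
  return found;
}

// Copy of the state with credential fields removed; other fields are untouched.
function redact(state) {
  const { auth, headers = {}, ...rest } = state;
  const kept = Object.fromEntries(Object.entries(headers).filter(([h]) => !isSensitive(h)));
  return { ...rest, headers: kept };
}

// Serialize -> URL-safe Base64 -> ?r=, following the four steps listed above.
function encodeShareLink(state, base = "https://apihop.dev/") {
  const b64 = Buffer.from(JSON.stringify(state), "utf8").toString("base64");
  return `${base}?r=${b64.replace(/\+/g, "-").replace(/\//g, "_")}`;
}

// Constructed sample state; the token is a placeholder, not a real credential.
const SAMPLE_LINK = encodeShareLink({
  url: "https://api.example.com/v1/items",
  method: "GET",
  headers: { Accept: "application/json", Authorization: "Bearer EXAMPLE-TOKEN" },
  auth: { type: "bearer", token: "EXAMPLE-TOKEN" },
});
console.log(findSecrets(decodeShareLink(SAMPLE_LINK)));
console.log(encodeShareLink(redact(decodeShareLink(SAMPLE_LINK))));
```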

CORS Proxy

Browser same-origin policy prevents a page from reading responses from external APIs that do not opt in through CORS headers. APIHop includes a backend CORS proxy that forwards your requests to the target API, bypassing this restriction.

Target APIs will see the proxy server's IP address, not your end-user's IP. This may affect IP-based rate limiting or geo-restriction logic on the target API.

Proxy endpoint

POST /api/proxy
Content-Type: application/json

{
  "url": "https://api.github.com/users/octocat",
  "method": "GET",
  "headers": { "Accept": "application/json" },
  "body": null
}

Response format

{
  "status": 200,
  "statusText": "OK",
  "headers": { "content-type": "application/json" },
  "body": "{\"login\":\"octocat\",...}",
  "latencyMs": 142
}

Security

APIHop implements several security measures to protect both users and the platform from abuse.

SSRF Protection

Server-Side Request Forgery (SSRF) attacks are prevented by blocking requests to loopback, private and link-local IP ranges. The proxy will reject any request targeting:

  • 127.0.0.0/8 (localhost)
  • 10.0.0.0/8 (private network)
  • 172.16.0.0/12 (private network)
  • 192.168.0.0/16 (private network)
  • 169.254.0.0/16 (link-local)

Rate Limiting

To prevent abuse, the API enforces rate limiting on a per-IP basis. When limits are exceeded, the proxy returns a 429 status code.

HTTP/1.1 429 Too Many Requests
Content-Type: application/json

{
  "error": "Rate limit exceeded",
  "retryAfter": 60
}

Rate Limits

The APIHop proxy enforces rate limits to ensure fair usage and prevent abuse. Limits are applied per client IP address.

Limits

  • Requests per minute: 60
  • Requests per hour: 1000

Rate limits are enforced at the proxy level. If you encounter 429 errors, wait for the rate limit window to reset before making additional requests.

Embedding

APIHop supports two embedding methods, allowing you to integrate interactive API examples directly into your documentation.

Hyperlink Method

The simplest approach is to link to a pre-configured playground URL.

<a href="https://apihop.dev/?r=eyJ1cmwiOiJodHRwczovL2FwaS5leGFtcGxlLmNvbSIsIm1ldGhvZCI6IkdFVCJ9" target="_blank">
  Try this API
</a>

Iframe Method

For a seamless integration, embed the playground directly in your page using an iframe.

<iframe 
  src="https://apihop.dev/playground?r=eyJ1cmwiOiJodHRwczovL2FwaS5leGFtcGxlLmNvbSIsIm1ldGhvZCI6IkdFVCJ9"
  width="100%"
  height="600"
  frameborder="0">
</iframe>

Recommended dimensions: Minimum width of 800px and height of 600px for optimal user experience on desktop devices.

OpenGraph Integration

APIHop provides dynamic OpenGraph image generation for shareable URLs, enabling rich previews when your playground links are shared on social media platforms.

Standard social crawlers may display generic site previews for query-param-based URLs. The /api/og endpoint allows custom image generation for deep links.

OG Image Endpoint

GET /api/og?state=eyJ1cmwiOiJodHRwczovL2FwaS5leGFtcGxlLmNvbSIsIm1ldGhvZCI6IkdFVCJ9