Free curl Commands Cheat Sheet Online — 120+ Terminal HTTP Client Commands & API Request Reference
curl is the terminal's data courier — it transfers data between URLs, one command at a time. From simple GET requests to complex API workflows with client certificates, OAuth tokens, and parallel connections, curl has been the universal HTTP client since 1998. Our free interactive curl Commands Cheat Sheet gives you instant access to 120 commands and patterns across 10 categories, with real-time search, one-click copy, and a Data Courier aesthetic inspired by HTTP packets, status bars, and terminal cursors. No signup. No server. 100% client-side.
Why curl Is the Universal Data Courier
Every developer eventually faces the same problem: you need to talk to an API, download a file, test an endpoint, or debug a server response — and you need to do it from the command line. curl is always there. It ships with macOS, Linux, and Windows 10+. It speaks more protocols than any other CLI tool (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, LDAP, SMTP, POP3, IMAP, and dozens more). It handles authentication schemes from Basic to NTLM to OAuth 2.0 and AWS SigV4. It understands TLS 1.3, HTTP/2, and HTTP/3. And it's scriptable — every curl command is a one-liner that can be piped, looped, and orchestrated in shell scripts.
The curl ecosystem has grown far beyond its humble beginnings as a URL transfer tool. Built-in JSON support (--json, curl 7.82+), parallel transfers (--parallel, 7.66+), AWS SigV4 signing (--aws-sigv4), OAuth 2.0 Bearer tokens (--oauth2-bearer), and --fail-with-body for proper error handling make curl more powerful than ever. Our cheat sheet organizes curl's entire surface area into 10 focused categories with every flag, pattern, and practical example you need — from `curl URL` (the simplest GET) to `curl --unix-socket /var/run/docker.sock` (talking to the Docker daemon) to `curl --aws-sigv4 "aws:amz:us-east-1:s3"` (signed S3 requests without the AWS CLI).
HTTP Methods — The Verbs of the Web
HTTP methods are the entry point for every curl request. Our HTTP Methods category covers the complete spectrum: curl URL (the simplest GET request — fetches URL content to stdout), curl -X POST URL (send a POST request, typically with -d for data — POST creates new resources), curl -X PUT URL (full resource update/replace — send the complete new representation with -d), curl -X DELETE URL (remove a resource — usually no body needed), curl -X PATCH URL (partial resource update — only send the fields that need to change), curl -I URL (fetch only response headers via HEAD request — no body returned), curl -X OPTIONS URL (discover supported HTTP methods and CORS headers), curl --head URL (explicit HEAD — same as -I but with the full flag name), curl -X CONNECT URL (HTTP CONNECT method — establish a tunnel through an HTTP proxy for HTTPS), curl --request-target /path URL (custom request-target for advanced HTTP/1.1 use cases), curl -X POST -d @- URL (POST data from stdin using the @- syntax — great for piping), and curl URL1 URL2 URL3 (fetch multiple URLs sequentially in a single command).
Headers & Cookies — The Metadata Layer
Headers control how servers interpret your request, and cookies maintain state across requests. Our Headers & Cookies category covers: curl -H "Name: Value" URL (add any custom request header — use multiple -H flags for multiple headers), curl -H "Authorization: Bearer TOKEN" URL (pass a Bearer token for OAuth 2.0 / JWT authentication — the most common API auth pattern), curl -H "Accept: MIME" URL (tell the server what response format you want), curl -A "AgentString" URL (set a custom User-Agent — -A is shorthand for -H "User-Agent:"), curl -e "URL" URL (set the Referer header — -e is shorthand, some sites check this for CSRF), curl -b "name=value" URL (send a cookie with the request — use semicolons for multiple), curl -c cookies.txt URL (save response cookies to a Netscape-format cookie jar file), curl -b cookies.txt URL (read cookies from a file — use with -c to maintain sessions across requests), curl -H "X-API-Key: KEY" URL (API key authentication via custom header — common in Stripe, SendGrid, and many SaaS APIs), curl -H @headers.txt URL (read headers from a file — one header per line in Name: Value format), curl -H "If-Modified-Since: DATE" URL (conditional GET — only return content if modified after the given date, returns 304 otherwise), and curl -H "If-None-Match: ETAG" URL (conditional GET using ETags — more precise than If-Modified-Since).
Request Body & Data — Sending Payloads
The request body is where your data lives. Our Request Body & Data category covers every way curl can send a payload: curl -d "key=value" URL (URL-encoded form data with default Content-Type: application/x-www-form-urlencoded — like HTML form submission), curl -d '{"key":"value"}' URL (send JSON in the request body — pair with -H "Content-Type: application/json" for most APIs), curl --data-raw '...' URL (send raw data exactly as written — @ characters are treated literally, unlike -d), curl --data-binary @file URL (send binary data from a file — preserves newlines and doesn't strip anything), curl --data-urlencode "name=val" URL (URL-encode the data before sending — handles special characters that would break URL encoding), curl -F "file=@path" URL (upload a file using multipart/form-data — curl auto-detects MIME type from the file extension), curl -F "field=value" URL (add a form field to a multipart upload — use alongside -F "file=@path" for combined data), curl -F "file=@path;type=MIME" URL (upload with explicit MIME type override when auto-detection is wrong), curl -G -d "key=value" URL (send -d data as URL query parameters instead of POST body — -G converts the request to GET), curl --json '{"key":"value"}' URL (send JSON with automatic Content-Type and Accept headers — curl 7.82+ shorthand), curl -T file URL (upload a file using PUT — the file becomes the entire request body), and curl --form-string "key=value" URL (send a form field without @ filename interpretation — safer for user input containing @).
Authentication — Proving Your Identity
curl supports virtually every HTTP authentication scheme. Our Authentication category covers: curl -u user:pass URL (HTTP Basic Authentication — curl base64-encodes the credentials and adds the Authorization header), curl --basic -u user:pass URL (explicitly force Basic auth even if the server requests a different scheme), curl --digest -u user:pass URL (HTTP Digest Authentication — more secure than Basic, password is hashed via challenge-response), curl --ntlm -u user:pass URL (NTLM authentication for Windows/IIS/SharePoint/Exchange environments), curl --negotiate -u : URL (Kerberos/SPNEGO authentication — uses an existing Kerberos ticket from kinit, no password needed), curl -H "Authorization: Bearer TOKEN" URL (OAuth 2.0 Bearer token — the most common API authentication method for REST APIs), curl --oauth2-bearer TOKEN URL (OAuth 2.0 Bearer token via dedicated option — curl 7.82+, cleaner than the -H equivalent), curl --aws-sigv4 "PROVIDER1:PROVIDER2:REGION:SERVICE" -u KEY:SECRET URL (sign the request with AWS Signature Version 4 — built-in, no awscli needed; the access key and secret are passed with -u), curl -E cert.pem URL (use a client TLS certificate for mutual TLS / mTLS authentication), curl --key private.key URL (specify the private key file for the client certificate — use when cert and key are in separate files), curl --cert-type TYPE URL (specify certificate format: PEM, DER, P12 for PKCS#12, or ENG for engine), and curl --proxy-user user:pass URL (authenticate with a proxy server — separate from destination server auth).
Output & Response Handling — Capturing the Data
Controlling where curl's output goes is essential for scripting and automation. Our Output & Response category covers: curl -o file URL (write output to a file instead of stdout — overwrites existing files), curl -O URL (save output with the remote filename extracted from the URL or Content-Disposition header — uppercase -O), curl -s URL (silent/quiet mode — hides the progress meter and error messages, use -S with -s to show errors only), curl -w "FORMAT" URL (write out response metadata after completion — access variables like %{http_code}, %{time_total}, %{size_download} — powerful for scripting), curl -w "@format.txt" URL (read the write-out format from a file — keep complex format strings readable), curl -o /dev/null -s -w "FMT" URL (response metrics only — discard the body and show formatted status, the standard pattern for API health checks), curl --create-dirs -o DIR/FILE URL (create the directory structure for the output file if it doesn't exist — prevents 'No such file' errors), curl -J -O URL (use the filename from the Content-Disposition header — -J enables server-suggested filenames), curl -r 0-1023 URL (fetch a specific byte range — useful for large files, resuming, or testing range support), curl -C - -O URL (resume a previous download — -C - auto-detects where to resume from), curl --no-buffer URL (disable output buffering — each chunk outputs as it arrives, essential for streaming APIs and Server-Sent Events), and curl -D headers.txt URL (write response headers to a separate file while the body goes to stdout or -o).
TLS/SSL & Certificates — Securing the Couriers
curl gives you fine-grained control over TLS. Our TLS/SSL & Certificates category covers: curl --cacert ca.pem URL (use a custom CA certificate bundle to verify the server — override the system's default CA store for private PKI), curl -k URL (skip TLS certificate verification — insecure mode, only for testing, disables MITM protection), curl --cert-status URL (require OCSP stapling from the server — fails if the server doesn't provide a valid OCSP response), curl --tlsv1.2 URL (force TLS 1.2 minimum — curl negotiates the highest version by default, this pins to a specific version), curl --tlsv1.3 URL (force TLS 1.3 — fastest handshake, most secure, 0-RTT support), curl --tls-max 1.3 URL (set the maximum TLS version allowed — negotiate the best version up to this maximum), curl --ciphers 'LIST' URL (specify which TLS cipher suites to use — limit ciphers for security policy compliance), curl --ssl-reqd URL (require SSL/TLS — fails if TLS cannot be negotiated, safer than --ssl which allows fallback), curl --cert cert.pem --key key.pem URL (use a client certificate and private key for mutual TLS with separate files), curl --pinnedpubkey HASH URL (pin the server's public key — connection fails if the pubkey doesn't match, defense against rogue CAs), curl --crlfile crl.pem URL (check the server certificate against a Certificate Revocation List — fails if revoked), and curl --dns-servers IP URL (use specific DNS servers instead of system DNS — useful for testing DNS changes or bypassing local resolvers).
Connection & Timeouts — Controlling the Wire
Network conditions are unpredictable — curl's connection and timeout options keep your scripts resilient. Our Connection & Timeouts category covers: curl --connect-timeout 5 URL (maximum time to establish the TCP+TLS connection before giving up — prevents hanging on unreachable servers), curl --max-time 10 URL (maximum total time for the entire operation — includes DNS, connect, TLS, transfer, redirects), curl --retry 3 URL (retry up to N times on transient errors — timeouts, connection refused, 5xx status codes — does NOT retry on 4xx), curl --retry-delay 5 URL (wait N seconds between retry attempts — adds backoff instead of immediate retry), curl --retry-max-time 60 URL (maximum cumulative time for all retries combined — stops retrying when exceeded), curl --keepalive-time 60 URL (set TCP keepalive probe interval — helps detect dead connections on long idle periods), curl --no-keepalive URL (disable TCP keepalive probes entirely — reduces overhead for short requests), curl --interface IFACE URL (bind the connection to a specific network interface by name or IP address), curl --local-port 8000-9000 URL (bind to a local port within a specific range — useful for firewall rules), curl --resolve HOST:PORT:IP URL (resolve a hostname to a specific IP address, bypassing DNS — like /etc/hosts for a single request), curl --connect-to H1:P1:H2:P2 URL (rewrite connection targets — connect to HOST2:PORT2 but send HOST1 in the Host header, powerful for testing), and curl --speed-limit 1024 --speed-time 10 URL (abort if download speed drops below BYTES/sec for N seconds — prevents hanging on dead-slow transfers).
Redirects & History — Following the Trail
HTTP redirects are everywhere — shortened URLs, API version migrations, HTTPS enforcement. Our Redirects & History category covers: curl -L URL (follow HTTP redirects — without -L, curl stops at the 3xx response and shows the redirect response instead of following it), curl --max-redirs 5 URL (limit the number of redirects to follow — prevents infinite redirect loops, requires -L), curl -L -D headers.txt URL (follow redirects AND dump all response headers including intermediate ones to a file — see the full redirect chain), curl --post301 URL (keep POST method when following a 301 redirect — normally curl converts POST to GET on 301/302), curl --post302 URL (keep POST method when following a 302 redirect — use carefully with non-idempotent operations), curl --post303 URL (keep POST method when following a 303 redirect — 303 normally always converts to GET per HTTP spec), curl --location-trusted URL (send authentication credentials to hosts that redirects point to — normally auth is stripped on cross-origin redirects for security), curl --proto-redir =http,https URL (limit which protocols curl will follow on redirect — prevents redirects to unsafe protocols like file://), curl -L -w "%{url_effective}" URL (show the final URL using write-out variables — see where -L landed; %{redirect_url} instead reports where a redirect would go when -L is not used), curl -L -w "%{num_redirects}" URL (count how many redirects were followed — 0 if no redirect occurred), curl -v URL 2>&1 | grep -i "< location:" (see redirect Location headers in verbose output — extract just the redirect chain; -i matches the lowercase header names HTTP/2 servers send), and curl --globoff URL (disable URL globbing — essential when URLs contain literal brackets or braces that curl would otherwise interpret as range expressions).
Debugging & Verbose — Inspecting Every Byte
When requests don't work, curl's debugging output tells you exactly why. Our Debugging & Verbose category covers: curl -v URL (verbose mode — shows request headers (>), response headers (<), TLS handshake details (*), and timing — the essential debugging tool), curl --trace FILE URL (full hex dump trace of all incoming and outgoing data — every byte sent and received, very detailed), curl --trace-ascii FILE URL (ASCII-only trace — no hex, non-printable characters shown as dots, more readable than --trace), curl --trace-time URL (add timestamps to each line of verbose/trace output — see exactly when each event occurs), curl -i URL (include response headers in the output alongside the body — unlike -I, this also gets the body), curl -w "\n%{http_code}\n" URL (print just the HTTP status code after the response — the quick health check pattern for shell scripts), curl -w "\n%{time_total}s\n" URL (print the total request time — includes DNS, TCP, TLS, and transfer), curl -w "@timing.fmt" -o /dev/null -s URL (detailed timing breakdown using a format file — shows DNS, connect, TLS, TTFB, and total times separately), curl --compressed URL (request compressed content with Accept-Encoding: gzip, deflate, br — curl auto-decompresses the response), curl --stderr FILE URL (redirect stderr to a file — separates diagnostics from the response body), curl -sS URL (silent mode but still show errors — the most common combo for scripts: quiet on success, visible on failure), and curl --fail-with-body URL (return exit code 22 on HTTP errors but still output the response body — curl 7.76+, better than --fail for API error handling since you can see the server's error message).
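An added example, not part of the original cheat sheet: a heuristic lint that reads a shell script and flags curl lines using the options described in the TLS, timeout, redirect and debugging sections above as weakening a transfer (-k, --location-trusted, -L without --proto-redir, -s without -S, no --max-time). The function names, finding names and sample script lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: heuristic lint for curl invocations in a shell script.
# It matches one line of text at a time, so it does not follow backslash
# continuations, parse quoting, or see glued values such as -m10.

# has_short LINE LETTER: LETTER occurs in a single-dash cluster (-k, -sk, -kL).
has_short() {
  printf '%s\n' "$1" |
    grep -Eq -e "(^|[[:space:]])-[A-Za-z]*${2}[A-Za-z]*([[:space:]]|\$)"
}

# has_long LINE OPTION: the long option is present as a whole word.
has_long() {
  printf '%s\n' "$1" | grep -Eq -e "(^|[[:space:]])${2}([[:space:]=]|\$)"
}

# Print one finding name per line for a single curl command line.
lint_curl_line() {
  l=$1
  if has_short "$l" k || has_long "$l" --insecure; then
    echo TLS_VERIFY_OFF
  fi
  if has_long "$l" --location-trusted; then
    echo CREDS_SENT_TO_REDIRECT_HOSTS
  fi
  if has_short "$l" L || has_long "$l" --location ||
     has_long "$l" --location-trusted; then
    has_long "$l" --proto-redir || echo REDIRECT_PROTOCOLS_NOT_PINNED
  fi
  if has_short "$l" s || has_long "$l" --silent; then
    has_short "$l" S || has_long "$l" --show-error || echo ERRORS_SILENCED
  fi
  has_short "$l" m || has_long "$l" --max-time || echo NO_TOTAL_TIMEOUT
  return 0
}

# Read a script on stdin; print "LINENO:FINDING" for each curl line.
lint_stream() {
  n=0
  while IFS= read -r line; do
    n=$((n + 1))
    printf '%s\n' "$line" |
      grep -Eq -e '(^|[^[:alnum:]_-])curl([[:space:]]|$)' || continue
    for id in $(lint_curl_line "$line"); do
      echo "$n:$id"
    done
  done
}

# Constructed sample input (hosts and file names are placeholders).
sample_script() {
  cat <<'EOF'
# nightly sync job
curl -sk -L https://api.example.test/v1/items
curl --location-trusted -u "$USER:$PASS" --max-time 10 https://example.test/login
curl -sS --fail-with-body --max-time 10 --cacert ca.pem https://example.test/health
curl -L --proto-redir =https --max-time 10 -sS https://example.test/dl
echo "done"
EOF
}

sample_script | lint_stream
```

Run it over a real script with `lint_stream < deploy.sh`; hits are prompts for review, since the matching is textual and a flagged option can be legitimate in a test harness.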
Advanced & Scripting — Power Tools for Power Users
curl's advanced features turn it from a simple HTTP client into a programmable network Swiss Army knife. Our Advanced & Scripting category covers: curl --parallel URL1 URL2 URL3 (fetch multiple URLs in parallel — curl 7.66+, dramatically faster than sequential for independent requests), curl --parallel-max N URL... (limit concurrent connections to N — controls concurrency for --parallel), curl --config FILE URL (read curl options from a config file — one option per line, # for comments, the ~/.curlrc file is auto-read on every invocation), curl --next URL1 --next URL2 (reset options between URLs — every --next starts a fresh set of options, great for different API formats in one command), curl --libcurl FILE URL (generate C source code that would perform the same request — bootstrap a libcurl program), curl --rate 10/m URL1 URL2 (limit how often new transfers start, given as N per time unit, here 10 per minute; polite scraping without overwhelming servers), curl --limit-rate 1M URL (limit transfer speed to N bytes/sec — simulate slow network conditions for testing), curl --proxy http://PROXY:PORT URL (route the request through an HTTP proxy — supports HTTP, HTTPS, and SOCKS proxies with CONNECT tunneling), curl --socks5 PROXY:PORT URL (route through a SOCKS5 proxy like Tor or an SSH tunnel — add --socks5-hostname to resolve DNS through the proxy), curl --unix-socket PATH URL (connect via a Unix domain socket instead of TCP/IP — talk to the Docker daemon, systemd, or local services directly), curl --abstract-unix-socket NAME URL (connect via an abstract Unix domain socket on Linux — no filesystem path needed, @ prefix namespace), and curl --json @file.json URL (send JSON data from a file with automatic Content-Type and Accept headers — perfect for scripted API interactions, cleaner than -d @file -H ...).
The Data Courier — Aesthetic Design
curl is the terminal's data courier — transferring packets between URLs, carrying data across the network. Our curl Commands Cheat Sheet embraces The Data Courier aesthetic: a deep terminal void background (#0c1117) with a subtle network grid overlay — horizontal lines at 42% and 74%, vertical lines at 35% and 62% — creating the visual impression of data routing through a packet-switched network. A status bar runs along the top edge with an electric-green-to-info-blue-to-auth-gold-to-response-purple-to-secure-teal gradient, pulsing like a network status indicator monitoring connection health.
Thirty floating data packet particles — small rectangular blocks shaped like HTTP packets — drift upward with a blink animation, cycling through all ten category colors, evoking the constant flow of data that curl carries across the wire. A terminal block cursor (█) blinks after the title using a step-end animation — the cursor waiting to dispatch the next request. Outfit provides bold, distinctive display headings — clean, modern, with presence. Plus Jakarta Sans delivers clean, readable body text. JetBrains Mono serves all code snippets and commands with monospace precision. The color palette maps to curl's domains: Electric Green (#44ff44, HTTP Methods — the entry point), Info Blue (#4488ff, Headers & Cookies — metadata), Data Orange (#ff8844, Request Body & Data — payload), Auth Gold (#ffaa33, Authentication — security), Response Purple (#9966ff, Output & Response — answers), Secure Teal (#33ccaa, TLS/SSL & Certificates — encryption), Time Amber (#ff9933, Connection & Timeouts — timing), Redirect Coral (#ff6699, Redirects & History — following paths), Debug Cyan (#33ccdd, Debugging & Verbose — inspection), and Advanced Lime (#66ff44, Advanced & Scripting — power tools). Cards feature category-colored top borders (3px) and subtle left border accents — like a request/response pipeline. Each card has a glowing dot in the corner that pulses like an active network indicator, cycling through green and blue accent colors on hover. This is not another generic dark theme; it's a deliberate, crafted space that makes HTTP at the command line feel like operating a network dispatch center.
How This Cheat Sheet Fits Into Your Workflow
The curl Commands Cheat Sheet is part of the DevToolkit suite of free developer reference tools. It complements our Linux Commands Cheat Sheet (the terminal environment where curl runs), our Bash Scripting Advanced Patterns Cheat Sheet (automating curl in shell scripts), our DevOps Commands Cheat Sheet (the infrastructure pipelines curl connects to), our Docker Compose Cheat Sheet (services you test with curl health checks), our Cloudflare Workers Cheat Sheet (APIs you build and test with curl), our tmux Commands Cheat Sheet (the terminal multiplexer you run curl inside), and our Vim/Neovim Commands Cheat Sheet (the editor you use to craft curl commands into scripts). Together, curl, the Linux terminal, and your API toolkit form the complete command-line developer environment — the tools that work everywhere, on every server, speaking every protocol.
The workflow is simple: press Ctrl+K to focus the search bar, type what you need (a flag like "-d", a pattern like "Bearer", a concept like "timeout"), and the matching entries appear instantly. Click any card to copy its curl command to your clipboard — the toast notification prefixes every copy with "[curl]" to remind you where the command came from. Filter by category to narrow the view — jump directly to "Authentication" to review OAuth 2.0 and mTLS patterns, or "Debugging & Verbose" to find the exact tracing option you need. Everything runs in your browser — no server requests, no signup, no tracking. Bookmark it, keep it open while writing API scripts, and stop searching through `man curl` or `curl --help` for the flag you half-remember.