Top
Best
New

Posted by darubramha 4/7/2025

Show HN: Uncurl.dev – Convert curl commands to a shareable, executable UI(uncurl.dev)
Hey HN,

I built uncurl.dev to scratch my own itch: I kept getting curl commands in API docs, bug reports, or Slack messages and wanted a quick way to visualize, run, and debug them without firing up Postman or writing code to dissect them. It was also sometimes painful to create a test page specifically for non-tech users to consume an API. I originally vibe-coded this over a weekend just to make it easier for myself to debug API requests shared as curl commands. It slowly grew into something I found surprisingly useful in my workflow, so I decided to clean it up and share it.

uncurl.dev takes a curl command and: - Converts it into a visual representation - Lets you edit and inspect all parts of the request - Allows sharing via a unique link - (Optionally) executes it from the server, so business or non-technical users can see results

Execution is currently behind login, with a cap (5/min) to avoid abuse and manage costs. Non-logged-in users can still build and share curl commands—they just can’t execute them. The server runs each request in a Docker sandbox with strict resource/time limits (cpu, memory, timeout, no network access outside the request).

It’s not meant to replace full-featured tools like Postman or Hoppscotch. It’s more of a “CLI-to-UI bridge” for fast sharing and debugging, especially in dev workflows where curl is the starting point. Think of it like Pastebin or JSFiddle, but for curl commands.

If you’ve ever copied a curl from an API doc and wanted a cleaner way to see it or send it to someone else, I’d love your feedback.

Thanks! (You can try it without signup here: https://uncurl.dev)

115 points | 59 commentspage 2
flipperto 4/7/2025|
While it looks good and even possibly useful, it seems to be a great way to leak sensitive cookies (especially since "copy as cURL" is so easy on the browser's network tab).

I would 100% forbid its use in a company environment and I would encourage people in general not to use it for any non-trivial use case.

byearthithatius 4/7/2025|
Thank you. I literally already accidentally uploaded a cookie that I now need to reset because the website doesn't let me delete the curl -_-
byearthithatius 4/7/2025||
This is just waiting for people to leak cookies oh my lord....
fitsumbelay 4/7/2025||
This is a pretty cool project.

One thing: it's rejecting dict lookups as invalid URL, eg. `curl dict://dict.org/d:failure:fd-eng-fra`

I'm checking first here whether I missed something in the docs about not supporting DICT before I add issue to the GH repo

darubramha 4/8/2025|
You didn’t miss anything in the docs. Right now uncurl.dev only supports http/https (and technically ftp, though it’s untested). Protocols like dict://, smtp://, etc. aren’t parsed or handled correctly yet, which is why you’re seeing that “invalid URL” error.

I hadn’t actually considered dict:// usage, I see the bug report as well, thanks, will see if I can include it.

byearthithatius 4/7/2025||
I already accidentally uploaded a cookie that I now need to reset because the website doesn't let me delete the curl -_-
dwrowe 4/7/2025||
There is both this post about not being able to delete a curl, and other posts about being able to delete curls unauthenticated. Looks like you should be able to issue a DELETE curl request, to delete your curl.
markerz 4/7/2025|||
Definitely reset your password/account even if you can delete it from their website. Otherwise, you are trusting a stranger with no privacy policy or reputation.
byearthithatius 4/7/2025||
Great point, true!
darubramha 4/8/2025||
You can delete the curl request if created from a logged in account.

Non-logged in curls are auto purged after 30 days.

ustad 4/7/2025||
Hey, that looks great.

Could you describe more about the docker sandbox that you have? I am especially interested in the network restrictions.

darubramha 4/8/2025|
The sandbox is a lightweight Alpine-based container, it runs as a non-root user for security, it has minimal dependencies installed (curl, bash, coreutils)

The container has restricted outbound access—only HTTP/S requests are allowed. It runs inside an isolated network namespace with no access to the host network or other infrastructure components. There's no inbound access, and the container can't receive unsolicited requests from the outside world.

The sandbox container can only communicate with other containers in the same network, the main application container and sandbox container are on the same network, allowing them to communicate.

ustad 4/8/2025||
Thanks for the details!

Do you think there could be ways for someone to abuse the network setup you have?

For example, accessing other internet hosts or other containers in the same container network?

What happens when curl gets redirect responses?

polishdude20 4/7/2025|
Why the need for an account to execute? Are you executing the command on behalf of the user on your server? Is it possible to just do it locally in browser?
darubramha 4/8/2025||
Yes — executions are done server-side, inside a resource-limited, sandboxed Docker container. That’s why login is required: to prevent abuse, rate-limit usage.

I have a feature working to allow users browser side execution, but as others have also pointed out CORS is a big blocker for client side execution not working for all APIs.

zamadatix 4/7/2025||
The post mentions the server is used during the optional execution. My guess as to why would be primarily because there are plenty of curl commands which are impossible to execute via the browser due to browser restrictions and secondarily because the execution is literally running curl, not trying to approximate the equivalent action.

Local execution could still be a handy feature for at least the most common basic commands though, but it'd start to have to wade into "explaining a lot to the user why this isn't really what the result might look like" territory.

VWWHFSfQ 4/7/2025||
It actually looks like the server is used regardless. It's sending the full curl command to the backend even if not executing it.
zamadatix 4/7/2025||
Well yeah, it's generating short links. I mean to highlight the server runs curl in a sandbox against the 3rd party host on behalf of the user, not just that the server and client talk to each other as you use the page.