cURL to HTTP
VS Code extension that converts a cURL command in the active document into the .http file format, automatically extracting debug-relevant variables and discarding headers added automatically by the browser.
Ideal for developers who copy cURL requests from browser DevTools and want to turn them into reusable .http files for REST Client or similar extensions.
Features
- In-place conversion — replaces the document content with the
.http result (Ctrl+Alt+C)
- Copy to clipboard — converts without modifying the file
- Variable extraction — creates
@variables for the base URL, authorization token, and all form body parameters
- Browser header filtering — automatically discards headers calculated by the browser (
sec-*, user-agent, accept-encoding, origin, referer, etc.)
- Form body variables — each
key=value pair in application/x-www-form-urlencoded bodies becomes a named variable
- JSON body formatting — JSON bodies are pretty-printed automatically
- ANSI-C quoting support — handles
$'...' syntax produced by some browsers when copying as cURL
Usage
Open any file containing a cURL command and:
| Action |
Shortcut |
Command Palette |
| Convert and replace document |
Ctrl+Alt+C |
cURL: Convert to .http format |
| Convert and copy to clipboard |
— |
cURL: Copy .http result to clipboard |
Both commands are also available via the Command Palette (Ctrl+Shift+P).
Examples
GET request with Authorization
Input (cURL)
curl 'https://api.example.com/v1/orders?status=pending&page=1' \
-H 'accept: application/json' \
-H 'authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.sig' \
-H 'sec-fetch-dest: empty' \
-H 'sec-fetch-mode: cors' \
-H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)' \
-H 'accept-encoding: gzip, deflate, br'
Output (.http)
@baseUrl = https://api.example.com
@authorization = Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.sig
GET {{baseUrl}}/v1/orders?status=pending&page=1
accept: application/json
authorization: {{authorization}}
POST with JSON body
Input (cURL)
curl 'https://api.example.com/v1/orders' \
-X POST \
-H 'accept: application/json' \
-H 'authorization: Bearer eyJhbGciOiJSUzI1NiJ9.token' \
-H 'content-type: application/json' \
-H 'origin: https://app.example.com' \
-H 'sec-fetch-dest: empty' \
-H 'user-agent: Mozilla/5.0' \
--data-raw '{"customerId":"abc-123","items":[{"sku":"PROD-1","qty":2}]}'
Output (.http)
@baseUrl = https://api.example.com
@authorization = Bearer eyJhbGciOiJSUzI1NiJ9.token
POST {{baseUrl}}/v1/orders
accept: application/json
authorization: {{authorization}}
content-type: application/json
{
"customerId": "abc-123",
"items": [
{
"sku": "PROD-1",
"qty": 2
}
]
}
POST with form-urlencoded body (OAuth2 token)
Input (cURL)
curl 'https://auth.example.com/oauth2/token' \
-H 'accept: */*' \
-H 'accept-language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7' \
-H 'cache-control: no-cache' \
-H 'content-type: application/x-www-form-urlencoded;charset=UTF-8' \
-H 'origin: https://app.example.com' \
-H 'pragma: no-cache' \
-H 'priority: u=1, i' \
-H 'sec-ch-ua: "Not:A-Brand";v="99", "Google Chrome";v="145"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-fetch-dest: empty' \
-H 'sec-fetch-mode: cors' \
-H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)' \
--data-raw 'grant_type=password&client_id=MyApp&username=john.doe&password=S3cr3t%21'
Output (.http)
@baseUrl = https://auth.example.com
@grantType = password
@clientId = MyApp
@username = john.doe
@password = S3cr3t!
POST {{baseUrl}}/oauth2/token
accept: */*
content-type: application/x-www-form-urlencoded;charset=UTF-8
grant_type={{grantType}}&client_id={{clientId}}&username={{username}}&password={{password}}
URL-encoded values (e.g. %21) are automatically decoded in the variable definitions so they are readable and easy to edit.
Input (cURL)
curl 'https://api.example.com/v1/sessions/abc-123' \
-X DELETE \
-H 'authorization: Bearer eyJhbGciOiJSUzI1NiJ9.token' \
-H 'x-tenant-id: tenant-42' \
-H 'x-request-id: req-789' \
-H 'sec-fetch-dest: empty' \
-H 'user-agent: Mozilla/5.0'
Output (.http)
@baseUrl = https://api.example.com
@authorization = Bearer eyJhbGciOiJSUzI1NiJ9.token
DELETE {{baseUrl}}/v1/sessions/abc-123
authorization: {{authorization}}
x-tenant-id: tenant-42
x-request-id: req-789
How it works
| Variable |
Source |
Example |
@baseUrl |
Protocol + host from the URL |
https://api.example.com |
@authorization |
Authorization header value |
Bearer eyJ... |
@<paramName> |
Each field in a form-urlencoded body |
@grantType, @clientId |
Form parameter names are converted to camelCase for the variable name while the original key is preserved in the body line:
grant_type=password → @grantType = password
client_id=MyApp → @clientId = MyApp
The following headers are automatically removed from the output because they are calculated and managed by the browser and carry no value for API debugging:
| Category |
Headers removed |
| Security/CORS |
All sec-* headers (sec-fetch-*, sec-ch-*, etc.) |
| Browser identity |
user-agent, referer, origin |
| Transport |
accept-encoding, connection, content-length, te |
| Cache hints |
cache-control, pragma |
| Performance hints |
priority |
| Privacy |
dnt |
| Routing |
host |
| Legacy |
upgrade-insecure-requests |
| Locale |
accept-language |
Custom application headers (x-*, authorization, content-type, accept, cookie, etc.) are always preserved.
License
MIT
