curl is the universal command-line tool for transferring data over HTTP, HTTPS and many other protocols. Its power lives in its options: dozens of flags control the method, headers, body, authentication, TLS behaviour and output. This reference lets you search the most-used flags with their short forms and examples.
How it works
A curl invocation is curl [flags] URL. Flags either take a value (like
-H 'Header: value' or -d 'body') or are simple switches (like -L or -k).
Many flags have a long --name form and a single-letter short alias; this
reference lists both. curl applies the flags in order to build the request, sends
it, and writes the response to stdout (or to a file with -o/-O).
Common recipes
# POST JSON and follow redirects
curl -L -X POST -H 'Content-Type: application/json' \
-d '{"name":"A"}' https://api.example.com/users
# Download a file keeping its remote name
curl -O https://example.com/archive.zip
# Basic auth, show response headers, verbose
curl -i -u user:pass -v https://example.com/private
Flag categories at a glance
| Category | Key flags | What they control |
|---|---|---|
| Method | -X GET/POST/PUT/DELETE/PATCH | HTTP verb |
| Headers | -H 'Name: value' | Request headers (repeat for multiple) |
| Body | -d 'data', --data-binary @file, --json '...' | Request body for POST/PUT |
| Form upload | -F field=value, -F file=@path | Multipart form data / file upload |
| Auth | -u user:pass, --oauth2-bearer token | HTTP basic auth, Bearer tokens |
| TLS | --cacert, --cert, --key, -k | Certificate pinning and verification |
| Redirects | -L, --max-redirs N | Follow HTTP 3xx responses |
| Output | -o file, -O, -s, -w '%{http_code}' | Save response, suppress noise, print status |
| Debugging | -v, -i, -I, --trace | Verbose request/response, headers only |
| Proxy | -x proxy:port, --socks5 host:port | Route through a proxy |
| Timeout | --connect-timeout N, --max-time N | Connection and total time limits |
Notes and tips
-d implies POST and form encoding; pair it with an explicit -H 'Content-Type: application/json' (or use --json) when sending JSON. Use -F for file uploads (multipart). -s silences the progress meter for scripting, and -w '%{http_code}' prints the status code. Reserve -k/--insecure for local testing only — it disables certificate verification.
A few flag interactions worth knowing:
-dsets the method to POST implicitly. If you also supply-X GET, the body is ignored by most servers — explicitly set-X POSTwhen using-d.- Multiple
-Hflags stack, so you can add several headers in one command without any joining syntax. --retry Nretries on transient failures; combine with--retry-delayand--retry-max-timefor robust scripted downloads.-o /dev/null -s -w '%{http_code}'is the canonical incantation for health-check scripts that only care about the HTTP status code.