gekro
GitHub LinkedIn
Dev

WebSocket / SSE Live Tester

Connect to any WebSocket or Server-Sent Events endpoint from your browser, see frames stream live, measure latency, send messages, validate JSON inline.

Endpoint

Disconnected
Advanced Subprotocols, auth, reconnect

Browsers cannot set Authorization headers on WebSocket / SSE handshakes. URL params, cookies (same-origin), and Sec-WebSocket-Protocol are the available options.

Frame log 0

No frames yet. Connect to an endpoint above.

Connection stats

Frames received0
Frames sent0
Bytes received0
Bytes sent0
First-frame latency
Median frame gap
Max frame gap

🔒 Local. The browser connects directly to the endpoint you typed — no gekro.com proxy. CORS rejections from the target server are real (and surfaced in the log) — that's the server's policy, not a bug here.

As-is, no warranty. These apps are free under their listed license and run entirely in your browser. Use at your own risk — don't blame me if your PC catches fire, your dog runs away, or the math turns out wrong. Verify anything that actually matters. None of this is professional financial, medical, legal, or engineering advice.

© 2026 Rohit Burani · MIT · Built at gekro.com · View source ↗

Guide

What It Does

Paste a ws://, wss://, http://, or https:// URL. Hit Connect. Watch frames stream live in the log on the left, with stats on the right.

  • WebSocket (ws:// or wss://) - bidirectional. Send text, JSON, or binary; receive in real time
  • Server-Sent Events (http:// or https://) - one-way stream from server to browser. Receive only
  • Live frame log - timestamps to the millisecond, direction badges (SENT / RECV / META / ERR), byte counts
  • JSON auto-pretty-print - any received payload that parses as JSON gets indented and token-colored automatically
  • Stats panel - frames in/out, bytes in/out, first-frame latency, median frame gap, max stall
  • Send messages (WebSocket only) - As text / As JSON (validates before sending) / As bytes (paste hex like DE AD BE EF)
  • WebSocket subprotocols - comma-separated, e.g. graphql-transport-ws, mqtt, ocpp1.6
  • Auth-via-URL helper - quick way to append a token query param without editing the URL manually
  • Auto-reconnect - optional, 5-second delay
  • Filter the log - show / hide sent, received, meta separately
  • Export - download the full session as JSON

When To Use It

  • Verifying an MCP server’s SSE transport handshake
  • Debugging a GraphQL subscription (graphql-transport-ws)
  • Testing an internal real-time API before wiring up a client
  • Watching a public event stream live (Wikimedia recent changes is a good demo)
  • Reproducing a “sometimes the connection drops” bug with first-frame and max-gap stats
  • Proving to your backend team that yes, the server is closing the socket with code 1006

Browser security model — what you should know

WebSocket and EventSource in browsers are deliberately less flexible than curl or a Node client:

You cannot set Authorization headers on the handshake. new WebSocket(url, protocols) and new EventSource(url, { withCredentials }) don’t accept a headers option. The browser controls the handshake. Workarounds: pass auth as a URL query param, send a cookie (same-origin only), or use the Sec-WebSocket-Protocol subprotocol for tokens. The Advanced panel surfaces the URL-param helper.

CORS is the server’s call. If the target server doesn’t accept connections from gekro.com, that’s correct security on the server’s part. The error appears in the log with context. To test those endpoints you need a tool that bypasses browser CORS (Node, curl, a desktop client).

WebSocket errors are intentionally vague. When ws.onerror fires the browser deliberately tells you nothing beyond “error” to prevent cross-origin information leaks. Check DevTools Network tab for the actual HTTP-level handshake response.

WebSocket ping/pong frames are not exposed to JS. The browser handles them internally to keep the connection alive. We measure latency as connect-to-open and frame-to-frame gaps instead.

Mixed-content blocks. A page served over https:// cannot open a ws:// connection. Use wss://.

What’s NOT Included

  • Bypassing CORS - that would defeat the security model. Use a desktop tool if you need to hit a server that won’t accept your origin
  • Custom request headers - browser security, see above
  • HTTP/2 push or QUIC streaming - not exposed to JS; SSE and WebSocket are the available APIs
  • Persistent state - reload disconnects and clears the log, intentional
  • Auto-discovery / endpoint scanning - this is a tester, not a scanner

For informational purposes only. Not financial, medical, or legal advice. You are solely responsible for how you use these tools.

All apps