Capture every API call on any website — fetch + XHR — while you browse normally. Perfect for reverse engineering undocumented APIs.
Built by @ctala | 🌐 cristiantala.com
Instead of digging through DevTools Network tab, this extension gives you a clean one-click recording experience:
- Open the extension on any tab
- Set an optional URL filter (e.g. `api.mysite.com`)
- Click Start Recording
- Use the website as you normally would
- Click Stop → Download JSON
You get a clean JSON file with every unique endpoint captured — methods, headers, request bodies, response bodies, status codes, and timing.
Recording is scoped to the active tab only. Other tabs are not affected.
Get the extension directly from the Chrome Web Store:
🔗 Install from Chrome Web Store
Privacy-First: Zero tracking, zero analytics, zero external servers. Read our Privacy Policy
- Clone or download this repository
- Open Chrome → `chrome://extensions/`
- Enable Developer Mode (toggle in top-right corner)
- Click Load unpacked → select the project folder
- The 🟢 icon appears in your Chrome toolbar
Firefox support is planned (Manifest V3 with minor adjustments).
Added:
- Profile presets — [Generic], [LinkedIn Voyager], [GraphQL], [JSON API]. One-click pre-fill of URL filter and redact patterns.
- Multi-line URL filter with AND/OR mode. Patterns can be literal, glob, or `/regex/`.
- Redact secrets toggle (default ON) — cookies, CSRF tokens, auth headers, and password / token body fields are replaced with `[REDACTED:<key>]` placeholders in the MAIN-world interceptor, before any serialization crosses a process boundary. The raw secret never appears in `postMessage`, `chrome.runtime.sendMessage`, `chrome.storage`, the popup preview, or the downloaded file.
- JSON-Lines export (default) + legacy JSON array toggle. New schema documented in `docs/spec/capture-mode-spec.md`.
- 5 MB body cap + binary skip (`image/*`, `video/*`, `audio/*`, `application/pdf`, `application/octet-stream`) + 10,000-event per-session cap with auto-stop warning.
- Privacy — updated `PRIVACY-POLICY.md` for v1.3.0 Capture Mode. Added sections on local data processing, user controls, and what is NOT captured. No changes to data flow. New `docs/spec/PRIVACY-COMPLIANCE-SUMMARY.md` for Chrome Web Store reviewers.
Not in this release:
- WebSocket capture, Service Worker internals, cross-origin iframes, replay, HAR import/export, redaction level slider — deferred to v1.4.
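The multi-line URL filter above (literal, glob or `/regex/` lines combined with AND or OR) is easy to get subtly wrong, so here is an added example of how such a matcher can be built. This is illustration code written for this page, not the extension's own filter implementation; the function names and the exact glob semantics are assumptions. One pattern per line: a line written as `/.../` (optionally followed by flags) is a regular expression, a line containing `*` or `?` is a glob (`*` matches any run of characters, `?` exactly one), and anything else is a literal substring. Globs and literals are unanchored, so `api2.skool.com/*` matches a full `https://` URL. One caveat that follows from the syntax: a literal path that both starts and ends with a slash (`/api/v1/`) would be read as a regex, so write such paths without the trailing slash.

```javascript
// Added example, not the extension's own filter code: a matcher for a
// multi-line URL filter with AND/OR mode. Function names and the exact glob
// semantics are assumptions of this example, not the project's.

function compilePattern(line) {
  const trimmed = line.trim();
  const regexForm = trimmed.match(/^\/(.+)\/([a-z]*)$/);
  if (regexForm) {
    // Drop g/y flags: a global or sticky RegExp keeps lastIndex between tests
    // and would make the same URL match and then not match.
    const re = new RegExp(regexForm[1], regexForm[2].replace(/[gy]/g, ''));
    return { kind: 'regex', source: trimmed, test: (url) => re.test(url) };
  }
  if (/[*?]/.test(trimmed)) {
    // Escape every regex metacharacter except the glob wildcards, then turn
    // the wildcards into their regex equivalents. Unanchored on purpose.
    const escaped = trimmed
      .replace(/[.+^${}()|[\]\\]/g, '\\$&')
      .replace(/\*/g, '.*')
      .replace(/\?/g, '.');
    const re = new RegExp(escaped);
    return { kind: 'glob', source: trimmed, test: (url) => re.test(url) };
  }
  return { kind: 'literal', source: trimmed, test: (url) => url.includes(trimmed) };
}

function compileFilter(filterText, mode = 'OR') {
  if (mode !== 'AND' && mode !== 'OR') throw new Error(`unknown filter mode: ${mode}`);
  const patterns = filterText
    .split('\n')
    .filter((line) => line.trim() !== '')
    .map(compilePattern);
  return {
    mode,
    patterns,
    // An empty filter captures everything, since the filter is optional.
    matches(url) {
      if (patterns.length === 0) return true;
      return mode === 'AND'
        ? patterns.every((p) => p.test(url))
        : patterns.some((p) => p.test(url));
    },
  };
}
```

Compile the filter once when recording starts, not per request: an invalid regex then fails loudly in the popup (`new RegExp` throws) instead of silently dropping every capture in the interceptor.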
Fixed:
- CSP blocking on ultra-strict sites (Skool, etc.) — injection now uses `chrome.scripting.executeScript` with `world: 'MAIN'` instead of DOM `<script>` injection, so it works regardless of the page's Content Security Policy.
Fixed:
- CSP violation on strict sites (now injects via `<script src>` instead of inline)
- Storage access error in content script (removed premature `chrome.storage.session.get()`)
- Undefined `isRecording` crash (simplified state management — only background controls state)
Fixed:
- Service worker persistence (state now saved to `chrome.storage.session`)
Added:
- Tab-scoped recording (only captures in the tab where you clicked Start)
Initial release:
- fetch + XHR interception
- Live badge counter
- URL filtering
- Deduplication by endpoint
- JSON download
- Navigate to the website you want to analyze
- Click the extension icon in the toolbar
- (Optional) Enter a URL filter to narrow captures:
  - `api2.skool.com` — only calls to this domain
  - `/api/v1` — only paths containing this string
  - `graphql` — only GraphQL requests
- Click ▶ Start
- The badge shows live request count
- Click ⏹ Stop when done
- Click ⬇ Download JSON to save the capture file
The downloaded file is named `api-capture-{hostname}-{timestamp}.json`:

```json
{
  "meta": {
    "capturedAt": "2026-02-20T14:32:00.000Z",
    "total": 47,
    "uniqueEndpoints": 23,
    "site": "www.skool.com"
  },
  "endpoints": [
    {
      "type": "fetch",
      "method": "POST",
      "url": "https://api2.skool.com/posts",
      "requestHeaders": {
        "content-type": "application/json",
        "x-aws-waf-token": "..."
      },
      "requestBody": {
        "title": "Test post",
        "body": "Hello world"
      },
      "status": 200,
      "responseBody": {
        "id": "abc123",
        "created_at": "2026-02-20T14:32:01Z"
      },
      "duration": 142,
      "timestamp": "2026-02-20T14:32:00.000Z",
      "isNewEndpoint": true
    }
  ],
  "all": [...]
}
```

- `endpoints` — deduplicated list (one entry per unique METHOD:URL pair)
- `all` — every single request captured, including repeated calls
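To make the `endpoints` / `all` split and the `isNewEndpoint` flag concrete, here is an added example that builds the capture-file shape above from a list of request events. It is written for this page and is not the extension's `background.js`. It also goes one step beyond the README: an `ignoreQuery` option folds `?page=1` and `?page=2` into one endpoint, which is usually what you want when documenting an API, and `toJsonLines` shows one plausible JSON-Lines layout (the project's real v1.3.0 schema lives in `docs/spec/capture-mode-spec.md` and may differ). The sample events are constructed.

```javascript
// Added example, not the extension's background.js. Builds the capture file
// described above: `endpoints` keeps the first occurrence of each METHOD:URL
// pair, `all` keeps every event, and each event is flagged isNewEndpoint on
// its first sighting. `ignoreQuery` and `toJsonLines` are assumptions of this
// example that go beyond what the README documents.

function endpointKey(ev, { ignoreQuery = false } = {}) {
  let url = ev.url;
  if (ignoreQuery) {
    const q = url.indexOf('?');
    if (q !== -1) url = url.slice(0, q);
  }
  return `${ev.method.toUpperCase()}:${url}`;
}

function buildCapture(site, events, options = {}) {
  const seen = new Set();
  const endpoints = [];
  const all = [];
  for (const ev of events) {
    const key = endpointKey(ev, options);
    const isNewEndpoint = !seen.has(key);
    // Copy rather than mutate the incoming event; normalise the method case
    // so "post" and "POST" count as the same endpoint.
    const entry = { ...ev, method: ev.method.toUpperCase(), isNewEndpoint };
    if (isNewEndpoint) {
      seen.add(key);
      endpoints.push(entry);
    }
    all.push(entry);
  }
  return {
    meta: {
      capturedAt: new Date().toISOString(),
      total: all.length,
      uniqueEndpoints: endpoints.length,
      site,
    },
    endpoints,
    all,
  };
}

// One plausible JSON-Lines layout (assumption, not the documented schema):
// a meta record first, then one record per event, each on its own line, so a
// file cut short by the 10,000-event auto-stop still parses line by line.
function toJsonLines(capture) {
  const lines = [JSON.stringify({ kind: 'meta', ...capture.meta })];
  for (const ev of capture.all) lines.push(JSON.stringify({ kind: 'event', ...ev }));
  return lines.join('\n') + '\n';
}

// Constructed sample: four events, two of which hit the same endpoint and two
// of which differ only in the query string.
const SAMPLE_EVENTS = [
  { type: 'fetch', method: 'POST', url: 'https://api2.skool.com/posts', status: 200, duration: 142 },
  { type: 'xhr', method: 'GET', url: 'https://api2.skool.com/posts?page=1', status: 200, duration: 51 },
  { type: 'fetch', method: 'post', url: 'https://api2.skool.com/posts', status: 201, duration: 97 },
  { type: 'xhr', method: 'GET', url: 'https://api2.skool.com/posts?page=2', status: 200, duration: 48 },
];
```

Running `buildCapture('www.skool.com', SAMPLE_EVENTS)` yields `total: 4` and `uniqueEndpoints: 3`; with `{ ignoreQuery: true }` the two paginated GETs collapse and `uniqueEndpoints` becomes 2. Whether collapsing is right depends on the API: path parameters such as `/posts/abc123` still produce one endpoint per ID, which is why a real dedup step usually needs per-site normalisation rules.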
- ✅ Intercepts fetch and XHR requests
- ✅ Captures request headers, body, response headers, response body
- ✅ Tab-scoped recording — only captures from the tab where you clicked Start
- ✅ Live counter badge on the extension icon
- ✅ Optional URL filter to reduce noise
- ✅ Deduplication — `endpoints` array has one entry per unique endpoint
- ✅ Works on any website, any protocol
- ✅ Clean dark-mode popup UI
- ✅ Clear button to reset captures
- ✅ Manifest V3 (modern Chrome extension standard)
- Reverse engineering private APIs — document undocumented endpoints
- Building integrations — understand the exact payloads a web app sends
- API documentation — auto-generate docs for internal apps
- Security research — understand what data a site is sending
- Learning — see how modern web apps communicate with their backends
The extension uses a 3-layer architecture to capture requests in the page's actual execution context:

```
content.js (extension context)
  └── injects → injected.js (page context)
        ├── Patches window.fetch
        └── Patches window.XMLHttpRequest

injected.js → dispatches CustomEvent('__ARE_REQUEST__')
  └── content.js listens → forwards to background.js
        └── Stores + counts + updates badge
```

Why the injection layer? Content scripts run in an isolated world: they share the page's DOM but see their own copy of `window.fetch` and `window.XMLHttpRequest`, so patching those from `content.js` would never see the page's real calls. `injected.js` therefore has to run in the page's own JavaScript environment (the MAIN world), where wrapping the real `fetch` and `XMLHttpRequest` intercepts every network call the page makes. It was originally inserted as a `<script>` tag, which strict Content Security Policies block; it is now injected with `chrome.scripting.executeScript` and `world: 'MAIN'`, which is not subject to the page's CSP (see the changelog above).
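The two security-relevant parts of this design are the MAIN-world `fetch` wrapper itself and the v1.3.0 rule that secrets are redacted inside that wrapper, before the record is handed to `content.js`. The following added example shows both in one place. It is written for this page and is not the extension's `injected.js`: `installFetchInterceptor(target, sink)` patches `target.fetch` so it can be exercised in Node against a fake fetch, whereas in the extension `target` would be `window` and `sink` would dispatch the `CustomEvent('__ARE_REQUEST__')` that `content.js` listens for. The 5 MB cap and the binary skip list come from the README; the specific header names and body-field patterns treated as secrets, and capturing only string request bodies, are assumptions of this example. XHR is wrapped the same way and is not shown.

```javascript
// Added example, not the extension's injected.js: a page-context fetch
// interceptor that records what the capture file contains and redacts secrets
// BEFORE the record leaves the page. Header/field lists are assumptions.

const SECRET_HEADERS = new Set(['authorization', 'cookie', 'set-cookie', 'x-csrf-token', 'x-xsrf-token']);
const SECRET_FIELDS = /password|passwd|token|secret|api[_-]?key/i;
const BINARY_TYPES = [/^image\//, /^video\//, /^audio\//, /^application\/pdf/, /^application\/octet-stream/];
const MAX_BODY_BYTES = 5 * 1024 * 1024; // README: 5 MB body cap

function isBinary(contentType) {
  return BINARY_TYPES.some((re) => re.test(contentType || ''));
}

// Headers -> plain object; Headers iteration yields lowercase names.
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of headers) {
    out[name] = SECRET_HEADERS.has(name) ? `[REDACTED:${name}]` : value;
  }
  return out;
}

// Recursively replaces JSON fields whose key looks like a credential.
function redactJson(value) {
  if (Array.isArray(value)) return value.map(redactJson);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_FIELDS.test(k) ? `[REDACTED:${k}]` : redactJson(v);
    }
    return out;
  }
  return value;
}

// Body text -> what gets stored: skipped for binary types, capped by size,
// parsed and redacted when it is JSON, kept verbatim otherwise.
function captureBody(text, contentType) {
  if (isBinary(contentType)) return '[BINARY SKIPPED]';
  if (text == null) return null;
  if (text.length > MAX_BODY_BYTES) return `[BODY TOO LARGE: ${text.length} chars]`;
  try {
    return redactJson(JSON.parse(text));
  } catch {
    return text;
  }
}

function installFetchInterceptor(target, sink) {
  const originalFetch = target.fetch;
  target.fetch = async function (input, init) {
    init = init || {};
    const url = typeof input === 'object' && 'url' in input ? input.url : String(input);
    const method = String(init.method || input.method || 'GET').toUpperCase();
    const reqHeaders = new Headers(init.headers || (typeof input === 'object' && input.headers) || undefined);
    const reqText = typeof init.body === 'string' ? init.body : null; // assumption: string bodies only
    const started = Date.now();

    const response = await originalFetch.call(target, input, init);

    // Read a clone so the page still receives an unconsumed, unmodified body.
    const clone = response.clone();
    const resType = clone.headers.get('content-type');
    let resText = null;
    if (!isBinary(resType)) {
      try { resText = await clone.text(); } catch { resText = null; }
    }

    // Redaction happens here, in the page, so raw secrets never reach the
    // content script, the service worker, storage, or the export file.
    sink({
      type: 'fetch',
      method,
      url,
      requestHeaders: redactHeaders(reqHeaders),
      requestBody: captureBody(reqText, reqHeaders.get('content-type')),
      status: response.status,
      responseHeaders: redactHeaders(clone.headers),
      responseBody: captureBody(resText, resType),
      duration: Date.now() - started,
      timestamp: new Date(started).toISOString(),
    });
    return response;
  };
  return () => { target.fetch = originalFetch; }; // uninstall, e.g. on Stop
}
```

Two points worth checking in any interceptor of this shape: the page must get back the original `response` (only the clone is read), and the record passed to `sink` must already be redacted, since everything after that point (`CustomEvent`, `chrome.runtime.sendMessage`, `chrome.storage`) is a serialisation boundary where the raw value would otherwise be copied. A key-name allow/deny list like the one here is heuristic; an opaque bearer value in a field called `data` would slip through, which is why the README's redaction is a default rather than a guarantee.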
```
api-reverse-engineer-extension/
├── manifest.json        # Extension config (Manifest V3)
├── popup.html           # Popup UI
├── src/
│   ├── popup.js         # Popup logic
│   ├── background.js    # Service worker (stores captures, manages state)
│   ├── content.js       # Content script (bridge between page and extension)
│   └── injected.js      # Page-context script (intercepts fetch + XHR)
├── icons/
│   ├── icon16.png
│   ├── icon48.png
│   └── icon128.png
└── README.md
```
- Firefox support (WebExtensions API)
- Export as OpenAPI / Swagger spec
- Copy individual endpoint as cURL command
- Response diffing (detect API changes over time)
- Replay captured requests
- HAR import/export compatibility
- Regex URL filter support
Contributions are welcome! See CONTRIBUTING.md.
- Fork the repo
- Create a feature branch: `git checkout -b feature/my-feature`
- Commit your changes: `git commit -m 'Add my feature'`
- Push: `git push origin feature/my-feature`
- Open a Pull Request
Your data stays on your device. No tracking, no analytics, no external requests. v1.3.0 Capture Mode adds secret redaction in the page (cookies, CSRF tokens, and auth headers are replaced with placeholders before they ever leave the page), so even the in-memory capture buffer never contains raw secrets.
📋 Privacy Policy · Compliance Summary (for reviewers) · 🌐 Hosted version
MIT — see LICENSE.
API Reverse Engineer is maintained with ❤️ by Cristian Tala — a developer, entrepreneur, and automation enthusiast.
Connect:
- 🌐 Website: cristiantala.com
- 💼 LinkedIn: @ctala
- 🐙 GitHub: @ctala
- 📦 Repository: github.com/ctala/api-reverse-engineer
Found a bug? Have a feature request?
Open an issue on GitHub
If you find this extension useful, please:
- ⭐ Star the repository on GitHub
- 🌟 Leave a review on the Chrome Web Store
- 🔗 Share with fellow developers
Privacy Policy: Read here | All data stays on your device.