A modern, professional API testing tool built with Electron, TypeScript, and modern web technologies. Restbro is a secure, feature-rich desktop application that provides comprehensive API testing, automation, and development tools — all in one place.
Restbro combines the best features of tools like Postman and Insomnia with powerful additions like load testing, mock servers, AI assistance, and advanced JSON tools. Built with security-first architecture and enterprise-grade practices, Restbro is designed for developers who need a reliable, fast, and comprehensive API testing solution.
- Full HTTP Method Support: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
- Advanced Request Builder:
- URL with dynamic variable resolution
{{variable}} - Query parameters editor
- Headers editor with key-value pairs
- Multiple body types: JSON, Raw text, Form data, Form URL-encoded
- Request validation and formatting
- URL with dynamic variable resolution
- Smart Response Viewer:
- Auto-formatted JSON with syntax highlighting
- Collapsible/expandable JSON nodes with state persistence
- Headers display in table format
- Response metadata (status code, time, size, timestamp)
- Powerful search with regex support and navigation
- Multiple view modes: Pretty, Raw, Headers
- Export responses (JSON, Text, CSV)
- Fullscreen mode
- Copy to clipboard
- Request Tabs: Multi-request workflow with tab management
- Request History: Track all requests with timestamp, method, URL, and ability to reload
- Hierarchical Collections: Organize requests in nested folders with unlimited depth
- Folder-Level Variables: Scope variables to folders and inherit through folder chains
- Drag-and-Drop Ordering: Arrange collections and folders
- Context Menus: Quick access to rename, delete, duplicate operations
- Expanded/Collapsed State: Folder state persistence across sessions
- Basic Auth: Username and password
- Bearer Token: Token-based authentication
- API Key: Custom header or query parameter
- OAuth 2.0 (Full implementation):
- Authorization Code flow with PKCE
- Client Credentials flow
- Device Code flow
- Automatic token refresh
- Token expiration tracking
- Secure auth window handling
- Multiple Environments: Create and switch between different environments
- Environment Variables: Environment-scoped variable management
- Global Variables: Workspace-wide variables
- Variable Precedence: Request → Environment → Folder → Global
- Variable Resolution: Supports
{{var}}syntax with default values{{var:default}} - System Variables: Built-in timestamp and dynamic variables
- Variable Highlighting: Visual indicators in URL, headers, and body fields
- RPM-Based Testing: Configure requests per minute (RPM)
- Configurable Duration: Set test duration in seconds
- Two Target Types:
- Load test from saved collection requests
- Ad-hoc load test with custom configuration
- Real-Time Metrics:
- Scheduled, sent, completed, in-flight request counts
- Elapsed time tracking
- Progress indicators
- Performance Analytics:
- Min/Max/Avg response times
- Percentiles: p50, p95, p99
- Response status code distribution
- Throughput (requests per second)
- Export Results:
- CSV export with all samples
- PDF export with summary report and charts
- Token Bucket Algorithm: Accurate rate limiting
- Cancellation Support: Stop tests mid-execution
- Multiple Mock Servers: Create and manage multiple server instances
- Flexible Configuration:
- Custom host (default: 127.0.0.1)
- Dynamic port selection
- Advanced Route Matching:
- Exact path match
- Prefix match
- Wildcard patterns (
*for single segment,**for multiple) - Regex patterns
- Rich Response Options:
- Custom status codes
- Custom response headers
- Response body (JSON, text, binary, file)
- Configurable response delays
- File-based responses
- Route Management:
- Enable/disable individual routes
- Multiple HTTP methods per route
- Runtime Control: Start/stop servers with status tracking
-
JSON Viewer:
- Syntax highlighting with Monaco editor
- Collapsible/expandable nodes
- Search within JSON structures
- Copy individual values
- Expand/collapse all shortcuts
- Node expansion state persistence (LRU cache)
-
JSON Compare:
- Side-by-side JSON comparison
- Diff highlighting (added, removed, modified)
- Change statistics
- Filterable results
- Web worker-based processing (non-blocking UI)
- Interactive React component
- AI-Powered Assistant: Qwen 2.5 7B model via local LLM server
- Session Management:
- Multiple chat sessions
- Session history persistence
- Session renaming and deletion
- Contextual Intelligence:
- Use current request as context
- Use current response as context
- File upload support
- Streaming Responses: Real-time AI response generation
- Context Size Management: Automatic validation (12,000 char limit)
- Quick Suggestions: Pre-built prompts for common tasks
- Multi-Tab Editor: Multiple file tabs with Monaco editor
- File Operations:
- Open files from disk
- Save and Save As
- Auto-save prompts on exit
- Editor Features:
- Syntax highlighting
- Line numbers
- Word wrap
- Font size adjustment (zoom in/out)
- Cursor position tracking
- Keyboard Shortcuts:
Cmd/Ctrl+S: SaveCmd/Ctrl+O: Open fileCmd/Ctrl+N: New tabCmd/Ctrl+W: Close tabCmd/Ctrl+Tab: Next tabCmd/Ctrl+Shift+Tab: Previous tab
- Smart Tab Management: Dirty state detection, unsaved changes prompts
- Import Support:
- Postman Collections (v2.1)
- Postman Environments
- Insomnia Exports (v4 and v5)
- Import Features:
- File preview before import
- Automatic format detection
- Collections and environments import
- Folder structure preservation
- Variable mapping
- Export Options:
- Export responses (JSON, Text, CSV)
- Export load test results (CSV, PDF)
- Color Themes: Blue, Green, Purple, Orange, Red, Magenta
- Persistent Preferences: Theme selection saved across sessions
- Resizable Panels: Drag-to-resize layout
- Responsive Design: Adaptive to different screen sizes
- Clean Interface: Minimal, professional design
- Node.js: Version 18 or higher
- npm: Latest version
- (Optional) Local LLM Server: For AI features, run a compatible server at
http://localhost:9999(Qwen 2.5 7B recommended)
-
Clone the repository:
git clone <repository-url> cd restbro
-
Install dependencies:
npm install
-
Build the application:
npm run build
-
Start the application:
npm start
For development with hot reload:
npm run devThis will:
- Start the webpack dev server for the renderer process
- Watch for file changes in the main process
- Enable hot module replacement (HMR)
npm run build- Build all processes (main, preload, renderer)npm run build:main- Build main process onlynpm run build:preload- Build preload script onlynpm run build:renderer- Build renderer process onlynpm run clean- Remove all build artifactsnpm run rebuild- Clean and rebuild allnpm run fresh- Rebuild and start application
- Run
npm run devfor development - Make changes to source files in
src/ - Changes to renderer will hot-reload automatically
- Changes to main/preload require restart (Cmd/Ctrl+R in dev tools)
npm run dist:unsignedProduces a .dmg and .zip in release/. The app will be blocked by
Gatekeeper, but is useful for local smoke-testing the packaged build.
Copy .env.example → .env and fill in your Apple credentials, then:
npm run distTag commits with a semver tag — the CI pipeline takes over from there:
git tag v1.2.3
git push origin v1.2.3| What | Where to get it |
|---|---|
Developer ID Application certificate (.p12) |
Xcode → Settings → Accounts, or developer.apple.com |
App Store Connect API Key (.p8 + Key ID + Issuer ID) |
appstoreconnect.apple.com/access/api |
| Apple Team ID | developer.apple.com/account → Membership |
cp .env.example .env
# Edit .env and fill in:
# CSC_LINK (base64 of your .p12: base64 -i cert.p12)
# CSC_KEY_PASSWORD (password for the .p12)
# APPLE_TEAM_ID
# APPLE_API_KEY_ID
# APPLE_API_ISSUER
# APPLE_API_KEY (paste full .p8 content)The notarization hook (scripts/notarize.js) reads these variables
automatically. It skips silently when the variables are absent so
unsigned / dev builds still work.
Add the following repository secrets at Settings → Secrets → Actions:
| Secret | Description |
|---|---|
CSC_LINK |
base64 -i MyCert.p12 output |
CSC_KEY_PASSWORD |
Password for the .p12 |
APPLE_TEAM_ID |
10-char team ID |
APPLE_API_KEY_ID |
App Store Connect key ID |
APPLE_API_ISSUER |
App Store Connect issuer UUID |
APPLE_API_KEY |
Full .p8 file contents (multi-line secret) |
GH_TOKEN |
PAT with contents: write (or leave blank to use GITHUB_TOKEN) |
Push a version tag to trigger the release pipeline:
git tag v1.0.0 && git push origin v1.0.0Restbro uses electron-updater with a GitHub Releases provider.
- Updates are checked 10 s after launch, then every 4 h.
- In dev mode (
npm run dev) updating is disabled — no side-effects. - Once a new tag is published via CI, users on the previous version will be notified and prompted to install the update.
The renderer receives these IPC events from the main process:
| IPC event | Payload |
|---|---|
update:available |
{ version } |
update:download-progress |
{ percent, bytesPerSecond, transferred, total } |
update:downloaded |
{ version } |
update:error |
{ message } |
Call window.restbro.update.install() (once exposed in preload) to quit
and install the downloaded update.
- Bump the version:
npm version patch(orminor/major) - Push commit + tag:
git push && git push --tags - CI builds, signs, notarizes, and creates a GitHub Release automatically.
- Release artifacts available in
release/:Restbro-<version>-x64.dmg(Intel)Restbro-<version>-arm64.dmg(Apple Silicon)Restbro-<version>-x64.zip(for auto-update)Restbro-<version>-arm64.ziplatest-mac.yml(auto-update manifest)
Restbro is built with security-first architecture following Electron security best practices:
- Context Isolation:
contextIsolation: true- Renderer cannot access Node/Electron APIs directly - Sandbox Mode:
sandbox: true- Renderer runs in a restricted environment - No Node Integration:
nodeIntegration: false- No direct Node.js API access in renderer - Explicit IPC: Whitelisted IPC channels only - No dynamic or generic invocations
- Main Process Operations: All file, network, and native operations execute in main process
- Secret Redaction: Tokens, passwords, and secrets are never logged or exposed
┌─────────────────────────────────────────────────────────────┐
│ Main Process │
│ ┌──────────────────────────────────────────────────────┐ │
│ │ Modules (Request, OAuth, AI, LoadTest, Mock, etc.) │ │
│ │ • HTTP/HTTPS Client │ │
│ │ • File System Operations │ │
│ │ • Store Manager (database.json) │ │
│ │ • IPC Handler (whitelisted channels) │ │
│ └──────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
↕ IPC (secure bridge)
┌─────────────────────────────────────────────────────────────┐
│ Preload Script │
│ • contextBridge API (window.restbro.*) │
│ • Type-safe IPC wrapper │
│ • No business logic │
└─────────────────────────────────────────────────────────────┘
↕
┌─────────────────────────────────────────────────────────────┐
│ Renderer Process │
│ ┌──────────────────────────────────────────────────────┐ │
│ │ UI Components (Vanilla TS + React Islands) │ │
│ │ • Collections Manager │ │
│ │ • Request Builder │ │
│ │ • Response Viewer │ │
│ │ • Load Test UI │ │
│ │ • Mock Server UI │ │
│ │ • JSON Tools (Monaco Editor) │ │
│ │ • AI Chat Interface │ │
│ └──────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
src/
├── main/
│ ├── index.ts # Main entry point, boot sequence
│ └── modules/
│ ├── request.ts # HTTP request execution
│ ├── oauth.ts # OAuth 2.0 flows
│ ├── ai-engine.ts # AI assistant integration
│ ├── loadtest.ts # Load testing engine
│ ├── mock-server.ts # Mock server runtime
│ ├── store.ts # Persistence layer
│ ├── ipc-manager.ts # IPC channel handlers
│ ├── variables.ts # Variable resolution
│ └── ... # Other modular services
│
├── preload/
│ └── index.ts # Secure IPC bridge (contextBridge)
│
├── renderer/
│ ├── components/ # UI managers (vanilla TS)
│ ├── react-components/ # React islands (JSON Compare)
│ ├── styles/ # SCSS stylesheets
│ ├── utils/ # Helper functions
│ └── index.html # App shell
│
└── shared/
├── types.ts # Shared TypeScript types
└── ipc.ts # IPC channel constants
- Storage Location:
app.getPath('userData')/database.json - Write Strategy: Debounced writes (prevents excessive disk I/O)
- Graceful Shutdown: Automatic flush on app exit
- Migration Strategy: Additive, backward-compatible migrations
- State Includes:
- Collections and folders
- Environments and variables
- Request history
- UI state (theme, open tabs, expanded folders)
- Mock server configurations
- AI chat sessions
- Notepad content
- Runtime: Electron 26+, Node.js 18+
- Language: TypeScript (strict mode)
- UI: Vanilla TypeScript + React (isolated islands)
- Editors: Monaco Editor, CodeMirror
- Build: Webpack 5, TypeScript Compiler
- Styling: SCSS, CSS Modules
- HTTP Client: Node.js native
http/httpsmodules - Testing: Vitest
- Code Quality: ESLint, Prettier
-
Creating a Collection:
- Click the "+" button in the Collections panel
- Choose "New Folder" to create a folder
- Choose "New Request" to create a request
- Right-click folders for context menu (rename, delete, add subfolder)
-
Making Your First Request:
- Select a request from collections or create a new one
- Choose HTTP method (GET, POST, etc.)
- Enter the URL (supports variables like
{{baseUrl}}/api/users) - Add headers, query params, or body as needed
- Click "Send" or press
Cmd/Ctrl+Enter - View response in the right panel
-
Using Variables:
- Create an Environment from the top dropdown
- Add variables (e.g.,
baseUrl,authToken) - Use in requests:
{{baseUrl}}/api/{{endpoint}} - Set folder-level variables for organization
- Use Global Variables for workspace-wide values
-
Setting Up Authentication:
- Select Auth tab in request builder
- Choose auth type: Basic, Bearer, API Key, or OAuth 2.0
- For OAuth: Configure grant type, endpoints, and scopes
- Token refresh is automatic when expired
- Navigate to Load Testing tab
- Choose "From Collection" or "Ad-hoc" test
- Configure RPM (requests per minute) and duration
- Click "Start Load Test"
- Monitor real-time metrics
- Export results as CSV or PDF when complete
- Go to Mock Server tab
- Click "Create Server"
- Add routes with path patterns (exact, wildcard, regex)
- Configure response body, headers, status codes
- Click "Start Server"
- Use the server URL in your requests
- JSON Viewer: Paste JSON, explore with collapsible nodes, search
- JSON Compare: Paste two JSON objects, view side-by-side diff
- Open Ask AI tab
- Create a new session or select existing
- Use "Include Request" or "Include Response" for context
- Ask questions about API responses, debugging, or general help
- Get streaming AI responses (requires local LLM server)
- Click Notepad tab
- Use
Cmd/Ctrl+Nfor new tab Cmd/Ctrl+Oto open fileCmd/Ctrl+Sto save- Full Monaco editor with syntax highlighting
| Shortcut | Action |
|---|---|
Cmd/Ctrl+Enter |
Send request |
Cmd/Ctrl+S |
Save current (notepad/file) |
Cmd/Ctrl+O |
Open file (notepad) |
Cmd/Ctrl+N |
New tab (notepad) |
Cmd/Ctrl+W |
Close tab |
Cmd/Ctrl+Tab |
Next tab |
Cmd/Ctrl+Shift+Tab |
Previous tab |
Cmd/Ctrl+F |
Find in response |
Esc |
Cancel request / Close dialog |
- Click Import button in Collections panel
- Select file type: Postman Collection, Postman Environment, or Insomnia Export
- Preview the import
- Click "Import"
- Collections and environments will be added to your workspace
- Use folders to group related requests (e.g., Auth, Users, Products)
- Use nested folders for complex APIs (e.g., Admin → Users, Admin → Settings)
- Name requests descriptively (e.g., "Get User by ID", "Create New Product")
- Use Environments for different deployment targets (dev, staging, prod)
- Store base URLs, API keys, and common values in environment variables
- Use folder variables for endpoint-specific values
- Use global variables for truly cross-cutting values
- Never commit
database.jsonwith sensitive tokens - Use environment variables for secrets
- Rotate API keys and tokens regularly
- Use OAuth 2.0 when possible (automatic token refresh)
- Use Load Testing to identify performance bottlenecks
- Monitor p95 and p99 latencies for real-world scenarios
- Test with realistic RPM values
- Export results for historical tracking
- Use Mock Server to develop frontend before backend is ready
- Use History to replay previous requests
- Use Notepad for quick API response analysis or documentation
- Use AI Assistant for debugging and understanding responses
Restbro follows enterprise-grade development practices:
- TypeScript: Strict mode, no
anyexcept at boundaries - ESLint + Prettier: Enforced code style and linting
- Modular Design: Files ≤300 lines (main), ≤150-300 lines (renderer)
- Type Safety: Shared types in
src/shared/types.ts - Testing: Vitest for unit tests on pure logic
- Never disable security features (context isolation, sandbox)
- Never use Node/Electron APIs directly in renderer
- Always use whitelisted IPC channels
- Always redact secrets in logs
- Never store sensitive data in localStorage
- Read CLAUDE.md for repo instructions
- Follow the IPC sequence: types → IPC constants → handler → preload → renderer
- Keep modules small and focused
- Write tests for complex logic
- Run
npm run lintandnpm run formatbefore commits - Ensure
npm run buildpasses
- Fork and create a feature branch
- Make your changes following code standards
- Add tests if applicable
- Update documentation if needed
- Run
npm run buildto ensure no errors - Submit PR with clear description
- GraphQL support
- WebSocket testing
- gRPC support
- API documentation generation
- Team collaboration features
- Cloud sync (optional)
- Performance profiling
- Request chaining/workflows
- Custom plugins/extensions
- Multi-language code generation
MIT License - see LICENSE file for details.
- Issues: Report bugs or request features on GitHub Issues
- Discussions: Ask questions or share ideas on GitHub Discussions
- Documentation: Full docs available in the repo
Built with ❤️ for developers who demand security, performance, and features.