Capture every API call on any website — fetch + XHR — while you browse normally. Perfect for reverse engineering undocumented APIs.
Built by @ctala | 🌐 cristiantala.com
Instead of digging through the DevTools Network tab, this extension gives you a clean one-click recording experience:
- Open the extension on any tab
- Set an optional URL filter (e.g. api.mysite.com)
- Click Start Recording
- Use the website as you normally would
- Click Stop → Download JSON
You get a clean JSON file with every unique endpoint captured — methods, headers, request bodies, response bodies, status codes, and timing.
Recording is scoped to the active tab only. Other tabs are not affected.
Get the extension directly from the Chrome Web Store:
🔗 Install from Chrome Web Store
Privacy-First: Zero tracking, zero analytics, zero external servers. Read our Privacy Policy
- Clone or download this repository
- Open Chrome → chrome://extensions/
- Enable Developer Mode (toggle in top-right corner)
- Click Load unpacked → select the project folder
- The 🟢 icon appears in your Chrome toolbar
Firefox support is planned (Manifest V3 with minor adjustments).
Fixed:
- CSP bypass for ultra-strict sites (Skool, etc.) — now uses chrome.scripting.executeScript with world: 'MAIN' instead of DOM script injection
- Works on any site regardless of Content Security Policy
Fixed:
- CSP violation on strict sites (now injects via <script src> instead of inline)
- Storage access error in content script (removed premature chrome.storage.session.get())
- Undefined isRecording crash (simplified state management — only background controls state)
Fixed:
- Service worker persistence (state now saved to chrome.storage.session)
Added:
- Tab-scoped recording (only captures in the tab where you clicked Start)
Initial release:
- fetch + XHR interception
- Live badge counter
- URL filtering
- Deduplication by endpoint
- JSON download
- Navigate to the website you want to analyze
- Click the extension icon in the toolbar
- (Optional) Enter a URL filter to narrow captures:
  - api2.skool.com — only calls to this domain
  - /api/v1 — only paths containing this string
  - graphql — only GraphQL requests
- Click ▶ Start
- The badge shows live request count
- Click ⏹ Stop when done
- Click ⬇ Download JSON to save the capture file
The downloaded file is named api-capture-{hostname}-{timestamp}.json:
{
  "meta": {
    "capturedAt": "2026-02-20T14:32:00.000Z",
    "total": 47,
    "uniqueEndpoints": 23,
    "site": "www.skool.com"
  },
  "endpoints": [
    {
      "type": "fetch",
      "method": "POST",
      "url": "https://api2.skool.com/posts",
      "requestHeaders": {
        "content-type": "application/json",
        "x-aws-waf-token": "..."
      },
      "requestBody": {
        "title": "Test post",
        "body": "Hello world"
      },
      "status": 200,
      "responseBody": {
        "id": "abc123",
        "created_at": "2026-02-20T14:32:01Z"
      },
      "duration": 142,
      "timestamp": "2026-02-20T14:32:00.000Z",
      "isNewEndpoint": true
    }
  ],
  "all": [...]
}

endpoints — deduplicated list (one entry per unique METHOD:URL pair)
all — every single request captured, including repeated calls
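
The capture file records request headers and bodies as sent, including values such as the x-aws-waf-token header in the sample above. As an added example (not part of the extension), this script masks credential-bearing keys in a capture before the file is shared; the key-name pattern, the REDACTED marker and the responseHeaders field name are assumptions.

```javascript
// Added example: scrub a capture file (format shown above) before sharing it.
// The key-name pattern, MASK value and `responseHeaders` field name are assumptions.
const SENSITIVE = /^(authorization|cookie|set-cookie)$|token|secret|password|api[-_]?key/i;
const MASK = 'REDACTED';

// Mask values whose key name looks credential-bearing, at any nesting depth.
function maskKeys(value) {
  if (Array.isArray(value)) return value.map(maskKeys);
  if (value === null || typeof value !== 'object') return value;
  return Object.fromEntries(
    Object.entries(value).map(([k, v]) => [k, SENSITIVE.test(k) ? MASK : maskKeys(v)]));
}

// Mask matching query parameters; works for absolute and relative URLs.
function maskUrl(raw) {
  const q = typeof raw === 'string' ? raw.indexOf('?') : -1;
  if (q === -1) return raw;
  const [query, ...frag] = raw.slice(q + 1).split('#');
  const params = new URLSearchParams(query);
  const hits = [...new Set(params.keys())].filter((k) => SENSITIVE.test(k));
  if (!hits.length) return raw;
  hits.forEach((k) => params.set(k, MASK));
  return raw.slice(0, q + 1) + params.toString() + (frag.length ? '#' + frag.join('#') : '');
}

function scrubEntry(entry) {
  const out = { ...entry, url: maskUrl(entry.url) };
  for (const f of ['requestHeaders', 'responseHeaders', 'requestBody', 'responseBody']) {
    if (f in out) out[f] = maskKeys(out[f]);
  }
  return out;
}

// Both arrays carry full request data, so both are scrubbed.
function scrubCapture(capture) {
  const scrub = (list) => (list || []).map(scrubEntry);
  return { ...capture, endpoints: scrub(capture.endpoints), all: scrub(capture.all) };
}

// Constructed sample entry; every value is made up for the example.
const sampleEntry = {
  type: 'fetch', method: 'POST',
  url: 'https://api.example.test/posts?page=2&access_token=constructed-abc',
  requestHeaders: { 'content-type': 'application/json', 'x-aws-waf-token': 'constructed-waf' },
  requestBody: { title: 'Test post', login: { password: 'constructed-pw' } },
  status: 200, responseBody: { id: 'abc123' },
};
console.log(JSON.stringify(scrubCapture({ endpoints: [sampleEntry], all: [sampleEntry] }), null, 2));
```

Bodies captured as raw strings rather than parsed JSON pass through unchanged, so review those by hand.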
- ✅ Intercepts fetch and XHR requests
- ✅ Captures request headers, body, response headers, response body
- ✅ Tab-scoped recording — only captures from the tab where you clicked Start
- ✅ Live counter badge on the extension icon
- ✅ Optional URL filter to reduce noise
- ✅ Deduplication — endpoints array has one entry per unique endpoint
- ✅ Works on any website, any protocol
- ✅ Clean dark-mode popup UI
- ✅ Clear button to reset captures
- ✅ Manifest V3 (modern Chrome extension standard)
- Reverse engineering private APIs — document undocumented endpoints
- Building integrations — understand the exact payloads a web app sends
- API documentation — auto-generate docs for internal apps
- Security research — understand what data a site is sending
- Learning — see how modern web apps communicate with their backends
The extension uses a 3-layer architecture to capture requests in the page's actual execution context:
content.js (extension context)
  └── injects → injected.js (page context)
        ├── Patches window.fetch
        └── Patches window.XMLHttpRequest

injected.js → dispatches CustomEvent('__ARE_REQUEST__')
  └── content.js listens → forwards to background.js
        └── Stores + counts + updates badge
Why the injection layer? Content scripts run in an isolated world: they share the page's DOM but not its JavaScript globals, so they can't patch the page's fetch directly. By injecting a <script> tag, injected.js runs in the page's own JavaScript environment and can intercept real network calls.
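
A sketch of the page-context layer described above, as an added example rather than the extension's own injected.js: it wraps fetch only (not XHR), and patchFetch, report and the message forwarded to the background script are hypothetical names and shapes. The record fields follow the capture format shown earlier.

```javascript
// Added example, not the extension's injected.js. `patchFetch` and `report`
// are hypothetical names; record fields follow the capture format on this page.
function patchFetch(target, report) {
  const original = target.fetch;
  target.fetch = async function (input, init = {}) {
    const started = Date.now();
    const url = typeof input === 'string' ? input : (input.url || String(input));
    const method = String(init.method || input.method || 'GET').toUpperCase();
    // A rejected fetch (network error) propagates to the caller unchanged.
    const response = await original.call(target, input, init);
    // Read a clone so the page's own code still gets an unread body stream.
    response.clone().text().then((text) => {
      let responseBody = text;
      try { responseBody = JSON.parse(text); } catch (_) { /* keep raw text */ }
      report({ type: 'fetch', method, url, status: response.status,
        responseBody, duration: Date.now() - started,
        timestamp: new Date(started).toISOString() });
    }).catch(() => { /* capture errors must never reach the page */ });
    return response;
  };
  return () => { target.fetch = original; }; // undo the patch
}

// Page-context wiring as described above (browser only):
//   patchFetch(window, (d) => window.dispatchEvent(
//     new CustomEvent('__ARE_REQUEST__', { detail: d })));
// Content-script side of the bridge:
//   window.addEventListener('__ARE_REQUEST__',
//     (e) => chrome.runtime.sendMessage(e.detail));

// Offline demo against a constructed stand-in for window.fetch.
async function demo() {
  const seen = [];
  const fakeWindow = { fetch: async () => ({
    status: 200, clone() { return this; }, text: async () => '{"id":"abc123"}' }) };
  const restore = patchFetch(fakeWindow, (r) => seen.push(r));
  await fakeWindow.fetch('https://api.example.test/posts', { method: 'post' });
  await new Promise((resolve) => setTimeout(resolve, 0)); // let the clone read finish
  restore();
  return seen;
}
demo().then((seen) => console.log(seen));
```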
api-reverse-engineer-extension/
├── manifest.json # Extension config (Manifest V3)
├── popup.html # Popup UI
├── src/
│ ├── popup.js # Popup logic
│ ├── background.js # Service worker (stores captures, manages state)
│ ├── content.js # Content script (bridge between page and extension)
│ └── injected.js # Page-context script (intercepts fetch + XHR)
├── icons/
│ ├── icon16.png
│ ├── icon48.png
│ └── icon128.png
└── README.md
- Firefox support (WebExtensions API)
- Export as OpenAPI / Swagger spec
- Copy individual endpoint as cURL command
- Response diffing (detect API changes over time)
- Replay captured requests
- HAR import/export compatibility
- Regex URL filter support
Contributions are welcome! See CONTRIBUTING.md.
- Fork the repo
- Create a feature branch: git checkout -b feature/my-feature
- Commit your changes: git commit -m 'Add my feature'
- Push: git push origin feature/my-feature
- Open a Pull Request
Your data stays on your device. No tracking, no analytics, no external requests.
📋 Read our Privacy Policy | 🌐 Hosted version
MIT — see LICENSE.
API Reverse Engineer is maintained with ❤️ by Cristian Tala — a developer, entrepreneur, and automation enthusiast.
Connect:
- 🌐 Website: cristiantala.com
- 💼 LinkedIn: @ctala
- 🐙 GitHub: @ctala
- 📦 Repository: github.com/ctala/api-reverse-engineer
Found a bug? Have a feature request?
Open an issue on GitHub
If you find this extension useful, please:
- ⭐ Star the repository on GitHub
- 🌟 Leave a review on the Chrome Web Store
- 🔗 Share with fellow developers