DEV Community

Api Test Lab
Api Test Lab

Posted on

I built a Postman alternative. Here's what I actually learned.

I spent the last several months building API Test Lab a full-stack SaaS for API testing, load testing, and web analysis.

Not because I thought the market needed another tool.
Because I was frustrated with Postman's pricing, and I wanted to build something better.

Here's what I learned including the parts I wish someone had told me before I started.

Why I built it

Postman is great until it isn't.

The moment you need to collaborate with a team, the free tier disappears. You're looking at $14/user/month minimum. For a solo developer or a small startup, that adds up fast.

k6 and JMeter handle load testing but they're code-heavy. If you just want to throw 100 concurrent users at an endpoint and see what breaks, you don't want to write a test script first.

BlazeMeter works but costs more than most small teams can justify.

There was a gap: one tool that handles REST testing, GraphQL, load testing, and web analysis together without costing a company budget. So I built it.

What I built

API Test Lab does these things in one place:

REST API testing Postman-style collections, environments, {{variables}}, auth types
GraphQL testing schema introspection, query editor, variables, assertions
Load testing concurrent users, ramp-up, live WebSocket metrics, AI reports
Web scanner detect REST/GraphQL/SOAP endpoints from a URL
Web analysis SEO, performance, security checks
Mock server create fake endpoints for frontend teams to test against
Shared collections share a full collection with a public link, recipients can run requests directly from their browser without an account

The stack: Next.js 16 frontend, FastAPI backend, MongoDB, Google Gemini for AI features.

The technical decisions I got wrong

  1. I over-engineered authentication before anyone asked for it

I built 13 auth types. Basic, Bearer, JWT, OAuth 1.0, OAuth 2.0, Hawk, AWS SigV4, NTLM, Digest, API Key, Akamai EdgeGrid, ASAP Atlassian.

You know what percentage of API developers need Akamai EdgeGrid? Almost none.
You know what percentage need Bearer token? Almost all.

I spent weeks on auth types that maybe 2% of users will ever touch. I should have shipped Bearer, Basic, API Key, and OAuth 2.0 in week one and moved on.

Lesson: Build what 80% of users need first. The exotic 20% can wait until someone actually asks for it.

  1. localhost testing took me too long to figure out

My backend sits on a server. When a user sends a request to localhost:3000, my backend tries to call its own localhost not the user's machine.

This is obvious in hindsight. It took me embarrassingly long to figure out the right solution: detect local/private URLs and run them directly from the user's browser using the Fetch API, bypassing my backend entirely.

The tricky part is CORS. Local dev servers usually don't have CORS headers set. When the request fails, the browser gives you a useless "Failed to fetch" error with zero detail.

My solution: detect the CORS error specifically and show the user exactly what CORS headers to add to their server, with copy-paste code for Express, FastAPI, Django, etc.

javascript// Detect CORS error from browser
if (error instanceof TypeError && error.message.includes('Failed to fetch')) {
// Almost always a CORS error for local URLs
showCorsHelp(url)
}

  1. Shared collections needed careful security thinking

When you share a collection, it contains API endpoints, headers, and sometimes auth tokens in the variable values.

My first approach would have exposed the sender's actual API keys to anyone with the link. Bad.

The fix: strip sensitive header values before serving the public view, replace them with {{variable_name}} placeholders. The recipient sees the structure method, URL, header names but never the actual secret values. They fill in their own values in an environment bar.

pythonSENSITIVE_HEADERS = {"authorization", "x-api-key", "x-auth-token", "cookie"}

def strip_sensitive_headers(headers):
result = []
for h in headers:
if h["key"].lower() in SENSITIVE_HEADERS:
placeholder = h["key"].lower().replace("-", "_")
result.append({**h, "value": f"{{{{{placeholder}}}}}"})
else:
result.append(h)
return result

The shared view is also browser-side execution only. No anonymous user can use my server to fire requests at third-party APIs. That would have been an abuse vector.

  1. AI integration costs are predictable if you design for it

I integrated Google Gemini for AI features: explaining API responses, generating test assertions, load test analysis.

The concern with AI is runaway costs. Here's how I controlled it:

Context window limit: max 9,000 tokens per message (system prompt + request/response + history)
Response syntax highlighting and JSON analysis: client-side only, no AI
Conversation history: kept in browser state, not stored server-side
Free tier cap: 10 AI messages per day, enforced server-side
Rate limit: 20 messages per minute per user

At 1,000 active users each using 5 AI messages per day, cost is roughly $150/month using Gemini 1.5 Flash. Manageable.

The AI features I found most useful in practice: explaining what a 401 error means in context, and suggesting assertions after seeing a response. Not generating entire test suites that's too ambitious and rarely accurate.

  1. The webhook security detail that matters

Freemius (my payment processor) sends a webhook when a user pays. My first implementation logged a warning on signature mismatch but continued processing anyway.

That means anyone could have sent a fake webhook and gotten a Pro account for free.

The fix is one line: reject, not warn.

pythonif not hmac.compare_digest(expected_sig, received_sig):
raise HTTPException(400, "Invalid signature")

Before: just logged a warning and continued

Always use hmac.compare_digest for timing-safe comparison. Regular string comparison is vulnerable to timing attacks.

What I'm still figuring out

Distribution.

The product works. The technical problems are mostly solved. What I don't have yet is users.

Building is the easy part or at least it's the familiar part. Getting developers to switch from a tool they already know is a different problem entirely.

A few things I'm trying:

Writing articles like this one (hi)
Being specific about the Postman pain points I'm solving, not vague "it's better"
Targeting the exact moment someone hits Postman's free tier limit

If you've successfully grown a developer tool, I'm genuinely interested in what worked.

The honest comparison

I'm not going to pretend I've built a Postman killer. Postman has a decade of development, enterprise contracts, and brand recognition.

What I have is:

API Test LabPostman FreePostman TeamBasic API testing✅✅✅Collections✅✅ (limited)✅Load testing✅❌❌GraphQL tester✅✅✅Web scanner✅❌❌Mock server✅✅ (limited)✅AI analysis✅✅ (limited)✅PriceFree / $5 / $20Free (limited)$14/user/month

The honest use case for API Test Lab: solo developers, small teams, startups who want load testing and API testing in one tool without enterprise pricing.

Try it

API Test Lab is live at apitestlab.org.

Free tier exists. No credit card required. 7-day Pro trial on signup.

If you hit a bug, I want to know. If you think a feature is missing, tell me. I'm building this in public and actively improving it.

GitHub: github.com/Innocent-Developer

Built by a solo developer in Lahore, Pakistan. All feedback welcome.

Top comments (0)