I Built an API Client With an Embedded MCP Server — Here's Why AI Shouldn't See Your Real API Data published

Praveen Sharma — Tue, 07 Apr 2026 13:16:08 +0000

Every API client is racing to add AI features. But there's a fundamental problem nobody's talking about: API testing involves the most sensitive data in your stack.

Auth tokens. API keys. Production user data. Payment details. Internal service credentials.

When Postman added AI, they routed your data through their cloud. When Insomnia added MCP support, it's client-side only — your AI can call external services, but it can't actually interact with your API workspace.

I wanted something different. So I built RESTk — a native macOS API client with an embedded MCP server where AI helps you build, test, and debug APIs, but never sees your real data.

Here's how it works.

The Problem: AI + API Data = Privacy Nightmare

If you're using Claude, Cursor, or Windsurf for development, you've probably wanted AI to help with API work:

"Debug why this endpoint returns 403"
"Generate test scripts for this collection"
"Compare these two responses and find what changed"
"Create requests from this OpenAPI spec"

But to do any of that, the AI needs to see your requests and responses. And your requests contain:

{
  "authorization": "Bearer sk-live-abc123def456",
  "x-api-key": "prod_key_789xyz",
  "response": {
    "user": {
      "email": "john.doe@company.com",
      "ssn": "123-45-6789",
      "balance": 42850.00
    }
  }
}

You can't just paste this into an AI chat and hope for the best. Not if you work in fintech, healthcare, or anywhere with compliance requirements. Not even if you just care about good security hygiene.

The Solution: Schema Extraction + Synthetic Data

RESTk takes a different approach. Instead of sending your real data to AI, it runs a schema extraction engine that:

Analyzes the structure of your requests and responses (field names, types, nesting)
Strips all real values — credentials, tokens, PII, everything
Generates context-aware synthetic replacements that match the original types
Sends only the sanitized schema to the AI

So when your API returns this:

{
  "email": "john.doe@company.com",
  "api_key": "sk-live-abc123",
  "balance": 42850.00,
  "created_at": "2026-03-15T10:30:00Z"
}

The AI sees this:

{
  "email": "synthetic_7f2a@example.com",
  "api_key": "[REDACTED]",
  "balance": 12345.67,
  "created_at": "2026-01-01T00:00:00Z"
}

The AI can still reason about the structure — "this endpoint returns a user object with email, API key, balance, and timestamp" — but it never has access to real values. Headers like Authorization, Cookie, and X-API-Key are redacted automatically.

And every AI interaction is logged in a full audit trail. You can see exactly what the AI accessed, when, and what it did. This isn't just privacy — it's accountability.

The AI Audit tab — every tool call logged with timestamps. The green banner confirms all data was sanitized before reaching AI.

How It Works: Embedded MCP Server

RESTk ships with a built-in MCP (Model Context Protocol) server. MCP is the open standard that Claude, Cursor, Windsurf, and other AI tools use to connect to external services.

The difference: most MCP servers are separate processes you have to install and configure. RESTk's MCP server runs inside the app — zero configuration. It starts automatically and exposes:

31+ MCP Tools

Category	What AI Can Do
Discovery	List collections, requests, folders, environments
CRUD	Create/update/delete collections, folders, requests
Execution	Send saved requests, execute cURL commands, re-execute with overrides
Analysis	Analyze performance, detect error patterns, compare responses, infer schemas
Testing	Generate Nova test scripts, run assertions
Import	Bring in Postman, OpenAPI, Insomnia, cURL collections
Runner	Execute presets, check run status

Plus 9 MCP resources (collections, environments, history, audit logs, scripting docs) and 4 AI prompts for common workflows.

Setup: One Click

Open RESTk's settings, hit Setup next to "Add to claude_desktop_config.json" — done. RESTk writes the MCP config for you and shows a green "Configured" badge when it's active.

For Claude Code, it's one command in your terminal:

claude mcp add --transport stdio --scope user restk -- "/Applications/Restk.app/Contents/Resources/restk-bridge"

No JSON editing. No manual config files. RESTk handles the wiring.

You can connect multiple AI sessions simultaneously — Claude Code in your terminal, Claude Desktop for visual work, Cursor in your editor — all talking to the same RESTk workspace at the same time.

Four AI agents connected simultaneously — 3 Claude Code sessions + Cursor. The "Share with AI" panel controls which collections are visible to agents, and credentials are always redacted.

What This Looks Like in Practice

Here's a real workflow I use daily:

Me (in Claude Code): "List all the requests in my Payments collection and find any that don't have error handling tests"

Claude (via RESTk MCP): Lists 12 requests, identifies 4 without post-response test scripts.

Me: "Generate Nova test scripts for those 4 requests — check for 4xx/5xx status codes and validate the response schema"

Claude: Creates test scripts using RESTk's Nova scripting engine, attaches them to each request.

Me: "Now send all 4 requests against the staging environment and show me the results"

Claude: Executes the requests (with my confirmation — destructive operations require approval), reports pass/fail.

At no point did Claude see my actual API keys, auth tokens, or response data. It worked with schema-extracted synthetic versions the entire time.

Beyond AI: It's a Full API Client

RESTk isn't just an MCP wrapper. It's a complete Postman replacement:

12 Authentication Methods
OAuth 2.0 (all grant types including PKCE), JWT (HS256, RS256, ES256), API Key, Basic, Digest, AWS SigV4, Hawk, NTLM, OAuth 1.0, Bearer, and auth inheritance through collection > folder > request hierarchy.

GraphQL
Dedicated editor with schema introspection, intelligent autocomplete, variables panel, and operation selection. Not an afterthought.

Nova Scripting Engine
JavaScript-based pre-request and post-response scripts. Set dynamic headers, chain auth tokens between requests, validate responses with nova.test() and nova.expect() assertions.

Import From Anything
Postman collections (v2.1), OpenAPI/Swagger (2.0 and 3.0), Insomnia exports, cURL commands. Drag and drop with auto-detection.

Real-Time Sync & Collaboration
Entity-level batch sync with three-way merge conflict resolution. 4-tier RBAC (Owner/Manager/Editor/Viewer). Offline-first — work without internet, sync when reconnected.

End-to-End Encryption
AES-256-GCM with workspace-level keys. SQLCipher encrypted local database. Your data is encrypted before it ever leaves your machine.

Native macOS
Built in Swift and SwiftUI. Not Electron. Multi-tab, multi-window, Cmd+K command palette, keyboard-first design. Feels like a Mac app because it is one.

How Does It Compare?

Feature	RESTk	Postman	Bruno	Insomnia
Native App	Swift (macOS, Windows coming)	Electron	Tauri/Rust	Electron
AI Integration	Embedded MCP server	Cloud AI (Postbot)	None	MCP client only
AI Privacy	Schema extraction + synthetic data	Data goes to cloud	N/A	N/A
AI Audit Trail	Built-in	Enterprise only	None	None
E2E Encryption	Workspace-level	Enterprise ($$$)	None	None
Offline Sync	Yes (3-way merge)	Cloud-dependent	Git-based	Git sync
GraphQL	Full (introspection + autocomplete)	Full	Basic	Basic
Auth Methods	12	12	~8	~8
Scripting	Nova (JS)	Postman Scripts	Built-in	Plugins
Price	Free	$14/mo Pro	Free	Freemium

Coming This Month

We're shipping a big release at the end of April:

Windows Support — Native Windows app launching alongside macOS
Runner — Execute preset request collections with scheduling and results tracking
Git File Sync — Bi-directional Git sync for collections. Version control your API workspace like code.
CLI — restk-cli for import, export, diff, status, and headless execution from your terminal

Try It

RESTk is free during beta. Available now on macOS 15.6+, with Windows launching later this month.

Download: restk.ai
Docs: restk.ai/docs

If you're using Claude Code or Claude Desktop, you can connect to RESTk in about 30 seconds. I'd genuinely love feedback — especially on the MCP integration and the schema extraction approach.

Built by Zynaty Technologies — a small team that believes AI should help you build APIs without requiring you to trust it with your secrets.

DEV Community: Praveen Sharma