Every API client is racing to add AI features. But there's a fundamental problem nobody's talking about: API testing involves the most sensitive data in your stack.
Auth tokens. API keys. Production user data. Payment details. Internal service credentials.
When Postman added AI, they routed your data through their cloud. When Insomnia added MCP support, it was client-side only: your AI can call external services, but it can't actually interact with your API workspace.
I wanted something different. So I built RESTk — a native macOS API client with an embedded MCP server where AI helps you build, test, and debug APIs, but never sees your real data.
Here's how it works.
The Problem: AI + API Data = Privacy Nightmare
If you're using Claude, Cursor, or Windsurf for development, you've probably wanted AI to help with API work:
- "Debug why this endpoint returns 403"
- "Generate test scripts for this collection"
- "Compare these two responses and find what changed"
- "Create requests from this OpenAPI spec"
But to do any of that, the AI needs to see your requests and responses. And your requests contain:
{
  "authorization": "Bearer sk-live-abc123def456",
  "x-api-key": "prod_key_789xyz",
  "response": {
    "user": {
      "email": "john.doe@company.com",
      "ssn": "123-45-6789",
      "balance": 42850.00
    }
  }
}
You can't just paste this into an AI chat and hope for the best. Not if you work in fintech, healthcare, or anywhere with compliance requirements. Not even if you just care about good security hygiene.
The Solution: Schema Extraction + Synthetic Data
RESTk takes a different approach. Instead of sending your real data to AI, it runs a schema extraction engine that:
- Analyzes the structure of your requests and responses (field names, types, nesting)
- Strips all real values — credentials, tokens, PII, everything
- Generates context-aware synthetic replacements that match the original types
- Sends only the sanitized schema to the AI
So when your API returns this:
{
  "email": "john.doe@company.com",
  "api_key": "sk-live-abc123",
  "balance": 42850.00,
  "created_at": "2026-03-15T10:30:00Z"
}
The AI sees this:
{
  "email": "synthetic_7f2a@example.com",
  "api_key": "[REDACTED]",
  "balance": 12345.67,
  "created_at": "2026-01-01T00:00:00Z"
}
The AI can still reason about the structure — "this endpoint returns a user object with email, API key, balance, and timestamp" — but it never has access to real values. Headers like Authorization, Cookie, and X-API-Key are redacted automatically.
And every AI interaction is logged in a full audit trail. You can see exactly what the AI accessed, when, and what it did. This isn't just privacy — it's accountability.

The AI Audit tab — every tool call logged with timestamps. The green banner confirms all data was sanitized before reaching AI.
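The sanitization pass described in this section can be sketched as follows. This is an added example, not RESTk's own code: the function names, the key patterns and the placeholder values are assumptions, and the last function is a check that no original value survives in what would be sent to the AI.

```javascript
// Added example: a hypothetical sanitizer, not RESTk's engine.
const SENSITIVE_KEY = /^(authorization|cookie|set-cookie|x-api-key)$|api[_-]?key|token|secret|passw/i;
const EMAIL = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
const ISO_TIME = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/;

// Default-deny: every leaf is replaced by a type-matched placeholder,
// so a secret in an unexpected field is never copied through.
function sanitize(value, key = "", ctx = { n: 0 }) {
  if (SENSITIVE_KEY.test(key)) return "[REDACTED]";
  if (Array.isArray(value)) return value.map((v) => sanitize(v, key, ctx));
  if (value !== null && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, sanitize(v, k, ctx)])
    );
  }
  if (typeof value === "string") {
    if (EMAIL.test(value)) return `synthetic_${++ctx.n}@example.com`;
    if (ISO_TIME.test(value)) return "2026-01-01T00:00:00Z";
    return "string";
  }
  if (typeof value === "number") return Number.isInteger(value) ? 12345 : 12345.67;
  if (typeof value === "boolean") return false;
  return null;
}

// Gather original leaf values so the output can be checked for survivors.
function leafValues(value, out = []) {
  if (value !== null && typeof value === "object") {
    Object.values(value).forEach((v) => leafValues(v, out));
  } else if (typeof value === "string" || typeof value === "number") {
    out.push(String(value));
  }
  return out;
}
// Returns the original values (4+ chars) still present in the sanitized output.
function leakedValues(original, sanitized) {
  const text = JSON.stringify(sanitized);
  return leafValues(original).filter((v) => v.length >= 4 && text.includes(v));
}

// Constructed sample, modelled on the request/response shown earlier.
const sample = {
  headers: { authorization: "Bearer sk-live-abc123def456", "x-api-key": "prod_key_789xyz" },
  response: { user: { email: "john.doe@company.com", ssn: "123-45-6789",
                      balance: 42850.75, created_at: "2026-03-15T10:30:00Z" } },
};
const sanitized = sanitize(sample);
console.log(JSON.stringify(sanitized, null, 2), leakedValues(sample, sanitized));
```

Field names pass through unchanged in this sketch, so a map keyed by email address or account ID would still expose those values and needs separate handling.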
How It Works: Embedded MCP Server
RESTk ships with a built-in MCP (Model Context Protocol) server. MCP is the open standard that Claude, Cursor, Windsurf, and other AI tools use to connect to external services.
The difference: most MCP servers are separate processes you have to install and configure. RESTk's MCP server runs inside the app — zero configuration. It starts automatically and exposes:
31+ MCP Tools
| Category | What AI Can Do |
|---|---|
| Discovery | List collections, requests, folders, environments |
| CRUD | Create/update/delete collections, folders, requests |
| Execution | Send saved requests, execute cURL commands, re-execute with overrides |
| Analysis | Analyze performance, detect error patterns, compare responses, infer schemas |
| Testing | Generate Nova test scripts, run assertions |
| Import | Bring in Postman, OpenAPI, Insomnia, cURL collections |
| Runner | Execute presets, check run status |
Plus 9 MCP resources (collections, environments, history, audit logs, scripting docs) and 4 AI prompts for common workflows.
Setup: One Click
Open RESTk's settings, hit Setup next to "Add to claude_desktop_config.json" — done. RESTk writes the MCP config for you and shows a green "Configured" badge when it's active.
For Claude Code, it's one command in your terminal:
claude mcp add --transport stdio --scope user restk -- "/Applications/Restk.app/Contents/Resources/restk-bridge"
No JSON editing. No manual config files. RESTk handles the wiring.
You can connect multiple AI sessions simultaneously — Claude Code in your terminal, Claude Desktop for visual work, Cursor in your editor — all talking to the same RESTk workspace at the same time.

Four AI agents connected simultaneously — 3 Claude Code sessions + Cursor. The "Share with AI" panel controls which collections are visible to agents, and credentials are always redacted.
What This Looks Like in Practice
Here's a real workflow I use daily:
Me (in Claude Code): "List all the requests in my Payments collection and find any that don't have error handling tests"
Claude (via RESTk MCP): Lists 12 requests, identifies 4 without post-response test scripts.
Me: "Generate Nova test scripts for those 4 requests — check for 4xx/5xx status codes and validate the response schema"
Claude: Creates test scripts using RESTk's Nova scripting engine, attaches them to each request.
Me: "Now send all 4 requests against the staging environment and show me the results"
Claude: Executes the requests (with my confirmation — destructive operations require approval), reports pass/fail.
At no point did Claude see my actual API keys, auth tokens, or response data. It worked with schema-extracted synthetic versions the entire time.
Beyond AI: It's a Full API Client
RESTk isn't just an MCP wrapper. It's a complete Postman replacement:
12 Authentication Methods
OAuth 2.0 (all grant types including PKCE), JWT (HS256, RS256, ES256), API Key, Basic, Digest, AWS SigV4, Hawk, NTLM, OAuth 1.0, Bearer, and auth inheritance through collection > folder > request hierarchy.
GraphQL
Dedicated editor with schema introspection, intelligent autocomplete, variables panel, and operation selection. Not an afterthought.
Nova Scripting Engine
JavaScript-based pre-request and post-response scripts. Set dynamic headers, chain auth tokens between requests, validate responses with nova.test() and nova.expect() assertions.
Import From Anything
Postman collections (v2.1), OpenAPI/Swagger (2.0 and 3.0), Insomnia exports, cURL commands. Drag and drop with auto-detection.
Real-Time Sync & Collaboration
Entity-level batch sync with three-way merge conflict resolution. 4-tier RBAC (Owner/Manager/Editor/Viewer). Offline-first — work without internet, sync when reconnected.
End-to-End Encryption
AES-256-GCM with workspace-level keys. SQLCipher encrypted local database. Your data is encrypted before it ever leaves your machine.
Native macOS
Built in Swift and SwiftUI. Not Electron. Multi-tab, multi-window, Cmd+K command palette, keyboard-first design. Feels like a Mac app because it is one.
How Does It Compare?
| Feature | RESTk | Postman | Bruno | Insomnia |
|---|---|---|---|---|
| Native App | Swift (macOS, Windows coming) | Electron | Tauri/Rust | Electron |
| AI Integration | Embedded MCP server | Cloud AI (Postbot) | None | MCP client only |
| AI Privacy | Schema extraction + synthetic data | Data goes to cloud | N/A | N/A |
| AI Audit Trail | Built-in | Enterprise only | None | None |
| E2E Encryption | Workspace-level | Enterprise ($$$) | None | None |
| Offline Sync | Yes (3-way merge) | Cloud-dependent | Git-based | Git sync |
| GraphQL | Full (introspection + autocomplete) | Full | Basic | Basic |
| Auth Methods | 12 | 12 | ~8 | ~8 |
| Scripting | Nova (JS) | Postman Scripts | Built-in | Plugins |
| Price | Free | $14/mo Pro | Free | Freemium |
Coming This Month
We're shipping a big release at the end of April:
- Windows Support — Native Windows app launching alongside macOS
- Runner — Execute preset request collections with scheduling and results tracking
- Git File Sync — Bi-directional Git sync for collections. Version control your API workspace like code.
- CLI — restk-cli for import, export, diff, status, and headless execution from your terminal
Try It
RESTk is free during beta. Available now on macOS 15.6+, with Windows launching later this month.
Download: restk.ai
Docs: restk.ai/docs
If you're using Claude Code or Claude Desktop, you can connect to RESTk in about 30 seconds. I'd genuinely love feedback — especially on the MCP integration and the schema extraction approach.
Built by Zynaty Technologies — a small team that believes AI should help you build APIs without requiring you to trust it with your secrets.