Restura is one API client that speaks every protocol I actually use β HTTP, GraphQL, gRPC, WebSocket, SSE, Kafka, MQTT, and MCP. It stores everything locally, needs no account, and runs in the browser, as a native desktop app (macOS / Windows / Linux), or self-hosted in Docker behind your firewall. Free β not "free tier with the useful stuff locked," just free.
It started because I was tired of juggling four tools to debug one service, each with its own collection format and auth setup. Then Postman changed its pricing and Insomnia went cloud-first β syncing auth tokens, internal hostnames, and payload bodies to someone's server by default. That felt wrong, so Restura signs auth at the wire and keeps your data on your machine.
| Protocol | What works today | |
|---|---|---|
HTTP |
||
| REST / HTTP | All methods, params, headers, body types, cookies, code gen | |
GQL |
||
| GraphQL | Query builder, schema introspection, subscriptions | |
RPC |
||
| gRPC | Unary, server streaming, reflection Β· client/bidi streaming desktop only | |
WS |
||
| WebSocket | Connect, send/receive, full message history | |
IO |
||
| Socket.IO | Connect, emit/listen events, acks | |
SSE |
||
| Server-Sent Events | Live event stream viewer with reconnection | |
KFK |
||
| Kafka | Produce / consume, SASL + TLS Β· desktop only | |
MQT |
||
| MQTT | Publish / subscribe, QoS, TLS Β· desktop only | |
MCP |
||
| Model Context Protocol | Proxy to any MCP server β and Restura can be one |
Request scripting | Pre-request and test scripts in JavaScript, sandboxed in |
WorkflowsImport everythingEnvironments{{base_url}}
between staging and prod in one click.**Auth built-in*AI assistant Desktop only.*Private by default Restura signs auth at the wire and guards every outbound request β on both the web Worker and the desktop main process.
Desktop (Electron)β Keys wrapped by the OS keychain viasafeStorage
(macOS Keychain / Windows Credential Manager / libsecret), data sealed with AES-256-GCM. mTLS, custom CA certs, SOCKS proxies, PAC resolution, and TLS-verify-off all run through Node's TLS /net
stack.Webβ Keys default to ephemeral in-memory (regenerated per session) so the key never sits beside the ciphertext; encrypted data won't survive a reload. mTLS, custom CA, SOCKS, and TLS-verify-off aren't available in the browser sandbox.Networkβ SSRF guards (RFC 1918, CGNAT, link-local, cloud-metadata, IPv6 ULA, IPv4-mapped IPv6) on every path; desktop adds a DNS-rebind guard at lookup time. AWS SigV4 is signed in the Worker / Electron handler β never the renderer β so the signature matches the exact bytes upstream receives.Sandboxβ User scripts run in aQuickJSWASM VM with memory and time limits. No host bridge, no filesystem, no network.Privacyβ No accounts, no cloud sync. Optional, opt-out error reporting (on by default) can be turned off in** Settings βΊ Privacy**. Desktop routes errors toSentryvia a rendererβmain IPC bridge; web routes them to a self-hosted Cloudflare Worker (/api/telemetry/error
). Either way: error message, stack, version, OS only β never request URLs, headers, bodies, secrets, or identity (sendDefaultPii: false
). Both paths gate onsettings.telemetry.errorsEnabled
and send nothing until checked. The only usage signal is anonymous aggregate session counts (desktop Sentry Release Health, gated by the same opt-out); the self-hosted server collects nothing. See.docs/adr/0027-telemetry-and-privacy-preserving-usage-analytics.md
See docs/adr/0004-security-hardening.md for the design rationale.
Prerequisites: Node.js 24+ and npm. Or skip the setup and open the web app directly.
git clone https://github.com/dipjyotimetia/restura.git
cd restura
npm install
npm run dev # β http://localhost:5173
One command boots the Vite dev server and the Cloudflare Worker proxy (via Miniflare).
Desktop app (build from source)
Prebuilt installers live on the releases page. To build locally:
npm run electron:dev # development (live reload)
npm run electron:dist:mac # macOS β DMG + ZIP (x64 + arm64)
npm run electron:dist:win # Windows β NSIS + portable (x64 + ia32)
npm run electron:dist:linux # Linux β AppImage + deb + rpm (x64)
Self-hosting (Docker)
Run the web app behind your firewall in a single Node container β no Cloudflare account required.
cp .env.example .env # set WORKER_PROXY_TOKEN + ALLOWED_ORIGIN
docker compose up -d --build
curl -fs http://localhost:3000/health
See docs/SELF_HOSTING.md for the full operations guide β auth modes, internal-network access, reverse-proxy examples, healthchecks.
The same React SPA powers both targets. The only thing that differs is the transport layer, chosen at runtime by isElectron()
.
ββββββββββββββββββββββββββββββββββββββββ
β React SPA (renderer) β
β Vite Β· React 19 Β· React Router v7 β
ββββββββββββββ¬ββββββββββββββ¬ββββββββββββ
β β
web β β desktop
βΌ βΌ
βββββββββββββββββββ ββββββββββββββββββββββββ
β Cloudflare β β Electron main β
β Worker (Hono) β β Native IPC handlers β
ββββββββββ¬βββββββββ ββββββββββββ¬βββββββββββββ
β β
βββββββββββββ¬ββββββββββββ
βΌ
Target API / Service
Protocol logic lives once in shared/protocol/
β SSRF validation, header policy, body construction, response shaping β and each backend supplies only a thin Fetcher
adapter. The Cloudflare Worker is never bundled into the desktop app. See docs/ARCHITECTURE.md for the full breakdown.
Project layout
src/
βββ features/
β βββ http/ # REST request builder & executor
β βββ grpc/ # gRPC client + server reflection
β βββ graphql/ # GraphQL builder + schema explorer
β βββ websocket/ # WebSocket client
β βββ socketio/ # Socket.IO client
β βββ sse/ # Server-Sent Events client
β βββ kafka/ # Kafka producer/consumer (desktop only)
β βββ mqtt/ # MQTT client (desktop only)
β βββ mcp/ # MCP client
β βββ ai/ # AI assistant (chat + request context)
β βββ ai-lab/ # LLM / prompt eval workbench (desktop only)
β βββ workflows/ # Request chaining + variable extraction
β βββ collections/ # Sidebar, runner, Postman/Insomnia import
β βββ environments/ # Environment variable manager
β βββ auth/ # Auth config (shared across protocols)
β βββ load-testing/ # Collection load/perf runner
β βββ mcp-server/ # Restura-as-MCP-server
β βββ registry/ # Lightweight service registry / request runner
β βββ contracts/ # Contract testing (provider / consumer)
β βββ scripts/ # Script editor + QuickJS executor
β
shared/protocol/ # Backend-agnostic protocol orchestrators
shared/capture/ # Browser-capture pipeline (used by the extension)
worker/ # Shared Hono app β Cloudflare Worker + self-hosted Node
electron/main/ # Electron main process + IPC handlers
extension/chrome/ # Browser capture extension (MV3)
extension/vscode/ # VS Code extension (OpenCollection support)
cli/ # restura-cli β run collections in CI
| Concern | Choice |
|---|---|
| Build | Vite 8 + @cloudflare/vite-plugin |
| UI | React 19 Β· Tailwind CSS v4 Β· shadcn/ui Β· Radix UI |
| Routing | React Router v7 (hash mode β works on file:// and https:// ) |
| State | Zustand v5 with persist middleware |
| Validation | Zod v4 |
| Editor | Monaco Editor |
| Script VM | QuickJS WASM (quickjs-emscripten ) |
| Worker | Hono on Cloudflare Pages Functions |
| Desktop | Electron 42 |
| Tests | Vitest + React Testing Library + Playwright |
npm run dev # web dev server (port 5173)
npm run validate # type-check + lint + tests (same as CI)
npm run test:run # run tests once
npm run test:coverage # coverage report
npm run lint # Biome lint
npm run format # Biome format
Every PR runs type-check (renderer + Electron main + Worker), lint, security audit, tests, build, and a Cloudflare Pages preview deploy β the URL is posted to the PR automatically.
This started as a personal tool and I'd genuinely love help making it better. Bug fixes, new protocol support, UI polish, docs, security hardening β all welcome.
git checkout -b fix/my-thing
npm run validate # type-check + lint + tests β same gates as CI
git commit -m 'fix: my thing'
If you're thinking about adding a new protocol or something significant, open an issue first so we can talk through the approach. For smaller things, just send the PR. good first issue is a good place to start. See
CONTRIBUTING.mdfor branch naming and commit format, and
CODE_OF_CONDUCT.mdfor the code of conduct.
β guides, references, and how-tosDocumentationβ system design, security model, IPC internals** Architecture**β what's planned** Roadmap**β what's shipped** Changelog**β pipeline, supply-chain hardening, release runbook** CI/CD & Releases**β how to report vulnerabilities** Security**β capture HTTP/GraphQL/WebSocket/SSE/gRPC-web traffic from Chrome into a collection** Browser extension**β schema validation, Test Explorer, and inline send for OpenCollection files** VS Code extension**
MIT License Β· Hosted on Cloudflare Pages Β· Made by dipjyotimetia
If this saves you a context-switch, a β helps other developers find it.