Show HN: Restfox – Open source lightweight alternative to Postman (restfox.dev)

758 points by kermire ↗ HN
Last time I posted this it didn't garner much interest. There have been lots of improvements and fixes since the last release.

Quick list of features:

  - Workspaces
  - Tabs
  - Nested Folders
  - Lots of context menus
  - Response history
  - Plugins
  - Runs fully in the browser and runs offline if necessary
  - Chrome and Firefox extension to bypass CORS restrictions
  - Desktop builds for all platforms
  - GraphQL support
  - Import collections exported from Postman and Insomnia
  - Simple user friendly interface
I built this because I love Insomnia but wanted a portable version that I could run in the browser.

If you're tired of Postman's bloated interface and slow startup times, do give this a try.

208 comments

[ 4.6 ms ] story [ 211 ms ] thread
(comment deleted)
Switched away from Postman to a native Mac app and my RAM couldn't be happier (https://paw.cloud)
Seems pretty nice but $50 is a little high - is it really worth the premium?
$50 doesn't look high to me, assuming it does everything it says it does really well. Just designing an API in a nice UI is worth more than that!

(No affiliation.)

It isn’t been, in my experience. If my team used it collaboratively it might be.

It’s a solid app and worth it if you’ll use it a lot. I simply didn’t because piling things in there isn’t particularly valuable if it isn’t readily available to the people I work with.

No -- I used and paid for PAW for a while. I gave up on all MacPaw products once I realized their sales staff contacted me after I asked them not to -- they immediately lost me as customer. They just wanted to 'help' me get on to a more expensive plan that was for Teams.

There are plenty of great alternatives: HTTPie is one I like. Haven't found a good alternative to CleanMyMac yet though.

Unless I'm mistaken, Paw isn't owned by MacPaw? It's an unrealted product with a one time purchase price.
There is some financial relationship there. You get PAW with a SetApp bundle that MacPaw sell as a subscription.
You currently get 239 apps with the setapp bundle, I don't think there's anything special about that relationship.
There's zero 'relationship'. SetApp bundles popular Mac software, of which Paw is one.
>There's zero 'relationship'.

It's a reseller. They probably even charge a commission so there is a business/financial relationship.

I got $50 of value out of my purchase, but that was quite a few years ago. Dunno if I’d buy it today when there are other alternatives
Postman is $15, it just takes a bit more than 3 months to surpass the price :P
I’ve been using it for a long time and I’d happily pay $100 for it.

It can consume swagger/openapi docs and generate calls. It can generate code snippets and cURL requests. You can extract values from one response body to use as a variable in another request, the built in features go on and on- and there’s a decent extension ecosystem/write your own.

Most importantly, it just works, and it works well and quickly, with pretty much any auth scheme I’ve ever had to deal with.

I’ve only got really a couple of nits with the stand-alone version.

I still can’t figure out how to make it “use the same auth scheme” for every single request globally. Each request requires the auth config, but this is solved by just copying an existing request and starting from that. This could very well be my lack of knowledge, though I feel like I know the tool well.

The .paw file is binary and doesn’t do well checked into source control if you’ve got more than one person using it.

The Teams version, which requires a monthly sub kinda/sorta mimics a git style branch strategy for merging different members changes and handles the team problem pretty well.

All in all though, it is absolutely and BY FAR the best request tool I’ve ever used. A great combination of simple just get out of the way and advanced automation strategies. I use it every day.

EDIT TO ADD:

I forgot to mention their license is still a lifetime license. I paid them $50, probably 6 years ago now, and have never been forced to pay them another dime. I’d pay per major version or do the IntelliJ perpetual fallback if it came to it, but I’ve never once been bait and switched (looking at you Tower2).

It's quite nice. I think it's worth it but you could always do the same for free/cheaper with other tools out there and/or curl.

Depends on how much you value a tool like this. And it's a one-time purchase for life, not a subscription.

I bought it during a BF deal. Perhaps wait a month?
the difference in price reflects the extra time (and background experience) it takes to build a given thing as a native app instead of an electron app. not saying paw is especially good though
Now that they're maintaining versions based on web technologies and are now just a cog in the VC Funded RapidAPI machine, are you concerned that makes the writing on the wall for the native Mac app?
(comment deleted)
Nice. If you want to implement another feature: see the error response. My server returned 428, but I couldn't see the contents nor header, only a generic "preview".
That's very odd. Will look into this.
And the Cookie header isn't sent? (using it on Firefox 106.1).
I'm using the fetch API for making requests and fetch sadly forbids the Cookie header from getting passed. Will be looking into how I can bypass this.
~~I think axios can. Its API is similar to fetch, except for the return status. You could also manipulate the cookies before and after transmission, but that might be messy when you hit the browser's cookie limits.~~

Scratch that. I wasn't thinking clearly. I ran the call from restfox.dev, and it's another domain, of course. You'd need to write your own http client to get around it.

My version of Postman is to open a Jupyter notebook and

>> import requests

(comment deleted)
Page is not working for me. I'm in Firefox
Windows 10, Firefox 106.0.1, uBlock, multi-account containers, facebook container, bitwarden, DDG privacy, consent-o-matic, font contrast, dark reader

Works fine for me.

Opened a request to https://api.publicapis.org/entries and it fetched results.

My favorite testing HTTP Client is still just the IntelliJ built-in, pure text. You know exactly what you send without having to navigate menus and whatnot. In the end, 99% of HTTP requests are just that, text.
Can you chain requests together? Like if a request requires auth it will invoke login then take the token for use in the next request.
I haven't used it myself, but there is an option to parse responses with JavaScript and set variables.

  GET https://httpbin.org/get
  
  > {%
      client.global.set("my_cookie", response.headers.valuesOf("Set-Cookie")[0]);
  %}
https://www.jetbrains.com/help/idea/exploring-http-syntax.ht...
Interesting. I have 2 endpoints (login and get settings) I use for testing in a desktop app and sometimes firing up insomnia for that project is a hassle. But rider has that rest client too so maybe I’ll try it for this one thing.
Well... that's called programming, no? :)
This is what I wish all http clients could adopt.

Use plain text files (IntelliJ already introduced .http files, which work great) Sadly it will never work because that would break 90% of the incentives to pay, which his having a sync system. Because then I could simply commit my http requests and git would be my sync server.

Personally I don't like the IntelliJ Client, the UI is kind of ugly and requires a lot of actions each time I want to send and review a response. Insomnia is way better in that regard.

Good context might me my issue comment on Hoppscotch: https://github.com/hoppscotch/hoppscotch/issues/870#issuecom...

This is what I have been working on: https://hit.yolo42.com/.

Early days but would love some feedback if you get a chance to try it out.

The idea is good, but I want a GUI.
And it fits nicely into git!
I have been working on a CLI first workflow that doesn’t require IntelliJ: https://hit.yolo42.com/. I spend my days in the terminal and like curl and httpie for most parts. Hit is to fill in the gaps rather than redo the whole experience of sending HTTP requests.

I’ve a very early prototype. If you get a chance to try it out, please do and share your feedback.

I can't resist to propose my own solution: a cli tool, plain text based, curl, and Rust https://hurl.dev

The market is overcrowded by good solutions, best wishes to other tools!

Thank you for Hurl—I started using it a few months ago and it’s been a delight!
(comment deleted)
Be careful with Postman. It seems they upload all your secrets to their servers. We stopped to use it a time ago. I don't know if they changed in this regard.
How else would they sync all of the shared stuff in your workspace? I'm more interested if they properly encrypt my data in transit and at rest and whether Postman employees have free access to our secrets.
I got a bulletin from our security team saying Postman stores it all in plain text on their servers. Unbelievable if true. Haven't used it since. They have all your passwords.
I had this gut feeling, but no way to check. The handling of secrets is not explicitly states, i.e probably bad.

I like the looks of httpie’s new desktop client but no idea if their secret handling is any better.

This is from their website: https://www.postman.com/trust/security/

> Depending upon its sensitivity classification, customer data is AES-256-GCM encrypted at the server-side before storage. Postman environment variables are covered in this classification and we strongly encourage you to use them to store your authentication keys and passwords. We have also added sessions in the 6.2 release onwards of Postman. We recommend using session variables for any data that you do not want to be synced to Postman's servers.

> Depending upon its sensitivity classification

What does this mean?

> Postman environment variables are covered in this classification and we strongly encourage you to use them to store your authentication keys and passwords.

It reads to me that they encrypt Postman environment variables and encourage you to use those.

Not sure what else is "Customer data" in that regard but it seems they consider at least that bit worthy of encryption.

Does anyone have a source for this? I need to present this to our team if it's true.
They sync everything. If you store stuff in collections, requests, or environments, it’s uploaded.

Presuming it’s end-to-end, but don’t know about at rest encryption

I switched to insomnia when postman changed their pricing pulling the rug out from everyone wanting us to pay like $300 more per month. (Before they back tracked)

https://insomnia.rest/

I actually prefer it.

One thing I love from Insomnia.rest is the ability to import CURL commands, including an entire list of newline-delimited CURL commands from the clipboard. This makes it easier to modify XHR's you pulled from your browser via a right click -> "copy all as cURL (bash)".
Yup. Use this all the time, either when I want to automate something on an undocumented API, or if I want to do some basic security testing on API's at work.
Postman can do this as well. I've been using this a bunch recently due to some project limitations and it has made life so much easier.

ETA: I just tried the functionality on Insomnia and I have to admit the UX is nicer. Just paste into the URL bar. Whereas with Postman it's CMD+O, Click on "Raw Text", click in textarea, paste, press import. Insomnia looks to have added OpenAPI support too (it was missing it last time I played with it) so maybe it's time to re-evaluate Insomnia

Postman's UI is cluttered
I don't disagree. I've just been using it for so long (8 or 9 years now I think) and it's so ingrained in my workflows that I haven't bothered to re-evaluate it in ages. This is probably the kick in the butt I needed.
The world is your oyster, my friend. Restfox is pretty similar to Insomnia, which is what I use, so I'll probably give Restfox a shot and see about hosting my own instance on the LAN.
Same, my team and I started using Insomnia too when Postman pulled that stunt; doesn't matter if they went back on, good will lost in that way is a bridge burned that can't be rebuilt.
Same here, moved from postman to insomnia, now mostly using the rest plugin for visual studio code. Prefer using regular text files.
I similarly use restclient.el on Emacs and love it.

For those unfamiliar with these plugins, they allow you to simply write text files looking like:

    GET https://example.com/posts/5
    Accept: application/json
or

    POST https://example.com/posts
    Content-Type: application/json
    Authorization: Bearer abc

    {"title": "foo", "body": "bar"}
and simply execute the requests from the buffer.
There's one built into the JetBrains editors, too. And the upcoming release is going to allow one to wrap very long URLs for better visibility and include fun things like "$random.email" in the request: https://blog.jetbrains.com/idea/2022/10/intellij-idea-2022-3... (EAP releases are always free of charge, if one wanted to play with it right now; just please report bugs if you find them, as that's the reason they're free)
I have been using Thunder client in vs code. Love not having another app. Postman is horrible now.
Moved from Postman to Insomnia too. Postman was taking too much time to start and was very unresponsive compared to Insomnia, on my Work Laptop.
Same here, switched from postman to insomnia when it became impossible to ignore how slow, cluttered and generally bloated it became. Haven’t missed it since. Insomnia is pretty great. I’m sure there’s lots of stuff that postman can do that insomnia can’t, but insomnia is still very capable, while being snappy and not being in the way. Highly recommend it.
OP states they built this because they wanted a portable version of Insomnia.
(comment deleted)
Cool project! A true, open source alternative to Postman will be valuable. It seems like you’ve got the major elements in place.

Unsolicited UX notes…

I read Hacker News on mobile, so tried the app on mobile and ran into some challenges. In order to save space, eliminate the right click, and work on mobile please consider changing:

    You can right click here to create a new request or a new folder
To the following (illustrated using pseudo markdown):

    [Create request] or [Create a folder]
It would also be helpful to replace the GitHub star link with a link to your README. GitHub star links are problematic because they require a login that adds friction that prevents people from getting to your README page. People will login if they decide to star the project, but they might never get to your GitHub if they don’t have time to login or can’t easily login on the device where they’re reading.
Thank you. The UI is not currently built with mobile in mind. I have been thinking of implementing a responsive layout but haven't had the time to do it.

I did not know about the GitHub star login thing. Will try to rectify it when I can. Thanks for all your UX notes.

Github Star link looks fixed.
There is also hopscotch - unsure about licensing but it is self hostable
I dug into hoppscotch since my org balked at Postman enterprise costs, but was disappointed. It is open source and can run locally, but it still only talks to their cloud that stores your collections as a logged-in user (or session storage if you're offline). It's definitely a fledgeling commercial project, not a true open-source alternative, though you could fork it easily enough probably.

I had been hoping to keep all of our APIs centralized in git and run the local (or cloud for our ENVs) from that repo, but it doesn't read any query/API/collection defs from file.

(Not to come off as demanding of OSS, it's a wonderful product, but unfortunately you have to dig deep to figure out the limitations.)

EDIT: Also, what I'd go with now is Thunder client for VS code leveraging API defs stored within each repo + the localized vars such as auth info.

I tried Thunder too but their "please log in" popup is quite annoying. Wasn't aware it can leverage repo contents though - that seems like a killer feature.

> fledgeling commercial project, not a true open-source alternative

Yeah most of the self-host stuff tends to be like that unfortunately. Understandable but not ideal.

(comment deleted)
I don’t understand, what is it, what does it do?
Ok, it’s a tool to test rest api.
Good for you. Now did you check what postman does?
(comment deleted)
A nice feature would be import and export from/to Curl commands. When collaborating with clients or even colleagues it's easier to send curl commands.
Definitely something I'll be implementing soon. Importing and exporting curl commands is a good feature to have. Thanks for the feature suggestion.
I wonder if the chromium project has these functions all ready for you to grab from their dev tools?
My biggest gripe with Postman is the horrible theming. Except for light and dark, 0 control over the appearance of this app that I have to look at for hours almost every day.
You don't have to put up with postman. There are better alternatives.
> You don't have to put up with postman

Unless you work on a team that's standardized around it as a collaboration tool.

My biggest gripe is that its design leads to accumulating long list of slightly different "tests" whose purpose is soon forgotten. I suppose there are better practices that can stop that, but the path of least resistance is "copy, edit, run," and so a huge pile of meaningless garbage accumulates.

Something is missing.

I like it but please dont make me right click to do something! please add a little plus or something like it.

Otherwise great work! needs a little disclaimer though that you will not save any of my requests =)

Thank you. Will look into preventing the right click requirement and provide an alternative for that.

It should be saving your requests automatically. Maybe your browser is blocking IndexedDB somehow? That's what's used by the application to store the data locally. Also do make sure you're not in incognito mode, as changes will be lost once you're out of it.

Firefox private mode completely blocks indexeddb.
The offline part is critical for me. The only other thing I would prefer is an application that doesn't use Electron.
InvalidStateError: A mutation operation was attempted on a database that did not allow mutations.

[Edit]: I'm on Firefox (with ublock origin). I see others having issues too.

Firefox with ublock origin should not cause any issues. The issue might be caused by Firefox's private window implementation which does not allow IndexedDB operations, which is what Restfox uses for storing the data of the application locally.
If you are a minimalist, and are using VS Code, try https://marketplace.visualstudio.com/items?itemName=humao.re... which is a pure text syntax to describe API requests, and execute them right from the editor window. I now have api.http text file in every API-first project I am building and I love it.
Do you have a single api.http file or do you you multiple {route}.http files?
Not OP but you can store all your routes in one file or multiple, it's up to you.

Personally what I do is I script out full API workflows in different files. So one file might login, then POST to add an object, then GET that object off an endpoint, then patch that endpoint, then trigger the GET object again.

Another workflow might login, upload an image, get that image, etc. For me the scripting is what makes this appealing.

But you could setup one file that documents and tests all your endpoints similar to Postman.

I like this one because it's easy to keep API workflows with my projects. The scripting ability here is phenomenal. However only really useful if you code in VS Code.
Jetbrains also provides a similar, albeit slightly incompatible syntax for the same thing.

In the end, I think hurl [0] is nicer, because it’s open source and it’s a cli tool (and VS code also has a syntax highlighting plugin for it), making it editor independent.

[0]: https://github.com/Orange-OpenSource/hurl

(comment deleted)
I switched to "vscode-restclient" about a year ago and never looked back. It has variables, everything is saved as text, and I can commit my request suite to source control for collaboration's sake.

https://github.com/Huachao/vscode-restclient

Same here. Usually you just want to make simple queries, and this is a simple text based way to make m.
The only reason I use Postman still is the Authentication tab has really nice helpers for getting tokens (OAuth 1/2) and signing requests HMAC. It even works with Azure Active Directory.
Noticed a small bug, I can't paste into the URL bar.
I'm just now migrating my postman collections to .rest text files and the REST-client plugin for vscode (that name is both good and bad at the same time btw, it like marketing a new car and naming it "Car").

Grantet it does not do everything Postman does but I'm pretty happy so far. Environment variables and secrets stays in a workspace settings.json and the .rest files can be version controlled and shared.

Always bet on text!

This. My current hobby project[0] is basically something I started because I was frustrated with the inability to version control my tests in Postman alongside my API code. If it can't be committed to source control, then it's not really your code.

Now I can run all my tests FAST locally and set up a CI/CD pipeline in about 15 mins that will pick up and run them as well. At this point I'm not even sure a UI is necessary (maybe for the QA folks--maybe just an import from a postman collection will be enough for them, though).

[0]: https://github.com/davesheldon/nap

(comment deleted)
it is completly garbage on mobile
(comment deleted)
If you want something like Restfox but as a CLI, that tests your APIs automatically, give Step CI a try

https://stepci.com

It’s free and open-source on GitHub!

Disclaimer: I’m the author