npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@apicircle/core

v1.0.9

Published

Request execution, environment resolution, auth signing, assertions, spec imports, and the applyMutation workspace engine for API Circle Studio.

Downloads

1,410

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

apicircleapicircle

Keywords

apicircleapiapi-circleapi-clienthttp-clientrestgraphqlrequestopenapiswaggerpostmaninsomniaharauthoauth2oidcjwtaws-sigv4ntlmhawkdigest-authassertionsworkspacegit-backed

Readme

What it is

@apicircle/core is the headless engine behind API Circle Studio. It does everything an API client needs to do — except draw a UI:

  • Builds and executes HTTP requests with redirect, retry, and timeout handling.
  • Signs 17 different auth schemes end-to-end, including the full OAuth2 grant set.
  • Imports OpenAPI 3.x, Swagger 2.0, Postman v2/v2.1, Insomnia v4, and cURL into a typed workspace.
  • Mutates workspace state through a single, audited choke point (applyMutation).
  • Runs saved execution plans headlessly — perfect for CI / regression gates.
  • Reads and writes workspace JSON to disk with advisory locking, in either a single-folder or multi-workspace registry layout.

If you've ever wanted to embed "the Postman engine" inside a Node script, a CI runner, an internal portal, or your own product — this is that engine, typed and treeshakable.

Install

npm install @apicircle/core @apicircle/shared
# pnpm add @apicircle/core @apicircle/shared

Dual ESM + CJS, full .d.ts, no native deps. Browser-safe — all crypto and signing primitives run on WebCrypto.

What you can do with it

Execute any request, with real auth

import { executeRequest } from '@apicircle/core';

const result = await executeRequest({
  method: 'POST',
  url: 'https://api.example.com/charges',
  headers: [{ key: 'X-Idempotency-Key', value: 'k-001' }],
  body: { kind: 'json', json: { amount: 4200, currency: 'usd' } },
  auth: {
    type: 'oauth2',
    grant: 'client_credentials',
    clientId: 'cid',
    clientSecret: 'csec',
    tokenUrl: 'https://auth.example.com/token',
    scope: 'charges:write',
  },
});

console.log(result.response.status, result.response.bodyText);

Behind the scenes the engine acquires a token, caches it for its TTL, refreshes it transparently when it expires, and signs the request. Every other auth scheme — Bearer, Basic, API key, custom header, AWS SigV4, Digest (with stale=true nonce rotation), NTLM (with the full 3-message handshake + MIC), Hawk, JWT — works the same way: declarative config in, signed request out.

The 17 auth schemes, in one place

| Family | Schemes | | ----------- | ------------------------------------------------------------------------------------------------------------ | | Token | Bearer, API key, custom header | | Credentials | Basic, Digest (MD5/SHA-256/SHA-512-256), NTLM v2, Hawk | | AWS | SigV4 (header & query) | | JWT | HS / RS / ES / PS family, custom claims | | OAuth2 | Client Credentials, Authorization Code (+ PKCE), Password, Implicit, Device Code, Refresh, private_key_jwt | | None | …because sometimes the API just lets you in |

Every implementation is verified against the original RFCs (1320, 1321, 2202, 2617, 7616, 7636, [MS-NLMP]) plus NIST CAVS vectors and Mozilla's Hawk fixtures. See docs/auth.md for the full matrix.

Import a spec, get a typed collection

import { importOpenApi, importPostman, importInsomnia, importCurl } from '@apicircle/core';

const { requests, folders, warnings } = await importOpenApi(rawYamlOrJson, {
  format: 'yaml',
});

All four importers return the same typed shape, ready to merge into a workspace with applyMutation.

Run a saved plan in CI

import { runPlan, loadFromFile } from '@apicircle/core/workspace/file-backed';

const { synced, local } = await loadFromFile('./workspace');
const planId = synced.plans.find((p) => p.name === 'Smoke Tests')!.id;

const result = await runPlan({ synced, local }, planId, { bail: true });
process.exit(result.passed ? 0 : 1);

Plans chain requests, evaluate assertions, and pass extracted variables forward — exit code 0 on green, non-zero on red. Drop it straight into GitHub Actions, GitLab CI, or any pipeline.

Mutate workspace state — one function, every entity

import { applyMutation, generateId } from '@apicircle/core';

const next = applyMutation(state, {
  kind: 'request.create',
  id: generateId(),
  name: 'List Users',
  parentFolderId: null,
  method: 'GET',
  url: 'https://api.example.com/users',
});

WorkspacePatch is a discriminated union over request.* | folder.* | environment.* | assertion.* | mock.* | plan.*. Adding a new entity in your own UI? One union variant + one switch case. The CLI, MCP server, and desktop app all flow through this single function — it's the audit log seam.

Entry points

// Engine API
import { executeRequest, applyMutation, runPlan } from '@apicircle/core';

// Disk-backed single-workspace helpers (load/save/withWorkspace under an advisory lock)
import { loadFromFile, saveToFile, withWorkspace } from '@apicircle/core/workspace/file-backed';

// Multi-workspace registry (registry.json + per-id subdirectories)
import {
  loadRegistry,
  saveRegistry,
  loadWorkspaceById,
  saveWorkspaceById,
  registerWorkspace,
  setActiveWorkspace,
  deleteWorkspaceById,
  findWorkspaceEntry,
  migrateLegacyWorkspace,
  workspaceDirFor,
  type WorkspaceRegistry,
} from '@apicircle/core/workspace/registry';
  • /workspace/file-backed — one workspace, one folder. proper-lockfile advisory locking, so concurrent CLI runs don't corrupt each other.
  • /workspace/registry — many workspaces, one root. registry.json at the top, per-id subdirectories underneath. The desktop app, CLI, and MCP server all read this same shape, so an edit in one is visible to the others on the next read.

Use cases

  • Build an internal API explorer for your engineering team.
  • Run regression smoke tests against staging in CI, with real OAuth2.
  • Generate a runtime mock from an OpenAPI spec on the fly.
  • Embed an AI-powered request authoring flow in your own product.
  • Migrate a Postman library into a typed, Git-trackable workspace.
  • Lint or validate workspaces in a pre-commit hook.

Where it fits

@apicircle/shared              (types + IDs + crypto + MCP catalog)
└── @apicircle/core            ◀── you are here
    ├── @apicircle/mcp-server  (wraps core as MCP tools)
    ├── @apicircle/cli         (wraps core as a CLI binary)
    └── @apicircle/mock-server-core (sister package — mock-server engine)

Stability & test coverage

  • 1,911 unit + integration tests in the OAuth2 / signing / executor suites alone (mock IdP exercises every grant, every refresh path, every CSRF guard).
  • Every auth primitive is CAVS-verified against the original spec vectors.
  • The engine is built ESM-first and ships dual CJS bundles for legacy consumers.

License

Released under the API Circle Studio License — a custom source-available license, not an OSI-approved open-source license. Free for personal, educational, and non-commercial use, plus a 30-day commercial evaluation period; ongoing commercial use requires a separate license. See LICENSE for the full terms, or contact [email protected] for commercial licensing.