@cocaxcode/api-testing-mcp
v0.11.12
Published
The most complete MCP server for API testing. 35 tools: HTTP requests, assertions, request flows, OpenAPI import, mock data, load testing, collections, environments, native export/import, Postman import/export, cURL export, response diffing. Zero config,
Maintainers
cocaxcodeReadme
Quick Overview
The most complete MCP server for API testing — 35 tools, zero config, nothing else comes close. This is not just a request sender. It is a full testing workbench: HTTP requests with assertions, multi-step flows with variable extraction, OpenAPI import with schema-aware mock data, load testing with percentile metrics, response diffing across environments, bulk test runners, reusable collections, project-scoped environments, Postman import/export, and cURL export. All from natural conversation. No accounts, no cloud, no generated files. Everything runs inline and stores as plain JSON you own.
Just Talk to It
You don't need to learn tool names or parameters. Describe what you want and the AI picks the right tool.
"Set up an environment called dev with BASE_URL http://localhost:3000"
"Import my API spec from /api-docs-json"
"Show me all user endpoints"
"GET /users"
"Create a user with random data"
"Verify that DELETE /users/5 returns 204"
"Login as admin, extract the token, then fetch dashboard stats"
"How fast is /health with 50 concurrent requests?"
"Run all my saved smoke tests"
"Compare the users endpoint between dev and prod"
"Export the create-user request as curl"
"Export my collection to Postman"If you've imported an OpenAPI spec, the AI already knows every endpoint, every required field, every valid enum value. When you say "create a blog post", it reads the schema and builds the request correctly — no guessing.
Installation
Claude Code
claude mcp add --scope user api-testing -- npx -y @cocaxcode/api-testing-mcp@latestClaude Desktop
Add to your config file (~/Library/Application Support/Claude/claude_desktop_config.json on macOS, %APPDATA%\Claude\claude_desktop_config.json on Windows):
{
"mcpServers": {
"api-testing": {
"command": "npx",
"args": ["-y", "@cocaxcode/api-testing-mcp@latest"]
}
}
}Cursor / Windsurf
Add to .cursor/mcp.json or .windsurf/mcp.json in your project root:
{
"mcpServers": {
"api-testing": {
"command": "npx",
"args": ["-y", "@cocaxcode/api-testing-mcp@latest"]
}
}
}VS Code — add to .vscode/mcp.json:
{
"servers": {
"api-testing": {
"command": "npx",
"args": ["-y", "@cocaxcode/api-testing-mcp@latest"]
}
}
}Codex CLI (OpenAI):
codex mcp add api-testing -- npx -y @cocaxcode/api-testing-mcp@latestOr add to ~/.codex/config.toml:
[mcp_servers.api-testing]
command = "npx"
args = ["-y", "@cocaxcode/api-testing-mcp@latest"]Gemini CLI — add to ~/.gemini/settings.json:
{
"mcpServers": {
"api-testing": {
"command": "npx",
"args": ["-y", "@cocaxcode/api-testing-mcp@latest"]
}
}
}Quick Start
Once installed, set up an environment so relative paths resolve automatically:
"Create an environment called dev with BASE_URL http://localhost:3000"If your API has a Swagger/OpenAPI spec, import it:
"Import my API spec from http://localhost:3000/api-docs-json"Verify with: "List my environments" — you should see the one you just created.
Features
HTTP Requests
Send any HTTP method with headers, query params, JSON body, auth, and {{variable}} interpolation. Relative URLs auto-resolve against BASE_URL.
"POST to /api/users with name Jane and email [email protected] using my bearer token"Supports: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS — Bearer / API Key / Basic auth — custom timeouts.
Assertions
Validate responses with structured pass/fail results:
"Verify that GET /api/health returns 200, body.status is ok, and responds in under 500ms"PASS — 3/3 assertions passed
status === 200
body.status === "ok"
timing.total_ms < 50010 operators: eq, neq, gt, gte, lt, lte, contains, not_contains, exists, type
Request Flows
Chain requests with variable extraction between steps. Perfect for auth flows and CRUD sequences.
"Login as [email protected], extract the access token, then use it to fetch all users"flow_run({
steps: [
{
name: "login",
method: "POST",
url: "/auth/login",
body: { email: "[email protected]", password: "SecurePass#99" },
extract: { "TOKEN": "body.access_token" }
},
{
name: "get-users",
method: "GET",
url: "/api/users",
headers: { "Authorization": "Bearer {{TOKEN}}" }
}
]
})OpenAPI Import
Import specs from a URL or local file (JSON and YAML). Once imported, the AI knows every endpoint, parameter, and schema.
"Import my API spec from http://localhost:3000/api-docs-json"
"Import the spec from ./openapi.yaml"
"What parameters does POST /users expect?"Supports OpenAPI 3.x with full $ref resolution, allOf, oneOf, anyOf. OpenAPI 2.0 partially supported.
Mock Data Generation
Generate realistic fake data from your OpenAPI schemas. Respects types, formats (email, uuid, date-time), enums, and required fields.
"Generate mock data for creating a user"{
"email": "[email protected]",
"name": "Test User 73",
"password": "TestPass123!",
"role": "admin"
}Load Testing
Fire N concurrent requests and get performance metrics:
"How fast is the health endpoint with 50 concurrent requests?"LOAD TEST — GET /api/health
Requests: 50 concurrent
Successful: 50 | Failed: 0
Req/sec: 23.31
Min: 45ms | Avg: 187ms
p50: 156ms | p95: 412ms | p99: 523ms
Max: 567msResponse Diffing
Execute two requests and compare their responses field by field. Detect regressions or compare environments.
"Compare the users endpoint between dev and prod"Bulk Testing
Run every saved request in a collection (or filter by tag) and get a summary:
"Run all my saved smoke tests"BULK TEST — 8/8 passed | 1.2s total
health — GET /health → 200 (45ms)
list-users — GET /users → 200 (123ms)
create-post — POST /blog → 201 (89ms)
login — POST /auth/login → 200 (156ms)Collections
Save requests for reuse with tags. Build regression suites.
"Save this request as create-user with tags auth, smoke"
"List all requests tagged smoke"Environments
Environments hold your variables — BASE_URL, tokens, API keys, passwords — and keep them separated by context. Create dev, staging, and prod once, then switch between them in a single command. No restart, no config reload.
Global vs project-scoped. Every environment you create is global by default: available from any project, any conversation. But each project can pin its own active environment independently. If project A is pointing at dev and you switch to project B, it can be pointing at prod — without touching anything. When you switch back to A, it is still on dev. The resolution is simple: project-specific override wins, then global active.
Your credentials never leave your machine. Environment files are plain JSON stored in ~/.api-testing/environments/. Nothing syncs to any cloud. Nothing gets embedded in exports. Nothing gets tracked by git. Your tokens and secrets stay exactly where they should: on your disk, under your control.
Automatic interpolation. Any {{variable}} in URLs, headers, query params, or request bodies is resolved against the active environment before the request fires. Set BASE_URL once and every relative path just works.
"Create an environment called dev with BASE_URL http://localhost:3000 and AUTH_TOKEN my-secret"
"Create another called prod with BASE_URL https://api.example.com"
"Switch to dev"
"GET /users" ← hits localhost:3000/users with AUTH_TOKEN resolved
"Switch to prod"
"GET /users" ← hits api.example.com/users
"Pin this project to dev" ← this project always uses dev, regardless of globalPostman Import & Export
Bidirectional Postman support. Migrate seamlessly between Postman and your AI workflow.
"Import my Postman collection from ./exported.postman_collection.json"
"Export my collection to Postman"
"Export the dev environment for Postman"Collection: Postman v2.1 format. Folders become tags. Auth inherited from folders/collection level. Supports raw JSON, x-www-form-urlencoded, form-data bodies.
Environment: Prefers currentValue over value. Skips disabled variables. Optional activate flag.
Collection: Requests grouped in folders by tag. Auth mapped to Postman's native format. {{variables}} preserved as-is.
Environment: All variables exported as enabled: true in Postman-compatible format.
Native Export & Import
Export collections and environments to a portable .atm/ folder. Share with your team or copy between projects.
"Export my collection and dev environment"your-project/
└── .atm/
├── collection.json
└── dev.env.jsonNote:
.atm/is automatically added to.gitignoreon first export.
cURL Export
Convert any saved request into a ready-to-paste cURL command with resolved variables.
"Export the create-user request as curl"curl -X POST \
'https://api.example.com/users' \
-H 'Authorization: Bearer eyJhbGci...' \
-H 'Content-Type: application/json' \
-d '{"name":"Jane","email":"[email protected]"}'Tool Reference
35 tools across 8 categories:
| Category | Tools | Count |
|----------|-------|:-----:|
| Requests | request | 1 |
| Testing | assert | 1 |
| Flows | flow_run | 1 |
| Collections | collection_save, collection_list, collection_get, collection_delete | 4 |
| Environments | env_create, env_list, env_set, env_get, env_switch, env_rename, env_delete, env_spec, env_project_clear, env_project_list | 10 |
| API Specs | api_import, api_spec_list, api_endpoints, api_endpoint_detail | 4 |
| Mock | mock | 1 |
| Utilities | load_test, export_curl, diff_responses, bulk_test, export_collection, import_collection, export_environment, import_environment, export_postman_collection, import_postman_collection, export_postman_environment, import_postman_environment | 12 |
Tip: You don't need to call tools directly. Describe what you want and the AI picks the right one.
Storage
Everything is local. No database, no cloud sync, no telemetry. All data lives in ~/.api-testing/ as plain JSON files you can read, back up, or delete at any time.
~/.api-testing/
├── active-env # Global active environment name
├── project-envs.json # Per-project active environment overrides
├── collections/ # Saved requests (shareable, no secrets)
├── environments/ # Environment variables — tokens, keys, passwords
└── specs/ # Imported OpenAPI specsGlobal storage vs project exports. The ~/.api-testing/ directory is your private, global store — this is where credentials live and they never leave. When you export a collection or environment, it goes to .atm/ in your project root. That folder is auto-added to .gitignore on first export, but even if you choose to commit it, your credentials stay in ~/.api-testing/ and are never copied into .atm/. You can safely share .atm/ exports with your team without leaking secrets.
Override the default storage path:
{
"env": { "API_TESTING_DIR": "/path/to/custom/.api-testing" }
}Warning: If you override
API_TESTING_DIRto a path inside a git repository, add.api-testing/to your.gitignoreto avoid pushing credentials.
Architecture
src/
├── index.ts # Entry point (shebang + StdioServerTransport)
├── server.ts # createServer() factory
├── tools/ # 35 tool handlers (one file per category)
│ ├── request.ts # HTTP requests (1)
│ ├── assert.ts # Assertions (1)
│ ├── flow.ts # Request chaining (1)
│ ├── collection.ts # Collection CRUD (4)
│ ├── environment.ts # Environment management (10)
│ ├── api-spec.ts # OpenAPI import/browse (4)
│ ├── mock.ts # Mock data generation (1)
│ ├── load-test.ts # Load testing (1)
│ └── utilities.ts # curl, diff, bulk, import/export (12)
├── lib/ # Business logic (no MCP dependency)
│ ├── http-client.ts # fetch wrapper with timing
│ ├── storage.ts # JSON file storage engine
│ ├── schemas.ts # Shared Zod schemas
│ ├── url.ts # BASE_URL resolution
│ ├── path.ts # Dot-notation accessor (body.data.0.id)
│ ├── interpolation.ts # {{variable}} resolver
│ └── openapi-parser.ts # $ref + allOf/oneOf/anyOf resolution
└── __tests__/ # 10 test suites, 110+ testsStack: TypeScript (strict) · MCP SDK · Zod · Vitest · tsup