kalil0321/reverse-api-engineer
Overview
This skill reverse engineers web APIs by capturing browser traffic (HAR files) and producing production-ready Python API clients. It orchestrates browser capture, HAR filtering and analysis, client code generation, and validation. Use it to automate website interactions, understand undocumented endpoints, or scaffold a maintainable API wrapper quickly.
How this skill works
The skill controls a Playwright-driven browser with HAR recording enabled, navigates flows to trigger API calls, and saves the recording to a run-specific HAR file. Helper Python scripts filter noise from the HAR, extract structured endpoint patterns (methods, paths, headers, bodies, response schemas, auth), and produce a typed, documented Python client module. A validation pass compares generated code to the analysis and reports coverage and missing features.
When to use it
- You need a Python client for a website with no public SDK.
- You have a HAR file or can capture browser traffic to discover endpoints.
- You want to automate authenticated workflows or form submissions programmatically.
- You need to document undocumented or private API endpoints for integration.
- You want a repeatable workflow to iterate on fragile endpoints or pagination patterns.
Best practices
- Record focused user flows (login, search, pagination) to capture relevant endpoints and auth tokens.
- Run har_filter.py first to remove static assets and analytics—this improves analysis accuracy and reduces noise.
- Inspect analysis.json before generation to confirm detected auth patterns and request schemas.
- Include type hints, docstrings, and logging in generated clients; validate with har_validate.py to reach >=90% coverage.
- Iterate up to a few refinement attempts: run examples, fix headers/auth handling, and re-validate.
Example use cases
- Generate a client for a public job listings site by capturing search and detail page XHRs.
- Automate form submissions and file uploads by reverse engineering the POST endpoints and required headers.
- Create a reuseable client for a single-tenant SaaS with token-based auth by recording login and token refresh calls.
- Audit an internal web app to extract undocumented endpoints and produce typed client methods for integration tests.
FAQ
You need Playwright MCP access for browser control, HAR recording enabled, and Python to run the helper scripts and generated client.
How do I handle authentication discovered in the HAR?
The analysis detects auth patterns; generated clients include session management and hooks for token injection or refresh logic. Validate with har_validate.py and iterate if tokens expire.
Can this handle GraphQL or paginated endpoints?
Yes. The analyzer extracts GraphQL operations and pagination parameter patterns; generated methods include pagination helpers when patterns are detected.