⚡️ zapreq
A blazing fast, developer-friendly HTTP client — HTTPie reimagined in Rust, featuring a TUI, a Tauri GUI, Local Regression Testing, and an AI Assistant.
zapreq is a next-generation API client that installs as a single, lightweight binary. It ships with http as a compatibility alias. If you know HTTPie, you already know zapreq — it features the same clean syntax, but boasts sub-5ms startup times, minimal memory usage, and an ecosystem of local-first tools (TUI, Tauri GUI, Regression Suite, Security Scanner, AI Assistant) that Postman and HTTPie do not ship out of the box.
🗺️ Table of Contents
- ✨ Core Highlights
- 📦 Installation
- 🚀 Quick Start
- 🧭 Request Items Syntax
- 🎨 Output Customization
- 🔐 Authentication Profiles
- 🔄 Sessions & Cookie Persistence
- 🌐 Environment Profiles
- 📂 Hierarchical Collections & Drag-and-Drop
- 🖥️ Tauri Desktop GUI
- 📟 Terminal TUI
- 🧪 API Testing & Regression Suites
- 📊 Performance Benchmarking
- 🛡️ Local Security Scanner
- 📝 Local Notes & Revision History
- 📖 API Documentation Generator
- 🧠 AI Request Assistant
- ⚖️ Response Diffing
- 📥 Resumeable Download Mode
- ⚙️ Configuration Reference
- 🔌 Extension Plugins
- 📊 zapreq vs. curl vs. HTTPie
- 🛠️ Contributing
- 📄 License
- 🏗️ System Architecture
🏗️ System Architecture
The following diagram illustrates how the zapreq CLI, terminal TUI, and Tauri desktop GUI interface with the core request engine, security scanners, test runners, and local SQLite/JSON storage:
graph TD
%% Define Styles
classDef ui fill:#4f46e5,stroke:#312e81,color:#ffffff,stroke-width:2px;
classDef engine fill:#10b981,stroke:#065f46,color:#ffffff,stroke-width:2px;
classDef db fill:#f59e0b,stroke:#78350f,color:#ffffff,stroke-width:2px;
classDef ext fill:#6b7280,stroke:#374151,color:#ffffff,stroke-width:2px;
%% Nodes
subgraph UI ["User Interfaces (Rust/Tauri)"]
CLI["CLI Command Line"]:::ui
TUI["Terminal TUI (ratatui)"]:::ui
GUI["Tauri Desktop App (React/TS)"]:::ui
end
subgraph Core ["Core Request & Analysis Engine (Rust Lib)"]
ReqEngine["Request Engine (reqwest)"]:::engine
Tester["Test & Assertions Engine"]:::engine
Scanner["Security Scanner"]:::engine
Benchmarker["Performance Benchmarker"]:::engine
AIAssistant["AI Prompt Parser"]:::engine
end
subgraph Data ["Local Storage (Local-First)"]
Config["config.json & Envs"]:::db
Sessions["Session Cookie Jars"]:::db
SQLite["SQLite DB (Notes, Reports, History)"]:::db
end
subgraph Ext ["External Systems"]
TargetAPI["Target API Endpoint"]:::ext
AIService["AI API Endpoint"]:::ext
Schemas["Postman / OpenAPI Files"]:::ext
end
%% Relations
CLI --> ReqEngine
TUI --> ReqEngine
GUI <--> |Tauri IPC Commands| ReqEngine
ReqEngine --> |HTTP Calls| TargetAPI
ReqEngine <--> Sessions
TUI & GUI & CLI <--> SQLite
Tester & Scanner & Benchmarker & AIAssistant --> ReqEngine
AIAssistant --> |LLM Prompts| AIService
Tester --> SQLite
Scanner --> SQLite
Benchmarker --> SQLite
CLI & TUI & GUI <--> Config
GUI <--> |Import/Export| Schemas
✨ Core Highlights
- Single Native Binary (~3 MB): Zero Python dependencies, virtual environments, or Node runtimes.
- ⚡️ Sub-5ms Startup Time: Instantly fires requests. HTTPie takes ~200ms due to Python interpreter overhead.
- 📂 Hierarchical Workspaces: Organise requests into collapsible folder structures using
/delimiters, with full interactive drag-and-drop support in the Tauri GUI. - 🧪 Local Test Automation: Write API assertions (
--expect-status,--expect-json) directly in the shell and run recursive test suites with a visual history dashboard. - 🛡️ Security First: Local-first static and live scanning for sensitive headers, exposed credentials, missing HTTPS transport, and overly permissive APIs.
- 🧠 AI-Powered Execution: Generate requests and explain execution paths using natural language descriptions powered by LLMs.
- 📟 Multi-modal: Fluidly transition between raw CLI commands, a keyboard-driven terminal TUI, or a modern Desktop GUI sharing the same local database.
📦 Installation
Cargo (Rust Toolchain)
Binary Downloads
Pre-built binaries for Linux, macOS (x86_64 + Apple Silicon), and Windows are attached to every GitHub release. Download the binary and place it in your system PATH.
Package Managers
# Arch Linux (AUR)
# macOS or Linux (Homebrew Tap)
🚀 Quick Start
# 1. Simple GET request
# 2. POST request with JSON payload (inferred from arguments)
# 3. Form-encoded payload
# 4. Custom Request Headers & Query Parameters
# 5. HTTP Digest Authentication (includes automatic 401 challenge retry)
# 6. Save a request into a Collection Workspace
🧭 Request Items Syntax
zapreq uses positional arguments after the URL to define query params, headers, and body payloads. The operator character determines the data type.
| Operator | Syntax Type | Example | Compiled Output |
|---|---|---|---|
: |
Request Header | X-Custom-Header:value |
X-Custom-Header: value |
= |
String Body Field | username=faizan |
"username": "faizan" |
:= |
Raw JSON Field | items:=["a", "b"] |
"items": ["a", "b"] |
== |
Query Parameter | search==rust |
?search=rust |
@ |
File Upload | avatar@/tmp/avatar.png |
Multipart form file |
@ with MIME |
File with MIME | data@/tmp/data.bin;type=application/octet-stream |
Explicit MIME file attachment |
=@ |
String Field from File | pubkey=@~/.ssh/id_ed25519.pub |
File content read as string |
:=@ |
JSON Field from File | config:=@/tmp/config.json |
File content parsed as JSON |
💡 Precedence Order: Operator parsing evaluates from left to right with strict precedence:
:=/:=@➔==➔:➔=/=@➔@.
🎨 Output Customization
Fine-tune output verbose levels, syntax themes, and color formatting.
# Print response headers only (useful for status checks)
# Print request + response headers (no body payload)
# Print full details (Request headers/body + Response headers/body)
# Change color theme (supported: monokai, solarized, dracula, autumn)
# Format output summary line (Status code, latency, content length)
--print Flags Matrix
Combine these flags together (e.g. --print=Hb):
H: Request headersB: Request body payloadh: Response headersb: Response body payload
🔐 Authentication Profiles
zapreq provides comprehensive authentication protocols. Passed credentials are automatically masked as **** in --verbose outputs.
# HTTP Basic Auth (default type)
# OAuth2 / Bearer Token
# HTTP Digest Auth (RFC 7616 - supports MD5 & SHA-256 with handshake sequence)
🔄 Sessions & Cookie Persistence
Sessions serialize cookie jars, headers, and authentication parameters locally, allowing you to persist API state between independent CLI invocations. Sessions are saved in ~/.config/zapreq/sessions/{hostname}/{session_name}.json.
# Authenticate and initialize a session named 'dev-user'
# Subsequent requests automatically load and write back updated cookie updates
# Load session in read-only mode (prevents updating the cookie jar on response)
🌐 Environment Profiles
Easily manage variables across environmental configurations (dev, staging, prod). Profiles are JSON files saved in ~/.config/zapreq/envs/{profile_name}.json.
Example Profile File (prod.json)
CLI Substitution
Tokens matching {KEY} in the URL or request parameters are replaced dynamically:
📂 Hierarchical Collections & Drag-and-Drop
Organize saved API requests in namespaces and folder hierarchies. Workspaces store requests under named aliases in a local database.
Command Line Workspace Actions
# Create a new workspace
# Save a request under a hierarchical folder segment path (using `/` delimiters)
# List all requests in a workspace
# Run a saved request (replaces tokens dynamically)
Drag-and-Drop Organizing
In the Tauri Desktop GUI, folders and request nodes are displayed in a clean directory tree. You can drag and drop request items to relocate them between folders or drag them to the root panel zone. Moving requests automatically updates their database path names. Empty folders are tracked and preserved on screen when child elements are moved or deleted.
🖥️ Tauri Desktop GUI
Open the fully integrated desktop interface by running zapreq without subcommands or calling gui explicitly:
# or
GUI Key Capabilities:
- Multi-pane Layout: Workspace directory tree (left), Request Editor & tabbed controls (center), Response Viewer (right).
- Workspace Management: Interactive creation, migration, import, and export of workspace definitions (Zapreq, Postman, and OpenAPI schemas supported).
- Tabs-based Request Builders: Dedicated visual sections for query parameters, custom headers, body fields (JSON, URL Form, Multipart, Raw File), script editors, and authorization.
- Regression Suites Tab: Run automated test suites sequentially with visual progress bars and live status feedback.
- Interactive Summary Dashboard: A homepage view featuring an animated SVG Donut Chart showing test pass/fail distributions and a scrollable feed of recent request runs with latency metrics.
📟 Terminal TUI
For keyboard-first developers, zapreq includes a full-featured terminal workspace TUI built in Rust:
It supports workspace switching, interactive request running, headers/body tab toggle, and environment variable expansions using native terminal widgets.
🧪 API Testing & Regression Suites
Perform automated assertions on API responses. Test suites and execution history are stored in a local SQLite file.
CLI Ad-hoc Assertions
# Assert HTTP status and header patterns
# Assert nested JSON keys using dot-notation syntax
Local Regression Suites
Create test suites and cases to execute multiple requests in sequence.
# Add a regression test case linking to a saved workspace request
# List cases in a suite
# Run a suite
# Inspect test history for a specific case
📊 Performance Benchmarking
Benchmark endpoint response times and latencies locally.
# Run a request 100 times in sequence to measure latency metrics
# Benchmark a workspace over a specific duration (runs continuously for 30s)
Benchmark Metrics Tracked:
- Iterations & Success Rate: Number of executions, HTTP 2xx vs. 4xx/5xx status rates, and network errors.
- Latency Distribution: $min$, $p50$ (median), $p95$ (tail latency), $p99$, and $max$ execution times in milliseconds.
- Payload Size Analysis: Total headers and body size processed.
🛡️ Local Security Scanner
Scan saved requests, imported schemas, or live endpoints to check for security vulnerabilities.
# Scan a specific saved command alias
# Scan an entire workspace for vulnerabilities with a severity filter
# Perform a live active scan (executes safe GET/HEAD requests to check live response headers)
Issues Scanned & Flagged:
- HTTPS Transport: Flag requests communicating over unencrypted
http://. - Credential Exposure: Detect secrets, API keys, private keys, or passwords saved inside request text fields.
- Sensitive Query Parameters: Warn against sending tokens or credentials in the URL query string.
- Missing Security Headers: Detect absence of
Content-Security-Policy,X-Content-Type-Options,Strict-Transport-Security, etc., during live checks. - Excessive Data Exposure: Analyzes live payloads for potential over-fetching of sensitive user metadata.
📝 Local Notes & Revision History
Document your endpoints directly inside zapreq with local notes linked to aliases, workspaces, or requests. Notes keep a local version history in SQLite.
# Add a note with tags
# List and search notes
# View note edit revisions
📖 API Documentation Generator
Generate documentation files locally from workspace definitions.
# Generate clean Markdown documentation
# Generate static HTML API documentation
# Export workspace schema as an OpenAPI 3.0 specification file
🧠 AI Request Assistant
Translate plain English prompts into runnable HTTP commands using LLMs. Provide your OpenAI-compatible endpoint key:
# Describe a request in natural language (defaults to dry-run verification mode)
# Generate and immediately send the request
# Explain how the generated command was built
⚖️ Response Diffing
Flatten two JSON response payloads and compare them side by side. Highlights differences in keys, structure types, and values.
Example Visual Diff Output
A: GET https://api.example.com/v1/users/1 → 200 OK
B: GET https://api.example.com/v2/users/1 → 200 OK
id 1
name "Faizan"
- role "admin" (only in A)
+ privilege "super_admin" (only in B)
~ updated_at "2026-01-01" ➔ "2026-06-18"
📥 Resumeable Download Mode
Download large files from the command line with standard visual progress indicators.
# Download file, saving to current directory
# Continue/resume a partial download
⚙️ Configuration Reference
Configuration parameters are stored in ~/.config/zapreq/config.json.
| Config Parameter | Value Type | Default Value | Description |
|---|---|---|---|
default_options |
string[] |
[] |
CLI flags prepended before every command execution |
default_scheme |
string |
"https" |
HTTP scheme assumed when URL lacks scheme prefix |
plugins_dir |
string |
"~/.config/zapreq/plugins" |
Path scanned for TOML plugin definitions |
output_theme |
string |
"monokai" |
Syntax highlighting style theme |
pretty |
string |
"all" |
Formatting mode (all, colors, format, none) |
verify |
boolean |
true |
Enable/disable TLS certificate verification checks |
🔌 Extension Plugins
zapreq discovers external plugins via TOML manifests located in plugins_dir.
Example Plugin Manifest (aws-hmac.toml)
[]
= "aws-hmac"
= "1.2.0"
= "AWS Signature Version 4 Signing"
= ["aws"]
= "./aws-hmac-plugin"
Plugin CLI Commands
# List all registered plugins
# Verify plugin manifest configuration and permissions
# Run a plugin binary manually
📊 zapreq vs. curl vs. HTTPie
| Capability | curl |
HTTPie | zapreq |
|---|---|---|---|
| Syntax Style | Verbose / Low-level | Clean / Developer-focused | Clean / Developer-focused |
| Startup Overhead | Minimal (< 3ms) | Slow (~200ms) | Minimal (< 5ms) |
| Dependencies | None (C library) | Python Runtime (~15MB) | None (Self-contained binary) |
| Named Sessions | ❌ | ✅ | ✅ |
| Tauri Desktop GUI | ❌ | ❌ | ✅ (zapreq gui) |
| Terminal TUI Interface | ❌ | ❌ | ✅ (zapreq tui) |
| Regression Testing | ❌ | ❌ | ✅ (zapreq test / regression) |
| Performance Benchmarks | ❌ | ❌ | ✅ (zapreq perf) |
| Local SQLite DB | ❌ | ❌ | ✅ (Reports, Notes, History) |
| AI Assistant | ❌ | ❌ | ✅ (zapreq ai) |
| Response Diffing | ❌ | ❌ | ✅ (zapreq diff) |
🛠️ Contributing
- Clone the repository:
- Run unit and integration tests:
- Run code formatting and lint checkers:
- Build release binaries:
📄 License
Licensed under either of the following, at your option:
- MIT License (LICENSE-MIT)
- Apache License, Version 2.0 (LICENSE-APACHE)
Standard Rust ecosystem dual licensing applies.
Copyright © 2026 Muhammad Faizan. All rights reserved.