NakliPoster — Local-First API Client

Appearance

Theme

Font Size

JSON Indent

Request

Timeout (ms)

Follow Redirects

Developer

JavaScript API (experimental)

Expose window.nakliposter for scripting & cross-tab injection

Making your first request

Pick a method (GET, POST, etc., WS for WebSocket, GQL for GraphQL) from the dropdown on the left of the URL bar.
Type or paste a URL into the bar and hit Send or press ⌘ Enter / Ctrl Enter.
The response appears below — status code, time, and size are shown at the top.

Request tabs

Params — query parameters, synced live with the URL bar.
Headers — add any request headers you need.
Body — send raw JSON/XML/text, form-data, or a file. Selecting a mode enables the editor.
Auth — Bearer token, Basic Auth, API Key, or OAuth 2.0 (Authorization Code + Client Credentials).
Pre-req / Tests — run JavaScript before and after the request (see Scripts & Tests tab).

Multiple requests

Click + in the tab bar to open a new request. Tabs are restored on reload.
An orange dot on a tab means unsaved changes.

Response panel

Body — Pretty (syntax-highlighted), Raw, or Preview (rendered HTML in a sandbox).
Headers — all response headers.
Tests — pass/fail results from your test script.
Console — output from console.log() in your scripts.

Try these public APIs

All CORS-enabled, no auth needed. Click any to open in a new tab.

GET jsonplaceholder.typicode.com/posts/1 — tiny JSON, first request
GET api.open-meteo.com/v1/forecast?… — query params (Berlin weather)
POST httpbin.org/post — echoes body & headers back
GET rickandmortyapi.com/api/character/1 — nested JSON
GQL graphqlzero.almansi.me/api — GraphQL sandbox
WS ws.postman-echo.com/raw — WebSocket echo server

These examples hit third-party sandbox services. Please don't script them — build your own tests against your own APIs. NakliPoster itself runs entirely in your browser; nothing leaves your machine unless you hit Send.

What is a collection?

A collection is a group of saved requests, stored as a .json file on your disk in Postman v2.1 format. You can open them in Postman, commit them to git, or share them with your team.

Opening a workspace

NakliPoster will ask for read/write access to the folder you pick. This is a standard browser file system permission — granted once per folder, per browser. No data leaves your machine. Collections, settings, and environments are stored as plain text files you own.

Click Open Folder in the sidebar to pick a directory via your browser's file picker.
Your browser will show a permission prompt — click Allow (or Edit files in Chrome).
NakliPoster reads all .json collections from that folder and shows them in the sidebar.
Changes are autosaved to disk — no save button needed. The files are plain JSON, git-trackable and portable.

Saving a request

Click Save in the request toolbar, or press ⌘ S / Ctrl S.
Choose an existing collection or create a new one. You can also create a folder inside the collection.

Importing

Click the ↓ (import) icon in the sidebar toolbar.
Supported formats: Postman Collection v2.1, OpenAPI 3.x / Swagger 2.0, cURL command (paste), HAR file.

Collection Runner

Click the ▶ (run) icon in the sidebar to open the Runner.
Pick a collection, set iterations and delay, optionally load a CSV or JSON data file to drive variable values across runs.

What are environments?

Environments let you define named variables (like baseUrl, token) and switch between sets of values — for example, dev vs. staging vs. production — without editing each request.

Using variables

Wrap any variable name in double curly braces: {{baseUrl}}/users/{{userId}}
Variables resolve in the URL, params, headers, body, and scripts.
Unresolved variables are highlighted red in the URL bar.

Creating an environment

Click Environments in the sidebar header, then + New Environment.
Add key/value pairs. Toggle the eye icon to mask secrets in the UI.
Switch the active environment from the dropdown in the bottom-right status bar.

Variable scopes

Resolution order (first match wins): Global → Collection → Environment → Local. Scripts can set variables at any scope using pm.globals.set(), pm.environment.set(), etc.

Response variable extraction

The fastest way to capture a value from a response — no scripting needed.

After a response arrives, click ⇢ Extract in the response body toolbar.
Click any value in the JSON (strings, numbers, booleans) to select it. The path and variable name are auto-filled.
Or type a path manually: data.token, users[0].id, etc.
Choose a scope (Environment, Globals, or Collection) and click Set Variable.
Check Also add pm.environment.set() to Tests script to persist the extraction for the Collection Runner.

Pre-request scripts

JavaScript that runs before the request is sent. Use it to set dynamic headers, compute a signature, or update a variable.

Test scripts

JavaScript that runs after the response arrives. Write assertions that appear in the Tests response panel.

Writing tests

pm.test('name', () => { ... }) — wraps a named assertion.
pm.expect(value).to.equal(200) — Chai-style assertions.
pm.response.code, pm.response.json(), pm.response.text()
pm.response.headers['content-type']

Common assertions

.to.equal(x) / .to.not.equal(x)
.to.be.a('number') / .to.be.a('string')
.to.have.property('key')
.to.include('substring')
.to.be.above(0) / .to.be.below(500)

Modifying variables from scripts

pm.environment.set('token', pm.response.json().token)
pm.globals.get('key') / pm.globals.set('key', value)

NakliPoster provides a Postman-compatible pm API, so most Postman test scripts run unmodified.

⚠ Security: only run scripts you trust

Pre-request and test scripts execute as real JavaScript in this page. A malicious script can read every environment variable (including secret-tagged ones), every saved request, and every token in browser storage — then send them anywhere.

Do not paste scripts from sources you don't trust — forums, Stack Overflow answers, random GitHub gists, AI chatbots. Treat a pm script the same as you'd treat eval() on your credentials.
If the AI Assistant generates a test script, read it before clicking → Tests or → Pre-req. The AI can be manipulated by malicious response content.
Imported Postman collections and shared NakliPoster links do not carry scripts — they are stripped on import for this reason. Scripts only ever exist on tabs you've authored yourself.

How sharing works

NakliPoster encodes your collection into the URL fragment (#...). The fragment never touches a server — the entire payload lives only in the link.

Sharing a request or collection

Click Share in the request toolbar to share the current request.
Right-click a collection in the sidebar → Share collection.
The modal shows the generated link and a QR code (if the link is short enough).

Encryption (optional)

Enter a passphrase in the Share modal before copying the link.
The payload is encrypted with AES-256-GCM. Only someone with the passphrase can import it.
Share the passphrase separately (e.g. via Signal). The link alone is useless without it.

Importing from a link

Open the link in a browser. NakliPoster detects the # fragment automatically.
A preview shows the collection name and request count before you confirm the import.
If the link is encrypted, you'll be prompted for the passphrase first.

Secret-tagged environment variables are excluded from shared links by default. You can opt in to include them if you trust the recipient and the channel.

Two modes — no account required for either

Local (WebGPU) — runs entirely in your browser using your GPU. The model downloads once (~1–4 GB depending on your choice) and is cached. No API key, no cloud, no usage limits.
API mode — connects to any OpenAI-compatible endpoint: OpenRouter, OpenAI, Groq, LM Studio (local), or Ollama (local). Enter a base URL and API key (leave blank for LM Studio / Ollama).

Loading a local model

Open the AI panel with AI ✦ in the status bar.
Pick a model from the dropdown. Gemma 4 E2B (~2 GB) is the default — good balance of speed and quality.
Click Load Model. The first load downloads from Hugging Face and caches in your browser. Subsequent loads are instant.
The settings section collapses automatically once the model is ready.

What the AI knows

Every message automatically includes the context of your current work:

The open request — method, URL, headers, body, auth type
The last response — status code, body (up to 2000 chars), timing
Active environment name and non-secret variable values

Quick actions

Diagnose — ask what's wrong with the current response and how to fix it.
Write Tests — generate a pm.test() script for the current response.
Explain — plain-English explanation of the response data.
Document — generate endpoint documentation (method, params, example response).

Inserting generated scripts

When the AI outputs code that looks like a test script, two buttons appear below the response: → Tests and → Pre-req. Click either to paste the script directly into that tab — no copy-paste needed.

Nothing is sent to any server in local mode. In API mode, your request context is sent to whichever API endpoint you configure — treat it like any other API call.

GraphQL

Select GQL from the method dropdown to switch to GraphQL mode.

Write your query or mutation in the query editor. Variables can be added in the collapsible Variables panel below it as a JSON object.
The Operation name field lets you specify which operation to run when a document contains multiple named operations.
NakliPoster sends the request as a POST with a JSON body {"query":"…","variables":{…}} — the standard GraphQL over HTTP convention.
Schema explorer — click ⟳ Fetch (or ⟳ Schema in the URL bar) to run an introspection query against the endpoint. The schema tree lists all types and their fields. Click any field name to insert it into the query editor at the cursor position.
Headers and Auth work the same as any other request — useful for APIs that require a Bearer token or API key.

The schema is cached in memory for the current session. If the endpoint changes, click ⟳ Fetch again to refresh it.

OAuth 2.0

Select OAuth 2.0 from the Auth dropdown to configure a full OAuth flow.

Client Credentials — enter Token URL, Client ID, and Secret. Click Get New Access Token. The token is fetched directly with no browser interaction and applied as a Bearer token for all subsequent requests.
Authorization Code — enter Auth URL, Token URL, Client ID, Client Secret, and Redirect URI. The Redirect URI defaults to the current page URL (http://localhost:8097/ in local use). Click Get New Access Token: a popup opens to the provider's login page. After you log in, the provider redirects to the Redirect URI, NakliPoster detects the code, exchanges it for a token, and closes the popup automatically.

For Authorization Code to work, you must register the Redirect URI in your OAuth provider's app settings. When running locally, register http://localhost:8097/ (or whichever port you use). The token is stored in the tab and sent as Authorization: Bearer <token> automatically.

Global Search — ⌘ K / Ctrl K

Opens a spotlight-style search across everything in the app — collection request names, URLs, body content, and recent history. Arrow keys to navigate, Enter to open, Esc to close.

WebSocket Client

Select WS from the method dropdown. The request/response panels are replaced with the WebSocket client.
Enter a ws:// or wss:// URL and click Connect.
The message log shows sent messages (↑), received messages (↓), and system events (—), each with a timestamp.
Select Text or JSON in the send bar. JSON mode validates the payload before sending.
Switching away from WS or opening a new tab automatically closes the connection.

Cookie Manager

Click Cookies in the sidebar to manage cookies.
Add a cookie with a domain, name, and value. The domain should be just the hostname — e.g. api.example.com, not https://api.example.com/.
Enabled cookies are automatically injected as a Cookie header on any request whose URL hostname matches the cookie's domain (exact match or subdomain).
Toggle the checkbox to disable a cookie without deleting it.

These are not real browser cookies — they cannot set or read HttpOnly or Secure cookies from servers. They are a key-value store injected as a request header, which is exactly what you need for session tokens and API cookies.

Git History

NakliPoster can browse the git history of your collection files — showing you every past version, who changed it, and when. You can restore any past version with one click.

Before you start — git init

NakliPoster does not run git for you. Git History reads an existing git repository in your workspace folder. You need to set this up yourself in a terminal, once:

cd /path/to/your/workspace
git init
git add .
git commit -m "Initial collections"

After that, commit whenever you want a snapshot. NakliPoster reads those commits — it does not write them.

Open a workspace folder (the folder you committed with git).
A ⎇ button appears on each collection row in the sidebar.
Click it to open the Git History modal for that collection.
The list shows commits that touched that collection's .json file — author, date, and commit message.
Click any commit to preview what the collection looked like at that point.
Click Restore to replace the current collection with that version. The file is written to disk immediately.

isomorphic-git (~220 KB) is loaded from CDN on first use and cached. No install required.

JavaScript API

Enable in Settings → Developer to expose window.nakliposter for scripting and cross-tab collection injection.

importCollection(json) — import a Postman v2.1 or OpenAPI collection
listCollections() — list all loaded collections
exportCollection(id) — export a collection as Postman v2.1 JSON

Bookmarklet — Send to NakliPoster

Drag this link to your bookmarks bar:

Send to NakliPoster

On any page with a Postman collection JSON: select the JSON text, click the bookmarklet. It opens NakliPoster and imports the collection automatically.

You must enable the JavaScript API toggle in Settings → Developer for this to work. The setting is remembered across sessions.

Don't see a bookmarks bar? Press ⌘⇧B (Mac) or Ctrl+Shift+B (Windows/Linux) to show it, then drag the button above.