api-test

An HTTP REST fixture built specifically as an upstream for testing API gateways. Endpoint groups for identity, deterministic data, controlled failures, pagination styles, and SSRF probes; multiple inbound auth modes matching what the Plexara API gateway sends; and a Postgres-backed audit log of every request.

Portal preview

Inspect every request from the browser

Portal

Dashboard

1-hour totals, success / error counts, error rate, and the most recent calls across every endpoint group.

Audit log

Every request, filterable by method, path, and success / error. Auto-refreshing on a 5-second interval; click a row to inspect the full request and response.

Inspection panel

Side-pane detail card with timestamp, duration, request id, identity, remote address, byte counts, and the full headers / query / body trees for both sides of the call.

Endpoints

Catalog of every registered route, grouped by behavior — identity, deterministic data, echo, controlled failure modes.

Endpoint detail

Method, path, group, auth requirement, and an inline curl hint per route, plus a Try-It panel that dispatches a real call through the portal API.

Discovery

Native OpenAPI 3.1 reference rendered from /openapi.json — groups, operations, parameters, schemas, examples — with full light / dark parity against the portal's design tokens.

API keys

Create or revoke Postgres-backed, bcrypt-hashed API keys. Plaintext is shown once, then never again.

Config

Read-only view of the running server config, with secrets masked. Useful for sanity-checking what's actually loaded.

About

Build info plus the same well-known metadata an MCP / API client sees: api endpoint, OIDC issuer, audience.

What's inside

Capabilities

The endpoints are intentionally boring. They return predictable output for predictable input, fail in well-defined ways when asked to, and log every request. That's enough to write end-to-end assertions about a gateway's behavior without depending on real upstream data.

Endpoint groups by behavior

Identity (whoami, headers), data (deterministic fixtures: fixed, sized, lorem), failure modes (status, slow, flaky), and a generic echo. More groups (pagination styles, methods, security probes, export targets) land in upcoming releases.

Real inbound auth, four ways

File-loaded API keys (header or query placement, constant-time compare), bcrypt-hashed Postgres-backed keys, static bearer tokens, and OIDC JWT validation against an external IdP. Matches every auth mode the Plexara API gateway forwards.

Audit log of every request

Postgres-backed timeline with sanitized headers, query params, request and response bodies, identity, latency, and status. Browse, filter, and chart it in the embedded React portal.

Self-describing OpenAPI

Every route is published in an OpenAPI 3.x document at /openapi.json, generated in-tree from the same metadata the portal uses, so the Plexara gateway's api_list_endpoints tool sees an exact contract.

Pagination the gateway recognizes

One endpoint per cursor style the gateway's pagination detector recognizes: RFC 5988 Link headers, OData @odata.nextLink, and the common cursor field variants. Negative tests included so detection failures are falsifiable.

By Plexara

Plexara is a unified MCP + API gateway with configurable enrichment built in. api-test is what we use to verify Plexara's API-gateway behavior end-to-end; we ship it as OSS so anyone building API gateways can use the same fixture.

Why this exists

Why a separate test fixture

Pair api-test with the audit log and you can write end-to-end assertions about gateway behavior without running fragile real-data fixtures.

  • Endpoints that return the same body for the same input (/v1/fixed/{key}, /v1/lorem?seed=…).
  • Endpoints that fail on demand with any HTTP status (/v1/status/{code}) and on a schedule (/v1/slow?ms=N, /v1/flaky?fail_rate=&seed=).
  • Endpoints that emit every pagination shape the gateway recognizes so detection logic is falsifiable.
  • Endpoints that echo identity and headers so you can confirm what's being forwarded (/v1/whoami, /v1/headers).
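
The pagination styles named above (RFC 5988 Link header, OData @odata.nextLink, cursor fields) can be checked with a small next-page detector run over positive and negative responses. This is an added example, not code from api-test or Plexara; the cursor field names and the up.example URLs are assumptions, since the page does not list them.

```python
import json
import re

# Assumed names: the page says "common cursor field variants" without listing them.
CURSOR_FIELDS = ("next_cursor", "nextCursor", "next_page_token", "nextPageToken")
# One link-value: <target> followed by ;params (quoted commas/semicolons not handled).
LINK_VALUE = re.compile(r'<([^>]*)>((?:\s*;\s*[^;,]+)*)')
REL_PARAM = re.compile(r'^rel\s*=\s*"?([^"]*)"?$', re.I)

def next_from_link_header(value):
    """Return the target whose rel list contains "next", else None."""
    for target, params in LINK_VALUE.findall(value or ""):
        for param in params.split(";"):
            m = REL_PARAM.match(param.strip())
            if m and "next" in m.group(1).lower().split():
                return target
    return None

def detect_next(headers, body_text):
    """Return (style, value) for the next page, or (None, None) if none is signalled."""
    target = next_from_link_header({k.lower(): v for k, v in headers.items()}.get("link"))
    if target:
        return ("link-header", target)
    try:
        body = json.loads(body_text)
    except (TypeError, ValueError):
        return (None, None)
    if not isinstance(body, dict):
        return (None, None)
    candidates = [("odata", "@odata.nextLink")] + [("cursor-field", f) for f in CURSOR_FIELDS]
    for style, field in candidates:
        value = body.get(field)
        if isinstance(value, str) and value:  # null or "" marks the last page
            return (style, value)
    return (None, None)

# Constructed sample responses (not captured from api-test): three positives, three negatives.
SAMPLES = [
    ({"Link": '<https://up.example/items?page=2>; rel="next", <https://up.example/items?page=9>; rel="last"'}, "[]"),
    ({}, '{"value": [], "@odata.nextLink": "https://up.example/odata?$skip=20"}'),
    ({}, '{"items": [], "nextCursor": "b2Zmc2V0OjIw"}'),
    ({"Link": '<https://up.example/items?page=1>; rel="prev"'}, "[]"),
    ({}, '{"items": [], "next_cursor": null}'),
    ({}, "not json"),
]

if __name__ == "__main__":
    for headers, body in SAMPLES:
        print(detect_next(headers, body))
```

The negative samples matter as much as the positive ones: a detector that reports a next page for rel="prev" or a null cursor would make a gateway loop or over-fetch.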