English | Tiếng Việt | 中文 | 繁體中文 | Español | Português do Brasil | 日本語 | 한국어 | Français | Deutsch | Italiano | Türkçe | Polski | Nederlands | Русский | Українська | العربية | فارسی | বাংলা | Română | ქართული
The open-source, auditable debugging proxy for macOS.
Intercept, inspect, and modify HTTP/HTTPS/WebSocket/GraphQL traffic with a native Swift app you can inspect, build, and trust.
Built for API, mobile, MCP-assisted, AI, and blockchain-era debugging workflows as Rockxy evolves.
A local-first, AGPL-3.0 alternative to Proxyman and Charles Proxy.
Inspect HTTP, HTTPS, WebSocket, and GraphQL traffic from any Mac app, CLI, or iOS device. Browser DevTools end at the browser — Rockxy sees the rest of your stack.
`HTTP / HTTPS` · `WebSocket` · `GraphQL` · `iOS Device & Simulator` · `Filter by Process ID` · `Timing Waterfall`
### Advanced Filter & Search
Narrow thousands of captured requests in seconds. Combine method, host, status, header, body, and process filters — or run a full-text search across the whole session.
`Multi-Field Filters` · `Full-Text Search` · `Status / Method` · `Header / Body Match` · `Process / Host` · `Saved Filters`
### MCP Server for AI Assistants
Let Claude Desktop or Cursor read your captured traffic through a local MCP server. Ask "why did this 500?" instead of pasting headers into chat. Local, redaction-aware, and open source.
`Claude Desktop` · `Cursor` · `Local stdio` · `Redaction` · `Open Source`
### Developer Setup Hub
Copy-paste proxy snippets for Python, Node.js, Go, Rust, cURL, Docker, and browsers, then click Run Test to confirm traffic is actually flowing.
`Python` · `Node.js` · `Go / Rust / Java` · `cURL / Docker` · `One-Click Verify` · `Trust Diagnostics`
### Certificate Management for HTTPS Debugging
A P-256 ECDSA root CA generated on first launch, sealed in your Keychain. Decrypt HTTPS on the first try; pinned hosts pass through automatically.
`P-256 ECDSA Root CA` · `Keychain-Sealed Key` · `Per-Host Leaf Certs` · `Trust Wizard` · `Pinned-Host Passthrough` · `Rotate / Reset`
### SSL Proxy & HTTPS Decryption
Pick which hosts get TLS decryption. Decrypted traffic shows real headers and JSON; everything else passes through encrypted. Wildcard rules let you scope by domain in one click.
`Per-Host Decryption` · `Wildcard Rules` · `Allow / Deny List` · `TLS 1.2 / 1.3` · `Pinned Host Passthrough`
### Bypass Proxy
Skip specific hosts so cert-pinned apps, internal services, or noisy telemetry never enter the capture. Wildcards keep the list short and your request log focused on what you actually care about.
`Per-Host Bypass` · `Wildcard Patterns` · `Skip Pinned Hosts` · `Mute Telemetry` · `Reduce Noise` · `Toggle Anytime`
### Block List
Make any host fail. Drop ad networks, third-party trackers, or a flaky dependency to see how your app degrades when it's gone — without changing a line of code.
`Per-Host Block` · `Wildcard Match` · `Simulate Outage` · `Test Fallbacks` · `Strip Trackers` · `Toggle Anytime`
### Map Local
Serve a saved file or a directory tree in place of a live response. Swap a JSON payload, replay a snapshot, or pin a flaky third-party API to a local copy while you debug.
`File or Directory` · `Response Snapshot` · `Regex Patterns`
### Map Remote
Rewrite the destination of a captured request without touching app code or /etc/hosts. Point production traffic at staging, your dev server, or a colleague's machine for a reproducible bug repro.
`Host Rewrite` · `Regex Patterns` · `Preserve Host Header`
### Breakpoints & Rules
Pause a request or response, edit method, headers, body, or status, then continue. The fastest way to test "what if the API returns 401?" without touching the backend.
`Request Breakpoints` · `Response Breakpoints` · `Block` · `Throttle` · `Regex / Wildcard Match` · `Inject Failure States`
### Modify Headers
Add, remove, or replace headers on any host without redeploying. Test CORS, auth, or cache changes in seconds with built-in presets.
`Add / Remove / Replace` · `CORS Presets` · `Auth Stripping` · `Request Phase` · `Response Phase` · `URL Pattern Scope`
### Custom Request & Response Headers
Override headers per host with full control over both phases. Inject auth tokens on outgoing requests, strip Set-Cookie on responses, or pin a custom User-Agent — saved as named rules you can toggle anytime.
`Per-Host Override` · `Request Phase` · `Response Phase` · `Auth Token Inject` · `Cookie Strip` · `Named Rules`
### Network Conditions
Throttle to 3G, EDGE, LTE, WiFi, or a custom delay. Your laptop is on fiber; your users aren't — see the UX at 400 ms RTT before they do.
`3G` · `EDGE` · `LTE` · `WiFi` · `Very Bad Network` · `Custom Latency`
### Compose — Edit & Replay
Rebuild any captured HTTP request — change method, URL, headers, query params, or body — and re-send without leaving Rockxy. No Postman, Insomnia, or curl copy-paste loop. Iterate on LLM prompts, fuzz auth boundaries, or reproduce a failing case for OpenAI, Anthropic, and Cohere endpoints in seconds.
`Edit Headers` · `Edit Body` · `Edit Query` · `Edit Method` · `LLM Prompt Iteration` · `Postman Alternative` · `OAuth Flow Debug` · `Webhook Replay`
### Compare
Stack two captured responses side-by-side and spot every field that flipped — status, headers, JSON keys, body bytes. Catch silent API regressions, non-deterministic LLM outputs, and prompt drift without piping anything into a third-party diff tool. Side-by-side diff highlights what changed; deep JSON compare ignores key ordering.
`Diff Compare` · `Side-by-Side` · `JSON Diff` · `Header Diff` · `Body Diff` · `LLM Output Compare` · `Non-determinism` · `API Regression` · `Schema Drift`
### Custom Previewer Tabs
Render request and response bodies the way you want. Pin extra tabs to the inspector for JSON, GraphQL, JWT, image, or your own format — reusable across every captured request.
`JSON` · `GraphQL` · `JWT Decoder` · `Image / Hex` · `Custom Format` · `Pinned per Inspector`
### Sessions & Export
Save sessions, import/export HAR for cross-tool handoff, copy any request as cURL or JSON. Redact authorization headers, cookies, and bearer tokens before sharing — hand a teammate a working bug repro without leaking secrets.
`.rockxysession` · `HAR Import / Export` · `Copy as cURL` · `Copy as JSON` · `Raw HTTP` · `Secret Redaction` · `Token Sanitize` · `Privacy-Safe Share`
### Multi-Tab Workspaces
Run independent capture sessions side-by-side — one tab for staging, one for prod, one for the iOS device build. Each tab has its own filters, selection, and inspector state, so context switching costs nothing.
`Independent Sessions` · `Per-Tab Filters` · `Per-Tab Inspector` · `Compare Environments` · `Mac & iOS Together` · `Detach & Rename`
### JavaScript Scripting
JS hooks on requests and responses for the cases a static rule can't cover — redact PII, sign tokens, rewrite payloads. Errors surface inline instead of corrupting traffic.
`Request Hooks` · `Response Hooks` · `Programmatic Filtering` · `PII Redaction` · `Inline Error Feedback`
## AI, Web3, and Future Protocol Work
Rockxy is adding protocol-aware inspection while keeping the normal HTTP debugging workflow intact. Features ship only when the implementation, tests, privacy behavior, and documentation are ready.
### AI Traffic Inspection
Make model traffic easier to debug inside the normal capture workflow. Detect recognized AI requests, inspect selected model calls, review streaming state, usage fields when present, warnings, retrieval hints, and tool-call summaries without pasting sensitive payloads into another service.
`AI Requests` · `Model Inspector` · `Streaming State` · `Tool Calls` · `Retrieval Hints` · `Usage Signals`
### Web3/RPC Inspection
Turn blockchain-era network calls into readable debugging evidence. Inspect EVM and Solana-style HTTP JSON-RPC traffic with provider host, request ID, method, batch summary, error, chain, transaction, payload, and debug-intent details without becoming a wallet or block explorer.
`JSON-RPC` · `Solana RPC` · `Request ID` · `RPC Errors` · `Batch Summary` · `Network Evidence`
### x402 Payment Flow Hints
Understand payment-gated HTTP flows from the network layer. Highlight payment-required and retry-oriented hints while keeping debugging evidence local and redaction-aware.
`Payment Required` · `Retry Flow` · `Headers` · `Redaction` · `Local First`
### Protocol-Aware Filters & Rules `Future`
Rockxy can label and inspect AI and Web3 traffic today. Deeper rule matching by model, tool call, JSON-RPC method, chain, transaction hash, or batch subcall remains future work; current traffic modification tools still match URL, HTTP method, and headers.
`Smart Filters` · `Request Badges` · `Protocol Column` · `Inspector Tabs` · `Future Rule Metadata`
### Redacted Evidence Bundles `Coming Soon`
Share the facts needed to reproduce a bug without leaking secrets. Package selected traffic with protocol summaries, redaction previews, and source-backed context a teammate can audit.
`Debug Bundles` · `Protocol Summary` · `Export Preview` · `Secret Redaction` · `Repro Context`
### Team Sharing & Collaboration `Coming Soon`
Send a captured session to a teammate with one click. Annotate failing requests inline, see who's looking at what in real time, and pair-debug HTTPS traffic without screen-sharing. Targeted for a future release.
`Shared Sessions` · `Team Workspaces` · `Inline Comments` · `Live Cursor` · `Cloud Sync` · `Pair Debug` · `SSO` · `Audit Log`
> 100% native macOS. No Electron. No web views. SwiftUI + AppKit + SwiftNIO.
## Quick Start
```bash
git clone https://github.com/RockxyApp/Rockxy.git
cd Rockxy
open Rockxy.xcodeproj
```
Build and run in Xcode. The Welcome window guides you through root CA setup, helper installation, and proxy activation.
**Requirements:** macOS 14.0+, Xcode 16+, Swift 5.9
If you want to connect Rockxy to a local MCP client after installation, see the [MCP Integration guide](docs/features/mcp.mdx).
## Rockxy vs. Alternatives
| | **Rockxy** | **Proxyman** | **Charles Proxy** |
|---|---|---|---|
| **Project model** | AGPL-3.0 open-source project | Proprietary commercial app | Proprietary commercial app |
| **Source code** | Public, auditable, forkable | Closed source | Closed source |
| **Build from source** | Free with Xcode from this repo | Not available from public source | Not available from public source |
| **Native macOS foundation** | Swift + SwiftNIO + SwiftUI/AppKit | Native macOS commercial app | Cross-platform commercial app |
| **Local-first capture** | Local proxy, certificates, helper, and capture data stay on your Mac | Desktop proxy app | Desktop proxy app |
| **Developer setup workflow** | Built-in Developer Setup Hub for runtimes, clients, devices, frameworks, and environments | Product-specific setup guidance | Product-specific setup guidance |
| **External proxy + PAC routing** | HTTP/HTTPS upstream proxy, PAC auto-configuration, and bypass rules | Mature commercial proxy tooling | Mature commercial proxy tooling |
| **MCP/local automation bridge** | Built in, token-authenticated, redaction by default | Not claimed in public docs reviewed | Not claimed in public docs reviewed |
| **Open contribution path** | Public issues, discussions, roadmap, and PRs | Vendor-controlled product | Vendor-controlled product |
On the roadmap: deeper replay/diff/rules/scripting workflows, improved WebSocket and GraphQL inspection, deeper protocol-aware AI and Web3/RPC debugging, x402-style payment-flow visibility, and exploration of gRPC/Protobuf plus HTTP/2 and HTTP/3 support.
## Security
Rockxy intercepts network traffic — security is foundational, not optional.
- XPC helper validates callers via **certificate-chain comparison**, not just bundle ID
- Plugins run in **sandboxed JavaScriptCore** with 5-second timeout, no filesystem/network access
- **Input validation** on all boundaries — body size caps, URI limits, regex DoS protection, path traversal prevention
- Credentials **automatically redacted** in captured logs
- Sensitive files stored with **0o600 permissions**
Report vulnerabilities via [SECURITY.md](SECURITY.md). See the [full security architecture](docs/development/security.mdx) for details.
## Roadmap
Rockxy's public roadmap is workflow-oriented and date-free. It focuses on reliability, native macOS UX, debugging workflows, protocol support, AI/Web3-era traffic visibility, documentation, and contributor onboarding.
- [ROADMAP.md](ROADMAP.md): high-level public engineering direction
- [Rockxy Public Roadmap](https://github.com/orgs/RockxyApp/projects/1): operational visibility for roadmap-tracked issues
## Documentation
Full documentation available at the [Rockxy Docs](docs/index.mdx):
- [Quickstart Guide](docs/quickstart.mdx) — get up and running in minutes
- [Developer Setup Hub](docs/features/developer-setup-hub.mdx) — runtime snippets, device guides, validation probes, and support matrix
- [MCP Integration](docs/features/mcp.mdx) — connect Rockxy to local MCP clients
- [Architecture](docs/development/architecture.mdx) — proxy engine, actor model, data flow
- [Security Model](docs/development/security.mdx) — trust boundaries, XPC validation, certificate management
- [Design Decisions](docs/development/design-decisions.mdx) — why SwiftNIO, NSTableView, actors
- [Building from Source](docs/development/building.mdx) — build, test, lint, and debug
- [Code Style](docs/development/code-style.mdx) — SwiftLint, SwiftFormat, and conventions
- [Changelog](CHANGELOG.md) — unreleased work and tagged releases
## Contributing
Contributions welcome — code, tests, docs, bug reports, and UX feedback.
See **[CONTRIBUTING.md](CONTRIBUTING.md)** for setup instructions, code style, and the full PR checklist.
Good first issues are labeled [`good first issue`](https://github.com/RockxyApp/Rockxy/labels/good%20first%20issue). By opening a PR, you agree to the [CLA](CLA.md).
## Sponsors & Partners
Rockxy is independently maintained. Sponsorships help fund continued development, release infrastructure, documentation, and security work.
Rockxy is fiscally hosted by [Open Source Collective](https://docs.oscollective.org/). Contributions and project expenses are recorded on Rockxy's [public Open Collective page](https://opencollective.com/rockxy), giving supporters a transparent view of how funds are received and used.
| Tier | Contribution | What it supports |
|------|--------------|------------------|
| **Backer** | From $5/month | Open-source maintenance, documentation, testing, and releases |
| **Builder** | From $25/month | Regression testing, performance improvements, and everyday debugging workflows |
| **Sponsor** | $100/month | Long-term maintenance of a privacy-focused tool that remains freely available to developers |
| **Sustaining Sponsor** | $500/month | Focused maintenance and product development, including release automation and protocol support |
**Partnership inquiries** — developer tool companies, security firms, and enterprise teams looking for custom integrations or white-label solutions: [rockxyapp@gmail.com](mailto:rockxyapp@gmail.com)
## Support
- [Open Collective](https://opencollective.com/rockxy/donate) — contribute to Rockxy through its transparent project budget
- [GitHub Sponsors](https://github.com/sponsors/LocNguyenHuu) — support Rockxy's development
- [GitHub Issues](https://github.com/RockxyApp/Rockxy/issues) — bug reports and feature requests
- [GitHub Discussions](https://github.com/RockxyApp/Rockxy/discussions) — questions and community chat
- **Email** — [rockxyapp@gmail.com](mailto:rockxyapp@gmail.com)
- **Security issues** — see [SECURITY.md](SECURITY.md) for responsible disclosure
## License
[GNU Affero General Public License v3.0](LICENSE) — Copyright 2024–2026 Rockxy Contributors.
## Star History
Made by Stephen. Built with Swift, SwiftNIO, SwiftUI, and AppKit.