APItiser Privacy Policy
Overview
APItiser is a Chrome extension that runs entirely inside your browser. It scans repository files, detects API endpoints, generates test suites using LLM providers, and optionally validates those tests against a live API. APItiser does not operate its own backend servers.
Data Stored Locally
All data is stored in chrome.storage.local on your machine and never leaves your browser except as described below.
- Extension settings: provider, model, framework, batch size, timeout, base URL, test directories, categories, and custom prompt instructions.
- Repository access tokens: GitHub token, GitLab token, GitLab base URL.
- LLM provider API keys: OpenAI, Claude, and Gemini keys.
- Runtime validation credentials: API token, API key, CSRF token, session cookie, and setup flow step definitions.
- Per-page context state: scan results, detected endpoints, generated tests, job progress, coverage summaries, readiness assessments, batch diagnostics, and run metrics.
- Generated artifacts (ZIP files encoded as base64) for download, retained until you clear the context or remove the extension.
- Job history (up to 20 jobs per context), artifact history (up to 10 per context), and run metrics (up to 100 per context).
External Requests
APItiser sends requests to the following external services. These requests originate directly from your browser, not from any APItiser server.
- GitHub API (api.github.com) — Repository tree, blob, and contents requests to scan source files. Your GitHub token is sent as a Bearer authorization header when configured.
- GitLab API (gitlab.com/api/v4 or your configured GitLab base URL) — Repository tree and file requests. Your GitLab token is sent as a Private-Token header when configured.
- OpenAI API (api.openai.com) — Chat completion requests to generate or repair test specifications. Your OpenAI API key is sent as a Bearer authorization header.
- Anthropic API (api.anthropic.com) — Message requests to generate or repair test specifications. Your Claude API key is sent via the x-api-key header.
- Google Generative Language API (generativelanguage.googleapis.com) — Content generation requests. Your Gemini API key is sent as a query parameter.
- Your configured Base URL — When live validation is enabled, APItiser sends HTTP requests to the Base URL you configure to validate generated tests. Runtime credentials (tokens, cookies, API keys) you provide are sent as part of these requests.
What APItiser Sends to LLM Providers
When generating tests, APItiser sends the following information to your chosen LLM provider:
- API endpoint metadata: HTTP method, path, path/query parameters, request body schema, response schemas, authentication hints, and source evidence snippets.
- Repository owner and repository name (for generated file headers).
- Framework, categories, and custom prompt instructions you configure.
APItiser does not send full source file contents to LLM providers. Only structured endpoint metadata extracted during the parsing step is included in prompts.
API Keys and Tokens
- All keys and tokens are stored in chrome.storage.local under the extension context.
- Keys are never sent to any APItiser-owned server or third party other than their respective providers.
- When you export settings, all keys, tokens, runtime credentials, and setup flow definitions are automatically excluded from the export file.
Live Validation and Runtime Credentials
When live validation is enabled, APItiser makes HTTP requests directly from your browser to the Base URL you configure. Runtime credentials (bearer tokens, API keys, session cookies, CSRF tokens) are sent only to that Base URL. If you configure setup flow steps (e.g. a login request), credentials used in those steps are also sent only to the Base URL.
Context Isolation
APItiser isolates state by browser tab and page URL. Each page context has its own scan results, generated tests, job history, and artifacts. Clearing one page context does not affect other page contexts or global settings.
Retention and Deletion
- Use Clear in the extension UI to delete the current page context data (active job, history, tests, and artifacts for that page).
- Global settings (provider, keys, framework) persist across contexts until you change them.
- Removing the extension from Chrome deletes all extension-local data.
- Job history is automatically capped at 20 entries, artifacts at 10, and run metrics at 100 per context.
Content Security Policy
APItiser enforces a strict Content Security Policy on all extension pages: script-src 'self'; object-src 'self'. No inline scripts, remote scripts, or dynamic code execution (eval) are permitted.
Permissions
APItiser requests the following Chrome permissions:
- storage — Persist settings and state locally.
- tabs — Detect the active tab URL to identify the current repository.
- alarms — Keep the service worker alive during long-running scans and generation.
- downloads — Trigger artifact and export downloads.
- notifications — Notify when scans or generation complete.
- sidePanel — Display the APItiser UI as a side panel.
Contact
If you distribute this extension publicly, replace this section with your contact email or support URL.