App API

Per-project backend (grroxy-app). Default port: 8090.

Info

Method	Path	Auth	Description
GET	`/api/info`	No	Get version, paths, and project details

Proxy

Method	Path	Auth	Description
POST	`/api/proxy/start`	Yes	Start a proxy instance
POST	`/api/proxy/stop`	Yes	Stop a running proxy
POST	`/api/proxy/restart`	Yes	Restart a proxy
GET	`/api/proxy/list`	Yes	List all running proxy instances
POST	`/api/proxy/screenshot`	Yes	Take a browser screenshot

POST /api/proxy/start body:

{
  "http": "127.0.0.1:8080",
  "browser": "",
  "name": ""
}

POST /api/proxy/stop body:

{
  "id": "abc123"
}

Chrome Browser Control

All Chrome endpoints require { "id": "<proxy-id>" } plus any additional fields shown.

Method	Path	Description
POST	`/api/proxy/chrome/tabs`	List open Chrome tabs
POST	`/api/proxy/chrome/tab/open`	Open a tab — add `"url"`
POST	`/api/proxy/chrome/tab/navigate`	Navigate to URL — add `"url"`
POST	`/api/proxy/chrome/tab/activate`	Activate a tab — add `"tabId"`
POST	`/api/proxy/chrome/tab/close`	Close a tab — add `"tabId"`
POST	`/api/proxy/chrome/tab/reload`	Reload the active tab
POST	`/api/proxy/chrome/tab/back`	Navigate back
POST	`/api/proxy/chrome/tab/forward`	Navigate forward
POST	`/api/proxy/click`	Click element — add `"selector"`
POST	`/api/proxy/elements`	Get DOM elements — add `"selector"`

Intercept

Method	Path	Auth	Description
POST	`/api/intercept/action`	Yes	Forward or drop an intercepted request

{
  "id": "abc123",
  "action": "forward",
  "is_req_edited": false,
  "is_resp_edited": false,
  "req_edited": "",
  "resp_edited": ""
}

Requests

Method	Path	Auth	Description
POST	`/api/request/add`	No	Add a request/response pair to the database
POST	`/api/request/modify`	Yes	Apply transformations to a raw HTTP request

POST /api/request/add body:

{
  "url": "https://example.com",
  "index": 0,
  "request": "GET / HTTP/1.1
Host: example.com

",
  "response": "",
  "generated_by": "manual",
  "note": ""
}

POST /api/request/modify body:

{
  "request": "GET / HTTP/1.1
Host: example.com

",
  "url": "https://example.com",
  "tasks": [
    {
      "set": {
        "req.headers.X-Custom": "value"
      }
    }
  ]
}

Repeater

Method	Path	Auth	Description
POST	`/api/repeater/send`	Yes	Send a raw HTTP request via repeater

{
  "host": "example.com",
  "port": "443",
  "tls": true,
  "request": "GET / HTTP/1.1
Host: example.com

",
  "timeout": 10,
  "http2": false,
  "url": "https://example.com",
  "generated_by": "pg_abc123"
}

HTTP

Method	Path	Auth	Description
POST	`/api/sendrawrequest`	Yes	Send a raw HTTP/1 or HTTP/2 request
POST	`/api/http/raw`	Yes	Send via the rawhttp client

POST /api/sendrawrequest body:

{
  "host": "example.com",
  "port": "443",
  "tls": true,
  "req": "GET / HTTP/1.1
Host: example.com

",
  "timeout": 10,
  "httpversion": 1
}

POST /api/http/raw body:

{
  "host": "example.com",
  "port": "443",
  "tls": true,
  "req": "GET / HTTP/1.1
Host: example.com

",
  "timeout": 10,
  "http2": false
}

Sitemap

Method	Path	Auth	Description
POST	`/api/sitemap/new`	Yes	Add a sitemap entry for a host
POST	`/api/sitemap/fetch`	Yes	Fetch the sitemap tree

POST /api/sitemap/new body:

{
  "host": "https://example.com",
  "path": "/api/users",
  "query": "page=1",
  "fragment": "",
  "ext": "",
  "type": "folder",
  "data": ""
}

POST /api/sitemap/fetch body:

{
  "host": "https://example.com",
  "path": "",
  "depth": 1
}

Labels

Method	Path	Auth	Description
POST	`/api/label/new`	Yes	Create a new label
POST	`/api/label/delete`	Yes	Delete a label
POST	`/api/label/attach`	Yes	Attach a label to a record

POST /api/label/new body:

{
  "name": "bug",
  "color": "#ff0000",
  "type": "default"
}

POST /api/label/delete body:

{
  "id": "",
  "name": "bug"
}

POST /api/label/attach body:

{
  "id": "record123",
  "name": "bug",
  "color": "#ff0000",
  "type": "default"
}

Cook

Method	Path	Auth	Description
POST	`/api/cook/generate`	Yes	Generate strings from Cook pattern syntax
POST	`/api/cook/apply`	Yes	Apply transformation methods to strings
POST	`/api/cook/search`	Yes	Search available Cook patterns and methods

POST /api/cook/generate body:

{
  "pattern": [
    "intigriti,bugcrowd,hackerone _,- users.rar,secret.zip"
  ]
}

POST /api/cook/apply body:

{
  "strings": ["hello world"],
  "methods": ["b64e"]
}

Extract

Method	Path	Auth	Description
POST	`/api/extract`	Yes	Extract fields from intercepted records. Supports `req.`, `resp.`

{
  "host": "example.com",
  "fields": [
    "req.method",
    "req.url",
    "resp.status"
  ],
  "outputFile": "extract.jsonl"
}

Filters

Method	Path	Auth	Description
POST	`/api/filter/check`	Yes	Evaluate a DADQL filter expression

{
  "filter": "status == 200",
  "columns": {
    "status": 200,
    "method": "GET"
  }
}

CWD / File Watcher

Method	Path	Auth	Description
GET	`/api/cwd`	No	List files and directories in the project directory
POST	`/api/filewatcher`	No	Watch a file/directory for changes via SSE

POST /api/filewatcher body:

{
  "filePath": "/path/to/watch"
}

Terminal

Method	Path	Auth	Description
POST	`/api/xterm/start`	No	Start a new terminal session
GET	`/api/xterm/sessions`	No	List all active terminal sessions
DELETE	`/api/xterm/sessions/:id`	No	Close a terminal session
GET	`/api/xterm/ws/:id`	No	WebSocket endpoint for terminal I/O

POST /api/xterm/start body:

{
  "shell": "bash",
  "workdir": "/home/user",
  "env": {}
}

MCP Server

Method	Path	Auth	Description
POST	`/mcp/start`	No	Start the MCP server
POST	`/mcp/stop`	No	Stop the MCP server
GET	`/mcp/health`	No	Get MCP server health and registered tools
GET	`/mcp/listtools`	No	List all registered MCP tools
GET	`/mcp/sse`	No	SSE endpoint for MCP client-server communication
POST	`/mcp/message`	No	Send JSON-RPC messages to the MCP server
POST	`/mcp/setup/claude`	No	Configure Claude Code integration

POST /mcp/setup/claude body:

{
  "claude_md": "You are operating inside Grroxy..."
}