API Stress Lab is an open-source, AI-powered tool and dashboard for load testing APIs using OpenAPI specifications. Upload your spec, configure your test parameters, and get actionable, real-time performance insights with AI-driven analysis.
It is designed to be easily run locally using Docker Compose or deployed to free-tier cloud platforms.
- 📄 OpenAPI Integration - Upload OpenAPI 3.x specs (JSON/YAML) and auto-generate test scenarios using AI.
- 📊 Rich Reports & Metrics - Real-time metrics including latency percentiles (p50/p95/p99), RPS curves, and error breakdowns.
- 🔧 Chaos Testing - Inject latency, simulate failures, and test burst traffic to evaluate API resilience.
- 🎯 Bottleneck Detection - AI-powered analysis to identify performance bottlenecks and suggest actionable fixes.
- 🔒 Secure by Default - Built-in SSRF protection, encrypted credential storage, and user data isolation.
- ⚡ Fast Setup - Run the entire stack locally with a single Docker Compose command.
- Frontend: Next.js 14 (App Router) + Tailwind CSS
- Backend API: FastAPI (Python)
- Worker/Queue: Celery + Redis
- Database: PostgreSQL
- Object Storage: MinIO (S3-compatible) or Cloudflare R2
- Load Runner: k6
- Charts: Recharts
```
┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│   Next.js   │────▶│   FastAPI   │────▶│ PostgreSQL  │
│  Frontend   │     │   Backend   │     │  Database   │
└─────────────┘     └──────┬──────┘     └─────────────┘
                           │
                           ▼
                    ┌─────────────┐
                    │    Redis    │
                    │    Queue    │
                    └──────┬──────┘
                           │
                           ▼
                    ┌─────────────┐     ┌─────────────┐
                    │   Celery    │────▶│     k6      │
                    │   Worker    │     │ Load Runner │
                    └──────┬──────┘     └─────────────┘
                           │
                           ▼
                    ┌─────────────┐
                    │  MinIO/R2   │
                    │   Storage   │
                    └─────────────┘
```
- Docker and Docker Compose
- Git
```bash
# Clone the repository
git clone https://github.com/YOUR_USERNAME/api_stress_lab.git
cd api_stress_lab
# Copy environment file template
cp env.example.txt .env
```

To start the entire stack locally:

```bash
docker-compose up --build
```

Once loaded, the services will be available at:
- Frontend Web UI: http://localhost:3000
- FastAPI Backend: http://localhost:8000
- MinIO Object Console: http://localhost:9001
- Open http://localhost:3000 in your browser.
- Click Get Started or navigate to `/signup`.
- Create an account with an email and password.
- Click New Project on the dashboard, enter a name (e.g., "User Service API"), and click Create Project.
- Set the Base URL (e.g., `https://jsonplaceholder.typicode.com`) and optional authorization credentials, then save the configuration.
- Click Upload Spec and choose a sample file (e.g., `samples/jsonplaceholder.json` from this repository).
- Click Generate Scenario next to the uploaded spec to auto-generate endpoint test scenarios with default weights.
- Click Run Test on the generated scenario.
- Configure parameters such as Load Profile (e.g., Smoke, Load, Stress), Duration, and Virtual Users (VUs).
- Optional: Enable chaos options (inject latency or error rates).
- Click 🚀 Start Load Test.
- Monitor the test run progress.
- Once completed, analyze the generated reports including latency over time, request breakdown, and AI-powered bottleneck hints.
Two sample specs are included in the /samples directory for testing:
- jsonplaceholder.json - JSONPlaceholder API (public, no authentication required).
- petstore.yaml - Pet Store API (public, no authentication required).
- `POST /auth/signup` - Register a new account
- `POST /auth/login` - Authenticate and retrieve token
- `GET /auth/me` - Retrieve current user profile

- `GET /projects` - List all projects
- `POST /projects` - Create a new project
- `GET /projects/{id}` - Retrieve project configuration
- `PATCH /projects/{id}` - Update project parameters
- `POST /projects/{id}/auth` - Set authentication credentials
- `POST /projects/{id}/spec` - Upload OpenAPI specification
- `POST /projects/{id}/scenario/generate` - Generate load test scenario

- `POST /runs` - Trigger a load test run
- `GET /runs/{id}` - Retrieve run status
- `GET /runs/{id}/report` - Retrieve detailed performance report

- Out-of-the-box protection blocks private IP ranges (`10.x`, `172.16.x`, `192.168.x`), localhost, and loopback/link-local addresses to prevent Server-Side Request Forgery.
- Blocks access to cloud metadata endpoints (`169.254.169.254`).
- Strictly permits HTTP and HTTPS protocols.
- User-supplied API keys and credentials are encrypted at rest using Fernet (AES-128) encryption.
- Encryption key is configured via the `ENCRYPTION_KEY` environment variable.
- Secure data isolation by user account.
- JWT-based authentication for API endpoints.
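
The SSRF rules listed above, written out as an added Python sketch; this is not API Stress Lab's own code. The names `vet_target`, `ip_is_blocked`, `sample_resolver` and the `example.test` hosts with their addresses are assumptions constructed for illustration. It checks every address a hostname resolves to, not only IP literals, and unwraps IPv4-mapped IPv6 literals.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http": 80, "https": 443}  # scheme -> default port
SAMPLE_DNS = {  # constructed answers so the example runs offline
    "api.example.test": ["93.184.216.34"],
    "rebind.example.test": ["93.184.216.34", "10.0.0.5"],
}

class BlockedTarget(ValueError):
    """Raised when a base URL must not be used as a load-test target."""

def ip_is_blocked(text):
    ip = ipaddress.ip_address(text)
    # Unwrap ::ffff:a.b.c.d so a mapped literal cannot hide 10.x or 127.x.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or not ip.is_global)

def system_resolver(host, port):
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [])  # unknown names resolve to nothing

def vet_target(url, resolver=system_resolver):
    """Return the vetted IP list for url, or raise BlockedTarget."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise BlockedTarget(f"scheme not allowed: {scheme!r}")
    try:
        host, port = parts.hostname, parts.port or ALLOWED_SCHEMES[scheme]
    except ValueError as exc:
        raise BlockedTarget(f"bad port: {exc}") from exc
    if not host:
        raise BlockedTarget("missing host")
    try:
        ipaddress.ip_address(host)
        addrs = [host]                    # IP literal, nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host, port)  # hostname: check every answer
        except OSError as exc:
            raise BlockedTarget(f"cannot resolve {host!r}") from exc
    bad = [a for a in addrs if ip_is_blocked(a)]
    if bad or not addrs:
        raise BlockedTarget(f"{host!r} has no usable address, blocked: {bad}")
    return addrs
```

Returning the vetted addresses lets the caller connect to exactly those IPs; if the hostname is resolved again when the test runs, the check has to be repeated at that point.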

| Variable | Description | Default / Example |
|---|---|---|
| `DATABASE_URL` | PostgreSQL Connection URI | `postgresql://apistress:apistress123@localhost:5432/apistresslab` |
| `REDIS_URL` | Redis connection URI | `redis://localhost:6379/0` |
| `S3_ENDPOINT` | S3/Object Storage Endpoint | Local MinIO or Cloudflare R2 |
| `S3_ACCESS_KEY` | Access Key ID | Storage service access key |
| `S3_SECRET_KEY` | Secret Access Key | Storage service secret key |
| `JWT_SECRET` | JWT signing secret | (Change to a secure random key in production) |
| `ENCRYPTION_KEY` | Fernet credentials encryption key | (Change to a 32-byte key in production) |

```bash
cd backend
pip install -r requirements.txt
alembic upgrade head
uvicorn app.main:app --reload
```

```bash
cd frontend
npm install
npm run dev
```

```bash
cd backend
celery -A app.worker.celery_app worker --loglevel=info
```

For a detailed walkthrough on deploying API Stress Lab on free-tier services (Vercel, Render, Supabase, Upstash, Cloudflare R2, and Railway), check the Deployment Guide.
This project is licensed under the MIT License - see the LICENSE file for details.
