HAR to OpenAPI Generator

Upload a captured HAR file and get a starting OpenAPI 3.0 spec — paths, parameters, and request/response schemas inferred from real traffic.

Drop a .har file here, or click to browseExport from Chrome/Firefox DevTools → Network tab → right-click → "Save all as HAR"

An OpenAPI spec is easiest to write when the API already exists and you can watch it in action. This tool takes a HAR file — the standard network-capture format every browser's DevTools can export — and turns real requests and responses into a starting OpenAPI 3.0 document, instead of you transcribing every endpoint by hand.

  • Upload a .har file exported from any browser's Network tab
  • Repeated requests to /users/123, /users/456… collapse into one templated path
  • Query parameters and JSON request/response bodies inferred automatically
  • Every captured status code becomes its own documented response
  • 100% private — parsing happens entirely in your browser

Capturing a HAR File

  1. Open your browser's DevTools (F12) and switch to the Network tab.
  2. Use the app normally so the requests you want documented actually fire — browse the flows that matter.
  3. Right-click anywhere in the request list and choose "Save all as HAR with content" (Chrome/Edge) or "Save All As HAR" (Firefox) — the "with content" option matters, since it's what includes response bodies.
  4. Drop the downloaded .har file into this tool.

How Path Templating Works

A real capture session usually hits the same endpoint with different ids — GET /users/8f2a, GET /users/91cd — which would otherwise produce a separate, useless OpenAPI operation per request. This tool detects path segments that look like variable identifiers (purely numeric, a UUID, a 24-character Mongo ObjectId, or a long mixed alphanumeric token) and replaces them with a named parameter, so every request to the same logical endpoint collapses into one operation:

text
GET /users/8f2a91  ┐
GET /users/91cd44  ├─► GET /users/{param1}
GET /users/2b7e19  ┘

What Gets Generated, and What Doesn't

Paths, HTTP methods, path/query parameters, and JSON request/response body schemas (typed from the captured example values) are all generated automatically. What isn't: authentication schemes, detailed field descriptions, examples beyond the inferred type, and non-JSON bodies (form-encoded, multipart, XML) are skipped since there's no reliable way to infer a JSON Schema from them. Treat the output as a working first draft — review it, then refine field descriptions and add security schemes by hand, ideally in JSON Formatter or your usual OpenAPI editor.

Common Uses

  • Documenting an undocumented APIReverse-engineer a starting spec for a third-party or internal API that has no published documentation, by capturing how the existing frontend actually uses it.
  • Onboarding onto an unfamiliar serviceGet a structured overview of an internal microservice's endpoints without reading its source code or asking another team.
  • Kickstarting API client generationProduce a first-draft OpenAPI spec you can refine, then feed into a client generator instead of hand-writing request functions.
  • Auditing what a frontend actually callsCapture a full user session and see every endpoint, method, and parameter combination a page genuinely exercises — useful before a backend refactor.

Frequently Asked Questions

Path segments that look like variable identifiers — a numeric id, a UUID, a 24-character Mongo ObjectId, or a long token — are replaced with a named path parameter, so repeated requests to logically the same endpoint (just with different ids) collapse into a single OpenAPI operation instead of one per request.

It's a heuristic and can occasionally over-template a segment that happens to look like an id (e.g. a purely numeric API version like /v2). Review the generated paths and manually revert any incorrectly templated segment.

No — headers (including auth tokens) are intentionally not read or included in the output, both to avoid leaking credentials into a spec you might share, and because header-based auth belongs in an OpenAPI securitySchemes block you add deliberately, not one inferred from a single capture.

Only responses with a JSON content type (as recorded in the HAR's response.content.mimeType) get a schema — HTML, images, and other non-JSON responses are recorded as a status code with no body schema.

Yes — grouping and schema inference both run in a single pass over the entries. Very large HAR files (many thousands of requests with large bodies) may take a moment to parse since it all happens in your browser's memory.

No — the HAR file is parsed and converted entirely in your browser using JavaScript. Nothing is sent to a server, which matters since a HAR file with content can contain real request/response bodies.

A proxy-based capture sits between the app and the network and can see traffic from any client, including mobile apps and CLIs, but requires installing and configuring a proxy. HAR capture only needs your browser's built-in DevTools — no extra install — which covers the common case of documenting a web app's own API calls.

The schema is inferred from whatever example values were captured, so if you only captured requests where a field was always present, an occasionally-null or occasionally-missing case won't be reflected. Capture a session that exercises the different states of the data, or manually loosen the field's type afterward.

Related Tools