Skip to content
lube

API Explorer

OpenAPIValidateSecretsMCPSSRF-safe

Verify the contract, not just the code.

Import or sync OpenAPI documents, watch your API surface change over time, and run real requests with per-environment secrets, all through a proxy hardened against SSRF.

openapi.yaml · endpoints

  • GET21
  • POST11
  • PATCH6
  • DELETE4
42 endpoints18 secured3 deprecated
Your API surface, tracked

Its place in the loop

API Explorer lives in Engineering, beside the build.

One connected loop, held on the stage this capability serves. The other stages stay as context so you can see what feeds in and what comes next.

BD
Discovery
Feedback
Product
Engineering
Release
Reliability
Evidence

Stage inventory

Engineering

Build and verify the change.

VCS insights

Inspect delivery workflow activity in the connected release workspace.

Available now

Test intelligence

Investigate test outcomes and flakiness evidence across runs.

Available now

API Explorer

Keep supported API contracts inspectable alongside release evidence.

Available now

Compute pricing

Compare public cloud compute pricing as planning evidence.

Available now

Coming later reflects product vision, not a delivery commitment.

From a spec to a request you trust

A workbench, not a viewer.

Import and track

Bring the spec in, watch it change.

Import from a URL, an upload, or a connected GitHub repo; git specs auto-sync and every change becomes a numbered, immutable revision.

url · upload · gitvalidatedrevision history
  1. 01

    Source

    url · upload · git

  2. 02

    Validate

    parse and check the contract

  3. 03

    Revision

    rev 14 · 42 endpoints

  4. 04

    Drift

    git specs polled for changes

Import, validate, revision

Environments and secrets

The same variable, resolved per environment.

Named environments scope to org, team, or a single spec, with typed string, url, and secret variables that are encrypted at rest.

org · team · spectyped variablessecrets encrypted
  • BASE_URLurl
  • API_TOKENsecret
  • TENANTstring
Per-environment variables

Execute safely

Run requests through a hardened proxy.

The server-side proxy blocks internal targets, checks the resolved IP against DNS rebinding, and is permission-gated and audited.

ssrf-guardedhard timeoutaudited
  1. 01

    Build request

    method, headers, template

  2. 02

    SSRF guard

    resolve and check the target IP

  3. 03

    Execute

    manual redirects, hard timeout

  4. 04

    Response

    status, headers, duration

Request through the safety proxy

MCP Explorer

Let a teammate ask the API, without asking a developer.

Someone in customer success needs to know if there’s an endpoint for bulk refunds. Today that means pinging an engineer, who then digs up the docs, or worse, turns on a tool and walks them through it. The answer exists. Getting to it costs two people an afternoon.

MCP Explorer exposes your tracked specs as a Model Context Protocol server, so a teammate’s AI assistant can search the surface, read the schema, and draft the call. Share a spec with a link and they can explore it directly. Every request still runs through the same permissioned, SSRF-hardened proxy, so self-serve never means unsafe.

Old way · waits on a dev

“Which call handles refunds? Can you enable the docs for me?”

With lube · self-serve

Asks the MCP Explorer, finds the endpoint, runs it in the sandbox.

MCP Explorer
Customer success
Support
Partner engineer
AI assistant
One spec, many self-serve consumers
  • Search the surface

    Ask in plain language; the MCP server returns matching endpoints and schemas.

  • Share a spec link

    Hand a colleague a link instead of a screenshot of the docs.

  • Run it safely

    Calls still pass permissions and the SSRF-safe proxy, and land in the audit log.

What the workbench tracks

The details that make it trustworthy.

Import sources, sync triggers, variable types, and per-revision stats are all first-class, so the contract stays honest over time.

Spec sources

Three ways in.

urluploadgit (GitHub)

Sync triggers

How a re-check fires.

createmanualscheduledwebhookupload

Variable types

With scopes.

stringurlsecretorgteamspec

Methods tracked

Counted per revision.

GETPOSTPUTPATCHDELETEHEADOPTIONS

Spec stats

Health over time.

endpoint countdeprecatedsecuredmodelstags

Proxy limits

Safety by default.

256KB bodymanual redirecthard timeoutbounded uploads

Honest scope

API Explorer is an OpenAPI and REST workbench. Git-sourced specs are GitHub-only, there is no GraphQL or gRPC model, and execute is a single request and response, so there are no multi-step runners or pre-request scripting.

Connected context

See what the contract implements.

Keep your API contracts inspectable and runnable.

Start free

Bring supported OpenAPI documents into the loop.