API finder is a tool for passive recon: it listens to HTTP(S) traffic the browser already makes, summarizes endpoints, and (optionally) exports that picture. It also includes a local request tester in the Finder Console for authorized, user-initiated testing of captured endpoints.
What leaves your machine
Nothing is sent to a server run by the extension author. There is no analytics hook, no cloud sync, and no “phone home” for the capture you see in the panel. If you export OpenAPI, Postman, or JSON, that file goes wherever you save it, the same as any other download from the browser.
What stays in Chrome
Summaries of requests you’ve observed (URLs, methods, status, resource type, Content-Type when the response exposes it, plus the small hint fields the extension adds for review) are kept in chrome.storage.local. That survives restarts until you clear the list, reset storage, or uninstall. Your normal browsing cookies and site data are untouched; this is separate storage for the extension only.
If the browser actually sends them on a captured request, the extension records masked fingerprints for Authorization: Bearer tokens, API-key style headers, and query parameters whose names often carry secrets. Additionally, the full token may be stored locally to pre-fill headers/query values in the in-tool request tester for user-initiated requests. Full tokens stay in-tool only and are not included in exported OpenAPI, Postman, or JSON files (exports include masked fingerprints only). Treat exports and the in-tool data as sensitive engagement evidence.
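The split between masked fingerprints (what goes into storage and exports) and full tokens (kept only for the local request tester) is the part worth getting right. The snippet below is an added illustration of that split, not the extension's own code; the header and parameter name lists, the masking format, and the function names are assumptions.

```javascript
// Added example: masked auth fingerprints vs. full tokens for a captured request.
// Not the extension's code; name lists and masking format are assumptions.
const SECRET_HEADERS = ["authorization", "x-api-key", "api-key", "x-auth-token"];
const SECRET_PARAMS = ["api_key", "apikey", "token", "access_token", "key"];

// Keep just enough to recognise a value again: first/last 4 chars and its length.
function maskValue(value) {
  if (value.length <= 8) return `${"*".repeat(value.length)} (len ${value.length})`;
  return `${value.slice(0, 4)}...${value.slice(-4)} (len ${value.length})`;
}

// Summarise one captured request. `full` holds raw tokens for the local
// request tester only; `fingerprints` is all that storage summaries and
// exports are built from. The endpoint key drops the query string entirely.
function summarizeRequest({ method, url, headers }) {
  const u = new URL(url);
  const fingerprints = {};
  const full = {};
  for (const [name, value] of Object.entries(headers || {})) {
    const lname = name.toLowerCase();
    if (!SECRET_HEADERS.includes(lname)) continue;
    // For "Bearer <token>" keep the scheme visible and mask only the credential.
    const m = lname === "authorization" ? /^(\w+)\s+(.+)$/.exec(value) : null;
    fingerprints[`header:${lname}`] = m ? `${m[1]} ${maskValue(m[2])}` : maskValue(value);
    full[`header:${lname}`] = value;
  }
  for (const [name, value] of u.searchParams) {
    if (!SECRET_PARAMS.includes(name.toLowerCase())) continue;
    fingerprints[`query:${name}`] = maskValue(value);
    full[`query:${name}`] = value;
  }
  return { method, endpoint: `${u.origin}${u.pathname}`, fingerprints, full };
}

// Export view: the raw-token map is removed, only masked fingerprints travel.
function toExportRecord(entry) {
  const { full, ...rest } = entry;
  return rest;
}

// Constructed sample capture (no real credentials).
const sample = summarizeRequest({
  method: "GET",
  url: "https://api.example.test/v1/me?access_token=sk_live_abcdef1234567890&page=2",
  headers: { Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig1234" },
});
```

Anything that serialises `sample` for a file must go through `toExportRecord`, so a quick check that the exported JSON never contains a raw token is worth keeping in the test suite.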
Permissions, and why they’re there
- webRequest - so completed requests can be summarized into the endpoint list (including request headers needed for masked auth fingerprints). Used for observation only; the extension does not inject traffic on sites. When you click Send in the in-tool request tester, it performs user-initiated HTTP requests.
- storage - theme, capture scope, filters, and the captured endpoint map you’re working with.
- sidePanel - shows the dock UI next to the page.
- Broad host access (<all_urls>) - so when you choose “all traffic” or hit cross-origin APIs, the map still matches what the app really calls. Passive only: the extension is not granted permission to run arbitrary code on sites; it observes request metadata the browser already exposes to extensions with this pattern.
Chrome Web Store
Google asks for a public policy URL in the Developer Dashboard. This file ships with the extension as privacy.html; mirror the same wording on an https:// site you control and paste that link into the listing when you publish.