Kampala – Reverse-Engineer Apps into APIs

TL;DR

TL;DR: Kampala lets you reverse-engineer any mobile or web app into a REST or GraphQL API — no code required, just point and click.

Source and Accuracy Notes

• Official site: zatanna.ai
• Launch thread: Show HN: Kampala (YC W26)

What Is Kampala?

Kampala is a YC W26-backed tool from Zatanna that intercepts and reverse-engineers the network traffic of any mobile or web application. Instead of scraping HTML or building fragile browser automations, Kampala captures the actual API calls an app makes to its backend — then exposes those as clean, structured REST or GraphQL endpoints you control.

The core workflow is simple: run Kampala’s proxy, use the target app normally, and Kampala maps out every API request and response. From that, you get a documented API spec and live endpoints you can call from your own code.

This is especially useful for:

• Pulling data from apps that have no public API
• Building integrations with legacy or internal tools
• Generating structured datasets for AI training pipelines
• Rapid prototyping when you need backend data but cannot get API access

Setup Workflow

Step 1: Sign Up and Install

Visit zatanna.ai and create a free account. The web dashboard is the primary interface, with a lightweight proxy agent you run locally to capture traffic.

Step 2: Configure the Proxy

Point Kampala’s local proxy at the app you want to reverse-engineer. For web apps, this is a browser proxy. For mobile apps, Kampala supports HTTP/HTTPS interception at the network level.

# Start the local proxy (example)
zatanna proxy start --port 8080

Step 3: Use the Target App

Run the target app through the proxy. Kampala passively records all API calls — no code injection or app modification required.

Step 4: Review and Export the API Spec

Open the dashboard to see every captured endpoint, parameter, and response shape. You can edit, rename, and document fields before exporting.

Step 5: Use Your New API

Export as OpenAPI (Swagger) or GraphQL schema, then use the live proxy endpoints in your own code.

# Example: export OpenAPI spec
zatanna export openapi --out ./my-api-spec.yaml

Deeper Analysis

Strengths:

• No code required on the target app side
• Captures actual backend API calls, not parsed HTML
• Supports both REST and GraphQL output formats
• Useful for AI data pipelines and structured data extraction

Limitations:

• Relies on network-level interception — apps with certificate pinning require additional setup
• Captured endpoints are app-specific; changes in the target app can break the integration
• Free tier likely has rate limits or capture caps

Pricing: Freemium model. Check zatanna.ai/pricing for current tiers.

Practical Evaluation Checklist

• Proxy setup completes without errors on macOS
• Captures at least 5 distinct API endpoints from a test web app
• OpenAPI export is valid and parses correctly
• GraphQL schema export is valid
• Dashboard correctly displays request/response bodies
• No sensitive data logged beyond target app traffic

Security Notes

• All traffic interception happens locally — data does not leave your machine unless you explicitly push to Kampala’s cloud
• Review Zatanna’s data handling policy before processing sensitive applications
• Use in a sandboxed environment when working with untrusted targets

FAQ

Q: Does this work on mobile apps? A: Yes, Kampala supports HTTP/HTTPS interception for mobile apps at the network level. Apps with certificate pinning may require additional configuration.

Q: Is this legal to use? A: Kampala is a development tool. Only use it on applications you have permission to analyze — your own apps, open-source projects, or with explicit authorization.

Q: How is this different from browser automation tools like Playwright? A: Browser automation tools simulate user interactions and parse the resulting DOM. Kampala captures the actual API calls the app makes, giving you clean structured data without HTML parsing.

Q: Can I use this to access apps that have blocked API access? A: Kampala captures the same API calls the app itself makes. If an app restricts certain data, Kampala will reflect those restrictions.

Conclusion

Kampala fills a real gap for developers who need structured data from apps that offer no public API. The network-interception approach is more reliable than scraping or DOM parsing, and the REST/GraphQL export makes the captured data immediately usable. Worth trying if you regularly build integrations with third-party apps or need to extract structured data for AI pipelines.