A lightweight PHP mock API service with encrypted storage and a modern web interface.
Perfect for frontend development, API prototyping, and testing without backend dependencies.
- Modern Web UI — Clean, responsive dashboard for managing APIs
- AES-256 Encryption — All data encrypted at rest
- Zero Database — File-based storage, no setup required
- Key Isolation — Each API key has its own encrypted storage
- Instant Setup — Just drop files and go
git clone https://github.com/vubaone/fakeapi.git
cd fakeapiRequirements: PHP 7.0+, Apache with mod_rewrite
Don't want to host it yourself? Use the live demo:
👉 https://fakeapi.vuba.one/tool.php
Just enter your API key and start creating mock APIs instantly!
- Open
tool.phpin your browser - Enter any key (e.g.,
myproject) - Create your first mock API!
# Self-hosted
curl "http://localhost/fakeapi/get.php?name=users&key=mykey"
# Live demo
curl "https://fakeapi.vuba.one/get.php?name=users&key=mykey"# Self-hosted
curl -X POST http://localhost/fakeapi/save.php \
-d "name=users&key=mykey&response={\"id\":1,\"name\":\"John\"}"
# Live demo
curl -X POST https://fakeapi.vuba.one/save.php \
-d "name=users&key=mykey&response={\"id\":1,\"name\":\"John\"}"# Self-hosted
curl "http://localhost/fakeapi/delete.php?name=users&key=mykey"
# Live demo
curl "https://fakeapi.vuba.one/delete.php?name=users&key=mykey"Create a server-only fakeapi/.env file:
FAKEAPI_SECRET_KEY=replace-with-a-random-64-character-hex-valueGenerate a suitable value with openssl rand -hex 32. The .env file is
ignored by Git and must be kept private.
You can also provide the variable through the web server environment:
export FAKEAPI_SECRET_KEY="your-secret-key"
⚠️ Important: Configure the secret before deployingprivate.php. Existing data using the former default key is migrated on first access.
This project is safe to publish publicly if you keep runtime data and local machine files out of the repository.
- Do not commit files from
fakeapi/data/ - Do not commit
.envfiles or machine-specific config - Change
FAKEAPI_SECRET_KEYbefore deploying any public instance - Review
setup_link.shbefore running it, since it deletes an existing link at the XAMPP target path
The included .gitignore already excludes local encrypted storage and macOS metadata files.
fakeapi/
├── tool.php # Web dashboard
├── get.php # GET endpoint
├── save.php # POST endpoint
├── delete.php # DELETE endpoint
├── private.php # Encryption & helpers
├── sample.php # Sample data generator
├── .htaccess # Security & routing
└── data/ # Encrypted storage (local only, ignored by git)
- AES-256-CBC encryption with derived keys
- Atomic file locking for data integrity
- XSS/Injection protection via .htaccess
- Direct file access blocked
// Success
{ "error_code": 0, "error_message": "success" }
// Error
{ "error_code": 1, "error_message": "Description" }Pull requests welcome! Feel free to open issues for bugs or feature requests.
MIT License — use it however you want!