Every app on your phone is an API. Most of them have no public SDK, no developer portal, and no API documentation. Mimic, an open-source Python tool that hit over 1,160 GitHub stars in its first week, just made every one of those hidden APIs available as a Python library. Created July 13, 2026 by littledivy, the developer behind Deno/std and the tantivy Rust search library, mimic automates what developers have been doing manually for years: reverse-engineering network traffic to figure out how an app's API works. The difference is that mimic generates a complete, typed Python client from a single traffic capture session. No proxy setup. No packet inspection. No manual endpoint discovery.

The premise is simple but the implementation is deceptively deep. You run an app normally while mimic captures its traffic through mitmproxy. Once the session is recorded, mimic extracts authentication tokens, session IDs, device identifiers, and cookies, then feeds the captured endpoint structure into an AI model that generates a full Python client with named methods, typed parameters, and automatic token refresh. The result is a plain Python file you can import, edit, and version control like any other dependency.

How Mimic Reverse-Engineers an App in Four Commands

The workflow is designed for a single evening of hacking. Install mimic with a single shell command, then run mimic doctor to confirm that the proxy and AI client are ready. The mimic record command starts mitmproxy and prints the exact steps to route your iPhone's traffic through your Mac. You configure the Wi-Fi proxy, install the mitmproxy certificate, and enable full trust in Certificate Trust Settings. The step that trips everyone up is the last one: Apple hides certificate trust for locally installed profiles behind an explicit toggle in Settings, and without it the proxy sees nothing.

Once the app is running through the proxy, mimic hosts lists every API host the app has contacted. Pick the one you want, run mimic learn to see every endpoint mimic captured, then mimic gen to generate the client. The entire flow from zero to a working Python client takes about as long as it takes to install the proxy certificate. For web apps, the process is even simpler: open Chrome DevTools, copy a request as cURL, and pass it to Session.from_curl(). For browser-based apps, you can also export a HAR file from the Network tab and point mimic at it directly with the --har flag.

Why Autogenerated Clients Beat Manual Reverse-Engineering

Every developer who has built a scraper or automation knows the pain. You open Chrome DevTools, find the network request, copy the headers, figure out the payload format, handle authentication, test it, and eventually hardcode a script that works until the next API update. The script is fragile, untyped, and the next person who touches it has to repeat the entire discovery process. Mimic changes the economics of that workflow by making the discovery automatic and the output maintainable.

The generated client is plain Python built on top of mimic.App. It gives you named methods built from captured endpoints, body templates populated from real request payloads, and chaining support for the multi-step dance that mobile APIs tend to require. The authentication layer is handled automatically: session tokens, cookies, and device IDs are extracted from the captured traffic and wired into every request. If a token rotates, a 401 response on an idempotent request triggers a transparent re-pull from the mitmproxy session and a retry. Non-idempotent requests get a refresh=True parameter if you want the same behavior.

Mimic also supports three capture backends: mitmproxy for iOS apps (the default, zero-install via uvx), cURL paste for web apps with Chrome DevTools, and HAR files for any browser. The HAR file approach is particularly useful for SaaS tools and web platforms where you already have the traffic in your browser's network tab. No proxy, no certificate installation needed.

What You Can Actually Build With Mimic

The obvious use case is automation. If you use a SaaS tool that has no public API, mimic gives you one. If a mobile app has features that are not available in the web version, mimic exposes them. If you want to batch-process data that is only accessible through an app interface, mimic makes it scriptable. The example that the project leads with is Hinge: capture a dating app session, get a hinge_client.py, and then call acc.get_recommendations() from Python.

But the real power is for developers building integrations between tools that don't talk to each other. If you have a custom workflow that touches a dozen SaaS products, and two of them have no API or a broken one, mimic fills the gap. For data pipelines that need to pull from a data source that only publishes through a mobile app, mimic turns that app into a data source. The generated client is editable. It generates named methods and body templates, but you own the file and can add error handling, rate limiting, or logging on top.

Limitations That Actually Matter

Two authentication schemes break mimic's core model. Certificate pinning, used by banking apps and apps like Instagram, causes the app to reject the mitmproxy certificate entirely. The proxy sees no traffic, and nothing shows up in mimic hosts. Mimic includes a Frida-based workaround (mimic unpin) for these cases, but it requires a jailbroken device or a sideloaded IPA. The second blocker is DPoP (Demonstration of Proof-of-Possession) tokens, which carry a fresh cryptographic proof signed by a key on the device for every request. Captured requests don't replay because the proof is single-use. There is no clean workaround for DPoP, and the README is honest about it.

The ethical constraint is also worth stating explicitly: mimic replays your session. It is not a tool for accessing anyone else's data or accounts. The MIT license carries the same expectation. For the apps it works with, the generated client is effectively a personal integration tool, not a production SDK.

Who This Is For

Mimic is for solo founders building automations between tools that don't have APIs. It is for developers who need to pull data from a mobile-only platform into their data pipeline. It is for anyone who has ever looked at an app and thought, "I wish there was a Python library for this." The tool is MIT licensed, the generated clients are yours to edit and keep, and the workflow from capture to codegen is fast enough that you can build an integration in an afternoon. If you have ever reverse-engineered an API by hand, mimic will feel like cheating.