Native macOS Proxy Tool
Rockxy helps Mac developers inspect traffic, replay requests, test edge cases, and verify what their tools are actually sending. It is a native macOS proxy tool for HTTP, HTTPS, WebSocket, and GraphQL traffic from apps on your Mac, iOS devices, and iOS Simulator, with public source, local-first behavior, and the core workflow you expect from a serious Proxyman alternative or Charles Proxy alternative.
Looking for a Proxyman alternative or Charles Proxy alternative? Start with the Rockxy vs Proxyman guide.
Released 2 Jun 2026 · v0.24.0 build 37 · signed universal .dmg · release notes · SHA256 checksum · macOS 14+ · Apple Silicon + Intel
brew install --cask rockxy
Install Rockxy directly with Homebrew · or download the signed .dmg
Built for real debugging work
Native macOS proxy tool. Public source. Local-first traffic handling. Claude Desktop, Cursor, Windsurf, Zed, Continue, GitHub Copilot.
MCP, if you want it
Rockxy ships a local MCP server for cases where it actually helps: explaining a 401, diffing two failing requests, or replaying a call after you change auth. It runs over stdio on your Mac, and the source is public under AGPL-3.0.
Four tools. Claude Desktop. Cursor. Windsurf. Zed. Continue. GitHub Copilot.
Learn moreSetup that tells the truth
Developer Setup Hub gives you runtime-specific proxy snippets and a Verify step that checks whether your app, certificate trust, and port settings are actually correct. When something is off, it points to the fix instead of giving you a vague green check.
Python. Node.js. Ruby. Go. Rust. Java. Docker. cURL. Browsers.
Learn moreBoth are part of the core app. Rockxy focuses on local debugging first, then adds MCP where it is useful.
Rockxy is an open source proxy for Mac developers who need to see traffic from real apps, not just the browser. Use it to inspect API calls, pause and edit requests, replay failures, compare responses, export artifacts, and review the source before you trust the tool with sensitive traffic.
HTTP, HTTPS, WebSocket, and GraphQL-over-HTTP traffic from native Mac apps, command-line tools, services, background processes, iOS devices, and iOS Simulator.
Inspect requests and responses, set breakpoints, rewrite traffic, replay requests, compare responses, export HAR, and save sessions for later analysis.
Signed universal macOS builds are published on GitHub Releases with versioned assets, release notes, and a SHA256 checksum.
Check the source, issue tracker, release notes, privacy policy, and HTTPS interception docs before you install. Everything important is public.
brew install --cask rockxy
Built with SwiftUI, AppKit, and SwiftNIO for Mac developers who want native system integration instead of a cross-platform wrapper.
SwiftUI + AppKit with a virtual-scrolling NSTableView that handles 100k+ requests without lag. Batch updates every 100ms keep the UI responsive under heavy traffic.
SMAppService privileged helper sets the system proxy instantly. No terminal commands after initial setup. Automatic process identification with real app icons.
Per-host TLS certificates generated on-the-fly. Root CA private key stored in macOS Keychain. Every security decision is in the source — read the code, verify the claims.
Install the app, trust the local certificate, and start intercepting traffic from apps on your Mac. No account, no remote setup, no hidden service dependency.
Download and drag to Applications. The privileged helper registers automatically via SMAppService.
Rockxy generates a local root CA. One-click install to your system keychain. macOS prompts for approval.
Click the proxy toggle. System HTTP and HTTPS proxy configured automatically across all network interfaces.
Core traffic debugging for Mac and iOS work, native on macOS, with public releases and a local-first workflow.
Inspect HTTP, HTTPS, WebSocket, and GraphQL traffic from any Mac app, CLI, or iOS device. Browser DevTools end at the browser — Rockxy sees the rest of your stack.
Narrow thousands of captured requests in seconds. Combine method, host, status, header, body, and process filters — or run a full-text search across the whole session.
Let Claude Desktop or Cursor read your captured traffic through a local MCP server. Ask “why did this 500?” instead of pasting headers into chat.
Copy-paste proxy snippets for Python, Node.js, Go, Rust, cURL, Docker, and browsers, then click Run Test to confirm traffic is actually flowing.
A P-256 ECDSA root CA generated on first launch, sealed in your Keychain. Decrypt HTTPS on the first try; pinned hosts pass through automatically.
Pick which hosts get TLS decryption. Decrypted traffic shows real headers and JSON; everything else passes through encrypted. Wildcard rules let you scope by domain in one click.
Skip specific hosts so cert-pinned apps, internal services, or noisy telemetry never enter the capture. Wildcards keep the list short and your request log focused on what you actually care about.
Make any host fail. Drop ad networks, third-party trackers, or a flaky dependency to see how your app degrades when it’s gone — without changing a line of code.
Serve a saved file or a directory tree in place of a live response. Swap a JSON payload, replay a snapshot, or pin a flaky third-party API to a local copy while you debug.
Rewrite the destination of a captured request without touching app code or /etc/hosts. Point production traffic at staging, your dev server, or a colleague's machine for a reproducible bug repro.
Pause a request or response, edit method, headers, body, or status, then continue. The fastest way to test “what if the API returns 401?” without touching the backend.
Add, remove, or replace headers on any host without redeploying. Test CORS, auth, or cache changes in seconds with built-in presets.
Override headers per host with full control over both phases. Inject auth tokens on outgoing requests, strip Set-Cookie on responses, or pin a custom User-Agent — saved as named rules you can toggle anytime.
Throttle to 3G, EDGE, LTE, WiFi, or a custom delay. Your laptop is on fiber; your users aren’t — see the UX at 400 ms RTT before they do.
Rebuild any captured HTTP request — change method, URL, headers, query params, or body — and re-send without leaving Rockxy. No Postman, Insomnia, or curl copy-paste loop. Iterate on LLM prompts, fuzz auth boundaries, or reproduce a failing case for OpenAI, Anthropic, and Cohere endpoints in seconds.
Stack two captured responses side-by-side and spot every field that flipped — status, headers, JSON keys, body bytes. Catch silent API regressions, non-deterministic LLM outputs, and prompt drift without piping anything into a third-party diff tool. Side-by-side diff highlights what changed; deep JSON compare ignores key ordering.
Render request and response bodies the way you want. Pin extra tabs to the inspector for JSON, GraphQL, JWT, image, or your own format — reusable across every captured request.
Save sessions, import/export HAR for cross-tool handoff, copy any request as cURL or JSON. Redact authorization headers, cookies, and bearer tokens before sharing — hand a teammate a working bug repro without leaking secrets.
Run independent capture sessions side-by-side — one tab for staging, one for prod, one for the iOS device build. Each tab has its own filters, selection, and inspector state, so context switching costs nothing.
JS hooks on requests and responses for the cases a static rule can’t cover — redact PII, sign tokens, rewrite payloads. Errors surface inline instead of corrupting traffic.
Send a captured session to a teammate with one click. Annotate failing requests inline, see who's looking at what in real time, and pair-debug HTTPS traffic without screen-sharing.
Targeted for a future release — want to influence the scope? Join the discussion on GitHub or request it directly on Telegram.
A native macOS HTTP/HTTPS debugger with public source, public releases, and a local-first workflow.
A practical workflow for inspecting traffic, reproducing bugs, and testing fixes on your own Mac.
Capture live HTTP, HTTPS, WebSocket, and GraphQL-over-HTTP traffic from Mac apps, local services, CLI tools, iOS devices, and iOS Simulator.
Read headers, bodies, cookies, timing waterfalls, and TLS details without losing the request context that made the bug reproducible.
Apply rules, set breakpoints, or script changes when you need to reproduce auth, cache, or payload issues one variable at a time.
Replay the exact request that failed, compare the result with diff, then save or export the session for the next person on the team.
Rockxy sits between your app and the network as a local debugging proxy. The details matter because this is the part of the product that handles decrypted traffic, certificate trust, and system proxy changes on your Mac.
Connection handling
SwiftNIO's non-blocking event loop handles thousands of in-flight connections without spawning per-request threads.
TLS termination
Security.framework generates a per-host leaf certificate signed by a local root CA. The private key never leaves the macOS Keychain.
UI updates
Captured transactions are batched on a background actor and published to SwiftUI every 100 ms — keeping the main thread free under heavy load.
Privileged helper
A launchd daemon registered via SMAppService handles system proxy changes with zero password dialogs after one-time approval in System Settings.
XPC security
Every XPC call is validated by two independent checks — certificate chain comparison and bundle identity verification via SecRequirement. Both must pass.
Crash recovery
If Rockxy exits unexpectedly, the helper daemon auto-restores your original proxy settings from a backup plist. A watchdog monitors the app process every 2 seconds.
The stack is part of the product story: native frameworks for Mac UX, SwiftNIO for the proxy engine, and public source so teams can inspect the implementation.
SwiftNIO
Async networking engine. Handles thousands of concurrent connections on a non-blocking event loop — no thread-per-connection overhead.
SwiftUI + AppKit
Native Mac UI with a virtual-scrolling NSTableView — renders 100k+ rows by keeping only visible cells in memory.
Security.framework
Per-host TLS leaf certificates, signed by a local root CA. The root CA private key is stored in the macOS Keychain — never written to disk.
XPC Services
Privileged helper process isolated via XPC. Every connection validated with certificate-chain comparison before any proxy operation runs.
Implementation notes from building Rockxy.
A walkthrough of the per-host certificate chain, how the root CA private key stays in Keychain, and why your browser still shows a green padlock.
Why NSTableView with an NSViewRepresentable bridge outperforms a native SwiftUI List by 40x at 100k rows, and the batching strategy that keeps the main thread at zero.
Network.framework abstracts away the connection pipeline we need to intercept. SwiftNIO gives us channel handlers we can insert at the byte level — the only place MITM proxying works correctly.
For a proxy that can see decrypted traffic, trust should come from public code, public releases, and documentation you can verify yourself.
Audit the code, check the AGPL-3.0 license, and inspect the project structure before you install anything.
The release page shows versioned assets, release notes, build number, and publish date in public on GitHub.
Read the privacy policy, then compare it against the product architecture and the public code to see how traffic stays on-device.
Review how certificate handling works, what lives in Keychain, and how the proxy model is implemented on macOS.
Native macOS. Open source. Local-first.
Read the source, review the release trail, check the privacy model, then download the signed build. Rockxy is an open source proxy for Mac teams comparing Proxyman and Charles Proxy alternatives.
Source, issues, releases, and changelog are all public. If Rockxy is useful for your work, you can help by filing bugs, reviewing code, contributing patches, or sponsoring development time.
Star on GitHub
A star helps other developers find Rockxy in search results.
Report bugs
File an issue. Detailed bug reports directly improve the next release.
Contribute code
PRs welcome. Check the issue tracker for good first issues.
Sponsor
Fund development time. Every contribution accelerates the roadmap.
Questions, bugs, and team evaluations all go through the same public channels. Reach out if you want to try Rockxy in a real workflow.