/// MAC · API AUDIT
Sonar
See every API call your apps make — without your code ever leaving your Mac.
A local-only Mac app that statically scans your own iOS and web projects and shows you every external API call they make — endpoints, SDKs, and hardcoded secrets — without a single line of your code ever leaving your machine.
Every app you ship quietly talks to the outside world: a Supabase table here, a Stripe charge there, an analytics SDK you forgot you added, a raw URL pasted into a fetch call at 2am. Over a portfolio of projects, nobody actually knows the full list anymore. Sonar gives it back to you in seconds.
What it does
Point Sonar at the folders that hold your projects. It statically reads the source — it never runs your code — and builds a per-app dashboard of everything that reaches out:
- Endpoints. Every raw HTTP/HTTPS URL written into your client, with the method and the exact file and line.
- SDKs. The third-party services each project pulls in — Supabase, Stripe, Firebase, Anthropic, OpenAI, Replicate, ElevenLabs, Resend, DocuSign, Google, and more.
- Secrets. Strings that look like API keys or tokens hardcoded in client source, flagged so you can rotate or move them before they reach production. Snippets are masked the moment they're stored.
- A services matrix. One grid showing which app talks to which service across your whole portfolio.
Private by design
This is the whole point: Sonar runs 100% on your Mac. Your source code is never uploaded, never sent to a server, never shared. There's no account, no login, no telemetry, and no analytics. The only time Sonar ever touches the network is to verify your license key once — and even then, nothing but the key is sent.
It's also strictly read-only. Sonar analyzes your files and never modifies, moves, or deletes a single one.
Built to fit your stack
Detection is driven by editable JSON rule packs. The popular services are recognized out of the box, and you can add your own rule in a few lines to detect any internal API, vendor, or pattern your team cares about — no rebuild required. Rescans are incremental, so keeping the inventory current is fast even on large codebases. Sonar parses Swift and JavaScript/TypeScript today, with more languages on the way.
Who it's for
Indie developers who want to know exactly what their apps phone home to. Studios standardizing security and dependency reviews across a portfolio. Security-conscious engineers auditing client-side surface area. Agencies reviewing the apps they build for clients.
The visibility of a manual security audit, with the speed of a static analyzer — privately, on your own Mac.
Free 14-day trial, then $29 one-time. macOS 13 (Ventura) or later, Apple Silicon or Intel.
© 2026 NYRAI LLC