vapi
vAPI is a self-hosted vulnerable API training application that deliberately implements OWASP API Top 10 security flaws as educational exercises. It's designed for security professionals and developers to learn API exploitation and remediation techniques in a safe, controlled environment.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | roottusk/vapi |
| Owner | roottusk |
| Primary language | HTML |
| License | GPL-3.0 — OSI-approved |
| Stars | 1.3k |
| Forks | 337 |
| Open issues | 15 |
| Latest release | 1.3 (2022-11-27) |
| Last updated | 2025-01-10 |
| Source | https://github.com/roottusk/vapi |
What vapi is
A Laravel 8 + PHP 7.3+ application backed by MySQL, exposing intentional API vulnerabilities mapped to OWASP Top 10 scenarios. Deployable via Docker Compose or manual setup; supports Kubernetes via Helm charts and includes Postman collection for testing.
Get the vapi source
Clone the repository and explore it locally.
git clone https://github.com/roottusk/vapi.gitcd vapi# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Isolate vAPI on an internal network or air-gapped lab; never expose to untrusted networks. Requires firewall rules and network segmentation.
- MySQL database must be pre-configured with vapi.sql import; ensure DB credentials are securely managed (use .env, secrets management, not hardcoded).
- Docker Compose setup is simplest path; manual install requires PHP, MySQL, and Postman CLI/desktop setup. Kubernetes deployment via Helm requires secret objects and namespace management.
- Postman collection and environment files are provided; import both to enable guided requests, token generation, and test assertions out of the box.
- Latest release (1.3) is from Nov 2022; verify compatibility with your PHP/MySQL/Laravel versions and plan for potential security patch lag.
When to avoid it — and what to weigh
- Production or External-Facing Deployment — vAPI is intentionally vulnerable and must never be exposed to the public internet or used as a real backend service; it is strictly for isolated lab or internal training environments.
- Need for Active Commercial Support — No commercial support model, SLA, or professional maintenance is documented. Last release is from Nov 2022; active development exists but no guarantee of timely security patches or feature updates.
- Requirement for Modern PHP/Laravel Versions — Project targets PHP 7.3+ and Laravel 8, which are approaching end-of-life. If your infrastructure mandates PHP 8+ or Laravel 10+, significant refactoring or maintenance work may be required.
- Minimal Database or Complex Multi-Tenant Scenarios — vAPI is a single-instance, fixed-exercise training app. It does not support complex data models, multi-tenancy, or integration with enterprise identity systems without substantial customization.
License & commercial use
Licensed under GPL-3.0 (GNU General Public License v3.0). This is a copyleft open-source license requiring derivative works and modified distributions to remain open-source under the same license.
GPL-3.0 is a copyleft license. Internal use for training, testing, or labs is permitted without disclosure. However, commercial distribution, SaaS offerings, or vendored products incorporating vAPI must release source code under GPL-3.0. Consult legal counsel if planning monetized or proprietary derivatives. No commercial license or exemption is documented.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Moderate |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
vAPI is intentionally vulnerable—it is NOT secure and must never be used in production or exposed externally. It includes common flaws: injection, broken authentication, insecure direct object reference, CORS misconfigurations, etc. Deployment requires air-gapped or firewalled network. Database credentials must be managed securely (avoid plaintext in .env on shared systems). No security audits, penetration tests, or vulnerability disclosure policy documented. Use as educational tool only.
Alternatives to consider
OWASP Juice Shop
Similarly intentional, web app-focused vulnerable application covering OWASP Top 10. More actively maintained, broader language/framework coverage, and more extensive documentation.
HackTheBox / TryHackMe
Hosted platforms providing curated vulnerable labs and CTF challenges with guided walkthroughs. No deployment/maintenance burden; subscription model; broader scope beyond APIs.
Postman API Security Training
Official Postman training modules and collections on API security without need for self-hosted vulnerable app; tightly integrated with Postman workspace and learning paths.
Build on vapi with DEV.co software developers
Deploy vAPI in your isolated lab environment using Docker Compose, import the Postman collection, and start hands-on OWASP API Top 10 exercises. Consult our team if you need custom integration, Kubernetes deployment guidance, or security review.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
vapi FAQ
Can I run vAPI in a containerized CI/CD pipeline?
What is the minimum infrastructure required?
Does vAPI require any external API keys or third-party services?
Is vAPI suitable for teaching my team API security?
Software development & web development with DEV.co
DEV.co helps companies turn open-source tools like vapi into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.
Ready to Train Your Team on API Security?
Deploy vAPI in your isolated lab environment using Docker Compose, import the Postman collection, and start hands-on OWASP API Top 10 exercises. Consult our team if you need custom integration, Kubernetes deployment guidance, or security review.