Skip to main content

Secrets and Redaction

Local Secret Providers

dotenv .env

$ API_TOKEN = secret.env("HEN_API_TOKEN")
$ CLIENT_ID = secret.file("./secrets/client_id.txt")
  • secret.env("NAME") reads one process-environment value at run time and falls back to loaded dotenv values when the process environment does not define that key.
  • secret.file("PATH") reads one UTF-8 text file relative to the collection working directory and strips one trailing line ending.
  • Repeated secret references are cached once per run after the first lookup.
  • hen verify validates the syntax without reading the secret values or dotenv files.

For non-secret values such as origins, hostnames, or other public configuration, use env("NAME") instead. It uses the same process-env plus dotenv lookup order but does not mark the value sensitive.

Hen supports env and file secret providers.

Top-level dotenv ... directives apply to every run, and the selected named environment may add more dotenv directives inside its env ... block. Dotenv files do not create Hen variables on their own. Use env(...) for ordinary values and secret.env(...) for secret values.

Where Secret Providers Are Valid

Secret references are valid anywhere Hen accepts scalar assignments, including:

  • collection variables
  • request variables
  • environment overrides

Interpolation inside secret.env(...) or secret.file(...) is intentionally rejected.

Redaction Rules

redact_header = X-Session-Token
redact_capture = SESSION_ID
redact_body = body.session.accessToken
redact_body = json(body.payload).token
  • Redaction rules are valid only in the collection preamble.
  • redact_header adds an exact header name to the masked set.
  • redact_capture treats the named export as sensitive for downstream reuse.
  • redact_body masks a selected response-body value even when it is not exported.

redact_body accepts the same body-path syntax used by captures, but it must resolve from the current response body. Valid forms start from body... or json(body...). ....

Built-In Masking

Hen already masks:

  • Authorization
  • Proxy-Authorization
  • Cookie
  • Set-Cookie
  • API-key style headers
  • values loaded through secret.env(...) and secret.file(...), including secret.env(...) values sourced from dotenv files

Use redaction rules to broaden that policy, not replace it.

Dotenv files are not inherently secret. A dotenv value is masked automatically only when it is consumed through secret.env(...).

hen verify validates redaction syntax and body-path shape without resolving any live values.