Secrets and Redaction

Local Secret Providers

$ API_TOKEN = secret.env("HEN_API_TOKEN")
$ CLIENT_ID = secret.file("./secrets/client_id.txt")

  • secret.env("NAME") reads one environment variable at run time.
  • secret.file("PATH") reads one UTF-8 text file relative to the collection working directory and strips one trailing line ending.
  • Repeated secret references are cached once per run after the first lookup.
  • hen verify validates the syntax without reading the secret values.

Hen supports env and file secret providers.

Where Secret Providers Are Valid

Secret references are valid anywhere Hen accepts scalar assignments, including:

  • collection variables
  • request variables
  • environment overrides

Interpolation inside secret.env(...) or secret.file(...) is intentionally rejected.

Redaction Rules

redact_header = X-Session-Token
redact_capture = SESSION_ID
redact_body = body.session.accessToken
redact_body = json(body.payload).token

  • Redaction rules are valid only in the collection preamble.
  • redact_header adds an exact header name to the masked set.
  • redact_capture treats the named export as sensitive for downstream reuse.
  • redact_body masks a selected response-body value even when it is not exported.

redact_body accepts the same body-path syntax used by captures, but it must resolve from the current response body. Valid forms start from body... or json(body...). ....

Built-In Masking

Hen already masks:

  • Authorization
  • Proxy-Authorization
  • Cookie
  • Set-Cookie
  • API-key style headers
  • values loaded through secret.env(...) and secret.file(...)

Use redaction rules to broaden that policy, not replace it.

hen verify validates redaction syntax and body-path shape without resolving any live values.
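
A small Python model of the masking described above, added here as an illustration and not Hen's own code. It layers redact_header and redact_body rules on top of the built-in header set and rejects body paths that do not start from body or json(body...). The `[REDACTED]` placeholder, case-insensitive header matching, reading json(body.payload).token as "the string at body.payload is JSON, mask its token field", and all function names are assumptions.

```python
import copy
import json
import re

BUILTIN = {"authorization", "proxy-authorization", "cookie", "set-cookie"}  # from the page
MASK = "[REDACTED]"  # assumed placeholder, not Hen's actual mask text
# Accepts body.a.b or json(body.a).b, the two forms the page shows.
PATH_RE = re.compile(r"^(?:json\(body((?:\.\w+)+)\)|body)((?:\.\w+)+)$")

def walk(node, keys):  # follow keys through nested dicts; None if missing
    for key in keys:
        node = node.get(key) if isinstance(node, dict) else None
    return node

def mask_at(root, keys):
    parent = walk(root, keys[:-1])
    if isinstance(parent, dict) and keys[-1] in parent:
        parent[keys[-1]] = MASK

def redact_body(body, path):
    match = PATH_RE.match(path)
    if not match:
        raise ValueError(f"path must start from body or json(body...): {path}")
    body = copy.deepcopy(body)  # never mutate the caller's response
    outer, inner = match.group(1), match.group(2)[1:].split(".")
    if outer is None:  # body.a.b
        mask_at(body, inner)
    else:  # json(body.x).y: body.x holds a JSON string; decode, mask, re-encode
        *parents, last = outer[1:].split(".")
        holder = walk(body, parents)
        if isinstance(holder, dict) and isinstance(holder.get(last), str):
            decoded = json.loads(holder[last])
            mask_at(decoded, inner)
            holder[last] = json.dumps(decoded)
    return body

def redact(preamble, headers, body):
    masked = set(BUILTIN)  # rules broaden the built-in set, never replace it
    for line in preamble.splitlines():
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "redact_header":
            masked.add(value.lower())  # assumption: case-insensitive match
        elif key == "redact_body":
            body = redact_body(body, value)
    return {k: MASK if k.lower() in masked else v for k, v in headers.items()}, body

# Constructed sample: rules as written on the page, plus a made-up response.
RULES = "redact_header = X-Session-Token\nredact_body = json(body.payload).token"
SAMPLE = redact(RULES, {"X-Session-Token": "s1"}, {"payload": '{"token": "t2"}'})
```

redact_capture is skipped because this model has no captures; a path that does not exist in the response is left alone rather than treated as an error.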