Secrets and Redaction
Local Secret Providers
dotenv .env
$ API_TOKEN = secret.env("HEN_API_TOKEN")
$ CLIENT_ID = secret.file("./secrets/client_id.txt")
secret.env("NAME")reads one process-environment value at run time and falls back to loaded dotenv values when the process environment does not define that key.secret.file("PATH")reads one UTF-8 text file relative to the collection working directory and strips one trailing line ending.- Repeated secret references are cached once per run after the first lookup.
hen verifyvalidates the syntax without reading the secret values or dotenv files.
For non-secret values such as origins, hostnames, or other public configuration, use env("NAME")
instead. It uses the same process-env plus dotenv lookup order but does not mark the value
sensitive.
Hen supports env and file secret providers.
Top-level dotenv ... directives apply to every run, and the selected named environment may add
more dotenv directives inside its env ... block. Dotenv files do not create Hen variables on
their own. Use env(...) for ordinary values and secret.env(...) for secret values.
Where Secret Providers Are Valid
Secret references are valid anywhere Hen accepts scalar assignments, including:
- collection variables
- request variables
- environment overrides
Interpolation inside secret.env(...) or secret.file(...) is intentionally rejected.
Redaction Rules
redact_header = X-Session-Token
redact_capture = SESSION_ID
redact_body = body.session.accessToken
redact_body = json(body.payload).token
- Redaction rules are valid only in the collection preamble.
redact_headeradds an exact header name to the masked set.redact_capturetreats the named export as sensitive for downstream reuse.redact_bodymasks a selected response-body value even when it is not exported.
redact_body accepts the same body-path syntax used by captures, but it must resolve from the
current response body. Valid forms start from body... or json(body...). ....
Built-In Masking
Hen already masks:
AuthorizationProxy-AuthorizationCookieSet-Cookie- API-key style headers
- values loaded through
secret.env(...)andsecret.file(...), includingsecret.env(...)values sourced from dotenv files
Use redaction rules to broaden that policy, not replace it.
Dotenv files are not inherently secret. A dotenv value is masked automatically only when it is
consumed through secret.env(...).
hen verify validates redaction syntax and body-path shape without resolving any live values.