---
sidebar_position: 2
title: Secrets and Redaction
description: Use local secret providers and additive masking rules safely.
---
## Local Secret Providers

Hen supports `env` and `file` secret providers.

```hen
$ API_TOKEN = secret.env("HEN_API_TOKEN")
$ CLIENT_ID = secret.file("./secrets/client_id.txt")
```

- `secret.env("NAME")` reads one environment variable at run time.
- `secret.file("PATH")` reads one UTF-8 text file relative to the collection working directory and
  strips one trailing line ending.
- Repeated secret references are cached once per run after the first lookup.
- `hen verify` validates the syntax without reading the secret values.
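The provider semantics in this section, as an added example rather than Hen's own code: a small Python model in which `verify` checks a reference's syntax without reading anything, and `SecretStore` resolves it, strips exactly one trailing line ending from a file and caches each reference once per run. The `verify` and `SecretStore` names, the interpolation markers it rejects (`{{` and `${`), and the CRLF handling are assumptions made for this demonstration.

```python
# Added example (not Hen's own code): a model of secret.env / secret.file resolution.
from __future__ import annotations

import os
import re
import tempfile

# A reference is exactly secret.env("NAME") or secret.file("PATH"), nothing else.
_REF = re.compile(r'^secret\.(env|file)\("([^"]*)"\)$')


def verify(expr: str) -> tuple[str, str]:
    """Syntax check only, like `hen verify`: never reads the environment or a file."""
    m = _REF.match(expr.strip())
    if not m:
        raise ValueError(f"not a secret reference: {expr!r}")
    kind, arg = m.groups()
    if not arg:
        raise ValueError("secret reference needs a name or path")
    # Interpolation inside the argument is rejected (marker syntax assumed here).
    if "{{" in arg or "${" in arg:
        raise ValueError(f"interpolation is not allowed inside secret.{kind}(...)")
    return kind, arg


class SecretStore:
    """Resolves references at run time and caches each distinct one once per run."""

    def __init__(self, workdir: str) -> None:
        self.workdir = workdir
        self._cache: dict[tuple[str, str], str] = {}
        self.lookups = 0  # real lookups performed; makes the caching observable

    def resolve(self, expr: str) -> str:
        key = verify(expr)
        if key not in self._cache:
            self._cache[key] = self._lookup(*key)
            self.lookups += 1
        return self._cache[key]

    def _lookup(self, kind: str, arg: str) -> str:
        if kind == "env":
            if arg not in os.environ:
                raise LookupError(f"environment variable {arg} is not set")
            return os.environ[arg]
        # file: UTF-8 text relative to the collection working directory
        with open(os.path.join(self.workdir, arg), encoding="utf-8") as fh:
            text = fh.read()
        # Strip exactly one trailing line ending (LF or CRLF assumed); a second one is kept.
        if text.endswith("\r\n"):
            return text[:-2]
        if text.endswith("\n"):
            return text[:-1]
        return text


def demo() -> dict:
    """Constructed run: one env var and one secret file in a temporary working directory."""
    with tempfile.TemporaryDirectory() as workdir:
        os.makedirs(os.path.join(workdir, "secrets"))
        with open(os.path.join(workdir, "secrets", "client_id.txt"), "w", encoding="utf-8") as fh:
            fh.write("client-42\n\n")  # two line endings: only the last one is stripped
        os.environ["HEN_API_TOKEN"] = "tok-constructed"  # constructed sample value
        store = SecretStore(workdir)
        token = store.resolve('secret.env("HEN_API_TOKEN")')
        store.resolve('secret.env("HEN_API_TOKEN")')  # served from cache, no second lookup
        client_id = store.resolve('secret.file("./secrets/client_id.txt")')
        return {"token": token, "client_id": client_id, "lookups": store.lookups}


if __name__ == "__main__":
    print(demo())
```

The point of keeping `verify` separate from `_lookup` is that a syntax pass can run in CI or a pre-commit hook without any secret material present: a malformed or interpolated reference fails there, while a missing variable or file only fails at run time.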
## Where Secret Providers Are Valid

Secret references are valid anywhere Hen accepts scalar assignments, including:

- collection variables
- request variables
- environment overrides

Interpolation inside `secret.env(...)` or `secret.file(...)` is intentionally rejected.
## Redaction Rules

```hen
redact_header = X-Session-Token
redact_capture = SESSION_ID
redact_body = body.session.accessToken
redact_body = json(body.payload).token
```

- Redaction rules are valid only in the collection preamble.
- `redact_header` adds an exact header name to the masked set.
- `redact_capture` treats the named export as sensitive for downstream reuse.
- `redact_body` masks a selected response-body value even when it is not exported.

`redact_body` accepts the same body-path syntax used by captures, but it must resolve from the
current response body. Valid forms start from `body...` or `json(body...). ...`.
## Built-In Masking

Hen already masks:

- `Authorization`
- `Proxy-Authorization`
- `Cookie`
- `Set-Cookie`
- API-key style headers
- values loaded through `secret.env(...)` and `secret.file(...)`

Use redaction rules to broaden that policy, not replace it.

`hen verify` validates redaction syntax and body-path shape without resolving any live values.
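The rules from this section and from "Redaction Rules" together, as an added example that is not Hen's own code: a Python `Redactor` that starts from the built-in header set, accepts the four preamble lines shown above as additive rules, masks `redact_body` paths (including the `json(body...)` form, which re-parses a JSON string found inside the body), and hides sensitive captures in the export view. The class, the heuristic for API-key style headers (any header name containing `api-key` or `apikey`), the `[REDACTED]` mask text and the sample response are assumptions made for this demonstration.

```python
# Added example (not Hen's own code): an illustrative redaction engine for the rules above.
from __future__ import annotations

import json
import re

MASK = "[REDACTED]"
BUILTIN_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
_API_KEY = re.compile(r"api[-_]?key", re.IGNORECASE)  # "API-key style" heuristic (assumed)
_BODY_PATH = re.compile(r"^(?:body((?:\.\w+)*)|json\(body((?:\.\w+)*)\)((?:\.\w+)*))$")


def parse_body_path(path: str) -> tuple[list[str], list[str] | None]:
    """Return (keys into the response body, keys into the nested JSON string or None)."""
    m = _BODY_PATH.match(path.strip())
    if not m:
        raise ValueError(f"invalid redact_body path: {path!r}")
    split = lambda s: [k for k in s.split(".") if k]
    if m.group(1) is not None:
        return split(m.group(1)), None
    return split(m.group(2)), split(m.group(3))


def _get(obj, keys):
    for k in keys:
        if not isinstance(obj, dict) or k not in obj:
            return None
        obj = obj[k]
    return obj


def _set(obj, keys, value) -> bool:
    # Overwrite an existing value only; never creates keys. False if the path is absent.
    parent = _get(obj, keys[:-1])
    if not keys or not isinstance(parent, dict) or keys[-1] not in parent:
        return False
    parent[keys[-1]] = value
    return True


class Redactor:
    def __init__(self, secret_values=()):
        self.headers = set(BUILTIN_HEADERS)  # rules only ever add to the built-in set
        self.body_paths: list[str] = []
        self.sensitive_captures: set[str] = set()
        self.secret_values = [v for v in secret_values if v]  # from secret.env/file

    def rule(self, line: str) -> None:
        """Apply one preamble line such as `redact_header = X-Session-Token`."""
        key, _, value = (p.strip() for p in line.partition("="))
        if key == "redact_header":
            self.headers.add(value.lower())
        elif key == "redact_capture":
            self.sensitive_captures.add(value)
        elif key == "redact_body":
            parse_body_path(value)  # shape is validated without a live body, like `hen verify`
            self.body_paths.append(value)
        else:
            raise ValueError(f"unknown redaction rule: {line!r}")

    def _mask_secrets(self, text: str) -> str:
        for v in self.secret_values:
            text = text.replace(v, MASK)
        return text

    def apply(self, headers: dict, body: str) -> tuple[dict, str]:
        out = {}
        for name, value in headers.items():
            hit = name.lower() in self.headers or _API_KEY.search(name)
            out[name] = MASK if hit else self._mask_secrets(value)
        try:
            doc = json.loads(body)
        except ValueError:
            return out, self._mask_secrets(body)  # non-JSON body: secret values only
        for path in self.body_paths:
            outer, inner = parse_body_path(path)
            if inner is None:
                _set(doc, outer, MASK)
                continue
            raw = _get(doc, outer)  # json(body.x): the value is a JSON string to re-parse
            try:
                nested = json.loads(raw) if isinstance(raw, str) else None
            except ValueError:
                nested = None
            if nested is not None and _set(nested, inner, MASK):
                _set(doc, outer, json.dumps(nested))
        return out, self._mask_secrets(json.dumps(doc))

    def export_view(self, captures: dict) -> dict:
        return {k: MASK if k in self.sensitive_captures else v for k, v in captures.items()}


def demo():
    # Constructed response run through the built-in policy plus the page's four rules.
    r = Redactor(secret_values=["tok-constructed"])
    for line in ("redact_header = X-Session-Token", "redact_capture = SESSION_ID",
                 "redact_body = body.session.accessToken", "redact_body = json(body.payload).token"):
        r.rule(line)
    headers = {"Content-Type": "application/json", "X-Session-Token": "sess-1",
               "X-Api-Key": "k-constructed", "Set-Cookie": "sid=abc",
               "X-Trace": "bearer tok-constructed"}
    body = json.dumps({"session": {"accessToken": "at-constructed", "id": "sess-1"},
                       "payload": json.dumps({"token": "inner-constructed", "kind": "refresh"})})
    out_headers, out_body = r.apply(headers, body)
    return out_headers, json.loads(out_body), r.export_view({"SESSION_ID": "sess-1", "USER": "alice"})
```

Because rules only add to the built-in set, deleting every `redact_*` line from the preamble still leaves `Set-Cookie` and the API-key header masked, and `parse_body_path` rejects a path that does not start from `body` or `json(body...)` before any response exists, which is the shape check a verify pass can perform offline.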