hen 0.22.0

Run protocol-aware API request collections from the command line or through MCP.
---
sidebar_position: 2
title: Secrets and Redaction
description: Use local secret providers and additive masking rules safely.
---

## Local Secret Providers

```hen
dotenv .env

$ API_TOKEN = secret.env("HEN_API_TOKEN")
$ CLIENT_ID = secret.file("./secrets/client_id.txt")
```

- `secret.env("NAME")` reads one process-environment value at run time and falls back to loaded dotenv values when the process environment does not define that key.
- `secret.file("PATH")` reads one UTF-8 text file relative to the collection working directory and
	strips one trailing line ending.
- Repeated secret references are cached once per run after the first lookup.
- `hen verify` validates the syntax without reading the secret values or dotenv files.

For non-secret values such as origins, hostnames, or other public configuration, use `env("NAME")`
instead. It uses the same process-env plus dotenv lookup order but does not mark the value
sensitive.

Hen supports two secret providers: `env` and `file`.

Top-level `dotenv ...` directives apply to every run, and the selected named environment may add
more dotenv directives inside its `env ...` block. Dotenv files do not create Hen variables on
their own. Use `env(...)` for ordinary values and `secret.env(...)` for secret values.
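The following Python is an added illustration, not Hen's own code: it models the lookup order and provider behaviour described above (process environment first, dotenv values as fallback; `secret.file` read relative to the working directory with exactly one trailing line ending stripped; each secret reference resolved once per run and cached; `env(...)` using the same lookup without marking the value sensitive). The `Run` class, the `SecretValue` wrapper, the minimal dotenv parser and all sample values are assumptions constructed for the example.

```python
"""Model of Hen's documented secret-provider lookup order (added example, not
Hen's own implementation). Class names, the dotenv parser and sample values are
assumptions; only the documented behaviours are taken from the page."""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass(frozen=True)
class SecretValue:
    """Sensitive value: repr never shows the plaintext, so accidental logging is safe."""
    value: str

    def __repr__(self) -> str:
        return "SecretValue(<redacted>)"


def parse_dotenv(text: str) -> dict:
    """Minimal KEY=VALUE parser (assumed shape; skips blanks and # comments)."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        values[key.strip()] = raw.strip().strip('"').strip("'")
    return values


@dataclass
class Run:
    working_dir: Path                     # collection working directory
    dotenv: dict = field(default_factory=dict)
    process_env: dict = field(default_factory=lambda: dict(os.environ))
    _cache: dict = field(default_factory=dict)   # one lookup per reference per run

    def _lookup(self, name: str) -> str:
        # Documented order: the process environment wins, dotenv fills the gaps.
        if name in self.process_env:
            return self.process_env[name]
        if name in self.dotenv:
            return self.dotenv[name]
        raise KeyError(f"{name} is defined neither in the process env nor in a dotenv file")

    def env(self, name: str) -> str:
        """env(NAME): same lookup order, value is NOT marked sensitive."""
        return self._lookup(name)

    def secret_env(self, name: str) -> SecretValue:
        """secret.env(NAME): same lookup, result marked sensitive and cached."""
        key = ("env", name)
        if key not in self._cache:
            self._cache[key] = SecretValue(self._lookup(name))
        return self._cache[key]

    def secret_file(self, path: str) -> SecretValue:
        """secret.file(PATH): UTF-8 file relative to the working directory,
        exactly one trailing line ending stripped, result cached."""
        key = ("file", path)
        if key not in self._cache:
            text = (self.working_dir / path).read_text(encoding="utf-8")
            if text.endswith("\r\n"):
                text = text[:-2]
            elif text.endswith("\n"):
                text = text[:-1]
            self._cache[key] = SecretValue(text)
        return self._cache[key]


def demo() -> dict:
    """Constructed scenario: a dotenv file, a file-backed secret, and a process
    environment that overrides one dotenv key. Returns what each lookup resolved to."""
    workdir = Path(tempfile.mkdtemp())
    (workdir / "secrets").mkdir()
    (workdir / "secrets" / "client_id.txt").write_text("client-123\n", encoding="utf-8")
    dotenv = parse_dotenv("HEN_API_TOKEN=from-dotenv\nAPI_ORIGIN=https://api.example.test\n")
    run = Run(workdir, dotenv=dotenv, process_env={"HEN_API_TOKEN": "from-process-env"})
    token = run.secret_env("HEN_API_TOKEN")
    return {
        "token": token.value,                                  # process env beats dotenv
        "origin": run.env("API_ORIGIN"),                       # plain env(): from dotenv
        "client_id": run.secret_file("./secrets/client_id.txt").value,  # newline stripped
        "cached": run.secret_env("HEN_API_TOKEN") is token,    # second reference hits cache
        "token_repr": repr(token),                             # plaintext never in repr
    }
```

Running `demo()` shows the override order directly: the token comes from the process environment even though the dotenv file defines the same key, while `API_ORIGIN`, which only the dotenv file defines, resolves through `env(...)` as a non-sensitive value.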

## Where Secret Providers Are Valid

Secret references are valid anywhere Hen accepts scalar assignments, including:

- collection variables
- request variables
- environment overrides

Interpolation inside `secret.env(...)` or `secret.file(...)` is intentionally rejected.

## Redaction Rules

```hen
redact_header = X-Session-Token
redact_capture = SESSION_ID
redact_body = body.session.accessToken
redact_body = json(body.payload).token
```

- Redaction rules are valid only in the collection preamble.
- `redact_header` adds an exact header name to the masked set.
- `redact_capture` treats the named export as sensitive for downstream reuse.
- `redact_body` masks a selected response-body value even when it is not exported.

`redact_body` accepts the same body-path syntax used by captures, but it must resolve from the
current response body. Valid forms start from `body...` or `json(body...). ...`.

## Built-In Masking

Hen already masks:

- `Authorization`
- `Proxy-Authorization`
- `Cookie`
- `Set-Cookie`
- API-key style headers
- values loaded through `secret.env(...)` and `secret.file(...)`, including `secret.env(...)`
	values sourced from dotenv files

Use redaction rules to broaden that policy, not replace it.

Dotenv files are not inherently secret. A dotenv value is masked automatically only when it is
consumed through `secret.env(...)`.

`hen verify` validates redaction syntax and body-path shape without resolving any live values.
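To make the additive policy of the two preceding sections concrete, here is an added Python model (not Hen's own code) that starts from the built-in masked header set, adds `redact_header` and `redact_body` rules on top, resolves `body...` and `json(body...)...` paths against a response body, and scrubs known secret-provider values wherever they appear in output. The `***` mask token, the pattern used for "API-key style headers", the exact body-path grammar and the sample response are all assumptions constructed for the example.

```python
"""Model of the redaction policy described on this page (added example; not
Hen's own implementation). MASK, the API-key header pattern and the body-path
grammar are assumptions about shape; the rule semantics follow the page."""
import json
import re

MASK = "***"
# Header names the page lists as masked out of the box.
BUILTIN_HEADERS = {"Authorization", "Proxy-Authorization", "Cookie", "Set-Cookie"}
# "API-key style headers": assumed to mean names such as X-Api-Key or Api_Key.
API_KEY_HEADER = re.compile(r"^(x-)?api[-_]?key$", re.IGNORECASE)
JSON_FORM = re.compile(r"json\((body(?:\.[^).]+)*)\)((?:\.[^.]+)*)")


def parse_body_path(path: str) -> list:
    """Turn `body.a.b` or `json(body.a).b` into resolution steps. The pseudo-step
    "json()" means: parse the current string value as JSON, then keep walking.
    Paths not rooted at the response body are rejected, as the page requires."""
    m = JSON_FORM.fullmatch(path)
    if m:
        before = m.group(1).split(".")[1:]
        after = [s for s in m.group(2).split(".") if s]
        return before + ["json()"] + after
    if path == "body" or path.startswith("body."):
        return path.split(".")[1:]
    raise ValueError(f"redact_body must start from body... or json(body...): {path!r}")


def path_is_valid(path: str) -> bool:
    """Shape check only, in the spirit of `hen verify`: no live body is consulted."""
    try:
        parse_body_path(path)
        return True
    except ValueError:
        return False


def mask_at(node, steps: list):
    """Return a copy of `node` with the value at `steps` replaced by MASK."""
    if not steps:
        return MASK
    step, rest = steps[0], steps[1:]
    if step == "json()":
        if not isinstance(node, str):
            raise TypeError("json(...) needs a string body value to parse")
        return json.dumps(mask_at(json.loads(node), rest), separators=(",", ":"))
    if isinstance(node, dict) and step in node:
        return {**node, step: mask_at(node[step], rest)}
    raise KeyError(f"body path segment {step!r} does not resolve in this response")


class Redactor:
    def __init__(self, redact_headers=(), redact_body=(), secret_values=()):
        # Rules only add to the built-in set; nothing can un-mask a built-in header.
        self.headers = BUILTIN_HEADERS | set(redact_headers)
        self.body_paths = [parse_body_path(p) for p in redact_body]
        self.secret_values = [v for v in secret_values if v]

    def header_is_masked(self, name: str) -> bool:
        # Exact-name match for redact_header entries, as the page documents.
        return name in self.headers or API_KEY_HEADER.match(name) is not None

    def redact_headers(self, headers: dict) -> dict:
        return {k: MASK if self.header_is_masked(k) else self._scrub(v)
                for k, v in headers.items()}

    def redact_body(self, body):
        for steps in self.body_paths:
            body = mask_at(body, steps)
        return self._scrub_tree(body)

    def _scrub(self, text: str) -> str:
        # Secret-provider values are masked wherever they appear, even in unrelated fields.
        for v in self.secret_values:
            text = text.replace(v, MASK)
        return text

    def _scrub_tree(self, node):
        if isinstance(node, str):
            return self._scrub(node)
        if isinstance(node, dict):
            return {k: self._scrub_tree(v) for k, v in node.items()}
        if isinstance(node, list):
            return [self._scrub_tree(v) for v in node]
        return node


def demo():
    """Constructed response with the page's example rules applied; returns (headers, body)."""
    policy = Redactor(
        redact_headers=["X-Session-Token"],
        redact_body=["body.session.accessToken", "json(body.payload).token"],
        secret_values=["s3cr3t-token"],        # e.g. what secret.env(...) resolved to
    )
    headers = {
        "Authorization": "Bearer s3cr3t-token",
        "X-Session-Token": "sess-1",
        "X-Api-Key": "key-1",
        "X-Request-Id": "req-s3cr3t-token-9",  # secret echoed into an unrelated header
        "Content-Type": "application/json",
    }
    body = {
        "session": {"accessToken": "at-1", "user": "alice"},
        "payload": json.dumps({"token": "t-1", "ok": True}),  # JSON nested in a string
    }
    return policy.redact_headers(headers), policy.redact_body(body)
```

The `X-Request-Id` case is the one worth noting: the header is not in any masked set, yet the secret-provider value inside it is still scrubbed, which is why dotenv values should be consumed through `secret.env(...)` rather than `env(...)` whenever they are actually secret.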