Skip to content

HTTP/API

Use xh for one-off requests and hurl for request files that should be rerun, reviewed, or checked into a project.

Tools

hurl is managed by mise in the workstation tool inventory. The repo also renders secret-free templates under:

text
~/.config/hurl/templates/

Available templates:

text
healthcheck.hurl
json.hurl
auth-bearer.hurl

Helpers

Create a request from a managed template:

bash
hurl-new healthcheck api-health.hurl

Run one file:

bash
hurl-run api-health.hurl

Run every .hurl file under the current directory:

bash
hurl-run

Pass secrets at runtime rather than writing them into request files:

bash
hurl-run --variable token="$API_TOKEN" auth-bearer.hurl

Secret Policy

Do not commit bearer tokens, API keys, cookies, session headers, or local credential files. Use runtime variables, environment variables, direnv-managed local files, or an external secret store.

The managed auth-bearer.hurl template intentionally contains only the variable placeholder.

For project-local API work, keep repeatable defaults in .envrc and machine or secret values in .env.local:

bash
# .envrc
dotenv_if_exists .env.local
export API_BASE_URL=http://127.0.0.1:3000
bash
# .env.local, untracked
API_TOKEN=local-development-token

Then pass the value at runtime:

bash
hurl-run --variable token="$API_TOKEN" auth-bearer.hurl