Environment Files & Secret Redaction
Load variables from .env files with automatic secret protection in CLI output.
Overview
curl-runner automatically loads variables from .env files and redacts sensitive values in output. This keeps secrets safe when sharing logs or terminal output.
.env Support
Auto-load variables from .env files
Secret Redaction
Automatically mask sensitive values
Pattern Detection
Auto-detect common API key formats
Basic Usage
Create a .env file in your project root. Variables are automatically loaded and available via ${VAR_NAME} syntax.
# .env
API_URL=https://api.example.com
API_VERSION=v1
# Secrets (automatically redacted in output)
SECRET_API_KEY=sk_live_abc123def456
SECRET_TOKEN=ghp_xxxxxxxxxxxx

# api.yaml
request:
  url: ${API_URL}/users
  method: GET
  headers:
    Authorization: Bearer ${SECRET_API_KEY}
    X-Api-Version: ${API_VERSION}

Environment Overrides
Use environment-specific files to override values for different deployments.
# .env (base defaults)
API_URL=https://api.example.com
DEBUG=false
# .env.local (local overrides, gitignored)
DEBUG=true
# .env.staging (environment-specific)
API_URL=https://staging.api.example.com
# .env.staging.local (local staging overrides)
API_URL=https://my-staging.api.example.com

Priority Chain
Files are loaded in order, with later files overriding earlier values.
# Priority (lowest to highest):
# 1. .env - Base defaults
# 2. .env.local - Local overrides (gitignored)
# 3. .env.{env} - Environment-specific
# 4. .env.{env}.local - Local environment overrides
# Example: with --env staging
# Loads: .env -> .env.local -> .env.staging -> .env.staging.local

CLI Options
Use the --env flag to select an environment.
-e, --env <name>    Select environment (loads .env.{name} files)
--no-redact         Disable secret redaction in output (not recommended)
# Use staging environment
curl-runner api.yaml --env staging
curl-runner api.yaml -e staging
# Use production environment
curl-runner api.yaml --env production
# Disable secret redaction (not recommended)
curl-runner api.yaml --no-redact

Configuration
Set defaults in curl-runner.yaml.
# curl-runner.yaml
global:
  env:
    environment: staging    # Default environment
    redactSecrets: true     # Enable redaction (default)
  variables:
    # These override .env values
    CUSTOM_VAR: "from-config"

Secret Redaction
Secrets are automatically redacted in URLs and curl command output.
SECRET_ Prefix
Variables starting with SECRET_ are always redacted.
# Variables starting with SECRET_ are automatically redacted
SECRET_API_KEY=sk_live_abc123
SECRET_DATABASE_URL=postgres://user:pass@host/db
SECRET_JWT_TOKEN=eyJhbGciOiJIUzI1NiIs...
# Regular variables are NOT redacted
API_KEY=public_key_123
DATABASE_HOST=localhost

Pattern Detection
Common API key patterns are automatically detected and redacted, even without the SECRET_ prefix.
# These patterns are automatically detected and redacted:
# Stripe keys
sk_live_... / sk_test_... / pk_live_... / rk_live_...
# AWS credentials
AKIA... (AWS Access Key IDs)
# GitHub tokens
ghp_... / gho_... / ghu_... / ghs_... / ghr_...
# NPM tokens
npm_...
# Slack tokens
xoxb-... / xoxp-...
# Paddle keys
pdl_...
# OpenAI keys
sk-...
# Anthropic keys
sk-ant-api03-...
# Bearer tokens
Bearer <40+ char token>

Redaction in Output
Secrets appear as [REDACTED] in output.
# Without redaction (--no-redact)
$ curl-runner api.yaml --dry-run --no-redact
curl -H 'Authorization: Bearer sk_live_abc123def456' ...
# With redaction (default)
$ curl-runner api.yaml --dry-run
curl -H 'Authorization: Bearer [REDACTED]' ...

Git Ignore
Always gitignore local and production env files to prevent accidental commits.
# .gitignore
.env.local
.env.*.local
.env.production

Best Practices
Recommended
SECRET_
.env.local for personal overrides
.env in git with safe defaults
Avoid
--no-redact in shared terminals
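
The two redaction rules described under Secret Redaction (the SECRET_ prefix and pattern detection), as an added sketch that is not curl-runner's own code. The function names parseEnv, redact and demo, the REPORTING_DB variable and the minimum token lengths in the regular expressions are assumptions made for this example.

```javascript
// Added illustration, not curl-runner's source. Prefixes are the ones listed on
// this page; the minimum token lengths after each prefix are assumptions.
const PATTERNS = [
  /\b(?:sk_live|sk_test|pk_live|rk_live)_[A-Za-z0-9]{8,}/g, // Stripe
  /\bAKIA[0-9A-Z]{16}\b/g,                                  // AWS access key ID
  /\bgh[pousr]_[A-Za-z0-9]{8,}/g,                           // GitHub
  /\bnpm_[A-Za-z0-9]{8,}/g,                                 // NPM
  /\bxox[bp]-[A-Za-z0-9-]{8,}/g,                            // Slack
  /\bpdl_[A-Za-z0-9_]{8,}/g,                                // Paddle
  /\bsk-[A-Za-z0-9_-]{16,}/g,                               // OpenAI, Anthropic
];
const BEARER = /(Bearer\s+)[A-Za-z0-9._~+\/=-]{40,}/g;      // keep the scheme word

// Minimal KEY=VALUE parser: skips comments and blanks, strips matching quotes.
function parseEnv(text) {
  const vars = {};
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/.exec(line);
    if (m) vars[m[1]] = m[2].replace(/^(['"])(.*)\1$/, "$2");
  }
  return vars;
}

function redact(output, vars) {
  // Rule 1: mask every occurrence of a SECRET_* value, longest value first so
  // a secret that contains another secret is not left half-visible.
  const secrets = Object.entries(vars)
    .filter(([name, value]) => name.startsWith("SECRET_") && value.length > 0)
    .map(([, value]) => value)
    .sort((a, b) => b.length - a.length);
  for (const s of secrets) output = output.split(s).join("[REDACTED]");
  // Rule 2: mask anything that looks like a known key format.
  output = output.replace(BEARER, "$1[REDACTED]");
  for (const re of PATTERNS) output = output.replace(re, "[REDACTED]");
  return output;
}

// Constructed sample input (placeholder values, not real credentials).
const ENV = [
  "# .env",
  "API_URL=https://api.example.com",
  "SECRET_API_KEY=sk_live_abc123def456",
  "REPORTING_DB=postgres://report:hunter2@db.internal/reports",
].join("\n");
function demo() {
  const v = parseEnv(ENV);
  return redact(`curl -H 'Authorization: Bearer ${v.SECRET_API_KEY}' ` +
    `-H 'X-Token: ghp_0123456789abcdefABCDEF' '${v.API_URL}/q?dsn=${v.REPORTING_DB}'`, v);
}
console.log(demo());
```

In the printed command the REPORTING_DB connection string, password included, is left intact because the variable has no SECRET_ prefix and matches none of the listed patterns. Credentials in that shape need the prefix to be masked.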