Environment Variables (env vars)

Once you have already register an user for the Snippets API, you can test and document the /login request.

It is not secure to explicitly write your API’s username and password in a plain text. For this reason, let’s use environment variables.

Setting Env Vars

Let’s set your env vars:

$ export USER=<your_snippets_api_username_here>
$ export PASSWORD=<your_snippets_api_password_here>

The username and the password should be the ones you registered in the API Sign Up page. Example:

$ export USER=my_user

Your environment variables will be available in this terminal section. You can check them by running:

$ echo $USER
$ echo $PASSWORD

Note, if you close this terminal section, you will need to export the variables again. To make this job a bit less manual, let’s create a file to store these values. Create an .env file in root with the following content:

export USER=my_user

The folder structure should look like this now:

- scanapi (root directory)
|── .env
|── scanapi-report.html
|___  scanapi.yaml

Every time you need to load your env vars again, you can just run:

$ source .env

Do not commit your .env file, it should not be added to the version control. To avoid any future mistakes, make sure to add .env to .gitignore so no-one accidentally pushes the .env containing secrets to the repository.

Using Env Vars

It is time to use the exported env vars in the ScanAPI specification in order to access /login. In the scanapi.yaml file, add the get_token request:

  - name: snippets-api
    path: http://demo.scanapi.dev/api/v1/
      Content-Type: application/json
      - name: health
        method: get
        path: /health/
          - name: status_code_is_200
            assert: ${{ response.status_code == 200 }}
          - name: body_equals_ok
            assert: ${{ response.json() == "OK!" }}
      - name: get_token # this is new
        path: /rest-auth/login/ # this is new
        method: post # this is new
        body: # this is new
          username: ${USER} # this is new
          password: ${PASSWORD} # this is new

Using the env var notation, ScanAPI will be able to access the exported values of each variable. Let’s run ScanAPI again and reload the report:

$ scanapi run

The result seems fine, the status code of the response is 200 and the login was complete successfully.

Report overview

But, if we look closer, the report is showing your secret information:

Exposed Credentials

Besides, the response content also contains sensitive information that is being exposed:

Exposed Key

Let’s see how we can hide these values.