---
collection: httpbin-patterns
protocol: rest
vault: keychain
env:
  prod: https://httpbin.org
vars:
  user: missive
---

# httpbin — pattern proofs
> Proves the catalog recipes fire end-to-end: Basic auth (non-Bearer) and an action POST (non-REST shape).

## GET /basic-auth — Basic auth (non-Bearer)

**Request**
```http
GET {{env}}/basic-auth/{{var:user}}/{{vault:HTTPBIN_PASS}}
```
> **Auth: Basic** (see `MISSIVE-PATTERNS.md` → Basic, *Recommended* form). The `Authorization`
> header is **computed at fire-time** — `Authorization: Basic base64({{var:user}}:$HTTPBIN_PASS)` —
> inside the `exec` subprocess; it is deliberately NOT shown as a static header (a literal
> `Basic {{vault:HTTPBIN_PASS}}` would send the *raw* password, which is invalid Basic auth).
> httpbin's `/basic-auth/{user}/{passwd}` also expects the password in the URL path — a quirk of
> this test endpoint; a real Basic API needs the secret only in the header. `{{vault:HTTPBIN_PASS}}`
> is referenced in both places and resolved at fire-time, never written as a value.

**Checks**
- `status` == 200
- `.authenticated` == true
- `.user` == "missive"

**Mock**
```json
{ "authenticated": true, "user": "missive" }
```

**Notebook**
- 📋 state 2026-06-30 — GET /basic-auth → 200; `.authenticated` true, `.user` == missive.
- ✅ outcome 2026-06-30 — Basic-auth recipe (password vaulted, base64'd in-subprocess) fires green; response carries only `{authenticated, user}` — no password echoed, no leak.
- ⚠️ caveat 2026-06-30 — httpbin's `/basic-auth` puts the expected password in the URL path (test-endpoint quirk; it would land in server access logs) — use a throwaway credential only. A real Basic API needs the secret only in the header.

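The fire-time computation described in the Basic auth note above, as an added example (not missive's own code): it builds the header from `$HTTPBIN_PASS` in the shell and mimics the receiving side's check to show why the static `Basic <password>` form is rejected. The function names and the demo credential are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of missive.

# Print the Authorization header for RFC 7617 Basic auth.
# The password is read from $HTTPBIN_PASS, not from argv, so it does not
# show up in process listings or in this file.
basic_auth_header() {
    user=$1
    # RFC 7617: the user-id must not contain ':' (the server splits on the first one).
    case $user in
        ''|*:*) echo "invalid user-id" >&2; return 2 ;;
    esac
    # Refuse to send "user:" when the secret did not resolve.
    [ -n "${HTTPBIN_PASS-}" ] || { echo "HTTPBIN_PASS is not set" >&2; return 3; }
    # printf, not echo: a trailing newline would become part of the password.
    # tr removes the line wrapping base64 applies to long output.
    token=$(printf '%s:%s' "$user" "$HTTPBIN_PASS" | base64 | tr -d '\n')
    printf 'Authorization: Basic %s\n' "$token"
}

# What the receiving side does: decode the token, split on the FIRST colon,
# compare. Returns 0 only for a well-formed, matching credential.
server_accepts() {
    header=$1 want_user=$2 want_pass=$3
    case $header in
        'Authorization: Basic '*) token=${header#'Authorization: Basic '} ;;
        *) return 1 ;;
    esac
    decoded=$(printf '%s' "$token" | base64 -d 2>/dev/null) || return 1
    case $decoded in *:*) ;; *) return 1 ;; esac
    [ "${decoded%%:*}" = "$want_user" ] && [ "${decoded#*:}" = "$want_pass" ]
}

# Constructed throwaway credential for the demo (note the ':' inside the password).
HTTPBIN_PASS='throwaway:pw 123'
good=$(basic_auth_header missive)
bad="Authorization: Basic $HTTPBIN_PASS"   # the static form the note warns against

server_accepts "$good" missive "$HTTPBIN_PASS" && echo "computed header: accepted"
server_accepts "$bad"  missive "$HTTPBIN_PASS" || echo "literal password: rejected"
```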
## POST /post — action/webhook shape (non-REST)

**Request**
```http
POST {{env}}/post
Content-Type: application/json

{ "event": "ping", "id": "{{var:user}}" }
```
> An action/webhook-style POST. httpbin's `/post` echoes the JSON body under `.json`. No secret in
> this request — Checks assert only the echoed body, never request headers.

**Checks**
- `status` == 200
- `.json.event` == "ping"

**Mock**
```json
{ "json": { "event": "ping", "id": "missive" } }
```

**Notebook**
- 📋 state 2026-06-30 — POST /post → 200; `.json.event` == ping (body echoed).
- ✅ outcome 2026-06-30 — action/webhook POST shape verified; Checks assert the echoed body only, never request headers.
