# Missive — API testing without the App API testing as plain Markdown: a folder of *.api.md collections + a local secret vault + your coding agent as the execution engine. Collections you can read, diff, and commit — with an append-only Notebook per endpoint that records what actually happened. No Electron, no cloud account, no proprietary format. ## Use - Contract (read first): https://missive.daystra.com/MISSIVE.md - Start a collection: https://missive.daystra.com/MISSIVE-TEMPLATE.md - Recipes (shapes × auth): https://missive.daystra.com/MISSIVE-PATTERNS.md - Install into a project: curl -fsSL https://missive.daystra.com/install.sh | sh - Manifest: https://missive.daystra.com/.well-known/missive.json ## The law The Markdown holds {{vault:NAME}} references, NEVER secret values. Secrets are injected at fire-time in a subprocess (scripts/vault.sh exec — inject-and-fire) or by the deterministic runner (scripts/missive-run.sh); they never land in a file, a diff, or a transcript. ## Examples — all at /examples/ httpbin.api.md Basic auth + action POST (fired live, leak-safe) spotify.api.md OAuth2 client-credentials → Capture → cached token (fired live; real 403 caveat in the Notebook) github.api.md GraphQL shape missive-releases.api.md this site testing itself (unauthenticated) ## For agents Fetch MISSIVE.md and follow it. One file = one collection; each ## heading = one endpoint with Request / Checks / Mock / Notebook. Advanced auth (OAuth2 pre-request + Capture, HMAC, AWS SigV4, mTLS) is runner-only: scripts/missive-run.sh "" --env . Never render a {{vault:}} value; never put references in Checks/Mock/Notebook; the Notebook is append-only.