HTTP Toolkit Intercept
Use this skill when you need authoritative evidence of what your program sent to a remote API and what it received back while verifying a code change. Works across any runtime — Node.js, Bun, Deno, Python, Go, Ruby, Java/JVM, .NET, PHP, Rust, shell scripts, etc. — as long as the process respects a proxy.
The reliable pattern is:
- Start HTTP Toolkit correctly.
- Run the program through the proxy in a mode that produces a machine-readable log (e.g. , debug logging, or structured stdout).
- Export outbound HTTP requests from HTTP Toolkit.
- Pair the outbound HTTP export with the inbound program session log.
Do not rely on TUI screenshots alone when the question is about request payloads, auth headers, or wire-level behavior.
Prerequisites / Known-Good Launch
Start HTTP Toolkit
On Linux/headless environments, plain
often fails due to sandbox/X11 issues. Prefer:
bash
xvfb-run --auto-servernum httptoolkit --no-sandbox
If a stale server is already running on ports
, stop it first:
bash
pkill -f "HTTP Toolkit Server|httptoolkit|xvfb-run --auto-servernum httptoolkit" || true
Verify the proxy is reachable
bash
# HTTP Toolkit's admin API lives on port 45456/45457 by default.
# Treat 200/401/403 as "reachable"; only connection failure means the server is dead.
curl -s -o /dev/null -w "%{http_code}\n" http://127.0.0.1:45456/config
Quick Start
1. Launch your program with the proxy env vars set
The canonical env vars most runtimes honor:
bash
HTTP_PROXY="http://127.0.0.1:8000" \
HTTPS_PROXY="http://127.0.0.1:8000" \
ALL_PROXY="http://127.0.0.1:8000" \
NO_PROXY="" \
<your-program> <args>
Some runtimes require an extra env var or flag — see the "Runtime proxy matrix" below.
If the HTTP Toolkit CA is not trusted by your runtime, TLS verification will fail. See "TLS Safety" below. Disabling TLS verification is appropriate only for controlled local debugging.
2. Capture the inbound session log
If your program supports a machine-readable output mode (e.g.
--output-format stream-json
,
,
, structured stdout, or writing to a file), pipe it to a file:
bash
<your-program> exec --output-format stream-json "your input" \
> /tmp/session-stdout.log 2> /tmp/session-stderr.log
3. Export outbound HTTP from HTTP Toolkit
Either:
- Use the HTTP Toolkit GUI export (File → Export → JSON / HAR), or
- Hit the admin API directly. The exact endpoint depends on your HTTP Toolkit version; inspect DevTools in the HTTP Toolkit UI to see the requests it makes.
4. Cross-reference the two streams
- Outbound HTTP (from HTTP Toolkit): authoritative for request bodies, headers, auth tokens, retry timing.
- Inbound session log (from the program): authoritative for how your code reacted to the responses.
Together they answer: "what did we send?" and "what did we do with the response?"
What finally worked for payload verification
The critical correct pathways that proved reliable were:
-
Use a non-interactive / exec mode, not the TUI, when verifying payloads
- Interactive TUIs are slower and much harder to analyze.
- Use whatever your program has for scripting (, , , ).
-
Treat outbound and inbound as separate evidence sources
- HTTP Toolkit gives outbound HTTP requests.
- The program's session log gives inbound assistant/tool/application behavior.
- You need both to answer: "what did the remote return?" and "what did the program actually do with it?"
-
Set the proxy env vars your specific runtime honors
- / cover most runtimes, but some (e.g. Bun, Java) require extra vars or flags.
- See the "Runtime proxy matrix" below.
-
Disable TLS verification only for controlled local debugging when needed
- If the HTTP Toolkit CA is not trusted locally, use the runtime-specific escape hatch to skip verification.
- Prefer trusting the CA in your OS / language trust store instead.
- Never disable TLS in production repros.
-
Keep runs bounded
- Long network-heavy sessions can take time.
- If you only need to prove request shape, export after the relevant request is observed — you do not always need to wait for full completion.
Key Facts
- Proxy env vars are runtime-specific — know which ones your runtime honors
- HTTP Toolkit admin API is request-oriented — outbound HTTP comes from HTTP Toolkit, inbound behavior comes from the program log
- TLS is verified by default — runtime-specific skip flags are local-dev escape hatches only
Runtime proxy matrix
| Runtime | Proxy env vars / flags | TLS bypass (local dev only) |
|---|
| Node.js | , , (most libraries); some HTTP clients need flags or explicit option | NODE_TLS_REJECT_UNAUTHORIZED=0
NODE_EXTRA_CA_CERTS=/path/to/ca.pem
|
| Bun | (mandatory — plain / are silently ignored for Bun's own fetch) | NODE_TLS_REJECT_UNAUTHORIZED=0
|
| Deno | , | --unsafely-ignore-certificate-errors
|
| Python (, ) | , , | / pointing at the HTTP Toolkit CA, or in code |
| Python () | Same env vars | or disable context verification |
| Go () | , , (honored via http.ProxyFromEnvironment
| or in the transport |
| Ruby | , | , or OpenSSL::SSL::VERIFY_NONE
|
| Java / JVM | -Dhttp.proxyHost=127.0.0.1 -Dhttp.proxyPort=8000 -Dhttps.proxyHost=127.0.0.1 -Dhttps.proxyPort=8000
| Import CA into a truststore and pass -Djavax.net.ssl.trustStore=...
|
| .NET / C# | , , (on recent runtimes) or configure explicitly | Trust CA in OS store, or HttpClientHandler.ServerCertificateCustomValidationCallback
|
| PHP (curl / cli) | , (or per-call ) | CURLOPT_SSL_VERIFYPEER => false
|
| Rust () | , | danger_accept_invalid_certs(true)
|
| curl / shell | , env vars or / flag | / |
| Docker containers | Pass env vars through with ; use (Mac/Win) or (Linux) so the container can reach the proxy | Mount the CA into the image and install it, or use runtime-specific bypass flags |
Prefer trusting the HTTP Toolkit CA in your runtime/OS trust store over disabling verification. Bypass flags should be local-dev only.
TLS Safety Guardrails
- Keep TLS verification enabled whenever possible.
- Prefer trusting the HTTP Toolkit CA in your local trust store instead of disabling verification.
- Use runtime-specific TLS-bypass flags only for controlled local debugging in development.
- Never disable TLS when intercepting production traffic.
Inspecting Captured Logs
Filter to relevant events only
If your program emits newline-delimited JSON, use
:
bash
jq -c 'select(.type == "tool_call" or .type == "message")' /tmp/session-stdout.log
Adjust the filter to match your program's event schema. For plain-text logs, use
/
patterns.
Match outbound HTTP to inbound events
Sort both streams by timestamp, then interleave them. The sequence usually looks like:
outbound POST /api/endpoint (from HTTP Toolkit)
inbound event received (from program log)
inbound follow-up action (from program log)
outbound POST /api/endpoint (next request)
If a program log shows an outbound request that HTTP Toolkit didn't capture, that's a proxy-config bug.
Troubleshooting
| Problem | Cause | Fix |
|---|
| Program hangs, no events after startup | Proxy env vars not reaching the process, or TLS verification blocking | Re-run with the right env vars for your runtime (see matrix); if necessary, enable the runtime's TLS bypass in dev |
| / on every request | Runtime-specific proxy env var missing (e.g. for Bun, JVM flags for Java) | Use the correct runtime-specific proxy config |
| TLS cert errors via proxy | MITM CA not trusted by this runtime | Trust HTTP Toolkit CA in the runtime / OS store, or enable the runtime's TLS bypass in dev only |
| HTTP Toolkit API 403s on | Auth-gated config endpoint | Treat 200/401/403 as reachable; only connection failure means the server is dead |
| Export has outbound data but no matching inbound events | Didn't capture the program log | Add redirection to the launch |
| HTTP Toolkit misses the first request | Started capturing after the process launched | Start HTTP Toolkit first, THEN launch the program |
| Container / VM can't reach | Loopback is container-local | Use (Docker Desktop) or (Linux) |
| Program ignores env vars entirely | Runtime doesn't honor env vars (e.g. JVM) | Use runtime-specific flags ( for JVM, etc.) |