CLI workflow

Debug an HTTP API with a CLI

Reproduce one request with explicit method, headers, body, timeout, and saved response before changing the server or client.

HTTP and webhooksLocal write

Prepare tools, authentication, and evidence first

Install the recommended tools, confirm minimum permissions, and keep compatibility separate from real execution records.

curlverified
Call HTTP APIs with explicit methods, headers, authentication, retries, and failure handling.

Recommended install

$ shell
brew install curl
Authentication
none, basic, bearer token, client certificate, netrc
Tested agents
No agent-specific execution record
Evidence status
verified · Documentation checked 2026-07-10
Independent CLI execution
8.7.1 · 4 checks
httpdocs-verified
Send readable HTTP requests with JSON-aware input and output for local or CI workflows.

Recommended install

$ shell
pipx install httpie
Authentication
none, basic, bearer token, auth plugins, sessions
Tested agents
No agent-specific execution record
Evidence status
docs-verified · Documentation checked 2026-07-10
Independent CLI execution
No independently executed version recorded
jqverified
Parse, filter, validate, and transform JSON locally with deterministic output.

Recommended install

$ shell
brew install jq
Authentication
No authentication for the base operation
Tested agents
No agent-specific execution record
Evidence status
verified · Documentation checked 2026-07-10
Independent CLI execution
jq-1.7.1-apple · 4 checks

Copy or download this workflow Skill

The Skill includes input and output contracts, recommended tools, approval points, rollback, and evidence boundaries. Review it against the active environment before saving.

debug-http-api-SKILL.md
---
name: debug-http-api-workflow
description: "Reproduce one request with explicit method, headers, body, timeout, and saved response before changing the server or client."
---

# Debug an HTTP API

## Intended outcome

Identify whether a failure comes from transport, authentication, request shape, server behavior, or response parsing.

## Evidence boundary

- Tool status distinguishes `docs-verified` material from independent execution; the two are not interchangeable.
- The current registry does not attribute a tool execution to a particular agent, so compatible agents cannot be called tested agents.
- Reconfirm the target account, environment, version, and official documentation before execution.
- Never auto-execute an R2, R3, or confirmation-marked step; obtain explicit approval immediately before it runs.

## Recommended tools, installation, and authentication

- **curl** (evidence: `verified`, docs checked: `2026-07-10`, independently tested version 8.7.1 recorded)
  - Install: `brew install curl`
  - Authentication: none, basic, bearer token, client certificate, netrc
  - Minimum permissions: Pass scoped tokens through environment-backed headers and never print request secrets.
- **HTTPie** (evidence: `docs-verified`, docs checked: `2026-07-10`, no independently executed version recorded)
  - Install: `pipx install httpie`
  - Authentication: none, basic, bearer token, auth plugins, sessions
  - Minimum permissions: Use environment-backed headers and store sessions outside the repository.
- **jq** (evidence: `verified`, docs checked: `2026-07-10`, independently tested version jq-1.7.1-apple recorded)
  - Install: `brew install jq`
  - Authentication: not required for the base operation
  - Minimum permissions: No service credential is required; restrict filesystem and network access to the task.

## Input contract

- Endpoint and method
- redacted request headers
- request body
- expected status and response shape

## Output contract

- Reproducible command
- status and headers
- saved response body
- fault hypothesis

## Safe workflow

1. **Build a safe reproduction** — Use a non-secret environment variable for authentication and an explicit timeout.
   - Input: Endpoint, method, headers, and body
   - Output: Reviewable request command
   - Risk: `read-only`
   - Command: `curl --fail-with-body --max-time 20 -D headers.txt -o response.json "$API_URL"`
2. **Capture the response** — Save headers and body separately, then validate JSON without dumping credentials.
   - Input: HTTP response
   - Output: Status, headers, parsed body, and exit code
   - Risk: `local-write`
   - Command: `jq . response.json`
3. **Compare and isolate** — Change one input at a time and distinguish client errors from server errors and network failures.
   - Input: Baseline request and expected contract
   - Output: Smallest failing case and likely fault layer
   - Risk: `read-only`

## Ask before proceeding

- Calling endpoints that create, update, delete, charge, send, or deploy
- Using production credentials or customer data
- Retrying a non-idempotent request

## Rollback

- Use a read-only endpoint for the baseline
- Delete local response files containing sensitive data
- For approved writes, capture the resource ID and documented reversal path first

## Official sources

- [curl manual](https://curl.se/docs/manpage.html) — Official HTTP options, output handling, retries, and failure semantics.
- [HTTPie CLI documentation](https://httpie.io/docs/cli) — Official request syntax, sessions, authentication, and output documentation.
- [jq manual](https://jqlang.github.io/jq/manual/) — Official filters, input modes, exit status, and JSON transformation reference.

Outcome, inputs, and outputs

Define the result and evidence before the agent selects a command.

Goal

Identify whether a failure comes from transport, authentication, request shape, server behavior, or response parsing.

Required inputs

  • Endpoint and method
  • redacted request headers
  • request body
  • expected status and response shape

Expected outputs

  • Reproducible command
  • status and headers
  • saved response body
  • fault hypothesis

Debug an HTTP API with a CLI: safe workflow

Run each step inside its stated boundary and verify the output before continuing.

Step 1Read only

Build a safe reproduction

Use a non-secret environment variable for authentication and an explicit timeout.
Input
Endpoint, method, headers, and body
Output
Reviewable request command
$ Build a safe reproduction
curl --fail-with-body --max-time 20 -D headers.txt -o response.json "$API_URL"
Step 2Local write

Capture the response

Save headers and body separately, then validate JSON without dumping credentials.
Input
HTTP response
Output
Status, headers, parsed body, and exit code
$ Capture the response
jq . response.json
Step 3Read only

Compare and isolate

Change one input at a time and distinguish client errors from server errors and network failures.
Input
Baseline request and expected contract
Output
Smallest failing case and likely fault layer

Approval points and rollback

Pause at the listed decision points and keep recovery instructions beside the action.

Ask before these actions

  • Calling endpoints that create, update, delete, charge, send, or deploy
  • Using production credentials or customer data
  • Retrying a non-idempotent request

Recovery plan

  • Use a read-only endpoint for the baseline
  • Delete local response files containing sensitive data
  • For approved writes, capture the resource ID and documented reversal path first

CLI, MCP, or API?

Choose the interface by execution location, identity, output contract, and permission boundary.

CLI

Best for a transparent reproduction that can be shared in CI or an incident report.

MCP

Useful when the API should be exposed as narrow typed operations instead of arbitrary requests.

API

The API is the target; use an SDK only after the raw HTTP contract is understood.

Recommended approach

Start with curl for exact behavior; use HTTPie when readability improves interactive diagnosis.

Official evidence and references

Use these primary or upstream sources to verify current command behavior before acting.

curl manual

Official HTTP options, output handling, retries, and failure semantics.

HTTPie CLI documentation

Official request syntax, sessions, authentication, and output documentation.

jq manual

Official filters, input modes, exit status, and JSON transformation reference.

Questions before you run it

Should an agent use verbose output?

Only when needed, and redact Authorization, cookies, and sensitive query values before sharing it.

When is retry safe?

Retry reads and documented idempotent operations; do not automatically retry a write without an idempotency guarantee.

Related tools and guides

Browse sibling guides and choose the next page that best matches the active task.

Continue with tool evidence, a workflow, or a decision guide related to this task.

Continue with tool evidence, a workflow, or a decision guide related to this task.

Continue with tool evidence, a workflow, or a decision guide related to this task.

Inspect installation, authentication, structured output, command risk, and official evidence.