The downstream HTTP settings control how outbound HTTP requests are constructed, secured, and logged. Proper configuration ensures reliable communication with external services while maintaining security and performance.

The following table lists the properties available under runtime.http and their purpose:
Property Purpose
base_url Provides a fallback base URL when the operation URL is not absolute.
default_headers Specifies non-secret headers applied to every outbound HTTP call.
accept_encoding Indicates compression or logging hints for downstream requests.
response_guard.* Defines response size and array limits. See the guard section for details.
tls.* Configures downstream trust and optional client certificate identity.
debug_raw Enables development logging by emitting sanitized raw HTTP request and response lines.

Raw HTTP debug logging

The debug_raw property provides enhanced visibility into HTTP requests and responses for troubleshooting purposes. This feature is available globally for outbound calls and specifically for token exchange operations. The following table lists raw HTTP debug logging details:
Location Key path Scope What is logged Header handling
Global outbound runtime.http.debug_raw All downstream calls Method, URL, status, timing, selected headers, truncated body preview Sensitive headers partially masked. Tokens and prefixes are truncated. Secrets are not fully printed.
Token exchange security.authentication. user_auth.token_exchange. debug_raw Token exchange POST and response only Exchange request and response, status, JSON path extraction details Authorization and exchange headers masked except for prefix. Body fields logged only when small.
Follow these guidelines when enabling raw HTTP debug logging:
  • Use this feature only in development or during short diagnostic windows.
  • Disable it in production to reduce log noise and prevent accidental exposure of secrets.
  • Bodies larger than approximately 4 KB are logged as a size summary instead of full content.
  • Binary or non-UTF payloads are summarized by size in hexadecimal format.
  • Masking strategy ensures that authorization-like headers show only the prefix and a few characters. Full token values are never printed.
  • Custom headers containing token, secret, key, or auth are abbreviated.
  • Token exchange failures redact sensitive response fields and log only structural error information.
The following example shows how to enable raw HTTP debug logging in the configuration:
"runtime": { "http": { "debug_raw": true } }
"security": { "authentication": { "user_auth": { "token_exchange": { "debug_raw": true } } } }

To disable debug logging, remove these flags or set them to false after diagnosing the issue.

The debug logging feature provides sufficient correlation and payload insight to troubleshoot authentication, routing, and token exchange issues without exposing full secrets in logs. This approach preserves auditability while limiting credential exposure.