Cloud

http

Available in: Cloud, Self-Managed

Performs a HTTP request using a message batch as the request body, and replaces the original message parts with the body of the response.

  • Common

  • Advanced

processors:
  label: ""
  http:
    url: "" # No default (required)
    verb: POST
    headers: {}
    rate_limit: "" # No default (optional)
    timeout: 5s
    parallel: false
processors:
  label: ""
  http:
    url: "" # No default (required)
    verb: POST
    headers: {}
    metadata:
      include_prefixes: []
      include_patterns: []
    dump_request_log_level: ""
    oauth:
      enabled: false
      consumer_key: ""
      consumer_secret: ""
      access_token: ""
      access_token_secret: ""
    oauth2:
      enabled: false
      client_key: ""
      client_secret: ""
      token_url: ""
      scopes: []
      endpoint_params: {}
    basic_auth:
      enabled: false
      username: ""
      password: ""
    jwt:
      enabled: false
      private_key_file: ""
      signing_method: ""
      claims: {}
      headers: {}
    tls:
      enabled: false
      skip_cert_verify: false
      enable_renegotiation: false
      root_cas: ""
      root_cas_file: ""
      client_certs: []
    extract_headers:
      include_prefixes: []
      include_patterns: []
    rate_limit: "" # No default (optional)
    timeout: 5s
    retry_period: 1s
    max_retry_backoff: 300s
    retries: 3
    follow_redirects: true
    backoff_on:
      - 429
    drop_on: []
    successful_on: []
    proxy_url: "" # No default (optional)
    disable_http2: false
    batch_as_multipart: false
    parallel: false

Rate limit requests

You can use the rate_limit field to specify a rate limit resource, which restricts the number of requests processed service-wide, regardless of how many components you run in parallel.

Dynamic URL and header settings

You can set the url and headers values dynamically using function interpolations.

Map payloads with the branch processor

You can use the branch processor to transform or encode the payload into a specific request body format, and map the response back into the original payload instead of replacing it entirely.

This example uses a branch processor to strip the request message into an empty body (request_map: 'root = ""'), grab an HTTP payload, and place the result back into the original message at the path repo.status:

pipeline:
  processors:
    - branch:
        request_map: 'root = ""'
        processors:
          - http:
              url: https://hub.docker.com/v2/repositories/jeffail/benthos
              verb: GET
              headers:
                Content-Type: application/json
        result_map: 'root.repo.status = this'

Response codes

HTTP response codes in the 200-299 range indicate a successful response. You can use the successful_on field to add more success status codes.

HTTP status codes in the 300-399 range are redirects. The follow_redirects field determines how these responses are handled.

If a request returns a response code that matches an entry in:

Add metadata to errors

If a request returns an error response code, this processor sets a http_status_code metadata field in the resulting message.

You can use the extract_headers field to define rules for copying headers into messages generated from the response.

Error handling

When all retry attempts for a message are exhausted, this processor cancels the attempt. By default, the failed message continues through the pipeline unchanged unless you configure other error-handling. For example, you might want to drop failed messages or route them to a dead letter queue. For more information, see Error Handling.

Fields

backoff_on[]

A list of status codes that indicate a request failure, and trigger retries with an increasing backoff period between attempts.

Type: int

Default:

- 429

basic_auth

Allows you to specify basic authentication.

Type: object

basic_auth.enabled

Whether to use basic authentication in requests.

Type: bool

Default: false

basic_auth.password

A password to authenticate with.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Manage Secrets before adding it to your configuration.

Type: string

Default: ""

basic_auth.username

A username to authenticate as.

Type: string

Default: ""

batch_as_multipart

When set to true, sends all message in a batch as a single request using RFC1341.

When set to false, sends messages in a batch as individual requests.

Type: bool

Default: false

disable_http2

Whether to disable HTTP/2. By default, HTTP/2 is enabled.

Type: bool

Default: false

drop_on[]

A list of status codes that indicate a request failure, where the input should not attempt retries. This helps avoid unnecessary retries for requests that are unlikely to succeed.

In these cases, the request is dropped, but the message that triggered the request is retained.

Type: int

Default: []

dump_request_log_level

EXPERIMENTAL: Set the logging level for the request and response payloads of each HTTP request.

Type: string

Default: ""

Options: TRACE, DEBUG, INFO, WARN, ERROR, FATAL, ``

extract_headers

Specify which response headers to add to the resulting messages as metadata. Header keys are automatically converted to lowercase before matching, so make sure that your patterns target the lowercase versions of the expected header keys.

Type: object

extract_headers.include_patterns[]

Provide a list of explicit metadata key regular expression (re2) patterns to match against.

Type: array

Default: []

# Examples:
include_patterns:
  - .*

# ---

include_patterns:
  - _timestamp_unix$

extract_headers.include_prefixes[]

Provide a list of explicit metadata key prefixes to match against.

Type: array

Default: []

# Examples:
include_prefixes:
  - foo_
  - bar_

# ---

include_prefixes:
  - kafka_

# ---

include_prefixes:
  - content-

follow_redirects

Whether to follow redirects, including all responses with HTTP status codes in the 300-399 range. If set to false, the response message includes only the body, status, and headers from the redirect response, and this processor does not make a request to the URL specified in the Location header.

Type: bool

Default: true

headers

A map of headers to add to the request. This field supports interpolation functions.

Type: string

Default: {}

# Examples:
headers:
  Content-Type: application/octet-stream
  traceparent: ${! tracing_span().traceparent }

jwt

Beta

Configure JSON Web Token (JWT) authentication. This feature is in beta and may change in future releases. JWT tokens provide secure, stateless authentication between services.

Type: object

jwt.claims

A value used to identify the claims that issued the JWT.

Type: object

Default: {}

jwt.enabled

Whether to use JWT authentication in requests.

Type: bool

Default: false

jwt.headers

Additional key-value pairs to include in the JWT header (optional). These headers provide extra metadata for JWT processing.

Type: object

Default: {}

jwt.private_key_file

Path to a file containing the PEM-encoded private key using PKCS#1 or PKCS#8 format. The private key must be compatible with the algorithm specified in the signing_method field.

Type: string

Default: ""

jwt.signing_method

The cryptographic algorithm used to sign the JWT token. Supported algorithms include RS256, RS384, RS512, and EdDSA. This algorithm must be compatible with the private key specified in the private_key_file field.

Type: string

Default: ""

max_retry_backoff

The maximum period to wait between failed requests.

Type: string

Default: 300s

metadata

Specify matching rules that determine which metadata keys should be added to the HTTP request as headers.

Type: object

metadata.include_patterns[]

Provide a list of explicit metadata key regular expression (re2) patterns to match against.

Type: array

Default: []

# Examples:
include_patterns:
  - .*

# ---

include_patterns:
  - _timestamp_unix$

metadata.include_prefixes[]

Provide a list of explicit metadata key prefixes to match against.

Type: array

Default: []

# Examples:
include_prefixes:
  - foo_
  - bar_

# ---

include_prefixes:
  - kafka_

# ---

include_prefixes:
  - content-

oauth

Configure OAuth version 1.0 authentication for secure API access.

Type: object

oauth.access_token

The value used to gain access to the protected resources on behalf of the user.

Type: string

Default: ""

oauth.access_token_secret

The secret that establishes ownership of the oauth.access_token in OAuth 1.0 authentication.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Manage Secrets before adding it to your configuration.

Type: string

Default: ""

oauth.consumer_key

A value used to identify the client to the service provider.

Type: string

Default: ""

oauth.consumer_secret

A secret used to establish ownership of the consumer key.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Manage Secrets before adding it to your configuration.

Type: string

Default: ""

oauth.enabled

Whether to use OAuth version 1 in requests.

Type: bool

Default: false

oauth2

Allows you to specify open authentication using OAuth version 2 and the client credentials token flow.

Type: object

oauth2.client_key

A value used to identify the client to the token provider.

Type: string

Default: ""

oauth2.client_secret

The secret used to establish ownership of the client key.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Manage Secrets before adding it to your configuration.

Type: string

Default: ""

oauth2.enabled

Whether to use OAuth version 2 in requests.

Type: bool

Default: false

oauth2.endpoint_params

A list of endpoint parameters specified as arrays of strings (optional).

Type: object

Default: {}

# Examples:
endpoint_params:
  bar:
    - woof
  foo:
    - meow
    - quack

oauth2.scopes[]

A list of requested permissions (optional).

Type: array

Default: []

oauth2.token_url

The URL of the token provider.

Type: string

Default: ""

parallel

When processing batched messages, this field determines whether messages in the batch are sent in parallel. If set to false, messages are sent serially.

Type: bool

Default: false

proxy_url

A HTTP proxy URL (optional).

Type: string

rate_limit

A rate limit to throttle requests by (optional).

Type: string

retries

The maximum number of retry attempts to make.

Type: int

Default: 3

retry_period

The initial period to wait between failed requests before retrying.

Type: string

Default: 1s

successful_on[]

A list of HTTP status codes that should be considered as successful, even if they are not 2XX codes. This is useful for handling cases where non-2XX codes indicate that the request was processed successfully, such as 303 See Other or 409 Conflict.

By default, all 2XX codes are considered successful unless they are specified in backoff_on or drop_on fields.

Type: int

Default: []

timeout

A static timeout to apply to requests.

Type: string

Default: 5s

tls

Configure Transport Layer Security (TLS) settings to secure network connections. This includes options for standard TLS as well as mutual TLS (mTLS) authentication where both client and server authenticate each other using certificates. Key configuration options include enabled to enable TLS, client_certs for mTLS authentication, root_cas/root_cas_file for custom certificate authorities, and skip_cert_verify for development environments.

Type: object

tls.client_certs[]

A list of client certificates for mutual TLS (mTLS) authentication. Configure this field to enable mTLS, authenticating the client to the server with these certificates.

You must set tls.enabled: true for the client certificates to take effect.

Certificate pairing rules: For each certificate item, provide either:

  • Inline PEM data using both cert and key or

  • File paths using both cert_file and key_file.

Mixing inline and file-based values within the same item is not supported.

Type: object

Default: []

# Examples:
client_certs:
  - cert: foo
    key: bar


# ---

client_certs:
  - cert_file: ./example.pem
    key_file: ./example.key

tls.client_certs[].cert

A plain text certificate to use.

Type: string

Default: ""

tls.client_certs[].cert_file

The path of a certificate to use.

Type: string

Default: ""

tls.client_certs[].key

A plain text certificate key to use.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Manage Secrets before adding it to your configuration.

Type: string

Default: ""

tls.client_certs[].key_file

The path of a certificate key to use.

Type: string

Default: ""

tls.client_certs[].password

A plain text password for when the private key is password encrypted in PKCS#1 or PKCS#8 format. The obsolete pbeWithMD5AndDES-CBC algorithm is not supported for the PKCS#8 format.

Because the obsolete pbeWithMD5AndDES-CBC algorithm does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Manage Secrets before adding it to your configuration.

Type: string

Default: ""

# Examples:
password: foo

# ---

password: ${KEY_PASSWORD}

tls.enable_renegotiation

Whether to allow the remote server to repeatedly request renegotiation. Enable this option if you’re seeing the error message local error: tls: no renegotiation.

Type: bool

Default: false

tls.enabled

Whether custom TLS settings are enabled.

Type: bool

Default: false

tls.root_cas

Specify a root certificate authority to use (optional). This is a string that represents a certificate chain from the parent-trusted root certificate, through possible intermediate signing certificates, to the host certificate. Use either this field for inline certificate data or root_cas_file for file-based certificate loading.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Manage Secrets before adding it to your configuration.

Type: string

Default: ""

# Examples:
root_cas: |-
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----

tls.root_cas_file

Specify the path to a root certificate authority file (optional). This is a file, often with a .pem extension, which contains a certificate chain from the parent-trusted root certificate, through possible intermediate signing certificates, to the host certificate. Use either this field for file-based certificate loading or root_cas for inline certificate data.

Type: string

Default: ""

# Examples:
root_cas_file: ./root_cas.pem

tls.skip_cert_verify

Whether to skip server-side certificate verification. Set to true only for testing environments as this reduces security by disabling certificate validation. When using self-signed certificates or in development, this may be necessary, but should never be used in production. Consider using root_cas or root_cas_file to specify trusted certificates instead of disabling verification entirely.

Type: bool

Default: false

url

The URL to connect to. This field supports interpolation functions.

Type: string

verb

A verb to connect with.

Type: string

Default: POST

# Examples:
verb: POST

# ---

verb: GET

# ---

verb: DELETE