Scripting Overview
Scripting lets you run a small JavaScript program against every request that matches a URL pattern. Use it for the things you’d otherwise edit by hand on every call: stamping a header, signing a payload, decoding a token, or asserting that a response has the shape you expect.
The engine is QuickJS, embedded in Probe’s Rust core — not Node.js, not V8. Each script runs in a fresh sandbox with a 10-second timeout, a 64 MB memory cap, and no access to the filesystem, require, process, or the DOM. The single global you talk to is pro.
Two phases
Each rule has two slots. You can fill in either or both.
- Request script runs before the request leaves Probe. You can mutate pro.request.method, pro.request.url, headers, and body. Mutations are sent upstream.
- Response script runs after the upstream response comes back. You can read pro.response and run assertions with pro.test(...) and pro.expect(...). The request object is read-only here.
Both phases share the same pro.variables, pro.crypto, pro.console, and pro.sendRequest APIs. See the API Reference for the full surface.
Matching
Each script rule has:
- A URL glob — https://api.example.com/*, *://*.stripe.com/v1/*, etc.
- A method filter — any combination of GET, POST, PUT, PATCH, DELETE, etc.
- A request script, a response script, or both.
A request runs through every rule whose match conditions hit, in the order they appear in the list.
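Added example (not Probe's code): a small Node.js model of the matching described above, for checking which rules a glob fires on before enabling a script that stamps headers or signs payloads. It assumes `*` matches any run of characters, which this page does not specify; the rule names, hosts and the `enabled` field are constructed for illustration.

```javascript
// Added example: a model of rule matching, not Probe's implementation.
// Assumption: `*` matches any run of characters (including '.' and '/').
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*') + '$');
}

// Names of the enabled rules that fire for one request, in list order.
function matchingRules(rules, method, url) {
  return rules
    .filter((r) => r.enabled !== false)
    .filter((r) => r.methods.includes(method.toUpperCase()))
    .filter((r) => globToRegExp(r.glob).test(url))
    .map((r) => r.name);
}

// Constructed rule list; names, hosts and the `enabled` field are illustrative.
const rules = [
  { name: 'trace-id', glob: 'https://api.example.com/*', methods: ['GET', 'POST'] },
  // No dot before "example.com": also matches hosts that merely end in that string.
  { name: 'sign-loose', glob: '*://*example.com/*', methods: ['POST'] },
  { name: 'sign-tight', glob: '*://*.example.com/*', methods: ['POST'] },
  { name: 'stripe-check', glob: '*://*.stripe.com/v1/*', methods: ['GET'], enabled: false },
];

// Constructed requests to check the rule list against.
const requests = [
  ['POST', 'https://api.example.com/v1/orders'],
  ['GET', 'https://api.example.com/v1/orders'],
  ['POST', 'https://notexample.com/upload'],
  ['GET', 'https://api.stripe.com/v1/charges'],
];

for (const [method, url] of requests) {
  console.log(method, url, '->', matchingRules(rules, method, url).join(', ') || '(none)');
}
```

The third request shows the loose glob firing on a host outside the intended domain, while the tight glob does not.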
Create a rule
- Open the Scripting window from the toolbar.
- Click + to add a rule.
- Enter a URL glob and pick the methods to match.
- Write the request and/or response script in the editor.
- Save. The rule starts firing immediately on matching traffic.
Toggle a rule off without deleting it using the checkbox in the list. The toolbar icon turns yellow when at least one rule is enabled.
A tiny example
Stamp every outgoing request to your API with a fresh trace ID:

```js
// Request script — match: https://api.example.com/*
pro.request.headers.upsert({
  key: 'X-Trace-Id',
  value: pro.crypto.sha256(Date.now() + ':' + Math.random()),
});
```

The header is set before Probe forwards the request. Open the captured request in the Detail panel to confirm X-Trace-Id is now there.
The script editor
Both the request and response slots open a JavaScript editor with a few helpers tuned for the Probe API:
- Syntax highlighting and line numbers for JS, themed to match the rest of the app — the editor swaps to a dark scheme automatically when the app is in dark mode and to a light scheme in light mode. Hint text and chrome match the surrounding UI rather than reading too dark or too bright against the editor background.
- Beautify — a button at the top of the editor reformats the current script with a 2-space indent and consistent spacing. Useful after pasting in a one-liner from a chat message.
- Autocomplete — type pro., console., request., or response. and the editor opens a popup with the available members and their types (string, number, object, etc.). Standard JS keywords (function, return, if, etc.) and the JS built-ins (JSON, Math, Date) appear in the same popup. The compose script editor uses the same engine, so a script you write in one surface feels identical to writing it in the other.
Sandbox limits
Scripts run in QuickJS, which means:
- No require, import, fs, child_process, process, Buffer, or globalThis shortcuts to a host.
- No fetch, no XMLHttpRequest, no DOM. For outbound HTTP from inside a script, use pro.sendRequest.
- A hard 10 second wall-clock timeout per execution. An infinite loop is killed.
- A 64 MB memory ceiling and a 1 MB stack.
- A maximum of 5 sub-requests via pro.sendRequest per script execution.
- Each invocation gets a fresh runtime — variables you var in one run do not survive to the next. Use pro.variables.set(...) for state that needs to outlive a single execution.
Legacy aliases
gmp and pm are aliases of pro. The codebase started life as Guide MITM Proxy (gmp) and many users come from Postman (pm), so scripts written against either alias keep working:

```js
pm.test('status is 200', function () {
  pm.expect(pm.response.code).to.equal(200);
});
```

Use whichever name you prefer. New scripts should use pro.
Console output
console.log, console.warn, console.error, console.debug, console.table, console.time/timeEnd all work and feed into Probe’s scripting console at the bottom of the script editor. Output appears next to the request that triggered the script — handy for quick “what did I get back?” checks without dropping console.log everywhere.
Related
- Scripting API Reference — every method on pro.
- Scripting Recipes — copy-pasteable patterns.
- Breakpoints — for one-off manual edits instead of automatic ones.
- Composer — if you want to build a single request rather than mutate live traffic.