Skip to main content
This changelog covers notable user-facing changes to webhook.co — the API, SDKs, CLI, and product. The API is versioned in its path (/v1), and any breaking change ships under a new version.
July 10, 2026
MCPAPIDashboardSecurity
Agents & account controls

webhook→agent triggers, and account controls

You can now turn an incoming webhook into an agent trigger, and you have new controls over your keys and your data.
  • Webhook→agent triggers (MCP). Subscribe a coding agent to one of your endpoints over MCP, then have it wait for the next matching event and receive the payload inline. Delivery is at-least-once, tracked by cursor so an agent can resume exactly where it left off. Triggers are managed from the API, CLI, MCP, and a dedicated dashboard view (create, list, revoke).
  • Delete organization. An owner-gated danger-zone action permanently deletes an organization and durably purges its stored payloads.
  • Leaked API key guidance. If one of your whk_ API keys ever ends up in public source, a new remediation guide at docs.webhook.co/leaked-api-key walks through rotating it and re-securing your account.
July 7, 2026
DashboardAPICLI
Deduplication & dashboard

per-endpoint deduplication and a fuller dashboard

Configurable deduplication landed, and the dashboard grew to cover the whole inbound-to-outbound loop.Added
  • Per-endpoint deduplication. Configure a dedup window and key per endpoint to collapse duplicate deliveries. Off by default; set it from the CLI (wbhk endpoints update --dedup-*), the API, MCP, or a new dashboard config panel.
  • Live events in the dashboard. A Live toggle on the events view streams new events as they arrive.
  • Always-shown ingest URL. An endpoint’s signed ingest URL is now always visible on its detail page (and retrievable via the API), stored encrypted at rest — no more one-time reveal.
  • Deliveries & destinations. A deliveries view with per-destination detail, destination management, and one-click replay of a captured event to a registered destination.
  • Provider-secret management moved into the dashboard, with a searchable provider picker and brand logos.
Improved
  • Payloads are stored content-addressed, so identical bodies are stored once.
  • The sidebar was regrouped into Inbound and Outbound, and Manage Credentials split into active and inactive tabs.
Changed
  • Auto-delivery and replay only ever forward events whose signature was verified — an unverified event is never re-signed on the way out. Deliveries now show a clear signed/unsigned indicator for the source event.
July 4, 2026
DocsSDKAPI
Docs, OpenAPI & SDKs

documentation, an OpenAPI spec, and official SDKs

Everything you need to build against webhook.co programmatically.
  • docs.webhook.co is live — full product documentation, quickstarts, and reference.
  • OpenAPI 3.1 spec generated directly from the API contract and published at /openapi.json, so it never drifts from the live API.
  • Official SDKs for TypeScript, Python, and Go, generated from that spec and published to npm, PyPI, and the Go module proxy.
July 1, 2026
APICLIMCP
Outbound delivery

outbound delivery

Beyond capturing and replaying, webhook.co can now deliver verified events onward to your own HTTP destinations.
  • Server-side delivery. Register destinations and route verified events to them automatically, or replay any captured event to a destination on demand — all server-side, no local process required.
  • Standard Webhooks signing. Sign outbound deliveries with the Standard Webhooks scheme, re-signed at egress with your per-destination key so receivers can verify them.
  • Automatic retries. Failed deliveries retry on a fixed schedule with backoff; a destination that keeps failing is automatically disabled and the organization owner is emailed.
  • Subscriptions & event types. Per-provider event-type derivation lets you subscribe a destination to just the event types you care about.
  • Deliveries API. Read delivery history and status across the API, CLI, and MCP.
  • Faster pagination. Event and delivery lists use keyset pagination with an opaque, microsecond-exact cursor for stable, fast paging through large histories.
June 30, 2026
ProvidersSecurityAPI
Signature verification

inbound signature verification, from a handful to 142 providers

webhook.co verifies the signature on every incoming webhook so you know an event is authentic before you act on it.
  • Verification adapters started with a handful of providers (Stripe, GitHub, Shopify, Slack, and the Standard Webhooks scheme) and grew in waves — through a config-driven signature registry — to dozens, and then to 142 providers across HMAC, JWT, and asymmetric (Ed25519, ECDSA, RSA) signing, including certificate- and JWKS-based schemes.
  • Provider-secret management. Store a provider’s signing secret (encrypted at rest) per endpoint from the dashboard, API, CLI, or MCP, so inbound events are verified automatically.
  • Verification handshakes. Endpoints answer the one-time verification challenges that providers send on setup (for example CRC echo, hub.challenge, and provider-specific activation handshakes), so registering your ingest URL with a provider just works.
  • A public providers wall lists every supported provider with its logo.
June 29, 2026
DashboardAPISecurity
Accounts & dashboard

sign-in and the dashboard

Accounts at auth.webhook.co and a web dashboard at app.webhook.co.
  • Sign in with a social provider or a magic link (bot-protected), including a device flow so the CLI can log you in from the browser.
  • Endpoint management. Create, rename, rotate, and delete endpoints from the dashboard, API, CLI, and MCP.
  • Events. Browse events with a list and detail view, search and filter by provider, date, endpoint, and verification status, and open a payload viewer with raw-body download.
  • API keys. Mint and revoke API keys with a one-time secret reveal; keys are self-describing and checksummed (whk_…) so a malformed key is rejected at the edge.
June 24, 2026
CLI
CLI & distribution

the wbhk CLI

A full command-line client for working with your webhooks from the terminal, plus first-class distribution.
  • Core commands. wbhk login / whoami, list endpoints and events, verify the audit trail, and inspect payloads.
  • Live tail & forwarding. wbhk listen streams events live over a WebSocket tunnel, with --since (now / beginning / a duration / a timestamp) and --forward to relay events to a local URL. Cross-run resume picks up from the last cursor.
  • Replay to localhost. wbhk replay --forward replays a captured event to your local server, and replay --edit lets you tweak the payload first.
  • Quality of life. Named profiles, wbhk doctor diagnostics, an interactive replay-browser TUI, OS-keychain credential storage, and bash/zsh/fish completions.
  • Distribution. Install via curl | sh, npm (@webhook-co/cli), or a Homebrew tap; cross-compiled signed binaries for every platform with build provenance; wbhk upgrade self-update; and anonymous, opt-out usage telemetry.
June 14, 2026
API
Launch

the free, permanent signed ingest URL

webhook.co launched with the core idea: a free, permanent ingest URL you can point any webhook at.
  • A permanent signed ingest URL at wbhk.my that accepts any HTTP method (and answers provider setup handshakes), captures the full request, and stores it encrypted at rest — no expiry, no sign-up wall to start receiving.
  • Inspect every request — headers, body, and metadata — for each event.
  • One-command replay to localhost, so you can develop against real captured payloads without redeploying.
  • www.webhook.co — the marketing site and homepage, with a live inspector demo.