/v1), and any breaking change ships under a new version.
webhook→agent triggers, and account controls
You can now turn an incoming webhook into an agent trigger, and you have new controls over your keys and your data.- Webhook→agent triggers (MCP). Subscribe a coding agent to one of your endpoints over MCP, then have it wait for the next matching event and receive the payload inline. Delivery is at-least-once, tracked by cursor so an agent can resume exactly where it left off. Triggers are managed from the API, CLI, MCP, and a dedicated dashboard view (create, list, revoke).
- Delete organization. An owner-gated danger-zone action permanently deletes an organization and durably purges its stored payloads.
- Leaked API key guidance. If one of your
whk_API keys ever ends up in public source, a new remediation guide at docs.webhook.co/leaked-api-key walks through rotating it and re-securing your account.
per-endpoint deduplication and a fuller dashboard
Configurable deduplication landed, and the dashboard grew to cover the whole inbound-to-outbound loop.Added- Per-endpoint deduplication. Configure a dedup window and key per endpoint to collapse duplicate deliveries. Off by default; set it from the CLI (
wbhk endpoints update --dedup-*), the API, MCP, or a new dashboard config panel. - Live events in the dashboard. A Live toggle on the events view streams new events as they arrive.
- Always-shown ingest URL. An endpoint’s signed ingest URL is now always visible on its detail page (and retrievable via the API), stored encrypted at rest — no more one-time reveal.
- Deliveries & destinations. A deliveries view with per-destination detail, destination management, and one-click replay of a captured event to a registered destination.
- Provider-secret management moved into the dashboard, with a searchable provider picker and brand logos.
- Payloads are stored content-addressed, so identical bodies are stored once.
- The sidebar was regrouped into Inbound and Outbound, and Manage Credentials split into active and inactive tabs.
- Auto-delivery and replay only ever forward events whose signature was verified — an unverified event is never re-signed on the way out. Deliveries now show a clear signed/unsigned indicator for the source event.
documentation, an OpenAPI spec, and official SDKs
Everything you need to build against webhook.co programmatically.- docs.webhook.co is live — full product documentation, quickstarts, and reference.
- OpenAPI 3.1 spec generated directly from the API contract and published at
/openapi.json, so it never drifts from the live API. - Official SDKs for TypeScript, Python, and Go, generated from that spec and published to npm, PyPI, and the Go module proxy.
outbound delivery
Beyond capturing and replaying, webhook.co can now deliver verified events onward to your own HTTP destinations.- Server-side delivery. Register destinations and route verified events to them automatically, or replay any captured event to a destination on demand — all server-side, no local process required.
- Standard Webhooks signing. Sign outbound deliveries with the Standard Webhooks scheme, re-signed at egress with your per-destination key so receivers can verify them.
- Automatic retries. Failed deliveries retry on a fixed schedule with backoff; a destination that keeps failing is automatically disabled and the organization owner is emailed.
- Subscriptions & event types. Per-provider event-type derivation lets you subscribe a destination to just the event types you care about.
- Deliveries API. Read delivery history and status across the API, CLI, and MCP.
- Faster pagination. Event and delivery lists use keyset pagination with an opaque, microsecond-exact cursor for stable, fast paging through large histories.
inbound signature verification, from a handful to 142 providers
webhook.co verifies the signature on every incoming webhook so you know an event is authentic before you act on it.- Verification adapters started with a handful of providers (Stripe, GitHub, Shopify, Slack, and the Standard Webhooks scheme) and grew in waves — through a config-driven signature registry — to dozens, and then to 142 providers across HMAC, JWT, and asymmetric (Ed25519, ECDSA, RSA) signing, including certificate- and JWKS-based schemes.
- Provider-secret management. Store a provider’s signing secret (encrypted at rest) per endpoint from the dashboard, API, CLI, or MCP, so inbound events are verified automatically.
- Verification handshakes. Endpoints answer the one-time verification challenges that providers send on setup (for example CRC echo,
hub.challenge, and provider-specific activation handshakes), so registering your ingest URL with a provider just works. - A public providers wall lists every supported provider with its logo.
sign-in and the dashboard
Accounts at auth.webhook.co and a web dashboard at app.webhook.co.- Sign in with a social provider or a magic link (bot-protected), including a device flow so the CLI can log you in from the browser.
- Endpoint management. Create, rename, rotate, and delete endpoints from the dashboard, API, CLI, and MCP.
- Events. Browse events with a list and detail view, search and filter by provider, date, endpoint, and verification status, and open a payload viewer with raw-body download.
- API keys. Mint and revoke API keys with a one-time secret reveal; keys are self-describing and checksummed (
whk_…) so a malformed key is rejected at the edge.
the wbhk CLI
A full command-line client for working with your webhooks from the terminal, plus first-class distribution.- Core commands.
wbhk login/whoami, list endpoints and events, verify the audit trail, and inspect payloads. - Live tail & forwarding.
wbhk listenstreams events live over a WebSocket tunnel, with--since(now / beginning / a duration / a timestamp) and--forwardto relay events to a local URL. Cross-run resume picks up from the last cursor. - Replay to localhost.
wbhk replay --forwardreplays a captured event to your local server, andreplay --editlets you tweak the payload first. - Quality of life. Named profiles,
wbhk doctordiagnostics, an interactive replay-browser TUI, OS-keychain credential storage, and bash/zsh/fish completions. - Distribution. Install via
curl | sh, npm (@webhook-co/cli), or a Homebrew tap; cross-compiled signed binaries for every platform with build provenance;wbhk upgradeself-update; and anonymous, opt-out usage telemetry.
the free, permanent signed ingest URL
webhook.co launched with the core idea: a free, permanent ingest URL you can point any webhook at.- A permanent signed ingest URL at wbhk.my that accepts any HTTP method (and answers provider setup handshakes), captures the full request, and stores it encrypted at rest — no expiry, no sign-up wall to start receiving.
- Inspect every request — headers, body, and metadata — for each event.
- One-command replay to localhost, so you can develop against real captured payloads without redeploying.
- www.webhook.co — the marketing site and homepage, with a live inspector demo.