> ## Documentation Index
> Fetch the complete documentation index at: https://docs.webhook.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Changelog

> Notable user-facing changes to webhook.co — the API, CLI, SDKs, dashboard, and product, newest first.

This changelog covers notable user-facing changes to webhook.co — the API, SDKs, CLI, and product. The API is versioned in its path (`/v1`), and any breaking change ships under a new version.

<Update label="July 10, 2026" description="Agents & account controls">
  ## webhook→agent triggers, and account controls

  You can now turn an incoming webhook into an agent trigger, and you have new controls over your keys and your data.

  * **Webhook→agent triggers (MCP).** Subscribe a coding agent to one of your endpoints over MCP, then have it wait for the next matching event and receive the payload inline. Delivery is at-least-once, tracked by cursor so an agent can resume exactly where it left off. Triggers are managed from the API, CLI, MCP, and a dedicated dashboard view (create, list, revoke).
  * **Delete organization.** An owner-gated danger-zone action permanently deletes an organization and durably purges its stored payloads.
  * **Leaked API key guidance.** If one of your `whk_` API keys ever ends up in public source, a new remediation guide at docs.webhook.co/leaked-api-key walks through rotating it and re-securing your account.
</Update>

<Update label="July 7, 2026" description="Deduplication & dashboard">
  ## per-endpoint deduplication and a fuller dashboard

  Configurable deduplication landed, and the dashboard grew to cover the whole inbound-to-outbound loop.

  **Added**

  * **Per-endpoint deduplication.** Configure a dedup window and key per endpoint to collapse duplicate deliveries. Off by default; set it from the CLI (`wbhk endpoints update --dedup-*`), the API, MCP, or a new dashboard config panel.
  * **Live events in the dashboard.** A Live toggle on the events view streams new events as they arrive.
  * **Always-shown ingest URL.** An endpoint's signed ingest URL is now always visible on its detail page (and retrievable via the API), stored encrypted at rest — no more one-time reveal.
  * **Deliveries & destinations.** A deliveries view with per-destination detail, destination management, and one-click replay of a captured event to a registered destination.
  * **Provider-secret management** moved into the dashboard, with a searchable provider picker and brand logos.

  **Improved**

  * Payloads are stored content-addressed, so identical bodies are stored once.
  * The sidebar was regrouped into Inbound and Outbound, and Manage Credentials split into active and inactive tabs.

  **Changed**

  * Auto-delivery and replay only ever forward events whose signature was verified — an unverified event is never re-signed on the way out. Deliveries now show a clear signed/unsigned indicator for the source event.
</Update>

<Update label="July 4, 2026" description="Docs, OpenAPI & SDKs">
  ## documentation, an OpenAPI spec, and official SDKs

  Everything you need to build against webhook.co programmatically.

  * **docs.webhook.co** is live — full product documentation, quickstarts, and reference.
  * **OpenAPI 3.1 spec** generated directly from the API contract and published at `/openapi.json`, so it never drifts from the live API.
  * **Official SDKs** for **TypeScript**, **Python**, and **Go**, generated from that spec and published to npm, PyPI, and the Go module proxy.
</Update>

<Update label="July 1, 2026" description="Outbound delivery">
  ## outbound delivery

  Beyond capturing and replaying, webhook.co can now deliver verified events onward to your own HTTP destinations.

  * **Server-side delivery.** Register destinations and route verified events to them automatically, or replay any captured event to a destination on demand — all server-side, no local process required.
  * **Standard Webhooks signing.** Sign outbound deliveries with the Standard Webhooks scheme, re-signed at egress with your per-destination key so receivers can verify them.
  * **Automatic retries.** Failed deliveries retry on a fixed schedule with backoff; a destination that keeps failing is automatically disabled and the organization owner is emailed.
  * **Subscriptions & event types.** Per-provider event-type derivation lets you subscribe a destination to just the event types you care about.
  * **Deliveries API.** Read delivery history and status across the API, CLI, and MCP.
  * **Faster pagination.** Event and delivery lists use keyset pagination with an opaque, microsecond-exact cursor for stable, fast paging through large histories.
</Update>

<Update label="June 30, 2026" description="Signature verification">
  ## inbound signature verification, from a handful to 142 providers

  webhook.co verifies the signature on every incoming webhook so you know an event is authentic before you act on it.

  * **Verification adapters** started with a handful of providers (Stripe, GitHub, Shopify, Slack, and the Standard Webhooks scheme) and grew in waves — through a config-driven signature registry — to dozens, and then to **142 providers** across HMAC, JWT, and asymmetric (Ed25519, ECDSA, RSA) signing, including certificate- and JWKS-based schemes.
  * **Provider-secret management.** Store a provider's signing secret (encrypted at rest) per endpoint from the dashboard, API, CLI, or MCP, so inbound events are verified automatically.
  * **Verification handshakes.** Endpoints answer the one-time verification challenges that providers send on setup (for example CRC echo, `hub.challenge`, and provider-specific activation handshakes), so registering your ingest URL with a provider just works.
  * **A public providers wall** lists every supported provider with its logo.
</Update>

<Update label="June 29, 2026" description="Accounts & dashboard">
  ## sign-in and the dashboard

  Accounts at auth.webhook.co and a web dashboard at app.webhook.co.

  * **Sign in** with a social provider or a magic link (bot-protected), including a device flow so the CLI can log you in from the browser.
  * **Endpoint management.** Create, rename, rotate, and delete endpoints from the dashboard, API, CLI, and MCP.
  * **Events.** Browse events with a list and detail view, search and filter by provider, date, endpoint, and verification status, and open a payload viewer with raw-body download.
  * **API keys.** Mint and revoke API keys with a one-time secret reveal; keys are self-describing and checksummed (`whk_…`) so a malformed key is rejected at the edge.
</Update>

<Update label="June 24, 2026" description="CLI & distribution">
  ## the wbhk CLI

  A full command-line client for working with your webhooks from the terminal, plus first-class distribution.

  * **Core commands.** `wbhk login` / `whoami`, list endpoints and events, verify the audit trail, and inspect payloads.
  * **Live tail & forwarding.** `wbhk listen` streams events live over a WebSocket tunnel, with `--since` (now / beginning / a duration / a timestamp) and `--forward` to relay events to a local URL. Cross-run resume picks up from the last cursor.
  * **Replay to localhost.** `wbhk replay --forward` replays a captured event to your local server, and `replay --edit` lets you tweak the payload first.
  * **Quality of life.** Named profiles, `wbhk doctor` diagnostics, an interactive replay-browser TUI, OS-keychain credential storage, and bash/zsh/fish completions.
  * **Distribution.** Install via `curl | sh`, npm (`@webhook-co/cli`), or a Homebrew tap; cross-compiled signed binaries for every platform with build provenance; `wbhk upgrade` self-update; and anonymous, opt-out usage telemetry.
</Update>

<Update label="June 14, 2026" description="Launch">
  ## the free, permanent signed ingest URL

  webhook.co launched with the core idea: a free, permanent ingest URL you can point any webhook at.

  * **A permanent signed ingest URL** at wbhk.my that accepts any HTTP method (and answers provider setup handshakes), captures the full request, and stores it encrypted at rest — no expiry, no sign-up wall to start receiving.
  * **Inspect every request** — headers, body, and metadata — for each event.
  * **One-command replay to localhost**, so you can develop against real captured payloads without redeploying.
  * **[www.webhook.co](http://www.webhook.co)** — the marketing site and homepage, with a live inspector demo.
</Update>
