Skip to main content
Every wbhk command accepts the global flags: --output (text or json), --api-url, --color / --no-color, and --profile. Add --output json to any read command for a machine-readable view. Run wbhk <command> --help for the live surface.

Auth and session

CommandKey flagsDescription
wbhk login--device, --api-key, --stdin, --insecure-storageAuthenticate and store a credential. Browser OAuth by default; --device for headless, --api-key/--stdin for an existing key.
wbhk logoutClear the stored credential; revoke the OAuth token server-side if there is one.
wbhk whoamiShow the authenticated org, scopes, and redacted key handle.
wbhk profile use <name>Switch the active profile.
wbhk profile currentShow the active profile and where it’s set.
wbhk profile listList configured profiles; the active one is marked.
wbhk profile remove <name>Delete a profile and its stored credential.
wbhk doctorLocal diagnostics: auth, config, connectivity, clock.

Endpoints

An endpoint is a webhook.co URL that captures inbound requests. create and rotate reveal the ingest URL; it’s shown then and stays viewable in your dashboard and via endpoints reveal.
CommandKey flagsDescription
wbhk endpoints list--name, --limit, --cursor, --allList your endpoints. --name filters by case-insensitive substring.
wbhk endpoints get <endpointId>Show a single endpoint.
wbhk endpoints create <name>--dedup-mode, --dedup-window, --dedup-field, --dedup-excludeCreate an endpoint and reveal its ingest URL.
wbhk endpoints update <endpointId>dedup flags, --dedup-resetUpdate an endpoint’s deduplication config; --dedup-reset clears it.
wbhk endpoints delete <endpointId>--yesDelete an endpoint. Its ingest URL stops accepting events; captured events are kept.
wbhk endpoints rotate <endpointId>--yesRevoke the current ingest URL and reveal a new one.
wbhk endpoints reveal <endpointId>Re-display the current ingest URL. Doesn’t rotate; audited server-side.
wbhk endpoints add-provider-secret <endpointId>--provider (required), --label, --kindRegister a provider secret for inbound verification. Read via prompt or stdin — never an argument.
wbhk endpoints list-provider-secrets <endpointId>List an endpoint’s provider secrets (metadata only).
wbhk endpoints revoke-provider-secret <endpointId> <secretId>--yesRevoke a provider secret; verification stops honoring it immediately.
delete, rotate, and revoke-provider-secret prompt for confirmation in an interactive terminal, or take --yes; non-interactively without --yes they refuse. --kind is signing_secret (default) or verify_token (a Meta hub.verify_token handshake token). Dedup modes are validated at the CLI before the request.

Events

CommandKey flagsDescription
wbhk events list <endpointId>--provider, --status, --after, --before, --search, --limit, --cursor, --allList captured events for an endpoint.
wbhk events get <eventId>Show a single event in full.
wbhk events payload <eventId>Print the event’s raw body. --output json emits a lossless base64 envelope (the safe view for binary).
List filters:
FlagDescription
--provider <p>Filter by provider. Repeatable or comma-separated for multi-select.
--status <state>Filter by verification state: verified, authenticated, failed, or unattempted. Repeatable / comma-separated.
--after <ts>Events received at or after this time (ISO-8601 / RFC3339).
--before <ts>Events received strictly before this time.
--search <term>Substring search over event/provider/external ids and request header names/values.
--limit <n>Max results per page (1–200).
--cursor <token>Resume from a nextCursor (advanced).
--allFollow the cursor to the end and return every page.

Deliveries

Outbound deliveries — auto-deliveries to subscribed destinations, plus manual replay attempts.
CommandKey flagsDescription
wbhk deliveries list--status, --destination, --subscription, --limit, --cursor, --allList outbound deliveries.
wbhk deliveries get <deliveryId>Show a single delivery in full.
--status filters by queued, pending, delivered, failed, dead, blocked, or forwarded (repeatable / comma-separated). --destination and --subscription filter to one id.

Listen

Stream an endpoint’s events live over a signed tunnel, or forward each one to localhost. In an interactive terminal this opens a browsable replay TUI; piped, it’s a plain line tail (--output json gives NDJSON). See replay to localhost.
FlagDescription
--forward <url>Re-deliver each event to a loopback URL (signature-preserving), cursor-gated so each event is recorded only after a local 2xx.
--since <where>Where to start on the first connect: now (default), beginning, from-last-ack, or an explicit <cursor>.
--resumeResume from the last cursor this (profile, endpoint) acked, and keep saving it.
--resetForget the saved resume cursor before starting.
--max-backlog <n>Refuse to replay if more than N events are behind — avoids firing a large backlog at --forward.
--tunnel-url <wss>Override the tunnel URL.

Replay

Re-deliver a captured event, either to your machine or to a registered destination.
FlagDescription
--forward <url>The CLI delivers the event (exact bytes + original headers) to your loopback URL, then records the attempt on a local 2xx.
--destination <id>The server delivers the stored bytes to a registered destination and records the real outcome. Mutually exclusive with --forward.
--editOpen the payload in $EDITOR before forwarding (--forward only). The original signature won’t re-verify the edited body — you’ll be warned.

Replay destinations

The org’s allowlist of remote HTTPS URLs a server-side replay may deliver to. Referencing a destination by id — never a free-form URL — is a deliberate safety control. See send to a destination.
CommandKey flagsDescription
wbhk replay-destinations add <url>--labelAllow an HTTPS URL as a replay destination. Reveals a signing secret once.
wbhk replay-destinations listList the org’s allowed destinations.
wbhk replay-destinations remove <destinationId>Remove a destination from the allowlist.
wbhk replay-destinations enable <destinationId>Re-enable a destination that auto-disabled on persistent failure.
wbhk replay-destinations set-ordered <destinationId> <mode>Set strict-FIFO (on) vs best-effort (off) delivery.
wbhk replay-destinations rotate-secret <destinationId>Mint a fresh signing secret (shown once); the prior key overlaps briefly.
wbhk replay-destinations list-secrets <destinationId>List a destination’s signing-secret metadata (never the value).

Subscriptions

Routing rules that auto-deliver a source endpoint’s captured events to a destination.
CommandKey flagsDescription
wbhk subscriptions add <sourceEndpointId> <destinationId>--provider, --event-type, --require-verifiedAuto-deliver the endpoint’s events to the destination.
wbhk subscriptions list--endpointList the org’s subscriptions; --endpoint filters to one source.
wbhk subscriptions remove <subscriptionId>Remove a subscription.
--provider limits routing to one provider (default: any). --event-type selects event-type patterns — exact, charge.*, or * — repeatable or comma-separated (default *). --require-verified routes only events whose source was authenticated — the verified and authenticated states — excluding unattempted and failed.

Triggers

Webhook-to-agent trigger subscriptions: register to be woken when an endpoint captures an event, then consume those events. A trigger creates no outbound delivery — it only lets you consume events you can already read.
CommandKey flagsDescription
wbhk triggers add <endpointId>--nameSubscribe to an endpoint to receive triggers.
wbhk triggers list--endpointList the org’s active triggers.
wbhk triggers wait <triggerId>--cursor, --limit, --no-body, --max-body-bytesConsume the next events for a trigger (short-poll — returns what’s past the cursor; call again to continue).
wbhk triggers revoke <triggerId>Revoke a trigger.
For wait: --cursor resumes from a prior call’s nextCursor; --limit caps events (1–200); --no-body skips the inline body for a cheaper poll; --max-body-bytes caps each inline body (1–65536).

Usage, audit, maintenance

CommandKey flagsDescription
wbhk usageShow the org’s metering usage for the current period.
wbhk audit verifyWalk the org’s tamper-evident audit chain and report the first break. A detected break exits non-zero, so a cron/CI run alerts.
wbhk upgrade--checkUpdate wbhk to the latest release (checksum + provenance verified); package installs defer to their own updater.
wbhk telemetry on/off/statusManage anonymous, opt-out usage telemetry.
wbhk completion bash/zsh/fishPrint a sourceable shell tab-completion script.