Skip to main content
wbhk is the webhook.co command-line client. It does everything the dashboard does — create endpoints, inspect events, stream deliveries to your machine, replay them to localhost, manage destinations and agent triggers — and it does it in a form you can pipe into jq and drop into a script.

Install and sign in

brew install webhook-co/tap/wbhk
# needs Node >= 22; installs the `wbhk` command
npm install -g @webhook-co/cli
# standalone binary, no Node required (macOS / Linux)
curl -fsSL https://get.webhook.co -o install-wbhk.sh
sh install-wbhk.sh
Then authenticate:
wbhk login          # opens your browser
wbhk whoami         # confirm the org, scopes, and key handle
login runs a browser OAuth flow by default, validates the minted credential, and stores a short-lived, scoped key in your OS keychain. From there the CLI refreshes the access token silently — you stay logged in without a long-lived secret sitting on disk.

Installation channels

Every channel lands the same wbhk binary or package.
ChannelHowNotes
Homebrewbrew install webhook-co/tap/wbhkmacOS and Linux. Upgrade with brew upgrade wbhk.
npmnpm install -g @webhook-co/cliNeeds Node >= 22. Or run ad-hoc with npx @webhook-co/cli --help.
Install scriptDownload get.webhook.co and run itDetects your OS/arch, downloads the matching binary, verifies its SHA-256, and installs it. Set WBHK_INSTALL_DIR to change the target, WBHK_VERSION to pin a release.
Standalone binaryDownload from GitHub releasesSigned binaries for macOS, Linux, and Windows. No runtime required.
WindowsThe wbhk-windows-x64.exe from releases, or ScoopUpgrade a Scoop install with scoop update wbhk.
Every release is built in CI with sigstore-signed build provenance, so a downloaded binary is independently verifiable — the provenance proves it was built from this repository’s GitHub Actions, not hand-uploaded. Verify a binary with gh attestation verify, or check an npm install with npm audit signatures.

Signing in

wbhk login supports three credential flows. All of them validate the credential before anything is written, so a bad key stores nothing.
FlowCommandWhen to use
Browser (default)wbhk loginInteractive. Opens a browser, captures the code on a localhost redirect.
Devicewbhk login --deviceHeadless or remote boxes — prints a code and a URL to approve elsewhere.
API keywbhk login --api-keyAuthenticate with an existing key via a hidden prompt. Pipe one in with wbhk login --stdin, or set WBHK_API_KEY for a never-persisted headless run.
The key is never taken as a command-line argument — that would leak it into your shell history and the process list. It comes from a hidden prompt or stdin. wbhk logout clears the stored credential. For an OAuth credential it also revokes the token server-side, so a logged-out session stops working everywhere — not just on this machine.
Credentials go into your OS keychain when one is available. On a box without a keychain helper, wbhk login --insecure-storage falls back to a 0600 config file. wbhk doctor tells you which backend is in use.

Global flags

Every command accepts the same four global flags.
FlagDefaultWhat it does
--output text or jsontextjson is the machine-readable view — the format to pipe into jq.
--api-url <url>hosted APIPoint the CLI at a different API base URL.
--color / --no-colorautoForce color on or off; unset auto-detects from your terminal.
--profile <name>activeRun against a named profile without switching the active one.

Profiles for multiple accounts

A profile is a named credential plus its base URL — keep a work org and a personal org side by side.
wbhk --profile work login     # create the profile by logging into it
wbhk profile use work         # make it the active profile
wbhk profile current          # show the active profile and where it's set
wbhk profile list             # list all profiles (the active one is marked)
Profile selection resolves in order: --profile beats the WBHK_PROFILE env var, which beats the persisted active profile, which falls back to default. When a command runs against a non-default profile, wbhk prints a one-line stderr banner so a run against staging or prod never surprises you.

Diagnostics, updates, telemetry

  • wbhk doctor runs local, silent checks and reports the CLI version, active credential and its source, config-file health, API reachability, and clock skew. It exits non-zero only for a must-fix local misconfiguration (a corrupt or world-readable config); transient things stay warnings.
  • wbhk upgrade updates a standalone binary in place after verifying the download’s checksum and build provenance; --check just reports whether an update is available. A package-managed install is detected and pointed at its own updater.
  • wbhk telemetry status / off manages anonymous, opt-out usage telemetry — which commands ran, the CLI version, and OS/arch, never your data or credentials. Off automatically in CI, or set WBHK_TELEMETRY=0.
  • wbhk completion bash|zsh|fish prints a shell tab-completion script to standard output; save it and source it from your shell config. Completions defer to wbhk itself, so they always reflect the live command set.

Next