Capture is the floor
The first thing webhook.co does with a request is store its exact bytes. Verification, deduplication, and delivery all run after that durable capture — so a malformed signature, an unknown provider, or a downstream hiccup can never cost you the event. Everything else is something you can re-run against a payload that is already safely stored.The steps
- Ingest. Requests arrive at a free, permanent, signed ingest URL on a dedicated, cookieless apex. Every HTTP verb is accepted, and provider verification handshakes are answered automatically.
- Verify. If you’ve registered a signing secret for a provider, the signature is checked against the captured bytes and the event is marked with its verification state. Verification is best-effort — it never blocks capture, and an event can be verified retroactively.
- Dedup. Deduplication collapses a sender’s retries into the single event you already captured. It’s off by default, so you see every request while you get set up.
- Store. The event — raw body, normalized headers, method, provider, and verification result — is kept so you can inspect, search, tail, and replay it at any time.
- Deliver. Forward events to a destination with at-least-once delivery, the fixed exponential retry schedule, and optional Standard Webhooks signing on the way out.