Register the destination
A destination is an HTTPS-only allowlist entry. In the dashboard, add a destination under Settings → Destinations.
add validates the URL structurally — HTTPS, a public hostname, no IP-literal host, an allowed port — and the authoritative private-range/SSRF guard runs again at delivery time.Subscribe a source endpoint to it
A subscription is the routing rule: captured events from the source endpoint auto-deliver to the destination. The zero-config default routes everything; narrow it with
--provider, --event-type patterns (exact, charge.*, or *), and --require-verified to route only events whose source was authenticated (the verified and authenticated states — excluding unattempted and failed).Ordering, enabling, disabling
By default each delivery retries independently (best-effort). Turn on strict FIFO — deliver in order, where a stuck delivery head-of-line-blocks newer ones until it succeeds or dead-letters — with the requiredon/off mode:
wbhk replay-destinations remove <id> — it can no longer be a delivery target, and is easily re-added. If a destination auto-disabled after repeated failures, re-enable it — see handle delivery failures.
Destinations and subscriptions are deliberately not exposed over MCP — only over the CLI, API,
and dashboard. This is a security property, not a gap: an AI agent must never be able to
reconfigure where an org’s event stream is sent, or it could steer your data to a destination of
its choosing. Egress routing is a human-only control.