Skip to main content
Here’s how webhook.co protects your data day to day. For the engineering detail behind each point, see security & architecture.

Encrypted in transit and at rest

Everything travels over TLS, and your data is encrypted where it’s stored. The API and SDKs are HTTPS-only — the one exception is loopback, for local development.

Secrets are sealed

Your provider signing secrets, outbound signing keys, and ingest tokens are sealed with a key management service and only unsealed by the engine that needs them — never sitting in plaintext.

One organization can't see another

Tenant isolation is enforced by the database itself (row-level security), not by application code remembering to filter. A query is constrained to its organization at the lowest level.

Delivery can't be turned on your network

Outbound delivery only targets destinations you’ve allowlisted, re-validates every URL, and refuses private or internal addresses — so a misconfigured destination can’t be used to reach inside a network.

Private by default

Nothing you create is public, listed, or shared with anyone until you deliberately make it so. There’s no accidental public view of your endpoints or events.

The audit log

Verify the record of what happened.

Security & architecture

The full engineering detail.