Skip to main content
Inspecting webhooks is the whole point of webhook.co, so it’s important you know exactly how your payload data is handled — including the trade-offs.

Payloads are stored so you can inspect them

webhook.co stores request bodies and headers unredacted, because being able to inspect them is the product. Anything a provider sends — including secrets, tokens, or personal data in a payload — is stored as received. Treat your captured events as sensitive, and only send data you’re comfortable storing here.
Two things soften this:
  • Application logs are scrubbed. Our own logs redact secrets and keep only an allowlist of headers. It’s the stored events (for you to inspect) that hold the raw payload — not our logs.
  • You can delete an event. Deleting a captured event redacts its content immediately and purges the stored payload shortly after. (It doesn’t lower your usage — the event was already counted.) See events & usage.

Where your data lives

Your data is currently hosted primarily in the United States — our database and object storage default to US regions. webhook.co does not offer EU data residency. If your compliance needs a contractual data-residency commitment, we’re not the right fit for that workload yet, and we’d rather say so up front. The DPA and privacy policy are the authoritative statements.

Your privacy rights

Compliance

What we’re certified for — and honestly, what we’re not.