What Webhooktrap captures
Every captured event includes the following fields:HTTP method
The request method used by the provider —
POST, GET, PUT, PATCH, or DELETE. Most webhook providers use POST, but Webhooktrap accepts any method.Request headers
All headers sent with the request, preserving original casing and order. Security-sensitive headers are redacted (see below).
URL and query string
The full path and any query parameters appended to the ingest URL, useful when providers embed identifiers or event types in the URL.
Raw request body
The unmodified request body as a string. JSON bodies are not parsed or pretty-printed; form-encoded and binary bodies are stored as-is.
Why full fidelity matters
Many webhook providers sign their payloads using an HMAC digest computed over the exact raw bytes of the body and specific headers. Any transformation — trimming whitespace, re-serializing JSON, or lowercasing header names — will change the digest and cause your signature verification to fail. Because Webhooktrap stores the raw, untouched payload, you can replay a captured event to your handler and run the same signature check your production code runs, with confidence that the bytes match what the provider originally sent.Example captured event
The API returns captured events in the following shape:stripe-signature is preserved exactly as sent. Your verification logic can read it directly from the captured event without any transformation.
Provider signature headers are preserved
Provider-specific signature headers — such asStripe-Signature, X-Hub-Signature-256 (GitHub), X-Shopify-Hmac-Sha256, and others — are ordinary headers from Webhooktrap’s perspective. They are stored faithfully alongside the rest of the request, so you can verify the signature locally or in your staging environment when you replay the event.