HTTPS Ingest
Every ingest URL (https://webhooktrap.dev/i/:inboxId) is served over TLS. Payloads are encrypted in transit between your provider and the Webhooktrap inbox — no unencrypted HTTP ingest path exists. This means the event data your provider sends cannot be read by a network observer between the provider and Webhooktrap’s servers.
Header Redaction
The authorization and cookie headers are stripped from every incoming request before the payload is written to storage. They are never persisted. Signature headers used for HMAC verification — Stripe-Signature, X-Hub-Signature-256, and X-Shopify-Hmac-Sha256 — are preserved exactly as sent, so you can test your signature validation logic against real provider values.
Auth-Gated Dashboard
Saved inboxes, captured events, and replay history are accessible only to authenticated users. You can sign in with GitHub OAuth, Google OAuth, or email and password. Anonymous inboxes have no owner and expire after 48 hours — they are not linked to any account and are not accessible from the authenticated dashboard.
Read-Only Share Links
You can share an individual captured event with a teammate by generating a read-only link. The recipient can inspect headers and the request body but cannot replay the event, delete it, or access any other inbox or event. No Webhooktrap account is required to view a shared link. Access is scoped strictly to the one event you chose to share.
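The behaviour described under Header Redaction, modelled as an added example (this is not Webhooktrap's code): credential headers are dropped with a case-insensitive match, and the preserved X-Hub-Signature-256 value still verifies against the raw body using GitHub's "sha256=" plus hex HMAC-SHA256 format. The secret, body, header values and function names are constructed for illustration.

```python
import hashlib
import hmac

# Header names the page says are stripped before storage.
REDACTED = {"authorization", "cookie"}


def redact_headers(headers):
    """Drop credential headers (case-insensitive); keep all others verbatim."""
    return {k: v for k, v in headers.items() if k.lower() not in REDACTED}


def verify_github_signature(secret, raw_body, headers):
    """Validate X-Hub-Signature-256: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    sent = next(
        (v for k, v in headers.items() if k.lower() == "x-hub-signature-256"), None
    )
    if sent is None or not sent.startswith("sha256="):
        return False
    expected = "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), sent.encode())


# Constructed sample request (not real provider data).
SECRET = b"constructed-test-secret"
BODY = b'{"action":"opened","number":1}'
INCOMING = {
    "Content-Type": "application/json",
    "Authorization": "Bearer constructed-token",
    "COOKIE": "session=constructed",
    "X-Hub-Signature-256": "sha256="
    + hmac.new(SECRET, BODY, hashlib.sha256).hexdigest(),
}


def demo():
    stored = redact_headers(INCOMING)
    return {
        "stored_names": sorted(stored),
        "valid": verify_github_signature(SECRET, BODY, stored),
        # Any change to the body bytes must fail verification.
        "tampered": verify_github_signature(SECRET, BODY + b" ", stored),
    }


if __name__ == "__main__":
    print(demo())
```

Verification must run over the exact bytes received; re-serialising the JSON before hashing changes the bytes and the check fails.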
