Webhooktrap is a developer debugging tool, not production infrastructure. It’s designed for inspecting webhook payloads during development and sharing individual events with teammates in a controlled way. The security model reflects that purpose: every ingest URL is served over HTTPS, sensitive credential headers are automatically stripped before storage, dashboard access requires authentication, and sharing is scoped to individual read-only events. The sections below explain each property in detail.

HTTPS Ingest

Every ingest URL (https://webhooktrap.dev/i/:inboxId) is served over TLS. Payloads are encrypted in transit between your provider and the Webhooktrap inbox — no unencrypted HTTP ingest path exists. This means the event data your provider sends cannot be read by a network observer between the provider and Webhooktrap’s servers.

Header Redaction

The authorization and cookie headers are stripped from every incoming request before the payload is written to storage. They are never persisted. Signature headers used for HMAC verification — Stripe-Signature, X-Hub-Signature-256, and X-Shopify-Hmac-Sha256 — are preserved exactly as sent, so you can test your signature validation logic against real provider values.
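The following Python is an added example, not Webhooktrap's own code. It shows both halves of this section as a webhook consumer would exercise them: a redaction step that drops Authorization and Cookie (matched case-insensitively) before an event is stored, and HMAC checks that read the preserved X-Hub-Signature-256 and Stripe-Signature values. The header formats follow GitHub's `sha256=<hex>` scheme and Stripe's `t=<ts>,v1=<hex>` scheme; the secret, body, timestamps and the junk credential values are constructed for the demo.

```python
import hashlib
import hmac

# Credential headers that are dropped before anything is written to storage.
# Names are compared case-insensitively, so "AUTHORIZATION" is dropped too.
REDACTED_HEADERS = {"authorization", "cookie"}


def redact_headers(headers):
    """Return a copy of `headers` without Authorization/Cookie, keeping everything else
    (including signature headers such as Stripe-Signature) exactly as sent."""
    return {name: value for name, value in headers.items()
            if name.lower() not in REDACTED_HEADERS}


def verify_github_signature(body, header_value, secret):
    """Validate an X-Hub-Signature-256 value: "sha256=<hex of HMAC-SHA256(secret, body)>"."""
    scheme, _, digest = header_value.partition("=")
    if scheme != "sha256" or not digest:
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(digest, expected)


def verify_stripe_signature(body, header_value, secret, now, tolerance=300):
    """Validate a Stripe-Signature value: "t=<unix ts>,v1=<hex>[,v1=<hex>...]".

    The signed string is "<ts>.<raw body>". A timestamp more than `tolerance`
    seconds away from `now` is rejected, so an old captured event cannot be
    accepted long after the provider sent it.
    """
    timestamp, candidates = None, []
    for part in header_value.split(","):
        key, _, value = part.partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates or not timestamp.isdigit():
        return False
    if abs(now - int(timestamp)) > tolerance:
        return False
    signed = timestamp.encode() + b"." + body
    expected = hmac.new(secret, signed, hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(c, expected) for c in candidates)


def make_sample_request(secret, sent_at):
    """Constructed provider request: a raw body plus the headers a provider might attach.

    The signatures are computed here purely to simulate what a real provider
    would send; the Authorization and Cookie values are deliberately junk.
    """
    body = b'{"id":"evt_constructed_1","type":"ping"}'
    github_sig = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    stripe_payload = str(sent_at).encode() + b"." + body
    stripe_sig = "t=%d,v1=%s" % (sent_at, hmac.new(secret, stripe_payload, hashlib.sha256).hexdigest())
    headers = {
        "Content-Type": "application/json",
        "Authorization": "Bearer constructed-secret-token",
        "Cookie": "session=constructed-cookie",
        "X-Hub-Signature-256": github_sig,
        "Stripe-Signature": stripe_sig,
    }
    return headers, body


def capture_event(headers, body):
    """What reaches storage: redacted headers and the untouched raw body."""
    return {"headers": redact_headers(headers), "body": body}


if __name__ == "__main__":
    secret = b"whsec_constructed_example"  # constructed signing secret
    headers, body = make_sample_request(secret, sent_at=1_700_000_000)
    event = capture_event(headers, body)
    print(sorted(event["headers"]))  # Authorization and Cookie are gone
    print(verify_github_signature(event["body"], event["headers"]["X-Hub-Signature-256"], secret))
    print(verify_stripe_signature(event["body"], event["headers"]["Stripe-Signature"], secret, now=1_700_000_010))
```

The raw body is stored byte-for-byte because both schemes sign the exact bytes on the wire; re-serialising parsed JSON before verifying is a common reason a signature check fails against a captured event.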

Auth-Gated Dashboard

Saved inboxes, captured events, and replay history are accessible only to authenticated users. You can sign in with GitHub OAuth, Google OAuth, or email and password. Anonymous inboxes have no owner and expire after 48 hours — they are not linked to any account and are not accessible from the authenticated dashboard.

Read-Only Share Links

You can share an individual captured event with a teammate by generating a read-only link. The recipient can inspect headers and the request body but cannot replay the event, delete it, or access any other inbox or event. No Webhooktrap account is required to view a shared link. Access is scoped strictly to the one event you chose to share.
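The following Python is an added example of the access model this section describes; it is an assumed design for illustration, not Webhooktrap's implementation. A share link is an unguessable random token bound to exactly one event id and only ever grants "view"; replay and delete require an owner session, and a token for one event is refused on any other. Only a hash of each token is kept server-side, so a copy of the store does not hand out live links. The `ShareLinkStore` and `EventService` classes, event ids and the action names are all constructed for the demo.

```python
import hashlib
import secrets


class ShareLinkStore:
    """Per-event, read-only share links (assumed design, not Webhooktrap's code)."""

    def __init__(self):
        self._links = {}  # sha256(token) -> event_id the token was minted for

    @staticmethod
    def _fingerprint(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, event_id):
        """Mint a link for one event. 32 random bytes gives an unguessable token."""
        token = secrets.token_urlsafe(32)
        self._links[self._fingerprint(token)] = event_id
        return token

    def revoke(self, token):
        """Invalidate a link; later lookups for it fail closed."""
        self._links.pop(self._fingerprint(token), None)

    def authorize(self, token, event_id, action):
        """Grant only 'view', and only on the exact event the token was minted for."""
        if action != "view" or not token:
            return False
        return self._links.get(self._fingerprint(token)) == event_id


class EventService:
    """Toy event store whose mutating operations require an owner session, never a share token."""

    def __init__(self):
        self.events = {}  # event_id -> captured event (constructed)
        self.share_links = ShareLinkStore()

    def handle(self, action, event_id, share_token=None, owner_session=False):
        """Return (allowed, result). Share tokens can view their one event and nothing else."""
        if action == "view":
            if owner_session or self.share_links.authorize(share_token, event_id, "view"):
                return True, self.events.get(event_id)
            return False, None
        if action == "delete":
            if not owner_session:
                return False, None  # a share token never reaches the delete path
            self.events.pop(event_id, None)
            return True, None
        if action == "replay":
            if not owner_session:
                return False, None  # likewise, replay is owner-only
            return True, "replayed " + event_id
        return False, None  # unknown action: fail closed


if __name__ == "__main__":
    svc = EventService()
    svc.events["evt_a"] = {"body": '{"type":"ping"}'}
    svc.events["evt_b"] = {"body": '{"type":"other"}'}
    link = svc.share_links.create("evt_a")
    print(svc.handle("view", "evt_a", share_token=link))    # allowed
    print(svc.handle("view", "evt_b", share_token=link))    # refused: different event
    print(svc.handle("replay", "evt_a", share_token=link))  # refused: read-only
    print(svc.handle("delete", "evt_a", share_token=link))  # refused: read-only
```

Keeping the action check inside `authorize` (rather than trusting each route to remember it) is what makes the link read-only by construction: a new mutating route added later cannot accidentally accept a share token.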

Anonymous Inbox Data Minimization

Anonymous inboxes (created without an account) expire automatically after 48 hours. This limits how long captured payload data is retained for unauthenticated usage. If you need events to persist, create a free account and use a saved inbox — you control the retention by choosing when to delete the inbox.

Webhooktrap is a developer debugger. Do not route webhook payloads that contain personally identifiable information or other sensitive data through Webhooktrap if your security policy requires that data to remain on-premises or within a controlled environment. Use Webhooktrap with test-mode events and development credentials wherever possible.