Skip to content
soonThe webhook.co MCP server — turn any webhook into an agent event. See the roadmap

Acceptable Use Policy

Last updated: 11 July 2026

In short (this summary isn't the policy, but it's honest): webhook.co takes in whatever you send to a URL and can deliver it onward to a destination you choose. That is exactly what makes it useful, and exactly what would make it good attack infrastructure — so: don't use it as any. Send data you're allowed to send. Deliver only to systems you own or are authorised to hit. No spam, no open relay, no using our outbound side to flood or probe someone else. We don't monitor your payloads, but if we learn you're doing this we will act.

1. Who this applies to, and how it fits together

This Acceptable Use Policy (the “AUP”) applies to everyone who uses the hosted webhook.co service — account holders, their team members, and anyone acting through their credentials. It forms part of our Terms of Service, and the definitions there apply here. If the two ever conflict on a use question, this policy wins.

You are responsible for what happens under your account, including what your own users cause to be sent through it. Passing our rules along to the people you build for is on you.

2. Why this policy is strict

Most services only accept data from people who already have accounts. We don't: a webhook endpoint is a public URL that accepts arbitrary requests from anyone who knows it, and outbound delivery and replay will send data onward to a destination you nominate. Together that is a general-purpose relay, and a general-purpose relay in the wrong hands is a spam cannon, a scanner, or a command-and-control channel.

We'd rather say plainly what we won't host than pretend the risk isn't there.

3. What you must not do

Illegal or unauthorised data.Don't send, store, or process data that is illegal, that you have no lawful right to process, or that infringes someone else's rights. This includes child sexual abuse material, which we report to the authorities without notice to you and which results in immediate, permanent termination.

Attack infrastructure.Don't use the Service to build or operate anything that attacks other systems. Specifically, don't:

  • distribute malware, exploits, or ransomware, or run command-and-control through webhook endpoints, triggers, or delivery destinations;
  • use outbound delivery or replayto flood, stress, scan, probe, or otherwise attack any host you don't own or aren't explicitly authorised to test — the destination being “just a URL you configured” is not authorisation;
  • use the Service to reach systems you shouldn't be able to reach, or to disguise the origin of traffic;
  • conduct security testing against anyone else's systems through us. Testing your own systems is fine and is a normal use of replay.

Spam and unsolicited messaging.Don't use the Service to send unsolicited bulk messages, to operate an open relay, or to deliver anything a recipient has told you to stop sending.

Phishing and deception.Don't use the Service to impersonate anyone, to harvest credentials, or to run any scheme whose point is to deceive.

Our systems.Don't probe, disrupt, reverse-engineer, or attempt to defeat the security of the Service; don't try to reach data that isn't yours; don't deliberately overload us. If you find a vulnerability, tell us — see below.

Plan and quota evasion.Don't resell or sublicense the Service outside your account, share it beyond your organisation, or create multiple accounts to get around plan limits or the one-time free allowance.

4. Regulated data — allowed, but at your risk

The Service is not designed for, and is not certified to handle, protected health information under HIPAA, full cardholder data under PCI DSS, or similarly regulated categories. We hold no SOC 2, ISO 27001, HIPAA, or PCI certification, and we do not sign BAAs.

You may choose to send such data anyway — we won't inspect your payloads to stop you — but if you do, you do so entirely at your own risk and you are solely responsible for meeting whatever obligations apply to it. Bear in mind that the Service stores request bodies and headers as received, unredacted, because inspecting them is the product.

5. Monitoring: what we do and don't do

We do not monitor the contents of your webhooks.We don't scan your payloads for policy violations, and nothing here should be read as a promise that we will. We rely on automated abuse signals, provider reports, and complaints.

We reserve the right, but not the duty, to investigate a suspected violation and to look at the minimum data necessary to do so. That is a deliberate asymmetry: we want the ability to act on abuse without implying we are reading your data in the ordinary course. We are not.

6. What happens if you break these rules

Depending on what we find, and how bad it is, we may: ask you to fix it; disable a specific endpoint, destination, or key; suspend your account; or terminate it. We'll usually contact you first and give you a chance to put it right.

We may act immediately and without notice where the harm is serious or ongoing — an active attack, an ongoing spam run, illegal content, a threat to the Service or to other customers, or where the law requires it. In those cases we'll tell you what happened as soon as we reasonably can.

Suspension or termination for a violation of this policy is not refundable, consistent with §6 of the Terms.

7. Reporting abuse, and reporting vulnerabilities

If you believe someone is using webhook.co in breach of this policy, email sourabh@webhook.co with as much detail as you can give us — endpoint URLs, timestamps, and what you observed.

If you've found a security vulnerability in the Service, email sourabh@webhook.co. Report it to us first and give us a reasonable chance to fix it, don't access or alter data that isn't yours while investigating, and we won't pursue you for good-faith research that follows those rules.

8. Changes

This is a young service and abuse patterns change, so we may update this policy. If we make a material change we'll update the date at the top and, for anything that would meaningfully restrict how you already use the Service, give you reasonable notice by email or in the dashboard.