Skip to content
newThe webhook.co MCP server is live — turn any webhook into an agent event. Read the docs
security

Private by default, open at the core

Nothing you capture is listed or shared unless you make it so. Tenant isolation is enforced in the database, secrets live in a KMS, and the audit log is tamper-evident. The parts that verify and move your events are open source.

Private by default

Nothing is public, listed, or shared unless you explicitly make it so. There’s no directory of ingest URLs, no shared inbox, no default that leaks. The safe posture is the one you get without configuring anything.

Tenant isolation by row-level security

One organisation’s data is unreachable from another’s, and that boundary is enforced by Postgres row-level security — in the database, under every query — not only by application code that has to remember to filter. A missed WHEREclause can’t cross tenants.

Secrets in a KMS, encrypted in transit and at rest

Provider secrets and signing keys are wrapped with a key-management service using envelope encryption, bound to the tenant they belong to — a secret won’t unwrap for the wrong org. Nothing sensitive sits in plaintext config or source.

A tamper-evident audit log

Security-relevant actions are written to an append-only, hash-chained log, so a later edit to history is detectable rather than silent. It’s the record you want to have kept before you need it.

Your endpoints can't be turned into a probe

Replay and delivery send events to a URL youregister — which is exactly the shape of a request-forgery bug if nobody is watching. So all outbound traffic leaves through one chokepoint in the engine: every address a destination resolves to is checked before the connection is made, not just the hostname you typed, and a redirect can’t quietly move the target afterwards. If the check can’t be completed, the delivery doesn’t go — it fails closed.

Open source, so you can check

The core engine, the CLI, the MCP server, and the signing library are open source under the Apache License 2.0 at github.com/webhook-co. You can read exactly how a signature is verified and how a tenant is isolated, rather than taking our word for it.

Point a webhook at it. Watch it land.

Start free: a permanent URL, full inspection, one-command replay — and outbound delivery, because every feature is on every plan. Move up when you need more events.