Capture and Inspect Inbound Webhooks

The Webhook Inspector gives you a unique URL that captures every incoming HTTP request. Use it to debug third-party webhook integrations, inspect headers, verify signatures, and replay deliveries — all without deploying a server.

What You'll Learn

  • How to send a test webhook and capture the full request
  • How to inspect headers, body, and metadata for each delivery
  • How to validate HMAC-SHA256 webhook signatures

Prerequisites

Before you start: You need an API key. Follow the Platform Quick Start to get one.

  • curl (or any HTTP client)
  • A valid API key in the X-API-KEY header

Step 1: Send a Test Webhook

Your account includes a webhook capture endpoint. Send any HTTP request to it and the service records the full delivery.

bash
# Send a test webhook payload
curl -X POST /api/webhook-inspector/hooks/test \
  -H "Content-Type: application/json" \
  -H "X-API-KEY: your-api-key" \
  -H "X-Webhook-Signature: sha256=abc123" \
  -d '{
    "event": "order.completed",
    "orderId": "ORD-9876",
    "amount": 49.99,
    "currency": "USD"
  }'
python
import requests

resp = requests.post(
    "/api/webhook-inspector/hooks/test",
    headers={
        "X-API-KEY": "your-api-key",
        "X-Webhook-Signature": "sha256=abc123"
    },
    json={
        "event": "order.completed",
        "orderId": "ORD-9876",
        "amount": 49.99,
        "currency": "USD"
    }
)
print(resp.json())
Response — 200 OK
{
  "status": "OK",
  "data": {
    "deliveryId": "dlv_f1e2d3c4",
    "hookPath": "/hooks/test",
    "receivedAt": "2026-03-26T17:00:00Z",
    "message": "Webhook captured successfully"
  }
}

Step 2: View Captured Delivery

Retrieve the full captured request including method, headers, body, and source IP.

bash
curl -X GET "/api/webhook-inspector/deliveries/dlv_f1e2d3c4" \
  -H "X-API-KEY: your-api-key"
Response — 200 OK
{
  "status": "OK",
  "data": {
    "deliveryId": "dlv_f1e2d3c4",
    "method": "POST",
    "path": "/hooks/test",
    "headers": {
      "content-type": "application/json",
      "x-webhook-signature": "sha256=abc123",
      "user-agent": "curl/8.4.0"
    },
    "body": "{\"event\":\"order.completed\",\"orderId\":\"ORD-9876\",\"amount\":49.99,\"currency\":\"USD\"}",
    "sourceIp": "203.0.113.42",
    "receivedAt": "2026-03-26T17:00:00Z",
    "contentLength": 78
  }
}

Every header, the raw body, and the source IP are preserved. Use this to debug exactly what a third-party service is sending you.

Step 3: Signature Validation

Many webhook providers sign payloads with HMAC-SHA256. The inspector can verify signatures for you if you provide the signing secret.

bash
curl -X POST "/api/webhook-inspector/deliveries/dlv_f1e2d3c4/verify" \
  -H "Content-Type: application/json" \
  -H "X-API-KEY: your-api-key" \
  -d '{
    "signingSecret": "whsec_your_secret_here",
    "signatureHeader": "x-webhook-signature",
    "algorithm": "HMAC_SHA256"
  }'
Response — 200 OK
{
  "status": "OK",
  "data": {
    "valid": false,
    "expectedSignature": "sha256=9f8e7d6c5b4a...",
    "receivedSignature": "sha256=abc123",
    "algorithm": "HMAC_SHA256"
  }
}

Note: Our test signature abc123 doesn't match. In production, the provider's real signature would validate against your signing secret.

Integration Tips

  • Development mode: Point third-party webhooks (Stripe, GitHub, etc.) at your inspector URL during development to see the exact payload format.
  • Replay deliveries: Use the /deliveries/{id}/replay endpoint to forward a captured webhook to your actual endpoint for testing.
  • Auto-expire: Captured deliveries are retained for 72 hours by default. Set a custom TTL per hook path.
  • Multiple paths: Use different hook paths (/hooks/stripe, /hooks/github) to organize deliveries by source.

Next Steps