OutworxOutworx Docs
Webhooks playground · Standalone

Capture, sign, and replay. No tunnel required.

Every account gets unique inbox URLs that capture incoming webhooks in real-time over Supabase Realtime. Send-test fires signed payloads at any handler, replay re-sends any capture to a new URL with a fresh timestamp, and the HMAC verifier covers Stripe, GitHub, Shopify, Square, Linear, HubSpot, Zoom, Zendesk, Slack, plus raw HMAC variants.

Free plan: 5 inboxes · 500 / 7dReplaces: RequestBin · Webhook.site · ngrok inspect
Get an inbox URLRead the deep dive
docs.outworx.io/webhooks

Webhooks

3 inboxes · 1,284 captures / 7d

New inbox

stripe-prod

live

Linked: Acme Payments

docs.outworx.io/i/whk_8f3a4c2…
812 captures
POST/payment_intent.succeeded
last just now

github-staging

live

Linked: Acme API

docs.outworx.io/i/whk_1c0d2b9…
134 captures
POST/pull_request.opened
last 14m ago

shopify-test

◼ Paused
docs.outworx.io/i/whk_3a7e9f1…
0 capturesno captures yet

Standalone-first

No project required. Sign in, get a URL, point a provider.

The webhooks workspace lives at /webhooks as a top-level surface — independent of any docs project. Most webhook capture tools either assume you're tunneling to localhost (ngrok) or that you're deep inside a docs platform. Outworx splits the difference.

Standalone workspace

No project link required. Free plan ships 5 inboxes and 500 captures over a 7-day window. You can ship debugging in 30 seconds.

Optional project link

If you DO link to a project that has an OpenAPI 3.1 spec declaring webhooks, the inbox surfaces the event catalog under the Events tab. Browse expected schemas without leaving the capture.

Tamper-proof ledger

Plan limits are enforced via an append-only ingest ledger. Once a row is in, the count can't be reset by deleting the capture — fairness by construction.

Replays that work

Replays re-sign. Old timestamps get fresh ones.

The point of replay is debugging — take an event your handler choked on, point at a fresh URL, run it again. The catch is signature verification: replay raw, the receiving handler rejects you because the timestamp is stale. Outworx solves this by recomputing the signature on replay, using the inbox's stored scheme.

Captured event

POST

timestamp: t = 1714159200

stripe-signature: t=1714159200,v1=ab12cd…

body: forwarded verbatim

Replay event

POST

timestamp: t = 1714162800 (now)

stripe-signature: t=1714162800,v1=9f0e4d…

body: forwarded verbatim

What changes on replay: the timestamp updates to now, then the signature is recomputed from the inbox's stored secret using the configured scheme. Body, headers (other than the signature), and method are forwarded verbatim. Receivers validate the signature exactly as they would for a real-time event — no special replay handling needed on their end.

Lockdown

Three layers, all enforced before any payload is persisted.

When you're ready for production traffic, flip the Security toggle on the inbox. HMAC, HTTP Basic, and IP allowlist run as a pipeline — failure at any stage drops the request before it ever lands in the capture log.

01

HMAC verification

8 branded schemes (Stripe, GitHub, Shopify, Square, Linear, HubSpot, Zoom, Zendesk, Slack) plus a Custom HMAC mode with configurable header, algorithm, encoding, and prefix. Configurable timestamp tolerance (default 300s) for replay protection.

  • sha256 + sha1
  • hex + base64 + base64url
  • v1=… style + raw header
02

HTTP Basic auth

Layered on top of HMAC if you want belt-and-braces. Stored bcrypt-hashed; secrets never leave the server, never re-display in the dashboard.

  • Secrets bcrypt-hashed
  • 401 on mismatch
03

Source-IP allowlist

IPv4 and IPv6 CIDR blocks. Cloudflare-friendly — the request's true client IP is resolved from the X-Forwarded-For chain before matching.

  • IPv4 + IPv6
  • CIDR ranges
  • X-Forwarded-For aware
HMAC verifier · stripe
✓ match

signing secret

whsec_***************************

signature header

t=1714159200,v1=ab12cd34ef56…

raw body

{"id":"evt_3a","type":"payment_intent.succeeded",…}

Result

expectedv1=ab12cd34ef56…gotv1=ab12cd34ef56…

Browser-only HMAC verifier

Catches the SDK-version-mismatch class in seconds.

Paste the secret, paste the signature header, paste the raw body. The verifier computes the expected signature for 10+ providers and compares it to what the receiving handler is seeing. The secret never leaves the browser.

  • Secrets stay client-side. WebCrypto API does the HMAC; the secret + body never leave the page.
  • 10+ providers. Pre-canned schemes plus a Custom HMAC mode for anything in-house.
  • Diff-style mismatch. Expected vs got, byte-for-byte. Catches off-by-one base64 encodings the moment they appear.

Plan tiers

Free for debugging. Paid for production.

Free

5 inboxes · 500 / 7d

  • Capture, replay, send-test, HMAC verifier
  • All 8 branded schemes + Custom HMAC
  • Send-test fires signed payloads
  • Standalone — no project required
Most popular

Pro

25 inboxes · 10k / 30d

  • 5× the inboxes
  • 20× the capture window
  • 30-day capture retention
  • Lockdown: HMAC + Basic + IP allowlist
  • Project link with event catalog

Business

Unlimited · 90d

  • Unlimited inboxes
  • Unlimited captures
  • 90-day retention
  • Custom domain on the docs
  • Priority support

Pairs well with

Uptime monitoring

Wire monitor alerts to a webhook inbox and replay any incident notification through your Slack handler with re-signed timestamps.

Mock Server

Stub providers' webhook endpoints with the mock URL while you build your handler against the captured payload shape.

Docs page builder

If your project's spec declares webhooks (OpenAPI 3.1), the linked inbox surfaces them under the Events tab automatically.

The webhooks debugger that ships replays.

Free plan ships 5 inboxes and 500 captures over a 7-day window. Lockdown unlocks on Pro at $9/month.

Start freeCompare plans