Overview
Hookbase is a webhook capture, inspection, and replay platform. Point any external service at your unique source URL and every request gets stored, making it instantly inspectable and re-fireable from your dashboard.
Capture
Receive any HTTP request and store it with full headers and body.
Inspect
Search and filter every captured request in real time.
Replay
Re-fire any stored request to any URL with one click.
Core Concepts
Quickstart
Get your first webhook captured in under 2 minutes.
Create a Workspace
Create a Project
Create a Source
https://hookbase.dev/hook/hk_a8f29xq7
Point an external service at it
Inspect your requests
curl -X POST https://yourdomain.com/hook/<your-token> -H "Content-Type: application/json" -d '{"event":"test"}'Sources
A source is a public webhook URL that accepts any HTTP request, including GETPOSTPUTDELETEPATCH and records it.
Source URL format
https://hookbase.dev/hook/{token}The {token} is a randomly generated public webhook token that is hard to guess and safe to share with external services.
Source states
403 to all incoming requests. No data is stored while paused.Requests
Every HTTP request received by a source is stored as an immutable Request record containing:
- Method— GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD, etc.
- Headers— All request headers including Content-Type, Authorization, X-Signature, etc.
- Raw body— The full unmodified request body as text
- Path— Full request path including query string
- Status— HTTP response status code returned to the sender
- Duration— Time in milliseconds to process and respond
- IP address— Source IP (respects X-Forwarded-For and Cloudflare CF-Connecting-IP headers)
- User agent— The sending application identifier
- Timestamp— Exact time the request was received (UTC)
Example captured request
A typical captured request includes the provider event type and the original JSON body exactly as it arrived. For example, a Stripe checkout webhook might look like this when viewed in Hookbase.
{
"id": "evt_1TC9aIQSDFag5pz3YkqiPvar",
"object": "event",
"type": "checkout.session.completed",
"created": 1773799905,
"data": {
"object": {
"id": "cs_test_a1dWK6Mxx1rBnOAwubUKrrsW2L3TrPU40bQfllknsHzF61GRUUof8rPFeT",
"object": "checkout.session",
"customer": "cus_Sc8w7AuxaTS3kd",
"currency": "gbp",
"amount_total": 2900,
"payment_status": "paid",
"status": "complete",
"mode": "subscription",
"subscription": "sub_1TC9aGQSDFag5pz3TH9zLstW",
"metadata": {
"referenceId": "f138789f-4773-4f90-a15b-921cad28f92d",
"userId": "f138789f-4773-4f90-a15b-921cad28f92d"
}
}
}
}Filtering & search
The Requests page supports powerful server-side filtering — all filters are applied in the database, not the browser:
MethodFilter to a specific HTTP verb — GET, POST, PUT, etc.Status class2xx · 3xx · 4xx · 5xx — broad range filterStatus rangeExact min/max status codes for precise filteringIP addressPartial or exact match against source IPPath containsSubstring match against the request pathFull-textSearches across path, body, and headers simultaneouslyDate rangefrom / to — filter by receivedAt timestampDuration rangemin / max milliseconds — find slow or fast requestsHas errorShow only requests that resulted in a non-2xx responseSortasc or desc by receivedAtPinning
Pin any request to keep it visible above unflagged requests and prevent it from being purged by retention policies. Pinned requests survive even when the workspace plan downgrades.
Sharing
Generate a time-limited shareable link for any request. The link contains a signed token that lets anyone view the full request details without needing a Hookbase account — useful for sharing a bug with an external team.
Payload compare
Open any request and switch to the Compare tab to perform a field-level diff against any other request in the same view. Changed fields are highlighted in amber, additions in emerald, and removals in rose. The diff operates on parsed JSON — nested keys are flattened to dot-notation so every changed path is independently visible.
Analytics
The analytics view aggregates request data over time — request volume, error rates, latency percentiles (p50 / p95 / p99), and status class breakdown. Switch between per-source and project-wide views. Data is sampled and cached to keep dashboards fast even at high request volumes.
Replay
Replay takes a captured request and re-fires it as a real HTTP call to any destination URL. The original method, headers, and body are preserved exactly. Replays are asynchronous — the job is queued immediately and executed in the background with automatic retries.
How a replay works
Job statuses
Common use cases:
- Test a new version of your API against real production traffic
- Debug a failed webhook without waiting for the external service to re-send
- Replay to a local dev server during development
- Load test with real payload shapes from production
Destinations
A destination is a saved URL with optional custom headers that you can select when replaying requests instead of typing a URL each time.
Example destinations
https://api.myapp.com/webhooks/stripe
http://localhost:4000/webhook
https://staging.myapp.com/hooks/payments
Destinations belong to a Project. You can only replay a request to a destination in the same project, which helps prevent routing production data to an unrelated project.
Destinations can carry extra headers that get merged on top of the original request headers. This is useful for adding authentication to your destination, for example X-Internal-Secret: ....
Routing
Routing rules let you automatically forward or drop incoming webhooks based on conditions evaluated at capture time. Rules are evaluated in priority order (lowest number first) so you have full control over the pipeline.
Evaluation pipeline
Match conditions
Matches every request. Use to unconditionally forward or drop all traffic on the source.
Matches when a specific HTTP header has an exact value. Useful for routing by event source, API version, or custom flags.
matchConfig: { "header": "x-event-type", "value": "payment" }Parses the request body as JSON and checks a field at a dot-path. Ideal for routing Stripe, GitHub, or any typed webhook events.
matchConfig: { "path": "$.type", "value": "payment_intent.succeeded" }Combines multiple HEADER_EQUALS and JSON_PATH_EQUALS sub-conditions with an AND (all must match) or OR (any must match) operator. Build compound rules visually using the condition builder in the dialog.
matchConfig: { "operator": "AND", "conditions": [
{ "type": "HEADER_EQUALS", "config": { "header": "x-source", "value": "stripe" } },
{ "type": "JSON_PATH_EQUALS", "config": { "path": "$.type", "value": "charge.succeeded" } }
]}Actions
Re-fires the original request (same method, headers, and body) to the configured destination URL. Executed asynchronously with up to 3 retry attempts (exponential backoff). Failures surface in Failed Deliveries.
Delivers one inbound event to multiple destinations in parallel. Each target gets its own async job with independent retry tracking. Combined with Payload Transforms you can send a different shaped body to each target.
actionConfig: { "targetIds": ["<target-a>", "<target-b>"] }Stops the pipeline immediately. No further rules are evaluated and the request is not forwarded anywhere. The request is still stored in Hookbase for inspection.
Payload Transforms
Any FORWARD_TO_TARGET or FAN_OUT rule can optionally include a transformConfig to reshape the JSON body before it is forwarded. The original stored payload is never modified.
Renames a top-level field.
{ "op": "rename", "from": "customerId", "to": "uid" }Removes a top-level field entirely. Useful for stripping PII before forwarding.
{ "op": "drop", "field": "customer.email" }Adds or overwrites a top-level field with a static string value.
{ "op": "set", "field": "env", "value": "production" }Priority & ordering
Every rule has a numeric priority (default 100). Rules with a lower number run first. If a DROP rule matches, the pipeline stops — no later rules are evaluated. Multiple FORWARD and FAN_OUT rules can all fire for the same request.
Source scope
A rule can be scoped to a specific source or to the entire project (leave Source blank). Project-wide rules are evaluated alongside source-specific rules, all sorted by priority together.
Example — simple forward
{
"name": "Route Stripe payments to staging",
"priority": 10,
"matchType": "JSON_PATH_EQUALS",
"matchConfig": { "path": "$.type", "value": "payment_intent.succeeded" },
"actionType": "FORWARD_TO_TARGET",
"actionConfig": { "targetId": "<replay-target-id>" }
}Example — compound match + fan-out
{
"name": "Stripe charge events from production",
"priority": 20,
"matchType": "COMPOUND",
"matchConfig": {
"operator": "AND",
"conditions": [
{ "type": "HEADER_EQUALS", "config": { "header": "x-source", "value": "stripe" } },
{ "type": "JSON_PATH_EQUALS", "config": { "path": "$.type", "value": "charge.succeeded" } }
]
},
"actionType": "FAN_OUT",
"actionConfig": { "targetIds": ["<target-a>", "<target-b>"] }
}Example — payload transform
{
"name": "Strip PII before forwarding",
"priority": 30,
"matchType": "ALL",
"actionType": "FORWARD_TO_TARGET",
"actionConfig": { "targetId": "<replay-target-id>" },
"transformConfig": {
"rules": [
{ "op": "drop", "field": "customer.email" },
{ "op": "rename", "from": "customerId", "to": "uid" },
{ "op": "set", "field": "env", "value": "production" }
]
}
}Alerts
Alerts let you get notified when something goes wrong with your webhooks. You configure channels (where to send) and rules (when to fire). Every alert dispatch is recorded as an AlertExecution for full audit history.
How to set up alerts
Channel types
Send an email to one or more addresses when an alert fires.
{ "to": ["[email protected]", "[email protected]"] }POST a JSON payload to any URL — pipe into Slack, PagerDuty, or your own handler.
{ "url": "https://hooks.example.com/alert", "headers": { "Authorization": "Bearer <token>" } }Trigger a PagerDuty incident via the Events API v2. Configurable severity (critical, error, warning, info).
{ "integrationKey": "<routing-key>", "severity": "error" }Post a message directly to a Slack channel via an incoming webhook URL.
{ "url": "https://hooks.slack.com/services/T00/B00/xxxx" }Post a message to a Discord channel via a Discord webhook URL.
{ "url": "https://discord.com/api/webhooks/123/xxxx" }Rule types
NON_SUCCESS_STATUSFires when a captured request has a response status outside the 2xx/3xx range. Use this to get notified immediately when your downstream service starts returning errors.
params
{ "endpointId": "<source-id>", "minStatus": 400 }NO_REQUESTS_IN_WINDOWFires when no requests have arrived at an endpoint within the configured time window. Acts as a heartbeat monitor — perfect for detecting silent failures from upstream systems.
params
{ "endpointId": "<source-id>", "windowMinutes": 15 }DELIVERY_FAILEDFires when a forwarded webhook exhausts all retry attempts and moves to the dead-letter queue. Optional targetUrl prefix filter narrows the rule to a specific downstream target.
params
{ "targetUrl": "https://api.example.com" }TARGET_DOWNFires when N consecutive deliveries to a destination fail within a 1-hour window. A 30-minute per-rule cooldown prevents alert storms. Configurable consecutive failure threshold.
params
{ "targetId": "<target-id>", "consecutiveFailures": 3 }Example rule
{
"name": "Payment source errors",
"type": "NON_SUCCESS_STATUS",
"params": {
"endpointId": "<your-source-id>",
"minStatus": 400
},
"channelId": "<your-channel-id>"
}endpointId to monitor all sources.Failed Deliveries
The Failed Deliveries page (/dashboard/jobs) collects Replay Jobs and Forward Logs that have exhausted all automatic retry attempts. It gives you a single place to triage, retry, or permanently discard delivery failures.
What ends up here
Failed Replays
Replay Jobs that exhausted all 3 delivery attempts. Each row shows the original request, target URL, last error, and attempt count.
Failed Forwards
Forward Logs from routing rules that could not be delivered after 3 attempts. Each row shows the target URL, HTTP status (if any), and last error.
Actions
Retry
Re-enqueues the item with a fresh attempt counter. The job re-enters the normal delivery queue with the same payload.
Discard
Permanently marks the item as CANCELED. It disappears from the Failed Deliveries list and will not be retried.
Retry policy
Workspaces & Teams
Workspaces let you collaborate. Every workspace has members with one of three roles:
| Role | How assigned | Permissions |
|---|---|---|
| OWNER | Created the workspace | Full access, manage billing, manage all members |
| ADMIN | Invited as Admin | Manage projects, sources, invite members |
| MEMBER | Invited as Member | View requests, use sources, run replays |
To invite someone, go to Workspaces → Manage → Invite member. An invitation email is sent with a link that expires in 7 days.
Owners can grant individual MEMBER-role users additional permissions beyond read-only access. Expand a member row in the Members tab to toggle permissions:
| Permission | What it allows |
|---|---|
| CAN_REPLAY | Re-fire captured requests to any destination |
| CAN_MANAGE_ALERTS | Create, update, and delete alert rules and channels |
| CAN_MANAGE_ROUTES | Create, update, and delete routing flows |
| CAN_EXPORT | Download audit logs and request exports as CSV |
Security
API key authentication
Generate named API keys from the API Keys page. Keys are prefixed hb_ and hashed with SHA-256 before storage. The raw value is shown only once at creation. Use the key via the x-api-key header or as a Bearer token in the Authorization header. Keys support optional expiry dates and show last-used timestamps.
Token-based source security
Every source URL contains a random public webhook token. Without the exact token, it is extremely difficult to discover or brute-force a valid source URL.
Token rotation
If a token is compromised, rotate it instantly from the Sources page. The old URL is invalidated immediately with no grace period.
Source pausing
Pause a source to block all incoming requests without deleting it. Useful for temporary maintenance or incident response.
IP allow-listing
Each source has an optional IP allowlist. When one or more IPs are configured, any request arriving from an unlisted IP is rejected with 403 and nothing is stored.
Role-based access
Workspace members can only access data within their workspace. Owners and Admins control who can manage sources and invite new members.
Data isolation
Requests, projects, and sources are scoped to workspaces. No data is shared across workspaces.
Activity log
Every create, update, delete, role change, and status change is recorded in the workspace activity log with actor identity, action, entity type, and metadata. Admins and Owners can export up to 10,000 rows as CSV from Activity > Export.
PII redaction
Workspaces can enable automatic PII detection and redaction. When active, incoming payloads are scanned for email addresses, credit card numbers, SSNs, phone numbers, IBANs, and custom regex patterns before being written to the database. Original data is never stored.
Encryption at rest
Signing secrets, destination headers, and alert channel configs are encrypted with AES-256-GCM envelope encryption keyed by the server-side SECRET_MASTER_KEY environment variable. The raw values are never stored or returned in API responses.
HMAC Signing Secrets
Each source can optionally require senders to sign their requests with an HMAC-SHA256 signature. When a secret is configured, unsigned or incorrectly signed requests are rejected with 401 Unauthorized before any data is stored. Sources without a secret continue to accept all requests, so the feature is opt-in per source.
Setting a secret
Go to Sources > Manage > Secret. Use the Generate button to create a cryptographically random 64-character hex secret, copy it, then click Save Secret. The value is encrypted at rest with AES-256-GCM and is never returned in API responses.
How senders must sign requests
Compute HMAC-SHA256 of the raw request body using the secret, then send the hex digest in any one of these headers:
- - x-hub-signature-256: GitHub-style, value
sha256=<hex> - - x-webhook-signature: bare hex digest
- - x-signature: bare hex digest
Node.js example
import crypto from 'node:crypto'
const secret = process.env.WEBHOOK_SECRET
const body = JSON.stringify(payload)
const sig = 'sha256=' + crypto
.createHmac('sha256', secret)
.update(body)
.digest('hex')
await fetch(webhookUrl, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'x-hub-signature-256': sig,
},
body,
})Python example
import hmac, hashlib, requests
secret = os.environ['WEBHOOK_SECRET'].encode()
body = json.dumps(payload).encode()
sig = 'sha256=' + hmac.new(secret, body, hashlib.sha256).hexdigest()
requests.post(webhook_url, data=body, headers={
'Content-Type': 'application/json',
'x-hub-signature-256': sig,
})Always sign the exact raw bytes you send. Re-serializing the body on the sender side can produce a different signature and cause a 401.
Signing Secret Rotation
Rotate a signing secret without breaking live integrations. Go to Sources > Manage > Secret > Rotate Secret and choose a grace period:
During the grace period both the old and new secrets are accepted. After the grace period expires, the old secret is automatically retired on the first incoming request. A pending rotation is displayed on the source secret panel with the option to cancel. All rotation events are written to the activity log.
Enterprise (SSO & SCIM)
Enterprise workspaces can authenticate users through a corporate identity provider via Single Sign-On (SSO) and automate user lifecycle management through SCIM provisioning. Both are configured per-workspace from Workspaces → Manage → Enterprise.
Single Sign-On
Hookbase supports both OIDC (OpenID Connect) and SAML 2.0 identity providers — Okta, Azure AD, Google Workspace, Auth0, and any other standards-compliant IdP.
OIDC
- Client ID and Client Secret
- Issuer URL (e.g. https://accounts.google.com)
- Email domain to scope sign-in (e.g. company.com)
- Optional: discovery endpoint if non-standard
SAML 2.0
- IdP Entry Point URL (SSO URL)
- IdP Certificate (PEM format)
- Issuer / Entity ID
- Email domain to scope sign-in
How SSO sign-in works
SP metadata for SAML
When configuring your IdP, use the following callback URL as the ACS (Assertion Consumer Service) URL:
https://<your-domain>/api/auth/sso/saml2/callback/ws-<workspace-id>
SCIM Provisioning
SCIM 2.0 lets your directory provider (Okta, Azure AD, JumpCloud, etc.) automatically create, update, and deactivate Hookbase accounts as people join or leave your organisation.
| Setting | Value |
|---|---|
| SCIM Base URL | https://<your-domain>/api/auth/scim/v2 |
| Authentication | Bearer token (generated in Enterprise tab) |
| Supported operations | Create user, update user, deactivate user |
Token security
The SCIM bearer token is shown only once at generation time. Store it immediately in your IdP configuration — it cannot be retrieved again. If lost, generate a new token (this invalidates the previous one) and update your IdP.
Schema Detection & Contracts
Hookbase automatically infers the JSON schema of every captured webhook payload. As your upstream service evolves its payload structure, Hookbase stores each new schema as a versioned snapshot — so you always have a complete history of how your webhook shape has changed over time.
How auto-detection works
Receive a webhook
string, number, boolean, object, array, null), and nullability.Deduplicate by hash
First version becomes the contract
Viewing schema history
Every schema version is visible in the dashboard under Schemas, or per-source via the Schema button in the Sources table. Each row shows the version number, a short hash, the capture date, and the contract badge.
Schema Tree
Visual typed tree of every field in the payload, including nested objects and arrays.
Visual Diff
Select any two versions to see exactly which fields were added, removed, or changed.
Contract Pin
Mark any version as the stable contract to generate mocks and run CI assertions against.
Diffing versions
The diff view highlights exactly what changed between any two schema versions — colour-coded green for added fields, red for removed, and yellow for type changes.
Hookbase schema diff <endpoint-id> --from 1 --to 3 # Output: # + body.amount (number) — added # ~ body.currency type changed: null → string # - metadata.legacy removed
Pinning a contract
The contract is the schema version you consider stable. Only one version per source can be the contract at any time. Pinning a new version automatically unpins the previous one.
# Pin version 2 as the stable contract Hookbase schema set-contract <endpoint-id> 2
Mock payload generation
Hookbase can generate a realistic mock JSON payload that matches the pinned contract schema and POST it to any URL. This is useful for:
- Testing your webhook handler locally without a real upstream service.
- Running integration tests in CI pipelines.
- Smoke-testing new deployments against the expected payload shape.
# Generate a mock payload and POST it to your local handler Hookbase mock <endpoint-id> --forward-to http://localhost:3000/webhook # Use in CI — exit 1 if response is not 200 Hookbase mock <endpoint-id> \ --forward-to http://localhost:3000/webhook \ --assert-status 200
"string", numbers become 0, booleans false, arrays an empty list, and nested objects are recursively populated.Command reference
Hookbase schema show <endpoint-id>Print the latest inferred schema for a source as a typed tree.Hookbase schema history <endpoint-id>List all schema versions: version number, hash, date, and whether it is the pinned contract.Hookbase schema diff <endpoint-id> --from N --to MShow field-level diff between two schema versions (added / removed / changed).Hookbase schema set-contract <endpoint-id> <v>Pin a specific schema version as the contract — used for mock generation and CI assertions.Hookbase mock <endpoint-id> --forward-to <url>Generate a realistic mock payload from the pinned contract and POST it to a local URL.Hookbase mock <endpoint-id> --forward-to <url> --assert-status <code>Same as above but exit with code 1 if the response does not match the expected HTTP status. Ideal for CI pipelines.CLI
The Hookbase CLI gives you full terminal access to your webhook platform — tunnel public URLs to localhost, inspect and replay captured requests, manage sources, run schema contract tests in CI, and configure your workspaces without touching the dashboard.
Installation
npm / bun / pnpm:
npm install -g hookbase-cli
Homebrew (macOS / Linux):
brew install Hookbase/tap/Hookbase
Direct download (Windows / Linux):
curl -sSL https://cli.hookbase.dev/install.sh | sh
Authentication
Log in via browser
Hookbase login
~/.Hookbase/credentials.Or use an API key
Hookbase requests list --api-key whk_live_xxxxxxxxxxxxxxxx
export Hookbase_API_KEY=whk_live_xxxxxxxxxxxxxxxx
Tunnel — public URL to localhost
The tunnel command is the fastest way to expose your local webhook handler to the internet. It auto-creates a temporary source, prints the public URL, streams all incoming requests to your local server, and deletes the source on exit.
# One-command public URL for your local server Hookbase tunnel --forward-to http://localhost:3000/webhooks # → Public URL: https://hooks.yourdomain.com/hook/a4992507... # Ctrl+C to stop and delete the temporary endpoint
listen instead if you want to attach to an existing source rather than creating a temporary one.Forwarding from an existing source
The listen command opens a persistent SSE connection and proxies every incoming request to your local server.
Hookbase listen <endpoint-id> \ --forward-to http://localhost:3000/webhooks
Replaying requests
Replay any captured request to a new destination — useful for local debugging after a handler failure.
Hookbase replay req_01hxyz \ --to http://localhost:3000/webhooks
Schema contracts & mock testing
Hookbase auto-detects the JSON schema from every captured payload. Use the schema and mock commands to inspect version history, diff schema changes, pin a stable contract, and drive contract tests directly from the CLI.
# In your CI pipeline: Hookbase mock <endpoint-id> \ --forward-to $WEBHOOK_HANDLER_URL \ --assert-status 200
Configuration
Use Hookbase config to inspect your current settings or point the CLI at a self-hosted instance:
# View current config Hookbase config show # Point at a self-hosted instance Hookbase config set-api-url https://api.yourdomain.com
Command reference — Auth & identity
Hookbase loginAuthenticate via browser. Session token saved to ~/.Hookbase/credentials.Hookbase logoutRemove locally stored credentials.Hookbase whoamiPrint the currently authenticated user, workspace, and project.Command reference — Sources
Hookbase endpoints listList all sources with their tokens, status, and webhook URLs.Hookbase endpoints create --project <id> --name "My Hook"Create a new source and print the webhook URL.Hookbase endpoints inspect <endpoint-id>Show full details of a single source.Hookbase endpoints pause <endpoint-id>Pause a source — returns 403 to all incoming requests.Hookbase endpoints resume <endpoint-id>Resume a paused source.Hookbase endpoints delete <endpoint-id>Permanently delete a source and all its captured data.Command reference — Requests
Hookbase requests listPrint the most recent captured requests as a table.Hookbase requests list --method POST --status 4xxFilter by HTTP method and status class (2xx, 3xx, 4xx, 5xx).Hookbase requests list --text "payment"Full-text search across path, headers, and body.Hookbase requests list --from 2026-03-01 --to 2026-03-08Filter by date range.Hookbase requests list --min-duration 500 --has-errorSlow requests that returned a non-2xx status.Hookbase requests inspect <request-id>Print full details: method, path, status, headers, and body.Hookbase requests pin <request-id>Pin a request to prevent purge by retention policies.Hookbase requests share <request-id>Generate a time-limited public share link (no account required to view).Command reference — Replay
Hookbase replay <request-id>Replay a captured request to its original source URL.Hookbase replay <request-id> --to <url>Replay to a specific URL — overrides the original destination.Command reference — Tunnel & listen
Hookbase tunnelAuto-creates a temporary source, prints the public URL, and forwards all arriving requests to --forward-to. Cleans up on Ctrl+C.Hookbase tunnel --forward-to <url>Forward live requests to a local server. Equivalent of ngrok but powered by Hookbase.Hookbase listen <endpoint-id> --forward-to <url>Forward requests from an existing source to a local URL via the live SSE stream.Command reference — Schema & mocks
Hookbase schema show <endpoint-id>Print the latest inferred schema as a typed field tree.Hookbase schema history <endpoint-id>List all schema versions with hashes, dates, and contract status.Hookbase schema diff <endpoint-id> --from <v> --to <v>Show a field-level diff between two versions (added / removed / changed).Hookbase schema set-contract <endpoint-id> <version>Pin a schema version as the stable contract for mocks and CI assertions.Hookbase mock <endpoint-id> --forward-to <url>Generate a mock payload from the pinned contract and POST it to a URL.Hookbase mock <endpoint-id> --forward-to <url> --assert-status <code>Same as above, but exit 1 if the response status does not match. Perfect for CI.Command reference — Projects & workspaces
Hookbase projects listList all projects across your workspaces.Hookbase projects create --workspace <id> --name "Prod" --slug prodCreate a new project.Hookbase projects delete <project-id>Delete a project (irreversible).Hookbase workspaces listList all workspaces you belong to.Hookbase workspaces members <workspace-id>List members and roles in a workspace.Command reference — Routing rules
Hookbase routing-rules list --project <id>List all routing rules in a project with match type, action, and priority.Hookbase routing-rules inspect <rule-id>Print full rule configuration including match and action config.Hookbase routing-rules delete <rule-id>Delete a routing rule.Command reference — Config
Hookbase config showPrint the current CLI configuration (API URL, workspace, project, login status).Hookbase config set-api-url <url>Point the CLI at a self-hosted Hookbase instance.Global flags
--workspace <id>Override the active workspace for this command.--project <id>Override the active project for this command.--output jsonOutput raw JSON instead of formatted tables.--api-key <key>Use a specific API key instead of the stored session token.--take <n>Limit the number of results returned (default: 20).Hookbase <command> --help at any time for full flag documentation.