Hookbase – API Monitor & Debugger

Overview

Hookbase is a webhook capture, inspection, and replay platform. Point any external service at your unique endpoint URL and every request gets stored, making it instantly inspectable and re-fireable from your dashboard.

Capture

Receive any HTTP request and store it with full headers and body.

Inspect

Search and filter every captured request in real time.

Replay

Re-fire any stored request to any URL with one click.

Core Concepts

Workspace — The top-level container for your team. All projects, endpoints, and data belong to a workspace. You can invite team members and assign them roles.

Project — A logical grouping inside a workspace — e.g. "Production", "Staging", "My App". Projects hold endpoints and replay targets.

Endpoint — A unique webhook URL. Each endpoint gets a UUID token that forms its public URL. Share this URL with any external service. Endpoints can be ACTIVE or PAUSED.

Request — A single captured HTTP call — stored with method, path, headers, raw body, status, duration, IP, and user agent. Requests are immutable once saved and can be pinned or shared.

Replay Job — An execution record created when you re-fire a captured request. Stores the destination URL, response status, body, and duration.

Replay Target — A saved destination URL (with optional extra headers) you can replay requests to without typing a URL each time. Targets belong to a project.

Routing Rule — An automated rule evaluated at capture time that forwards or drops requests based on conditions (header match, JSON path match). Rules are evaluated in priority order.

Alert Channel — A delivery destination for notifications — Email, Webhook, Slack, or Discord. Channels are shared across rules within a workspace.

Alert Rule — A condition that triggers a notification when met — e.g. non-2xx responses or silence (no requests in a time window). Each rule is linked to a channel.

Forward Log — A record of an automated forward triggered by a routing rule. Stores the destination URL, HTTP status, duration, attempt count, and any error. Failed forwards are retried up to 3 times before being moved to the Dead Letter Queue.

Dead Letter Queue — Collects Replay Jobs and Forward Logs that have exhausted all retry attempts. Accessible at Dashboard → Dead Letters. You can re-enqueue individual items for another attempt or permanently discard them.

Quickstart

Get your first webhook captured in under 2 minutes.

Create a Workspace

Go to Workspaces in the sidebar and click New Workspace. Give it a name like "My Team".

Create a Project

Open Projects and click + New Project. Select your workspace and give the project a name.

Create an Endpoint

Open Endpoints and click + New Endpoint. Select your project. You'll be given a webhook URL:

https://yourdomain.com/hook/a4992507-a40f-4c0d-a96f-45cb08ee2dee

Point an external service at it

Paste the URL into any service that sends webhooks — Stripe, GitHub, Shopify, Twilio, etc. Every request it sends will be captured instantly.

Inspect your requests

Open Requests in the sidebar. Every captured webhook appears here with its full headers, body, and metadata.

✓

You can also send a test request manually with curl:
curl -X POST https://yourdomain.com/hook/<your-token> -H "Content-Type: application/json" -d '{"event":"test"}'

Endpoints

An endpoint is a public URL that accepts any HTTP request — GETPOSTPUTDELETEPATCH — and records it.

Endpoint URL format

https://yourdomain.com/hook/{token}

The {token} is a randomly generated UUID — cryptographically unique and unguessable.

Endpoint states

ACTIVEAccepting and storing requests normally.

PAUSEDReturns 403 to all incoming requests. No data is stored while paused.

⚠

Token rotation — if you suspect your endpoint URL has been leaked, rotate the token from the Endpoints page. The old URL stops working immediately and a new unique URL is generated.

Requests

Every HTTP request received by an endpoint is stored as an immutable Request record containing:

Method— GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD, etc.
Headers— All request headers including Content-Type, Authorization, X-Signature, etc.
Raw body— The full unmodified request body as text
Path— Full request path including query string
Status— HTTP response status code returned to the sender
Duration— Time in milliseconds to process and respond
IP address— Source IP (respects X-Forwarded-For and Cloudflare CF-Connecting-IP headers)
User agent— The sending application identifier
Timestamp— Exact time the request was received (UTC)

●

Requests are immutable — they are never modified after being captured. What you see is exactly what was received.

Filtering & search

The Requests page supports powerful server-side filtering — all filters are applied in the database, not the browser:

MethodFilter to a specific HTTP verb — GET, POST, PUT, etc.

Status class2xx · 3xx · 4xx · 5xx — broad range filter

Status rangeExact min/max status codes for precise filtering

IP addressPartial or exact match against source IP

Path containsSubstring match against the request path

Full-textSearches across path, body, and headers simultaneously

Date rangefrom / to — filter by receivedAt timestamp

Duration rangemin / max milliseconds — find slow or fast requests

Has errorShow only requests that resulted in a non-2xx response

Sortasc or desc by receivedAt

Pinning

Pin any request to keep it visible above unflagged requests and prevent it from being purged by retention policies. Pinned requests survive even when the workspace plan downgrades.

Sharing

Generate a time-limited shareable link for any request. The link contains a signed token that lets anyone view the full request details without needing a Hookbase account — useful for sharing a bug with an external team.

Payload compare

Open any request and switch to the Compare tab to perform a field-level diff against any other request in the same view. Changed fields are highlighted in amber, additions in emerald, and removals in rose. The diff operates on parsed JSON — nested keys are flattened to dot-notation so every changed path is independently visible.

Analytics

The analytics view aggregates request data over time — request volume, error rates, latency percentiles (p50 / p95 / p99), and status class breakdown. Switch between per-endpoint and project-wide views. Data is sampled and cached to keep dashboards fast even at high request volumes.

Replay

Replay takes a captured request and re-fires it as a real HTTP call to any destination URL. The original method, headers, and body are preserved exactly. Replays are asynchronous — the job is queued immediately and executed in the background with automatic retries.

How a replay works

Job enqueuedA ReplayJob row is created in PENDING state and added to the replay queue

Worker picks upBackground worker fetches the request — original method, headers, and body preserved

Retries on failUp to 3 attempts with exponential backoff (2 s → 4 s → 8 s) on network errors or non-2xx

Result storedStatus code, body, headers, and duration saved; job moves to SUCCESS or FAILED

Job statuses

PENDINGQueued, waiting for a worker

RUNNINGWorker is executing the HTTP call

SUCCESSCompleted — response stored

FAILEDAll retry attempts exhausted — job moves to Dead Letters

CANCELEDManually discarded from the Dead Letters page

Common use cases:

Test a new version of your API against real production traffic
Debug a failed webhook without waiting for the external service to re-send
Replay to a local dev server during development
Load test with real payload shapes from production

✓

Replay history and live job status are visible on the Replay page. Jobs that fail all retries appear on the Dead Letters page where you can retry or discard them.

Replay Targets

A Replay Target is a saved destination — a URL with optional custom headers — that you can select when replaying requests instead of typing a URL each time.

Example targets

https://api.myapp.com/webhooks/stripe

http://localhost:4000/webhook

https://staging.myapp.com/hooks/payments

Targets belong to a Project. You can only replay a request to a target in the same project — this prevents accidentally routing production data to an unrelated project.

Targets can carry extra headers that get merged on top of the original request headers. Useful for adding authentication to your replay target (e.g. X-Internal-Secret: ...).

Routing Rules

Routing rules let you automatically forward or drop incoming webhooks based on conditions evaluated at capture time. Rules are evaluated in priority order (lowest number first) so you have full control over the pipeline.

Evaluation pipeline

Request arrivesPOST /hook/<token> → stored in DB

Rules loadedActive rules for this endpoint (+ project-wide rules) sorted by priority asc

Evaluate each ruleMatch condition checked against live headers / body

Transforms appliedIf a transformConfig is set, fields are renamed / dropped / set on the body copy

Action firesDROP stops the pipeline · FORWARD / FAN_OUT sends to target URL(s)

Response returned{"received":true} sent back to the webhook sender immediately

Match conditions

ALL

Matches every request. Use to unconditionally forward or drop all traffic on the endpoint.

HEADER_EQUALS

Matches when a specific HTTP header has an exact value. Useful for routing by event source, API version, or custom flags.

matchConfig: { "header": "x-event-type", "value": "payment" }

JSON_PATH_EQUALS

Parses the request body as JSON and checks a field at a dot-path. Ideal for routing Stripe, GitHub, or any typed webhook events.

matchConfig: { "path": "$.type", "value": "payment_intent.succeeded" }

COMPOUNDAND / OR condition groups

Combines multiple HEADER_EQUALS and JSON_PATH_EQUALS sub-conditions with an AND (all must match) or OR (any must match) operator. Build compound rules visually using the condition builder in the dialog.

matchConfig: { "operator": "AND", "conditions": [
  { "type": "HEADER_EQUALS",    "config": { "header": "x-source", "value": "stripe" } },
  { "type": "JSON_PATH_EQUALS", "config": { "path": "$.type",   "value": "charge.succeeded" } }
]}

Actions

Forward to Replay TargetFORWARD_TO_TARGET

Re-fires the original request (same method, headers, and body) to the configured Replay Target URL. Executed asynchronously with up to 3 retry attempts (exponential backoff). Failures surface in Dead Letters.

Fan-outFAN_OUT

Delivers one inbound event to multiple Replay Targets in parallel. Each target gets its own async job with independent retry tracking. Combined with Payload Transforms you can send a different shaped body to each target.

actionConfig: { "targetIds": ["<target-a>", "<target-b>"] }

DropDROP

Stops the pipeline immediately. No further rules are evaluated and the request is not forwarded anywhere. The request is still stored in Hookbase for inspection.

Payload Transforms

Any FORWARD_TO_TARGET or FAN_OUT rule can optionally include a transformConfig to reshape the JSON body before it is forwarded. The original stored payload is never modified.

rename

Renames a top-level field.

{ "op": "rename", "from": "customerId", "to": "uid" }

drop

Removes a top-level field entirely. Useful for stripping PII before forwarding.

{ "op": "drop", "field": "customer.email" }

set

Adds or overwrites a top-level field with a static string value.

{ "op": "set", "field": "env", "value": "production" }

●

Transforms are applied in order. Non-JSON bodies (e.g. form-encoded) are forwarded unchanged.

Priority & ordering

Every rule has a numeric priority (default 100). Rules with a lower number run first. If a DROP rule matches, the pipeline stops — no later rules are evaluated. Multiple FORWARD and FAN_OUT rules can all fire for the same request.

priority 1priority 10priority 100(evaluated in this order)

Endpoint scope

A rule can be scoped to a specific endpoint or to the entire project (leave Endpoint blank). Project-wide rules are evaluated alongside endpoint-specific rules, all sorted by priority together.

Example — simple forward

{
  "name": "Route Stripe payments to staging",
  "priority": 10,
  "matchType": "JSON_PATH_EQUALS",
  "matchConfig": { "path": "$.type", "value": "payment_intent.succeeded" },
  "actionType": "FORWARD_TO_TARGET",
  "actionConfig": { "targetId": "<replay-target-id>" }
}

Example — compound match + fan-out

{
  "name": "Stripe charge events from production",
  "priority": 20,
  "matchType": "COMPOUND",
  "matchConfig": {
    "operator": "AND",
    "conditions": [
      { "type": "HEADER_EQUALS", "config": { "header": "x-source", "value": "stripe" } },
      { "type": "JSON_PATH_EQUALS", "config": { "path": "$.type", "value": "charge.succeeded" } }
    ]
  },
  "actionType": "FAN_OUT",
  "actionConfig": { "targetIds": ["<target-a>", "<target-b>"] }
}

Example — payload transform

{
  "name": "Strip PII before forwarding",
  "priority": 30,
  "matchType": "ALL",
  "actionType": "FORWARD_TO_TARGET",
  "actionConfig": { "targetId": "<replay-target-id>" },
  "transformConfig": {
    "rules": [
      { "op": "drop",   "field": "customer.email" },
      { "op": "rename", "from": "customerId", "to": "uid" },
      { "op": "set",    "field": "env", "value": "production" }
    ]
  }
}

✓

Use the ↑ / ↓ arrows on the Routing Rules page to reorder rules visually — this swaps their priority values automatically.

Alerts

Alerts let you get notified when something goes wrong with your webhooks. You configure channels (where to send) and rules (when to fire). Every alert dispatch is recorded as an AlertExecution for full audit history.

How to set up alerts

Create a channel — Go to Alerts → Channels → New Channel. Choose the type and fill in the config (email address, webhook URL, etc.)

Create a rule — Go to Alerts → Rules → New Rule. Select the rule type, the target endpoint, and link it to a channel.

Rule fires — When the condition is met, the alert engine dispatches a notification to the linked channel and records an AlertExecution for audit.

Review history — Every alert dispatch is logged in Alert Executions with status, message, and error details.

Channel types

Send an email to one or more addresses when an alert fires.

{ "to": ["ops@example.com", "dev@example.com"] }

Webhook

POST a JSON payload to any URL — pipe into Slack, PagerDuty, or your own handler.

{ "url": "https://hooks.example.com/alert", "headers": { "Authorization": "Bearer <token>" } }

PagerDuty

Trigger a PagerDuty incident via the Events API v2. Configurable severity (critical, error, warning, info).

{ "integrationKey": "<routing-key>", "severity": "error" }

Slack

Post a message directly to a Slack channel via an incoming webhook URL.

{ "url": "https://hooks.slack.com/services/T00/B00/xxxx" }

Discord

Post a message to a Discord channel via a Discord webhook URL.

{ "url": "https://discord.com/api/webhooks/123/xxxx" }

Rule types

Non-success statusNON_SUCCESS_STATUS

Fires when a captured request has a response status outside the 2xx/3xx range. Use this to get notified immediately when your downstream service starts returning errors.

params

{ "endpointId": "<endpoint-id>", "minStatus": 400 }

No requests in windowNO_REQUESTS_IN_WINDOW

Fires when no requests have arrived at an endpoint within the configured time window. Acts as a heartbeat monitor — perfect for detecting silent failures from upstream systems.

params

{ "endpointId": "<endpoint-id>", "windowMinutes": 15 }

Delivery failedDELIVERY_FAILED

Fires when a forwarded webhook exhausts all retry attempts and moves to the dead-letter queue. Optional targetUrl prefix filter narrows the rule to a specific downstream target.

params

{ "targetUrl": "https://api.example.com" }

Target downTARGET_DOWN

Fires when N consecutive deliveries to a replay target fail within a 1-hour window. A 30-minute per-rule cooldown prevents alert storms. Configurable consecutive failure threshold.

params

{ "targetId": "<target-id>", "consecutiveFailures": 3 }

Example rule

{
  "name": "Payment endpoint errors",
  "type": "NON_SUCCESS_STATUS",
  "params": {
    "endpointId": "<your-endpoint-id>",
    "minStatus": 400
  },
  "channelId": "<your-channel-id>"
}

●

Alert rules are project-scoped. A single channel can be shared by multiple rules across the same project. Each rule can target any endpoint in the project, or omit endpointId to monitor all endpoints.

Dead Letters

The Dead Letters page (/dashboard/jobs) collects Replay Jobs and Forward Logs that have exhausted all automatic retry attempts. It gives you a single place to triage, retry, or permanently discard delivery failures.

What ends up here

Failed Replays

Replay Jobs that exhausted all 3 delivery attempts. Each row shows the original request, target URL, last error, and attempt count.

Dead Forwards

Forward Logs from routing rules that could not be delivered after 3 attempts. Each row shows the target URL, HTTP status (if any), and last error.

Actions

Retry

Re-enqueues the item with a fresh attempt counter. The job re-enters the normal delivery queue with the same payload.

Discard

Permanently marks the item as CANCELED. It disappears from the Dead Letters list and will not be retried.

Retry policy

Attempts: 3 total (initial + 2 retries)

Backoff: Exponential — 2 s → 4 s → 8 s

Scope: Applies to both Replay Jobs and Forward Logs

On exhaustion: Status set to FAILED / DEAD; item surfaces in Dead Letters

●

Items are scoped to the selected workspace. Use the workspace selector at the top of the Dead Letters page to switch between workspaces.

Workspaces & Teams

Workspaces let you collaborate. Every workspace has members with one of three roles:

Role	How assigned	Permissions
OWNER	Created the workspace	Full access, manage billing, manage all members
ADMIN	Invited as Admin	Manage projects, endpoints, invite members
MEMBER	Invited as Member	View requests, use endpoints, run replays

To invite someone, go to Workspaces → Manage → Invite member. An invitation email is sent with a link that expires in 7 days.

●

The invitee does not need an existing account. If they are new to Hookbase, clicking the invite link will ask them to sign up first, then automatically accept the invitation.

Owners can grant individual MEMBER-role users additional permissions beyond read-only access. Expand a member row in the Members tab to toggle permissions:

Permission	What it allows
CAN_REPLAY	Re-fire captured requests to any replay target
CAN_MANAGE_ALERTS	Create, update, and delete alert rules and channels
CAN_MANAGE_ROUTES	Create, update, and delete routing rules
CAN_EXPORT	Download audit logs and request exports as CSV

✓

ADMIN and OWNER roles always have full access — fine-grained permissions only apply to MEMBER-role users.

Security

API key authentication

Generate named API keys from the API Keys page. Keys are prefixed hb_ and hashed with SHA-256 before storage — the raw value is shown only once at creation. Use the key via the x-api-key header or as a Bearer token in the Authorization header. Keys support optional expiry dates and show last-used timestamps.

Token-based endpoint security

Every endpoint URL contains a 128-bit random UUID token. Without the exact token, it is computationally infeasible to discover or brute-force an endpoint URL.

Token rotation

If a token is compromised, rotate it instantly from the Endpoints page. The old URL is invalidated immediately — no grace period.

Endpoint pausing

Pause an endpoint to block all incoming requests without deleting it. Useful for temporary maintenance or incident response.

IP allow-listing

Each endpoint has an optional IP allowlist. When one or more IPs are configured, any request arriving from an unlisted IP is rejected with 403 — nothing is stored.

Role-based access

Workspace members can only access data within their workspace. Owners and Admins control who can manage endpoints and invite new members.

Data isolation

Requests, projects, and endpoints are scoped to workspaces. No data is shared across workspaces.

Audit log

Every create, update, delete, role change, and status change is recorded in the workspace audit log with actor identity, action, entity type, and metadata. Admins and Owners can export up to 10,000 rows as CSV from Audit Log → Export.

PII redaction

Workspaces can enable automatic PII detection and redaction. When active, incoming payloads are scanned for email addresses, credit card numbers, SSNs, phone numbers, IBANs, and custom regex patterns before being written to the database. Original data is never stored.

Encryption at rest

Signing secrets, replay target headers, and alert channel configs are encrypted with AES-256-GCM envelope encryption keyed by the server-side SECRET_MASTER_KEY environment variable. The raw values are never stored or returned in API responses.

HMAC Signing Secrets

Each endpoint can optionally require senders to sign their requests with an HMAC-SHA256 signature. When a secret is configured, unsigned or incorrectly-signed requests are rejected with 401 Unauthorized before any data is stored. Endpoints without a secret continue to accept all requests — the feature is opt-in per endpoint.

Setting a secret

Go to Endpoints → Manage → Secret. Use the Generate button to create a cryptographically random 64-character hex secret, copy it, then click Save Secret. The value is encrypted at rest with AES-256-GCM — it is never returned in API responses.

How senders must sign requests

Compute HMAC-SHA256 of the raw request body using the secret, then send the hex digest in any one of these headers (checked in order):

• x-hub-signature-256 — GitHub-style, value: sha256=<hex>
• x-webhook-signature — bare hex digest
• x-signature — bare hex digest

Node.js example

import crypto from 'node:crypto'

const secret = process.env.WEBHOOK_SECRET  // the value you saved
const body   = JSON.stringify(payload)     // must match the raw bytes sent

// Option A — GitHub-style header
const sig = 'sha256=' + crypto
  .createHmac('sha256', secret)
  .update(body)
  .digest('hex')

await fetch(webhookUrl, {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'x-hub-signature-256': sig,
  },
  body,
})

Python example

import hmac, hashlib, requests

secret = os.environ['WEBHOOK_SECRET'].encode()
body   = json.dumps(payload).encode()

sig = 'sha256=' + hmac.new(secret, body, hashlib.sha256).hexdigest()

requests.post(webhook_url, data=body, headers={
    'Content-Type': 'application/json',
    'x-hub-signature-256': sig,
})

⚠ Always sign the exact raw bytes you send. Re-serialising the body on the sender side (e.g. re-ordering JSON keys) will produce a different signature and cause a 401.

Signing Secret Rotation

Rotate a signing secret without breaking live integrations. Go to Endpoints → Manage → Secret → Rotate Secret and choose a grace period:

Immediate

1 hour

24 hours

7 days

During the grace period both the old and new secrets are accepted. After the grace period expires, the old secret is automatically retired on the first incoming request — no manual step required. A pending rotation is displayed as an amber banner on the endpoint secret panel with the option to cancel. All rotation events are written to the audit log.

Enterprise (SSO & SCIM)

Enterprise workspaces can authenticate users through a corporate identity provider via Single Sign-On (SSO) and automate user lifecycle management through SCIM provisioning. Both are configured per-workspace from Workspaces → Manage → Enterprise.

Single Sign-On

Hookbase supports both OIDC (OpenID Connect) and SAML 2.0 identity providers — Okta, Azure AD, Google Workspace, Auth0, and any other standards-compliant IdP.

OIDC

Client ID and Client Secret
Issuer URL (e.g. https://accounts.google.com)
Email domain to scope sign-in (e.g. company.com)
Optional: discovery endpoint if non-standard

SAML 2.0

IdP Entry Point URL (SSO URL)
IdP Certificate (PEM format)
Issuer / Entity ID
Email domain to scope sign-in

How SSO sign-in works

1On the login page, click Sign in with SSO and enter your work email address.

2Hookbase resolves the provider by domain and redirects you to your IdP.

3After authenticating with your IdP, you are redirected back and signed in automatically.

4If no account exists, one is created linked to your workspace.

SP metadata for SAML

When configuring your IdP, use the following callback URL as the ACS (Assertion Consumer Service) URL:

https://<your-domain>/api/auth/sso/saml2/callback/ws-<workspace-id>

●

Each workspace has exactly one SSO provider. To change providers, remove the existing one from the Enterprise tab and configure a new one — no downtime required.

SCIM Provisioning

SCIM 2.0 lets your directory provider (Okta, Azure AD, JumpCloud, etc.) automatically create, update, and deactivate Hookbase accounts as people join or leave your organisation.

Setting	Value
SCIM Base URL	https://<your-domain>/api/auth/scim/v2
Authentication	Bearer token (generated in Enterprise tab)
Supported operations	Create user, update user, deactivate user

Token security

The SCIM bearer token is shown only once at generation time. Store it immediately in your IdP configuration — it cannot be retrieved again. If lost, generate a new token (this invalidates the previous one) and update your IdP.

✓

Only workspace Admins and Owners can configure SSO and SCIM. Both features are available from Workspaces → Manage → Enterprise.

Schema Detection & Contracts

Hookbase automatically infers the JSON schema of every captured webhook payload. As your upstream service evolves its payload structure, Hookbase stores each new schema as a versioned snapshot — so you always have a complete history of how your webhook shape has changed over time.

How auto-detection works

Receive a webhook

When a request arrives at an endpoint, Hookbase parses the JSON body and recursively walks the payload to infer field names, types (string, number, boolean, object, array, null), and nullability.

Deduplicate by hash

Each inferred schema is SHA-256 hashed. A new version is only created when the schema actually changes — repeated requests with the same shape produce no new versions.

First version becomes the contract

The very first schema version is automatically pinned as the contract — the reference shape your handlers are expected to receive. You can re-pin any later version as the contract at any time.

Viewing schema history

Every schema version is visible in the dashboard under Schemas, or per-endpoint via the Schema button in the Endpoints table. Each row shows the version number, a short hash, the capture date, and the contract badge.

Schema Tree

Visual typed tree of every field in the payload, including nested objects and arrays.

Visual Diff

Select any two versions to see exactly which fields were added, removed, or changed.

Contract Pin

Mark any version as the stable contract to generate mocks and run CI assertions against.

Diffing versions

The diff view highlights exactly what changed between any two schema versions — colour-coded green for added fields, red for removed, and yellow for type changes.

Hookbase schema diff <endpoint-id> --from 1 --to 3
# Output:
#   + body.amount       (number)  — added
#   ~ body.currency     type changed: null → string
#   - metadata.legacy   removed

Pinning a contract

The contract is the schema version you consider stable. Only one version per endpoint can be the contract at any time. Pinning a new version automatically unpins the previous one.

# Pin version 2 as the stable contract
Hookbase schema set-contract <endpoint-id> 2

✓

Pin a contract after every intentional breaking change on the upstream service side so your team can track when the payload shape was officially updated.

Mock payload generation

Hookbase can generate a realistic mock JSON payload that matches the pinned contract schema and POST it to any URL. This is useful for:

Testing your webhook handler locally without a real upstream service.
Running integration tests in CI pipelines.
Smoke-testing new deployments against the expected payload shape.

# Generate a mock payload and POST it to your local handler
Hookbase mock <endpoint-id> --forward-to http://localhost:3000/webhook

# Use in CI — exit 1 if response is not 200
Hookbase mock <endpoint-id> \
  --forward-to http://localhost:3000/webhook \
  --assert-status 200

●

Mock values are generated from types: strings become "string", numbers become 0, booleans false, arrays an empty list, and nested objects are recursively populated.

Command reference

Hookbase schema show <endpoint-id>Print the latest inferred schema for an endpoint as a typed tree.

Hookbase schema history <endpoint-id>List all schema versions: version number, hash, date, and whether it is the pinned contract.

Hookbase schema diff <endpoint-id> --from N --to MShow field-level diff between two schema versions (added / removed / changed).

Hookbase schema set-contract <endpoint-id> <v>Pin a specific schema version as the contract — used for mock generation and CI assertions.

Hookbase mock <endpoint-id> --forward-to <url>Generate a realistic mock payload from the pinned contract and POST it to a local URL.

Hookbase mock <endpoint-id> --forward-to <url> --assert-status <code>Same as above but exit with code 1 if the response does not match the expected HTTP status. Ideal for CI pipelines.

CLI

The Hookbase CLI gives you full terminal access to your webhook platform — tunnel public URLs to localhost, inspect and replay captured requests, manage endpoints, run schema contract tests in CI, and configure your workspaces without touching the dashboard.

Installation

npm / bun / pnpm:

npm install -g hookbase-cli

Homebrew (macOS / Linux):

brew install Hookbase/tap/Hookbase

Direct download (Windows / Linux):

curl -sSL https://cli.yourdomain.com/install.sh | sh

Authentication

Hookbase login

A browser window opens for you to complete the sign-in flow. Your session token is saved to ~/.Hookbase/credentials.

Or use an API key

Generate an API key in Settings → API Keys and pass it with every command:

Hookbase requests list --api-key whk_live_xxxxxxxxxxxxxxxx

Or set the environment variable:

export Hookbase_API_KEY=whk_live_xxxxxxxxxxxxxxxx

Tunnel — public URL to localhost

The tunnel command is the fastest way to expose your local webhook handler to the internet. It auto-creates a temporary endpoint, prints the public URL, streams all incoming requests to your local server, and deletes the endpoint on exit.

# One-command public URL for your local server
Hookbase tunnel --forward-to http://localhost:3000/webhooks
# → Public URL: https://hooks.yourdomain.com/hook/a4992507...
# Ctrl+C to stop and delete the temporary endpoint

✓

Use listen instead if you want to attach to an existing endpoint rather than creating a temporary one.

Forwarding from an existing endpoint

The listen command opens a persistent SSE connection and proxies every incoming request to your local server.

Hookbase listen <endpoint-id> \
  --forward-to http://localhost:3000/webhooks

Replaying requests

Replay any captured request to a new destination — useful for local debugging after a handler failure.

Hookbase replay req_01hxyz \
  --to http://localhost:3000/webhooks

Schema contracts & mock testing

Hookbase auto-detects the JSON schema from every captured payload. Use the schema and mock commands to inspect version history, diff schema changes, pin a stable contract, and drive contract tests directly from the CLI.

# In your CI pipeline:
Hookbase mock <endpoint-id> \
  --forward-to $WEBHOOK_HANDLER_URL \
  --assert-status 200

✓

See the Schema Detection & Contracts section for full documentation on how schema versioning and contract pinning work.

Configuration

Use Hookbase config to inspect your current settings or point the CLI at a self-hosted instance:

# View current config
Hookbase config show

# Point at a self-hosted instance
Hookbase config set-api-url https://api.yourdomain.com

Command reference — Auth & identity

Hookbase loginAuthenticate via browser. Session token saved to ~/.Hookbase/credentials.

Hookbase logoutRemove locally stored credentials.

Hookbase whoamiPrint the currently authenticated user, workspace, and project.

Command reference — Endpoints

Hookbase endpoints listList all endpoints with their tokens, status, and webhook URLs.

Hookbase endpoints create --project <id> --name "My Hook"Create a new endpoint and print the webhook URL.

Hookbase endpoints inspect <endpoint-id>Show full details of a single endpoint.

Hookbase endpoints pause <endpoint-id>Pause an endpoint — returns 403 to all incoming requests.

Hookbase endpoints resume <endpoint-id>Resume a paused endpoint.

Hookbase endpoints delete <endpoint-id>Permanently delete an endpoint and all its captured data.

Command reference — Requests

Hookbase requests listPrint the most recent captured requests as a table.

Hookbase requests list --method POST --status 4xxFilter by HTTP method and status class (2xx, 3xx, 4xx, 5xx).

Hookbase requests list --text "payment"Full-text search across path, headers, and body.

Hookbase requests list --from 2026-03-01 --to 2026-03-08Filter by date range.

Hookbase requests list --min-duration 500 --has-errorSlow requests that returned a non-2xx status.

Hookbase requests inspect <request-id>Print full details: method, path, status, headers, and body.

Hookbase requests pin <request-id>Pin a request to prevent purge by retention policies.

Hookbase requests share <request-id>Generate a time-limited public share link (no account required to view).

Command reference — Replay

Hookbase replay <request-id>Replay a captured request to its original endpoint.

Hookbase replay <request-id> --to <url>Replay to a specific URL — overrides the original destination.

Command reference — Tunnel & listen

Hookbase tunnelAuto-creates a temporary endpoint, prints the public URL, and forwards all arriving requests to --forward-to. Cleans up on Ctrl+C.

Hookbase tunnel --forward-to <url>Forward live requests to a local server. Equivalent of ngrok but powered by Hookbase.

Hookbase listen <endpoint-id> --forward-to <url>Forward requests from an existing endpoint to a local URL via the live SSE stream.

Command reference — Schema & mocks

Hookbase schema show <endpoint-id>Print the latest inferred schema as a typed field tree.

Hookbase schema history <endpoint-id>List all schema versions with hashes, dates, and contract status.

Hookbase schema diff <endpoint-id> --from <v> --to <v>Show a field-level diff between two versions (added / removed / changed).

Hookbase schema set-contract <endpoint-id> <version>Pin a schema version as the stable contract for mocks and CI assertions.

Hookbase mock <endpoint-id> --forward-to <url>Generate a mock payload from the pinned contract and POST it to a URL.

Hookbase mock <endpoint-id> --forward-to <url> --assert-status <code>Same as above, but exit 1 if the response status does not match. Perfect for CI.

Command reference — Projects & workspaces

Hookbase projects listList all projects across your workspaces.

Hookbase projects create --workspace <id> --name "Prod" --slug prodCreate a new project.

Hookbase projects delete <project-id>Delete a project (irreversible).

Hookbase workspaces listList all workspaces you belong to.

Hookbase workspaces members <workspace-id>List members and roles in a workspace.

Command reference — Routing rules

Hookbase routing-rules list --project <id>List all routing rules in a project with match type, action, and priority.

Hookbase routing-rules inspect <rule-id>Print full rule configuration including match and action config.

Hookbase routing-rules delete <rule-id>Delete a routing rule.

Command reference — Config

Hookbase config showPrint the current CLI configuration (API URL, workspace, project, login status).

Hookbase config set-api-url <url>Point the CLI at a self-hosted Hookbase instance.

Global flags

--workspace <id>Override the active workspace for this command.

--project <id>Override the active project for this command.

--output jsonOutput raw JSON instead of formatted tables.

--api-key <key>Use a specific API key instead of the stored session token.

--take <n>Limit the number of results returned (default: 20).

●

Run Hookbase <command> --help at any time for full flag documentation.