Security
Hookbase is built for teams handling real webhook traffic in production. This page covers the controls available for authentication, request handling, data retention, and operational safeguards. Teams remain responsible for the sensitivity of data they send through the platform.
Transport integrity
HTTPS + HMAC verification
Access control
2FA, SSO, workspace roles
Operational visibility
Audit logs, alerting, replay
Account protection
Authentication and access boundaries are layered by design.
- Passwords are stored as hashes rather than plaintext.
- Optional two-factor authentication is available for user accounts.
- Enterprise workspaces can use SSO / SAML for centrally managed access.
- Workspace member access is role-based rather than shared credentials.
Request security
Payload handling is intentional — capture, inspect, and forward are separate explicit actions.
- Endpoint-level signing secrets can be used to verify inbound HMAC signatures.
- Captured request data includes headers, body, timing, and response metadata.
- Replay and forwarding actions are explicit product actions rather than hidden automatic retries.
- Share links can be revoked and should be treated as sensitive — they expose request content to anyone holding the token.
Data retention
Request history follows the workspace plan. Deletion is final.
- Request retention: 7 days on Developer, 30 days on Pro, 365 days on Enterprise.
- Pinned requests are excluded from automatic purge until manually unpinned.
- Account deletion removes associated data within the documented deletion window.
- Usage counters are retained for quota enforcement and billing visibility.
Abuse controls
Rate limits, quotas, and alerting protect both the platform and your integrations.
- Rate limits and quotas apply to critical paths including replay and webhook ingestion.
- Alerting surfaces failure spikes, slowdowns, and operational anomalies.
- Audit logs record sensitive changes and actions at workspace level.
- Replay targets, routing rules, and API keys are plan-gated and workspace-scoped.
Responsible disclosure
If you believe you have found a security vulnerability, contact us before public disclosure. Include reproduction steps, impact, and any relevant request details. We aim to acknowledge reports within 24 hours.