Security

A practical security posture for webhook operations

Hookbase is built for teams handling real webhook traffic in production. That means request visibility, replay control, access boundaries, retention rules, and operational safeguards matter just as much as transport security. This page summarises the core controls available in the product today.

Transport and request integrity

Hookbase is designed to receive traffic over HTTPS and supports endpoint-level HMAC verification, so teams can check that an inbound payload was produced by a holder of the shared signing secret and was not altered in transit. A valid signature on its own does not prove freshness: unless the signed data also covers a timestamp or nonce, a captured request can be replayed with a still-valid signature, which is why verification should be paired with a replay window.

Access control and authentication

Accounts support password-based authentication, two-factor authentication, workspace roles, API keys, and Enterprise SSO / SAML so access can be controlled at the right operational level.

Operational visibility

Audit logs, request history, retention controls, replay workflows, and alerting are all built to help teams understand what happened before they take action.

Security controls

What the product is designed to protect

Authentication and account protection

  • Passwords are stored as hashes rather than plaintext.
  • Optional two-factor authentication is available for user accounts.
  • Enterprise workspaces can use SSO / SAML for centrally managed access.
  • Workspace member access is role-based rather than shared credentials.

Request security and payload handling

  • Endpoint-level signing secrets can be used to verify inbound HMAC signatures.
  • Captured request data includes headers, body, timing, and response metadata so teams can investigate failures accurately.
  • Replay and forwarding actions are explicit product actions rather than hidden automatic retries.
  • Share links can be revoked and should be treated as sensitive because they expose request content to anyone holding the token.
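The following is an added illustration of the inbound HMAC verification described above, not code from Hookbase or its documentation. The header names, the "sha256=" prefix, and the "timestamp.body" message layout are assumptions chosen for the example; a real integration must follow the sender's documented scheme. It shows the three points a receiver gets wrong most often: verifying over the raw body bytes rather than a re-serialised copy, comparing in constant time, and binding a timestamp into the MAC so replays can be rejected.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed wire format (hypothetical, for illustration; not Hookbase's documented scheme):
#   X-Webhook-Timestamp: Unix seconds at signing time
#   X-Webhook-Signature: "sha256=" + hex(HMAC-SHA256(secret, "<timestamp>.<raw body bytes>"))
SIGNATURE_HEADER = "x-webhook-signature"
TIMESTAMP_HEADER = "x-webhook-timestamp"
MAX_SKEW_SECONDS = 300  # signatures older or newer than this are rejected as replays / clock drift


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Signature the upstream sender attaches. Binding the timestamp into the MAC is what
    lets the receiver reject replays; HMAC over the body alone proves only origin and integrity."""
    message = str(timestamp).encode("ascii") + b"." + body
    return "sha256=" + hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now: Optional[int] = None) -> tuple:
    """Return (accepted, reason) for one inbound request.

    Verifies over the raw body bytes exactly as received, compares in constant time,
    and enforces a replay window on the signed timestamp."""
    now = int(time.time()) if now is None else now
    hdrs = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    presented = hdrs.get(SIGNATURE_HEADER, "")
    if not presented.startswith("sha256="):
        return False, "missing or malformed signature header"
    try:
        ts = int(hdrs.get(TIMESTAMP_HEADER, ""))
    except ValueError:
        return False, "missing or malformed timestamp header"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign(secret, ts, body)
    # compare_digest does not short-circuit on the first differing byte, so timing
    # does not reveal how much of a forged signature was correct.
    if not hmac.compare_digest(expected.encode("ascii"), presented.encode("ascii")):
        return False, "signature mismatch"
    return True, "ok"


def demo() -> dict:
    """Constructed traffic exercising the accept path and the common failure modes."""
    secret = b"whsec_example_secret"  # constructed; a real secret comes from the endpoint config
    now = 1_700_000_000
    body = b'{"event":"invoice.paid","id":"inv_123","amount":1999}'  # constructed payload
    headers = {"X-Webhook-Timestamp": str(now), "X-Webhook-Signature": sign(secret, now, body)}

    results = {"valid": verify(secret, headers, body, now)[0]}
    # 1. Body altered after signing: the MAC no longer matches.
    tampered = body.replace(b'"amount":1999', b'"amount":1')
    results["tampered_body"] = verify(secret, headers, tampered, now)[0]
    # 2. Same request replayed after the window: the timestamp is signed, so it cannot be refreshed.
    results["replayed_later"] = verify(secret, headers, body, now + MAX_SKEW_SECONDS + 1)[0]
    # 3. Signature produced without the endpoint secret.
    results["wrong_secret"] = verify(b"not-the-secret", headers, body, now)[0]
    # 4. Pitfall: verifying over a re-serialised body instead of the raw bytes. Reformatting the
    #    JSON is semantically harmless but changes the bytes the MAC covers, so verification fails.
    reserialised = json.dumps(json.loads(body)).encode()
    results["reserialised_body"] = verify(secret, headers, reserialised, now)[0]
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:>18}: {'accepted' if accepted else 'rejected'}")
```

Running the block prints one line per case; only the untouched request is accepted. The re-serialised case is the one that bites in practice: frameworks that parse the JSON before the handler runs, then hand the handler a re-encoded object, will produce spurious signature failures unless the verifier is given the original request bytes.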

Retention and data lifecycle

  • Request retention follows the workspace plan: 7 days on Developer, 30 days on Pro, and 365 days on Enterprise.
  • Pinned requests are excluded from automatic purge until manually unpinned.
  • Account deletion removes associated data within the documented deletion window.
  • Usage counters are retained for quota enforcement and billing visibility.

Abuse controls and operational safeguards

  • Rate limits and quotas are used to protect critical paths such as replay and webhook ingestion.
  • Alerting helps surface failure spikes, slowdowns, and operational anomalies earlier.
  • Audit logs provide an account-level record of sensitive changes and actions.
  • Replay targets, routing rules, and API keys are plan-gated and workspace-scoped.

Reporting vulnerabilities

If you believe you have found a security issue, please disclose it responsibly to [email protected]. Include reproduction steps, impact, and any relevant logs or request details.

Operational incidents

For active incidents affecting production traffic, include your workspace name, affected endpoint, timeframe, and any request IDs that help us trace the issue quickly.

Important note

Webhook payloads can contain sensitive customer or business data. Teams using Hookbase remain responsible for the legality and sensitivity of the data they send through the service.

Security contact

[email protected]

Disclosure path

Responsible disclosure welcomed. We aim to respond within 24 hours.

Legal operator

AfriSYS Group Ltd trading as Hookbase