Security

Hookbase is built for teams handling real webhook traffic in production. This page covers the controls available for authentication, request handling, data retention, and operational safeguards. Teams remain responsible for the sensitivity of data they send through the platform.

Transport integrity

HTTPS + HMAC verification

Access control

2FA, SSO, workspace roles

Operational visibility

Audit logs, alerting, replay

Account protection

Authentication and access boundaries are layered by design.

  • Passwords are stored as hashes rather than plaintext.
  • Optional two-factor authentication is available for user accounts.
  • Enterprise workspaces can use SSO / SAML for centrally managed access.
  • Workspace member access is role-based rather than shared credentials.

Request security

Payload handling is intentional — capture, inspect, and forward are separate explicit actions.

  • Endpoint-level signing secrets can be used to verify inbound HMAC signatures.
  • Captured request data includes headers, body, timing, and response metadata.
  • Replay and forwarding actions are explicit product actions rather than hidden automatic retries.
  • Share links can be revoked and should be treated as sensitive — they expose request content to anyone holding the token.

Data retention

Request history follows the workspace plan. Deletion is final.

  • Request retention: 7 days on Developer, 30 days on Pro, 365 days on Enterprise.
  • Pinned requests are excluded from automatic purge until manually unpinned.
  • Account deletion removes associated data within the documented deletion window.
  • Usage counters are retained for quota enforcement and billing visibility.

Abuse controls

Rate limits, quotas, and alerting protect both the platform and your integrations.

  • Rate limits and quotas apply to critical paths including replay and webhook ingestion.
  • Alerting surfaces failure spikes, slowdowns, and operational anomalies.
  • Audit logs record sensitive changes and actions at workspace level.
  • Replay targets, routing rules, and API keys are plan-gated and workspace-scoped.

Responsible disclosure

If you believe you have found a security vulnerability, contact us before public disclosure. Include reproduction steps, impact, and any relevant request details. We aim to acknowledge reports within 24 hours.

Security contact[email protected]
IncidentsInclude your workspace name, affected endpoint, timeframe, and any request IDs.
Legal operatorAfriSYS Group Ltd trading as Hookbase