Catch, inspect, and replay any HTTP webhook in real time. No more lost payloads. No more ngrok nightmares. No more guessing what Stripe actually sent you.
Works with your stack
You used a free bin to test Stripe webhooks. You went to bed. You woke up. The request is gone. Now you're debugging blind.
You tunnel localhost, add a temporary route, paste JSON into Postman, and pray your laptop doesn't sleep. This is not a workflow. This is suffering.
Stripe updated their object shape last Tuesday. Your integration broke Wednesday. You have no record of what the old payload looked like. Good luck.
You need a permanent, replayable inbox for your webhooks.
Get a unique public URL in one click. Accept any HTTP method. Store headers, body, query params, and IP. All in real time.
Syntax-highlighted JSON viewer. Headers table. Query param breakdown. Search by body text, filter by status, sort by time. Dark mode included — obviously.
Click any past webhook. Edit the target URL. Modify the payload. Hit replay. Watch it hit your local server with the exact same data. Fix bugs without waiting for the next real event.
Select any two webhooks and see exactly what changed side-by-side. Perfect for debugging when Stripe updates their payload shape or tracking down regressions.
Pro and Team plans get clean, memorable URLs. No more random strings. Looks professional in your webhook settings.
Get notified in Slack, Discord, or Telegram the instant a webhook hits — or when your server responds with a 500. Set it and forget it.
Share projects with your team in real time. Comment on webhooks, tag teammates, and track every action in the activity log. Free users on team projects get full TEAM privileges.
A centralized, real-time comment stream across all your team's webhooks. Reply inline, react with likes, and jump directly to any webhook — all without leaving the workspace.
Send realistic test payloads from Stripe, GitHub, Shopify, Twilio, Slack, Discord, and 10+ more providers to any URL. No setup required.
Webhooks sent to /hook/abc123/api/webhook forward to localhost:3000/api/webhook automatically. Your routes stay intact.
Instantly verify Stripe, GitHub, PayPal, and Shopify webhook signatures. Debug HMAC and signature mismatches with clear error messages and common fixes.
With HookSwing, everything is easy. Point Stripe, PayPal, GitHub — whatever you use — to a single URL. We preserve the path and forward it straight to your local server.
https://hooks.hookswing.com/hook/project-1https://hooks.hookswing.com/hook/project-1localhost:3000/api/stripe/webhookhttps://hooks.hookswing.com/hook/project-1localhost:3000/api/paypal/webhookhookswing forward project-1 3000That's it. Any port number works — 3000, 8080, 1337, whatever you use.
Real-time comment stream across all team webhooks with inline replies and reactions.
Expandable sidebar chat with 5-min reply promise and built-in feedback forms.
Safe routers, graceful shutdowns, and connection pooling that will not let you down.
Shared comment cache eliminates request floods. One fetch per webhook, period.
npm CLI: Install hookswing globally. Run hookswing forward to pipe webhooks straight to localhost. No ngrok. No tunnel config. Just works.
Web CLI: Prefer staying in the browser? Open the built-in terminal right in your dashboard at /dashboard/cli — same commands, zero install.
View CLI Docs →Create a team workspace. Share projects. Comment on specific webhooks. ('This one caused the double-charge bug.') Export logs for compliance. Your backend team and your frontend team finally speak the same language.
"Our team was sharing ngrok URLs in Slack like cavemen. Now we have one shared project in HookSwing. Everyone sees the same webhooks. No more chaos."
Connect Slack, Discord, or Telegram. Get notified the moment a webhook arrives — or when your server returns a 500. Compare two webhooks side-by-side to spot exactly what changed. No more refreshing the dashboard like a maniac.
A security researcher sent forged Stripe webhooks to 6,000 websites. 1,542 returned "200 OK" and processed them as real payments. No signature. No verification. No actual money.
The attacker didn't hack anything. They just told those servers 'I paid' — and the servers believed it.
A researcher sent a fake checkout.session.completed event with NO signature header. 1,542 apps said 'thanks for the payment' and activated accounts, shipped products, or granted premium access.
Developers use app.use(express.json()) globally, then try to verify Stripe signatures. But the body is already parsed into a JavaScript object. The signature never matches. Some devs just... remove the verification.
The developer journey: build route → console.log body → get logic working → 'TODO: add signature check' → ship → 6 months pass → forget → get exploited.
HookSwing doesn't just catch your webhooks. It makes sure nobody else can fake them.
Test your own webhook endpoint in 10 seconds. Find out if you're one of the 1,542 before an attacker does.
Enter your webhook URL. HookShield sends three test payloads: one with no signature, one with an invalid signature, and one with the wrong secret. See exactly how your server responds.
Green (90-100): You're secure. Yellow (70-89): Mostly safe. Red (0-69): Vulnerable. No guessing. No "I think it's fine." Just facts.
If you're vulnerable, HookShield generates the exact code you need for Express, FastAPI, Next.js, or Django. Copy, paste, deploy. Signature verification in 5 minutes.
| webhook.site | ngrok | HookSwing | |
|---|---|---|---|
| Catch webhooks | ✅ 24h | ✅ Live | ✅ 90 days |
| Replay payloads | ❌ | ❌ | ✅ |
| Forward to localhost | ❌ | ✅ | ✅ |
| Security scan your endpoint | ❌ | ❌ | ✅ HookShield |
| Detect signature vulnerabilities | ❌ | ❌ | ✅ |
| Generate fix code | ❌ | ❌ | ✅ |
Other tools help you test. HookSwing helps you test AND makes sure you don't get exploited in production.
// ❌ WRONG: express.json() breaks signature verification
app.use(express.json());
app.post('/api/webhook/stripe', (req, res) => {
// req.body is already parsed — signature NEVER matches
});
// ✅ CORRECT: Use express.raw() on the webhook route
app.post('/api/webhook/stripe',
express.raw({ type: 'application/json' }),
(req, res) => {
const sig = req.headers['stripe-signature'];
let event;
try {
event = stripe.webhooks.constructEvent(
req.body, sig, process.env.STRIPE_WEBHOOK_SECRET
);
} catch (err) {
return res.status(400).send(`Webhook Error: ${err.message}`);
}
// Process verified event safely
res.json({ received: true });
}
);This is the exact fix HookShield generates for your framework.
Every webhook payload, header, and response body is encrypted with AES-256-GCM before it hits the database. Only you can read it.
Industry-standard authenticated encryption. Each webhook gets a unique IV and authentication tag. Tamper-proof by design.
Decryption happens automatically when you view webhooks in the dashboard, forward them to integrations, or export data. You never touch a key.
Existing webhooks remain readable. New webhooks are encrypted automatically. No migration scripts, no downtime, no broken dashboards.
No configuration required. Encryption is enabled for all projects, all plans, at no extra cost.
Sign up. Click "New Project". We give you a unique URL.
Drop that URL into Stripe, GitHub, PayPal, your payment gateway, or any service that sends webhooks. They all work. We catch everything.
See the payload in real time. Replay it against localhost. Fix your code. Ship. Sleep.
All plans include SSL, API access, and dark mode. Upgrade or downgrade anytime.
"I lost a critical Stripe payload during a production incident using webhook.site — it had expired. HookSwing kept it. That alone paid for the year."
"The replay feature let me take a webhook from last Tuesday, change the amount field, and re-fire it at my local server. Fixed the bug without waiting for Stripe to send another real event."
"We stopped sharing ngrok URLs in Slack. One shared project, everyone sees the same webhook feed in real time, and the discussion feed means no context gets lost."
Scan your webhook endpoint free. Fix the vulnerability in 5 minutes. Sleep better tonight.
No signup required for first scan. Takes 10 seconds. Results in real time.
Join 500+ developers who stopped losing webhooks. Start free. Upgrade when you're ready.