Naptown Labs

Instant Webhook URLs
for Testing

Create a unique URL in one click, send any HTTP request to it, and see the full payload in real time. Debug webhooks, test integrations, and forward requests — no signup required.

hooktest.dev

API Routes

DB Tables

Blog Posts

5K+

Developers

Core Features

Everything you need to debug webhooks

A fire-and-forget webhook testing tool. The modern alternative to RequestBin and webhook.site.

🔗

Instant URLs

Get a unique webhook URL in one click. No signup, no config. Start capturing HTTP requests immediately.

⚡

Real-Time SSE Feed

Watch requests arrive live via Server-Sent Events. See method, headers, body, query params, and source IP instantly.

🔄

Auto-Forwarding

Forward captured requests to Slack, Discord, or any custom URL. Perfect for monitoring production webhooks in real time.

🎯

Custom Responses

Configure custom HTTP status codes and response bodies for your webhook URL. Simulate any API behavior for testing.

🔒

Passwordless Auth

Magic link authentication via email (Resend). No passwords to remember. Secure httpOnly cookie sessions with JWT.

💰

Stripe Billing

Seamless Pro upgrade via Stripe Checkout. Webhook handler for subscription events including payment failure downgrade.

How It Works

Three steps to webhook testing

No signup, no config, no waiting. Create and start capturing in seconds.

Create a Bin

Click the button and get a unique webhook URL. That's it — no account required.

Send Requests

Point your webhook, API, or curl at the URL. Any HTTP method works — GET, POST, PUT, DELETE, PATCH.

Inspect & Forward

See every request in real time via SSE. Optionally auto-forward to Slack, Discord, or your own endpoint.

# Create a bin and send a test webhook
curl -X POST https://hooktest.dev/api/hook/abc123 \
  -H "Content-Type: application/json" \
  -d '{"event": "payment.success", "amount": 49.99}'

# The request appears instantly in your real-time feed
# Method: POST | Headers | Body | Query | Source IP

# Stream live requests via SSE
curl https://hooktest.dev/api/bins/abc123/stream
    

Architecture

How it works under the hood

Serverless on Vercel with SQLite at the edge. Zero infrastructure to manage.

Client

Any HTTP Method

→

Webhook Receiver

/api/hook/[slug]

→

Database

Turso (SQLite)

→

Real-time

SSE Stream

Forwarding

Slack / Discord / URL

←

Rules Engine

forwarding_rules

←

Captured

requests table

Auth

Magic Link + JWT

→

Billing

Stripe Checkout

→

Cleanup

Daily Cron Job

// DB Schema — 4 tables
bins       → id, slug, ownerId, ownerToken, responseStatus, responseBody, expiresAt, requestCount, maxRequests
requests   → id, binId, method, path, headers, body, query, sourceIp, createdAt
users      → id, email, stripeCustomerId, isPro, magicToken, magicTokenExpiresAt
forwarding → id, binId, type (slack|discord|url), target, active

// API Routes
POST   /api/bins                  — create new bin
GET    /api/bins                  — list user's bins
ALL    /api/hook/[slug]           — capture webhook (all methods)
GET    /api/bins/[slug]/requests  — list captured requests
GET    /api/bins/[slug]/stream    — SSE real-time feed
POST   /api/auth/send-magic-link  — passwordless auth
GET    /api/auth/verify           — verify magic link token
POST   /api/checkout              — Stripe subscription
POST   /api/webhook               — Stripe webhook handler
GET    /api/cron/cleanup          — daily expired bin cleanup
    

Security

Hardened through 3 audit rounds

Comprehensive security audit identified and fixed critical issues across auth, data exposure, and infrastructure.

🛡

IDOR Protection

Owner token column on bins with httpOnly cookie. Ownership checks on PATCH/DELETE. Timing-safe comparison prevents token extraction.

🔐

Header Sanitization

Vercel internal headers (x-vercel-*, x-forwarded-*, cf-*) stripped before storage. No infrastructure leaks in captured requests.

📐

Rate Limiting

10 bins per IP per hour via in-memory rate limiter. 256KB body size cap on webhook receiver prevents abuse.

🔒

SSRF Prevention

Forwarding URL validation blocks private IPs (10.x, 172.16-31.x, 192.168.x), loopback, and non-HTTP(S) schemes.

🛡

Security Headers

CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy, Permissions-Policy, HSTS with preload.

💰

Payment Resilience

Stripe webhook handles invoice.payment_failed to auto-downgrade Pro users. No hardcoded secrets — JWT_SECRET required at runtime.

Pricing

Simple, transparent pricing

Free for quick tests. Pro for permanent endpoints and production use.

Free

$0 /forever

Instant webhook URLs
100 requests per bin
24-hour bin expiry
Real-time SSE feed
No signup required

Pro

$4.99/mo

Unlimited requests per bin
Permanent bins (no expiry)
Slack webhook forwarding
Discord webhook forwarding
Custom URL forwarding
Custom response codes & bodies
Dashboard & bin management
Cancel anytime

Tech Stack

Built with modern tools

Serverless-first, edge-native, zero infrastructure to manage.

▲

Next.js 15

App Router + API Routes

◓

Turso

SQLite at the Edge

💧

Drizzle ORM

Type-safe Queries

💌

Stripe

Subscriptions + Webhooks

✉

Resend

Magic Link Email

☁

Vercel

Hosting + Serverless

🎨

Tailwind CSS

UI Styling

🔐

jose (JWT)

Session Management

Ready to try it?