Security

Webhooks sit between your systems and your customers'. We treat them as critical infrastructure.

Signed delivery

Every webhook we send is signed with HMAC-SHA256. Your consumers verify the signature with a shared secret, so they can trust the payload's origin and integrity. Secrets can be rotated at any time.

Encryption

• In transit: TLS for every connection, inbound and outbound.
• At rest: payloads and secrets are encrypted in our European datastores.

Reliability as a security property

• Automatic exponential retries on failure.
• Manual replay of any past event.
• Full, queryable delivery logs for audit and incident response.

European, auditable infrastructure

All event data is hosted in the EU (France). We run on open, widely-audited components and keep our subprocessor list public and versioned. See our sovereignty commitment.

Responsible disclosure

Found a vulnerability? Email security@wehook.io. We acknowledge reports quickly and will work with you on a fix. Please do not publicly disclose before we have had a chance to respond.