Inspect Every Byte of Your Webhook — Before It Touches Your Code

Your Stripe integration has been running for six months. Last week, a charge.refunded event started failing silently. You've been handling payment_intent.succeeded correctly for months — but the refund event has a field structure you've never seen before. You didn't know because you'd never tested against a real refund event. You built against the documentation, not the actual payload.

This is how most webhook bugs start: a gap between the payload shape you expect and the payload shape that actually arrives.

The payload inspection problem

Webhook provider documentation shows you simplified examples. Real production events include nested objects, optional fields, provider-version-specific additions, and header combinations that only exist under specific conditions.

The gap between "the docs say the payload looks like this" and "the payload actually looks like this" is where webhook handlers break.

Until you see the real payload, you're guessing.

What HookTunnel shows you

Every inbound request is captured with full fidelity:

Headers — all of them, including provider-specific headers like Stripe-Signature, X-Twilio-Signature, Content-Type, and custom headers your provider adds Body — the complete request body, formatted and syntax-highlighted Metadata — HTTP method, path, query parameters, content length, timestamp (with millisecond precision), client IP Delivery context — whether the event was forwarded to a target, the response status code, response latency

Click any event to see the full detail. Copy any field value. Compare events side by side.

Signature verification is built in

When a Stripe event arrives, HookTunnel automatically checks the Stripe-Signature header against your configured signing secret and shows a verified/invalid status. You know immediately whether Stripe sent this event or whether something is wrong with your webhook configuration.

Persistent, not session-scoped

Unlike ngrok's inspect window — which disappears when your tunnel session ends — HookTunnel events are stored. The event that arrived three days ago is still there. You can open it, inspect it, and replay it.

Free tier: 24 hours. Pro: 30 days. Team: 90 days. Enterprise: 1 year.

What makes HookTunnel's inspector better

vs. ngrok inspect window: ngrok's inspector is tied to your live tunnel session. Close ngrok, lose your events. HookTunnel stores every event. Reconnect your tunnel tomorrow and replay everything you missed.

vs. Webhook.site: Webhook.site shows you the payload. HookTunnel shows you the payload, signature verification status, delivery attempt history, and whether the event was actually applied by your application. It's the difference between "here's the message" and "here's what happened to the message."

vs. manual logging in your handler: Adding console.log(req.body) to your handler means you can only inspect events that made it to your handler. Events that arrived while your handler was down are gone.

Beyond inspection: semantic search

The hardest part of debugging from logs isn't reading one event — it's finding the right event among hundreds.

HookTunnel's semantic search understands meaning. Type "failed payment for enterprise customer" and it returns events semantically related to that description, even if those exact words don't appear in the payload. Client-side, under 50ms, no API call.

The outcome context

Here's what no other webhook inspector shows you: whether the event was applied by your application.

Every event in HookTunnel shows three status indicators:

• Paid (Stripe): signature verified, payment event type confirmed
• Delivered: your handler returned 2xx
• Applied: your application sent a receipt confirming the side-effect was committed

This turns the inspector from a passive log viewer into an active debugging tool. You're not just seeing what arrived — you're seeing what happened to it.

Frequently asked questions

How long are webhook payloads stored? Free: 24 hours. Pro: 30 days. Team: 90 days. Enterprise: 1 year.

Can I inspect Stripe signature headers? Yes. Stripe-Signature is shown with verification status. Invalid signatures are flagged visually.

Is there a payload size limit? Standard webhook payloads (up to 5MB) are fully stored. Larger payloads are stored with metadata only (body truncated).

Can I search through old webhook payloads? Yes — semantic search across your full retention history. Find events by meaning, not just text matching.

Can I share a webhook inspection link? Payloads are private to your account (RLS-enforced). You can share a direct link to a specific event with other members of your account.

Does inspecting a webhook affect delivery? No. Capture is non-blocking. Your event is forwarded to your configured target regardless of whether you've viewed the inspection.