Payment declines, suspicious logins, account lockouts — route security events to your fraud engine with guaranteed delivery, HMAC verification, and an immutable audit trail.
The HTTP webhook protocol has no persistence, no retries, and no observability — and it shows.
A payment processor sends a charge.disputed event. Your fraud engine is redeploying. The event is lost. The dispute goes uninvestigated. The chargeback succeeds. One missed event costs real money.
Without verifying the HMAC signature on each inbound security event, an attacker can POST fake events to your fraud engine — triggering false positives or hiding real fraud signals.
PCI-DSS and SOC 2 audits require evidence that security events were received, processed, and acted upon. Without a persistent event log with attempt history, you cannot satisfy these requirements.
From raw HTTP POST to guaranteed delivery — set up in under 10 minutes.
Create a Source with HMAC verification enabled. GetHook rejects any request that fails signature verification before it reaches your fraud engine — forged requests are blocked at the gateway.
POST /v1/sources
{ "name": "payment-processor-events", "auth_mode": "hmac", "verification_config": { "header": "X-Payment-Signature", "secret": "processor-webhook-secret" } }
Route payment.declined and login.suspicious to your real-time fraud engine. Route * to your immutable audit log. Every security event is captured, regardless of destination delivery status.
POST /v1/routes
{ "event_type_pattern": "payment.declined", "destination_id": "dest_fraud_engine" }
{ "event_type_pattern": "login.suspicious", "destination_id": "dest_risk_api" }
{ "event_type_pattern": "*", "destination_id": "dest_audit_log" }
After an incident, replay the full sequence of security events to reconstruct the attack timeline. The immutable event log with payloads and timestamps supports forensic analysis.
GET /v1/events?source_id=src_…&status=dead_letter
# Returns all events that failed delivery
# POST /v1/events/{id}/replay to re-process
5-attempt exponential backoff ensures security events reach your fraud engine even during brief outages. Dead-lettered events are preserved for replay.
Forged security events are rejected before they reach your fraud engine. Signature verification runs on every inbound request.
Security event payloads and signing secrets are encrypted with AES-256-GCM. No plaintext sensitive data in the database.
Every security event is logged with full payload, attempt history, response codes, and timestamps. Satisfies SOC 2, PCI-DSS, and ISO 27001 audit requirements.
Route critical security events to PagerDuty, Slack, and your fraud engine simultaneously. One event, multiple response channels.
Reconstruct attack timelines by replaying the full sequence of security events. Post-incident analysis without re-triggering the original fraud vectors.
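The verify-then-route order described in the Source and Route steps above, as an added example that is not GetHook's own code. It assumes the signature is a hex HMAC-SHA256 over the raw request body, that the event type is carried in a `type` field, and that a pattern is either an exact event type or `*`; the function names are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed configuration mirroring the Source and Route bodies shown above.
SOURCE = {"auth_mode": "hmac",
          "verification_config": {"header": "X-Payment-Signature",
                                  "secret": "processor-webhook-secret"}}
ROUTES = [
    {"event_type_pattern": "payment.declined", "destination_id": "dest_fraud_engine"},
    {"event_type_pattern": "login.suspicious", "destination_id": "dest_risk_api"},
    {"event_type_pattern": "*", "destination_id": "dest_audit_log"},
]

def sign(secret: str, raw_body: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 over the exact bytes received."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()

def verify(source: dict, headers: dict, raw_body: bytes) -> bool:
    cfg = source["verification_config"]
    # Header names are case-insensitive; a missing or empty header fails closed.
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(cfg["header"].lower(), "").strip().lower()
    if not presented:
        return False
    expected = sign(cfg["secret"], raw_body)
    # Constant-time comparison: do not leak how many characters matched.
    return hmac.compare_digest(presented.encode(), expected.encode())

def ingest(source: dict, routes: list, headers: dict, raw_body: bytes) -> list:
    """Return destination ids for an authentic event, [] for a rejected one."""
    if not verify(source, headers, raw_body):
        return []  # rejected before the body is parsed or routed
    event_type = json.loads(raw_body).get("type", "")  # "type" is an assumption
    return [r["destination_id"] for r in routes
            if r["event_type_pattern"] in ("*", event_type)]

if __name__ == "__main__":
    body = b'{"type": "payment.declined", "amount": 4200}'  # constructed event
    hdrs = {"x-payment-signature": sign("processor-webhook-secret", body)}
    print(ingest(SOURCE, ROUTES, hdrs, body))                         # authentic
    print(ingest(SOURCE, ROUTES, hdrs, body.replace(b"4200", b"1")))  # tampered
```

The signature is checked against the bytes as received, before any JSON parsing; re-serializing the body first would change the bytes and break verification.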