HookGrabber
Sign in

Documentation

Everything you need to get up and running.

Quick start

  1. 1 Sign in with GitHub and go to your dashboard.
  2. 2 Click New endpoint — you'll get a unique URL like https://hookgrabber.dev/in/xK9mPqRt.
  3. 3 Paste that URL into your webhook provider (Stripe, GitHub, etc.) as the destination.
  4. 4 Trigger a webhook event — it appears in your dashboard in real time. Click it to inspect headers, body, and timing.
  5. 5 Use Replay to resend any request to your local server or staging environment without triggering the original event again.

Replaying requests

Select any captured request in the dashboard, then click Replay. Enter the target URL and HookGrabber will resend the exact original request — same method, headers, and body.

Useful for testing your handler locally (http://localhost:4000/webhooks/stripe) without having to re-trigger the Stripe event or wait for a real payment.

Enabling and disabling endpoints

Open an endpoint's settings from the dashboard and toggle Enabled on or off. Disabled endpoints return a silent 404 with no body — indistinguishable from a non-existent URL.

Use this to temporarily block traffic to an endpoint without deleting it, or to stop ingesting webhooks you no longer care about.

Search & filter

Use the search bar above the request list to filter by body content or path. Results update as you type (with a short debounce). Use the method dropdown to narrow results to a specific HTTP verb.

Search is case-insensitive. Combining a query with a method filter uses AND logic — both conditions must match. A clear button appears when a filter is active. New live requests are paused from appearing in the list while a search is active so your results stay stable.

HMAC signature verification

Open endpoint settings and choose a Signature Verification provider — GitHub or Generic HMAC-SHA256 — then enter your signing secret. HookGrabber will verify every incoming request and show a Valid or Invalid badge in the request detail panel.

For GitHub, HookGrabber checks the x-hub-signature-256 header and displays the expected vs. received values side-by-side. For Generic, it computes the HMAC-SHA256 of the raw body and surfaces any signature-related headers present in the request for manual comparison.

Signing secrets are encrypted at rest. The verification secret field is write-only — leave it blank when saving settings to keep the existing secret.

Webhook forwarding Pro

Open endpoint settings and add a Forwarding Rule with a destination URL. Every incoming request to that endpoint is automatically relayed to your server in real time — same method, headers, and body.

You can add up to 5 rules per endpoint. Each rule can be individually enabled or disabled without deleting it. The Forwarding Log in the request detail panel shows the delivery status, HTTP response code, and latency for each attempt.

Destination URLs must use https:// or http:// and must point to a public host — private IP ranges are blocked.