Hookbox
Webhook inspection tool — create unique endpoints, capture incoming requests, and inspect payloads in real time.
Overview
A webhook inspection tool built for debugging external integrations without sacrificing a clean security model for user-owned data.
Problem
Webhook tooling needs to receive calls from third-party services that cannot share user credentials, but users still need secure access to the events they own. That creates a boundary problem between public ingestion and protected management.
Approach
Hookbox exposes public receiver endpoints for inbound webhook delivery and isolates all read, management, and deletion operations behind JWT-protected routes. The system runs on serverless AWS infrastructure with components chosen for low-ops event handling.
Engineering Decisions
The most important design choices behind the project and why they matter.
Separated public ingestion from protected management
Webhook delivery stays unauthenticated by design, while every user-facing management path requires auth, which keeps the integration surface usable without weakening account security.
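An added sketch of this boundary (not Hookbox's own code): one dispatcher where the receiver route accepts unauthenticated deliveries and every other path must present a valid JWT, followed by an ownership check on the endpoint. The route shapes (`/hooks/{id}`, `/endpoints/{id}/events`), the HS256 shared secret, the lowercase `authorization` header key and the in-memory dicts standing in for DynamoDB are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"      # assumption: HS256 shared secret
ENDPOINT_OWNER = {"ep_123": "user_a"}    # constructed; stands in for DynamoDB
EVENTS = {"ep_123": []}

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_jwt(claims):  # mints constructed demo tokens for this example
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_jwt(token):
    """Return the claims, or None if malformed, forged, wrong alg or expired."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        return claims if claims.get("exp", 0) > time.time() else None
    except (ValueError, AttributeError, TypeError):
        return None

def handle(method, path, headers=None, body=""):
    parts = path.strip("/").split("/")
    # Public ingestion: the third-party sender holds no user credentials.
    if method == "POST" and len(parts) == 2 and parts[0] == "hooks":
        if parts[1] not in ENDPOINT_OWNER:
            return 404, None
        EVENTS[parts[1]].append(body)
        return 202, None
    # Every other path is management: authenticate first, then check ownership.
    auth = (headers or {}).get("authorization", "")
    claims = verify_jwt(auth[7:]) if auth.startswith("Bearer ") else None
    if claims is None:
        return 401, None
    if method == "GET" and len(parts) == 3 and parts[0] == "endpoints" and parts[2] == "events":
        if ENDPOINT_OWNER.get(parts[1]) != claims.get("sub"):
            return 404, None  # same answer for "missing" and "not yours"
        return 200, list(EVENTS[parts[1]])
    return 404, None  # deletion and other management routes omitted here
```

Because authentication is the default for anything that is not the receiver route, a management route added later is protected unless someone deliberately exempts it.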
Used serverless infrastructure for event traffic
Lambda, API Gateway, and DynamoDB fit bursty webhook workloads well and avoid operating always-on infrastructure for a traffic pattern that is naturally spiky.
Designed around real third-party constraints
The API shape reflects how services like Stripe or GitHub actually deliver payloads, rather than forcing an artificial auth story onto the inbound path.