Splithook
v1.0 · Auto re-signing now live

Inspect, replay, and re-sign
every webhook your stack receives.

Splithook captures from any provider, re-signs with your real secret and fans out to localhost, staging, or multiple sites simultaneously. One URL. Zero signature bypass hacks.

Start free — no card Watch live demo
✓ Free plan forever ✓ Stripe · GitHub · Shopify · Twilio · Svix · Mailgun · SendGrid · Vercel · Linear · Resend
splithook.com / dashboard / endpoints / demo1234
LIVE
streaming · 142 req/min
body headers raw ✓ signed · stripe
Fan-out · 3 destinations
10 156+
webhooks this week
5
providers re-signed
<50ms
p99 capture latency
99.9%
ingest uptime

The webhook journey

From your provider to your localhost,
signature intact.

Provider Stripe / GitHub / … Splithook Capture in <50ms Re-sign engine HMAC + timestamp Your localhost Verifier passes ✓
POST e.splithook.com/{slug}
persist body · async dispatch
strip → swap t= → recompute v1
your handler verifies normally

Auto-detection on capture · Re-signing on replay

Stripe
GitHub
Shopify
Twilio
AWS SNS
Mailgun
SendGrid
Vercel
Linear
Resend
Stripe
GitHub
Shopify
Twilio
AWS SNS
Mailgun
SendGrid
Vercel
Linear
Resend

Use cases

One tool, every webhook scenario.

Multi-site relay

One Stripe account.
Three independent sites.

Configure Splithook as your single Stripe webhook URL. It re-signs the event and fans it out to your DB and every site's API — simultaneously.

1 webhook URL in Stripe dashboard · 3 destinations · 0 extra Stripe configs

Local dev tunnel

External event. Localhost.
Signature valid.

AWS Lambda or Stripe fires to your Splithook URL. Splithook re-signs and forwards through NAT to your local services — no manual signature bypass, no NODE_ENV hacks.

● orange = AWS Lambda event  ·  ● green = Shopify order  ·  ● green darker = re-signed, crossing NAT

Features

Every tool your webhook workflow needs.

01 / Auto re-signing

Signatures that actually
pass in dev.

Signing secrets encrypted at rest with libsodium. On every replay the HMAC is re-computed against the stored body bytes — identical code path to production.

POST /hooks/demo · replay #3
Content-Type: application/json
Stripe-Signature: t=1714000001,v1=a3f9…8c2d
{
  "id": "evt_1Pq…",
  "type": "payment_intent.succeeded"
}

02 / Fan-out & filters

One event,
every destination.

Add destinations with optional per-destination filters (event type, expression language). Works for localhost ports, external APIs, and cross-site relays.

localhost:3000
payment.*
api.shop1.com
all events
api.shop2.com
orders/*

03 / Replay

Replay to localhost

One click. Timestamp swapped so 5-minute windows still pass. Original body bytes preserved.

# destination
http://localhost:3000/webhooks
✓ 200 OK · 12ms

04 / Inspect

Split-screen inspector

Payload, headers, response side-by-side. Visual diff across replay iterations.

request body
response

05 / Capture

Persistent capture

URL that never changes. Sub-50ms ingestion. Body and headers stored intact for 24h–90d.

streaming · auto-detect provider
Without Splithook 
if (env === 'development') {
  // signature won't match replay
  return handler(req.body);
}
verifyStripeSignature(req);
handler(req.body);

Bugs surface in production only.

With Splithook 
// re-signed at replay time
// timestamp swapped to now()
verifyStripeSignature(req); // ✓
handler(req.body);

Same code path, dev and prod.

Dev / prod parity

Stop disabling signature verification in dev.

Every webhook replay carries a fresh HMAC — timestamp rewritten, signature recomputed with your real secret. Your verification middleware runs the exact same code path in dev as in production. No NODE_ENV branches. No if dev: skip. Bugs that only appear in production become bugs you catch in dev.

  • Stripe tolerance window: timestamp rewritten so 5-min window passes
  • GitHub: sha256-hex recomputed over preserved body bytes
  • Shopify: base64 HMAC — not hex, not URL-encoded, exactly per spec
  • Twilio: SHA-1 of URL + sorted form fields, destination URL-aware

Inside the workspace

Every webhook in one split-screen.

splithook.com / dashboard / endpoints / demohook
streaming
04:34:40
checkout.session.completed
04:33:39
Notification
04:32:38
push
04:31:37
Notification
04:30:36
pull_request
200 OK · captured 38ms · re-signed for stripe 
{
  "id": "evt_3PqM9z...",
  "type": "payment_intent.succeeded",
  "created": 1714984320,
  "data": {
    "object": {
      "id": "pi_3PqM...",
      "amount": 2400,
      "currency": "eur",
      "customer": "cus_QcVx...",
      "status": "succeeded"
    }
  }
}
Destinations · 3
localhost:3000
where event=*
api.shop1.com
where payment.*
api.shop2.com
where orders.*
Click anywhere to open the live demo →

Honest comparison

Splithook vs the alternatives.

Each tool exists for a reason — most are great at one job. Splithook is the only one that re-signs replays with your real provider secret, which is the difference between a debugging session that mirrors production and one that doesn't.

Capability Splithook ngrok smee.io webhook.site Hookdeck
Public capture URL
Replay to localhost
HMAC re-signing
Multi-destination fan-out
Tunnel to localhost
Provider-aware inspection
Built-in retention & replay history

Why re-signing matters: any tool that captures and replays without re-signing hands your handler a body whose signature was computed against the original timestamp. Once that timestamp is older than the provider's tolerance window (5 min for Stripe), your middleware rejects it as a replay attack. Splithook regenerates the timestamp and HMAC every time.

Combine, don't replace: Splithook + ngrok is a common setup. Use Splithook as the public capture URL and ngrok as the tunnel to localhost. Stable URL on the provider side, fresh tunnel every dev session, zero signature pain.

Pricing

Start free. Upgrade when
you replay signed webhooks.

Cancel anytime. No credit card on Free.

Free
0€

Solo dev. Covers the basics forever.

  • 1 endpoint
  • 24h retention
  • 500 req/mo
  • Manual replay
  • No credit card
Get started free
Developer
9€ /mo

More capacity, same focus.

  • 3 endpoints
  • 7d retention
  • 10k req/mo
  • Re-signing (1 provider)
  • Email support
Start Developer
Most popular
Pro
19€ /mo

Full re-signing. Multi-site fan-out.

  • 10 endpoints
  • 30d retention
  • 100k req/mo
  • Re-signing (all providers)
  • Fan-out · Filters · Multi-site
  • Priority support
Start Pro
Team
49€ /mo

Multi-user with shared signing secrets.

  • Unlimited endpoints
  • 90d retention
  • 500k req/mo
  • 5 users
  • Shared secrets
  • SSO ready
Start Team

All plans include fan-out, inspection, and live streaming. · See full feature comparison

FAQ

Common questions, answered.

How is webhook re-signing safe? +
Your signing secret is encrypted at rest with libsodium (key derived from APP_SECRET). It never leaves the server, is never logged, and is only used to compute a fresh signature when you trigger a replay.
Does my handler verify signatures normally? +
Yes — that is the entire point. Splithook strips the original signature, swaps the timestamp where applicable, and re-signs with your real secret. Your verification middleware has zero changes vs. production.
Which providers are supported for re-signing? +
Stripe, GitHub, Shopify, Twilio, Svix, AWS SNS, Mailgun, SendGrid, Vercel, Linear, Resend and Generic HMAC — every provider we detect is also re-signable.
How is Splithook different from ngrok? +
ngrok exposes localhost via a tunnel. Splithook captures, inspects, replays and re-signs — they are complementary. Many users run Splithook as the public capture URL and ngrok or cloudflared as the tunnel from Splithook to localhost.
Does Splithook store webhook bodies? +
In Redis with a per-plan TTL: 24h on Free, 7 days on Developer, 30 days on Pro, 90 days on Team. You can delete any captured webhook from the dashboard at any time.
What HMAC algorithms does Splithook support? +
HMAC-SHA256 for Stripe, GitHub (X-Hub-Signature-256), Shopify and most modern providers. HMAC-SHA1 for Twilio. The signature scheme — including timestamp prefixing, version tagging, and base64 vs hex encoding — is per-provider and handled automatically.
What happens when my localhost is offline? +
The webhook is captured and stored regardless — your provider gets its 200 OK from Splithook. When you bring localhost back up, click replay and the body arrives with a fresh, valid signature. No retries to chase, no duplicate events from the provider.
Can I use Splithook in CI/CD pipelines? +
Yes. Capture a representative webhook once, then replay it from your test suite by calling the Splithook API. This gives you reproducible end-to-end tests against real provider payloads with valid signatures, without depending on the provider sending a fresh event during CI.
How fast is the capture-to-localhost path? +
Capture latency stays under 50ms p99 even with the worker chain dispatching downstream. The live timeline updates over Mercure SSE typically within 100ms of capture.

Stop debugging webhooks in production.

Sign up in 30 seconds, paste your endpoint URL into Stripe, and watch the next webhook hit your dashboard in real-time.

Start free — no card See it live

$ curl https://e.splithook.com/your-endpoint -X POST -d ''