Generic HTTP

Updated May 31, 2026

Overview

Splithook works with any provider that sends HTTP webhooks — not just the five natively supported ones. For providers without built-in signing support, use passthrough or strip mode and rely on other security measures.

Pointing any provider at Splithook

The endpoint URL works with any HTTP client:

https://e.splithook.com/{slug}

Security without signing

If your provider doesn't sign webhooks, you still have options:

Slug obscurity — The 8-character base32 slug has ~1 trillion combinations. It's not a secret, but it's not guessable by brute force either. Rotate it if you suspect it's been leaked.

IP filtering (self-hosted) — If you self-host Splithook, you can add IP allowlist rules at the reverse proxy level for providers that publish a static IP range.

HMAC via shared secret — Some providers let you configure a custom secret that they include in a header (e.g. X-Webhook-Secret: abc123). Use a filter to reject events without it:

headers['x-webhook-secret'] == 'abc123'
<div class="callout callout-info"> <svg class="callout-icon" viewBox="0 0 16 16" fill="none" stroke="#38bdf8" stroke-width="1.5"><circle cx="8" cy="8" r="6"/><path d="M8 11V7M8 5h.01"/></svg> <div> <strong>Filter evaluation is async</strong> <p>Filters run after the <code>200 OK</code> is returned to the provider. A filter rejecting an event means it won't be forwarded to destinations, but the event is still captured and visible in the dashboard.</p> </div> </div>

Non-JSON payloads

Splithook captures any body, but schema inference only works on valid JSON. For form-encoded or binary payloads:

Custom signing (beta)

For providers with a non-standard signing scheme, custom signing lets you define your own verification algorithm in a small JavaScript function. See the Custom signing page (beta) for details.