Webhook Inspector
Webhook Inspector
The Webhook Inspector gives you a permanent HTTPS endpoint that captures every incoming HTTP request in real time — headers, body, query params, and timing — with no server setup and no infrastructure to manage.
Your endpoint URL
Each MockLab account gets one webhook endpoint on the Free plan (unlimited on Pro). Your endpoint URL follows this format:
This URL accepts any HTTP method (GET, POST, PUT, PATCH, DELETE, OPTIONS) and any Content-Type. MockLab will capture and display the request regardless of format.
What gets captured
Sending test requests
You can send requests from any HTTP client. Here are examples in common tools:
curl -X POST https://wh.mocklab.dev/your-endpoint-id \
-H "Content-Type: application/json" \
-H "Stripe-Signature: t=1714000000,v1=abc123..." \
-d '{
"id": "evt_3Pxr...",
"type": "payment_intent.succeeded",
"data": {
"object": {
"id": "pi_3Pxr...",
"amount": 4999,
"currency": "usd",
"status": "succeeded"
}
}
}' const crypto = require('crypto');
const payload = JSON.stringify({
event: 'order.shipped',
orderId: 'ord_9kXz',
trackingNumber: '1Z999AA10123456784'
});
const signature = crypto
.createHmac('sha256', process.env.WEBHOOK_SECRET)
.update(payload)
.digest('hex');
await fetch('https://wh.mocklab.dev/your-endpoint-id', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-Signature-SHA256': signature,
},
body: payload,
}); Request retention limits
| Plan | Retention | Max stored |
|---|---|---|
| Free | 7 days | 100 requests |
| Pro | 30 days | 10,000 requests |
Signature verification
MockLab can validate HMAC signatures on incoming requests. Set a secret key in your endpoint settings and the inspector will show a verified/failed badge next to the signature header for:
- Stripe (Stripe-Signature header)
- GitHub (X-Hub-Signature-256)
- Shopify (X-Shopify-Hmac-SHA256)
- Custom HMAC-SHA256 with any header name