How HookReplay works
We don't hide complexity. Here's exactly how your webhooks flow through our system, how we keep data safe, and how you can run it yourself.
Request path
- SSRF protection: Replays are validated against private IP ranges and DNS rebinding domains before any outbound request is made.
- Signature verification: We verify Stripe, GitHub, Slack, Shopify, Svix, Twilio, SendGrid, and generic HMAC signatures before storing the request.
- Payload limits: Webhook ingestion is capped at 5MB per request. Auth and replay APIs are capped at 64KB.
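One way to implement the SSRF check from the first bullet, as an added example rather than HookReplay's own code: resolve the destination once, reject it if any address is non-public, and connect to the vetted IP. The function names and the range list are assumptions; `net.BlockList` and `dns.promises.lookup` are Node built-ins.

```javascript
// Added example, not HookReplay's source. Names and ranges below are assumptions.
const net = require('node:net');
const dns = require('node:dns').promises;

// Minimal set of non-public ranges; extend it for your environment.
const blocked = new net.BlockList();
for (const [prefix, bits] of [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
]) blocked.addSubnet(prefix, bits, 'ipv4');
for (const [prefix, bits] of [['fc00::', 7], ['fe80::', 10]]) {
  blocked.addSubnet(prefix, bits, 'ipv6');
}
blocked.addAddress('::', 'ipv6');
blocked.addAddress('::1', 'ipv6');

function isBlockedAddress(ip) {
  const family = net.isIP(ip);                 // 0 means "not an IP literal"
  if (family === 0) return true;               // fail closed on unparseable input
  if (/^::ffff:/i.test(ip)) return true;       // refuse IPv4-mapped IPv6 outright
  return blocked.check(ip, family === 6 ? 'ipv6' : 'ipv4');
}

// Judge one resolution result. Every address must be public; the caller then
// connects to `connectTo` rather than re-resolving the hostname, so a later
// DNS answer cannot move the request to an internal host (DNS rebinding).
function vetResolved(hostname, addresses) {
  if (addresses.length === 0) return { ok: false, reason: 'no addresses' };
  const bad = addresses.find(isBlockedAddress);
  if (bad) return { ok: false, reason: `${hostname} resolves to ${bad}` };
  return { ok: true, connectTo: addresses[0] };
}

// `lookup` is injectable so the check can be exercised without network access.
async function vetReplayTarget(rawUrl, lookup = (h, o) => dns.lookup(h, o)) {
  const url = new URL(rawUrl);                 // throws on malformed input
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'unsupported scheme' };
  }
  const host = url.hostname.replace(/^\[|\]$/g, '');   // strip IPv6 brackets
  const records = net.isIP(host) ? [{ address: host }] : await lookup(host, { all: true });
  return vetResolved(host, records.map((r) => r.address));
}
```

Run the same check on every redirect hop, or disable redirect following, since each `Location` header names a new destination.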
Data policies
PostgreSQL runs on managed cloud infrastructure with TLS encryption. Passwords are bcrypt-hashed. Tokens are SHA-256 hashed.
Current deployment is in Ohio (US-East). Data does not leave the region unless you self-host elsewhere.
Retention by plan: Free: 7 days. Pro: 90 days. Team: unlimited. You can delete your data — or your entire account — at any time.
We do not sell or share your webhook data with third parties. Your payloads are isolated per account.
Enterprise ready
- ✓ Cloud-agnostic. Runs on any Node 20+ host with PostgreSQL and Redis. No vendor lock-in.
- ✓ SOC 2 aligned. TLS in transit, bcrypt passwords, SHA-256 token hashing, and full audit logs.
- ✓ Custom domain. Bring your own domain and SMTP sender for white-label deployments.
- ✓ Self-hostable. Deploy via Docker Compose, Kubernetes, or any PaaS in minutes.
Self-hosting
HookReplay is a standard Next.js 16 application. You can run it on your own infrastructure with Docker Compose in a single command.
    git clone https://github.com/anxovatomica/hookreplay.git
    cd hookreplay
    cp .env.example .env.local
    # Edit DATABASE_URL, REDIS_URL, JWT_SECRET
    docker compose up --build

Requirements: Node 20+, PostgreSQL 15+, Redis 7+. See the README for detailed environment configuration.