Skip to main content Skip to main content

Documentation

Everything you need to receive, inspect, debug, and replay webhooks with Payloader.

Overview

Payloader is a webhook inspection and testing platform. Point any service's webhook URL at Payloader and instantly see every incoming payload — parsed, summarized, and ready to debug.

Unlike generic webhook catchers, Payloader recognizes 20+ platforms and translates raw JSON into human-readable summaries. A Stripe payment_intent.succeeded event becomes "Payment of $149.00 succeeded for [email protected]".

Key capabilities

Real-time webhook feed via SSE
Platform detection & summaries
Replay webhooks to any URL
Diff two payloads side-by-side
HMAC signature verification
Export to JSON, CSV, HAR, Postman
Email, Slack & Discord alerts
Full REST API for automation

Quick Start

Get your first webhook captured in under a minute.

  1. 1

    Create an account

    Sign up at payloader.dev/accounts/register. Every account starts with a free 14-day trial — no credit card required.

  2. 2

    Create an endpoint

    From the dashboard, click Create Endpoint. Give it a name and Payloader generates a unique URL like:

    https://hook.payloader.dev/h/a1b2c3d4e5f6
  3. 3

    Point your service at it

    Copy the endpoint URL and paste it into Stripe, GitHub, Shopify, or any service that sends webhooks. You can also test it immediately:

    curl -X POST https://hook.payloader.dev/h/a1b2c3d4e5f6 \
    -H "Content-Type: application/json" \
    -d '{"event": "test", "message": "Hello Payloader!"}'
  4. 4

    Watch it arrive

    The webhook appears in your live feed instantly. Click it to see full headers, body, platform detection, and an intelligent summary.

Core Concepts

Workspace

A workspace is your team's container. Every endpoint, request, API key, and notification rule belongs to a workspace. When you sign up, a "Personal" workspace is created automatically. On Team and Business plans, you can invite additional members.

Endpoint

An endpoint is a unique URL that receives webhooks. Each endpoint has its own slug (12 alphanumeric characters), response configuration, HMAC settings, and notification rules. All webhooks sent to an endpoint are captured and stored as requests.

Request

A request is a single captured webhook. It includes the full HTTP method, headers, query parameters, body, remote IP, and any intelligence data extracted by Payloader (platform, event type, summary, key fields).

Intelligence

Payloader's intelligence engine analyzes every incoming webhook to detect which platform sent it, extract the event type, generate a human-readable summary, and pull out key fields. This happens automatically within seconds of receiving a webhook.

Creating Endpoints

From the dashboard, click Create Endpoint and give it a descriptive name (e.g., "Stripe Production", "GitHub Staging"). Payloader generates a unique 12-character slug and your webhook URL is ready immediately.

Your webhook URL format

https://hook.payloader.dev/h/{slug}

Each endpoint can be independently:

  • Toggled on/off — paused endpoints still capture webhooks but mark them as received while inactive
  • Renamed — change the display name anytime without affecting the URL
  • Deleted — permanently removes the endpoint and all its captured requests

Plan limits: Developer plans support up to 10 endpoints, Team up to 20, and Business has unlimited endpoints.

Receiving Webhooks

Payloader accepts webhooks sent with any HTTP method (GET, POST, PUT, PATCH, DELETE). The receiver captures:

  • HTTP method and path
  • All request headers
  • Query parameters
  • Request body (up to 5 MB)
  • Remote IP address
  • Precise timestamp

After capture, the receiver immediately returns your configured response (default: 200 OK with {"received": true}) and queues the webhook for intelligence processing.

Testing with cURL

# Simple POST curl -X POST https://hook.payloader.dev/h/your-slug \ -H "Content-Type: application/json" \ -d '{"test": true}' # Simulate a Stripe webhook curl -X POST https://hook.payloader.dev/h/your-slug \ -H "Content-Type: application/json" \ -H "Stripe-Signature: t=123,v1=abc" \ -d '{"type": "payment_intent.succeeded", "data": {"object": {"amount": 5000}}}'

Custom Responses

Configure what Payloader sends back to the webhook sender. This is useful when a service expects a specific response format or status code.

Navigate to your endpoint's Response tab to configure:

Custom response configuration settings
Setting Default Description
Status Code 200 HTTP status code returned to the sender
Content-Type application/json Response content type header
Body {"received": true} Response body content

HMAC Verification

Business plan

HMAC signature verification lets you confirm that incoming webhooks are authentic. When configured, Payloader verifies the signature in the specified header using your shared secret.

Navigate to your endpoint's HMAC tab and configure:

HMAC verification configuration settings
Setting Description
Secret The shared HMAC secret from your webhook provider
Header Header containing the signature (default: X-Signature-256)
Algorithm sha256, sha1, or sha512

Once configured, every request detail page shows a verification badge: verified, failed, or not checked.

Live Feed

Each endpoint has a real-time live feed powered by Server-Sent Events (SSE). When a webhook arrives, it appears instantly in your dashboard — no page refresh or polling needed.

New webhooks slide in with a brief animation and flash, making it easy to spot incoming events while you work. The feed shows:

  • Platform badge (Stripe, GitHub, etc.)
  • Intelligent summary
  • Relative timestamp
  • HTTP method

Click any entry to view the full request details.

Global feed

The global feed shows webhooks from all endpoints in your workspace in a single stream. Access it from the Feed link in the dashboard sidebar. This is useful for monitoring all your integrations at once without switching between endpoints.

Request Details

The request detail view shows everything captured about a webhook:

Metadata

HTTP method, received timestamp, remote IP, body size, and detected platform.

Headers

All request headers, displayed as a readable key-value list. Sensitive headers (Authorization, Cookie) are captured but can be excluded via HMAC config.

Query Parameters

Any URL query parameters, displayed as key-value pairs.

Body

Full request body with automatic JSON pretty-printing. Non-JSON bodies are displayed as raw text.

Intelligence

Platform detection, event type, human-readable summary, and extracted key fields. Also shows HMAC verification status if configured.

Payload Intelligence

Payloader automatically analyzes every incoming webhook and extracts structured information:

Platform Detection

Identifies the sending platform based on headers, body structure, and known patterns.

Event Type Extraction

Pulls the specific event (e.g., payment_intent.succeeded, push, orders/create).

Human-Readable Summary

Translates raw payload into plain English. Example: "Payment of $149.00 succeeded for [email protected]"

Key Fields

Extracts important values (amount, customer, status, etc.) and displays them in a structured grid.

AI-Powered Analysis

Team & Business plans

When Payloader can't match a webhook to a known platform, Team and Business plan users can enable AI-powered analysis per endpoint. When enabled, Claude analyzes the payload structure and generates a best-guess platform, event type, and summary. Results are cached for 7 days per unique payload schema, so similar webhooks are analyzed instantly. Toggle AI analysis on or off from the endpoint header bar.

Search & Filter

Find specific webhooks across your endpoint's history using the search bar and filter dropdowns.

Available search and filter options
Filter Description
Search (q) Full-text search across body, summary, and event type
Platform Filter by detected platform (Stripe, GitHub, etc.)
Event type Filter by event type substring
Method Filter by HTTP method (GET, POST, PUT, etc.)
Date range Filter by date range (from/to)

Filters can be combined. The same filters apply when exporting data, so you can export exactly the subset you need.

Bulk delete

Need to clear out old requests? Use the Bulk Delete action on the endpoint page to delete all requests matching a date range. Individual requests can also be deleted from the request detail page.

Replay

Replay lets you re-send a captured webhook to any URL. This is invaluable for debugging your webhook handler — capture the webhook once, then replay it against your local development server as many times as needed.

How to replay

  1. 1. Open any captured request detail page
  2. 2. Click Replay
  3. 3. Enter the target URL (must start with http:// or https://)
  4. 4. Click Send

Payloader sends the original request body, headers, and method to your target URL and captures the response. You can see the response status code, headers, and body on the replay result page.

Each request keeps a history of all its replays, so you can track debugging progress.

Diff & Compare

Team & Business plans

Compare two webhook payloads side-by-side to spot differences. This is useful when a webhook starts failing and you need to see what changed between a working and broken payload.

How to compare

  1. 1. Navigate to your endpoint's Diff tab
  2. 2. Select Request A and Request B from the dropdowns
  3. 3. Click Compare

The comparison view shows both payloads with pretty-printed JSON, platform badges, event types, and timestamps — making it easy to spot structural differences.

Export

Export captured webhook data in four formats. Exports respect any active search filters, so you can export exactly the data you need.

JSON

Full request data as a JSON array. Includes all fields.

CSV

Spreadsheet-friendly format with columns for timestamp, method, platform, event type, summary, and body.

HAR

HTTP Archive v1.2 format. Import into browser dev tools or REST clients for further analysis.

Postman

Postman Collection v2.1. Import directly into Postman to replay requests from your collection.

Exports are capped at 500 requests. Use date range filters to narrow your export if you have more data.

Analytics

Team & Business plans

The analytics dashboard gives you a high-level view of webhook traffic for any endpoint.

Daily request volume

Bar chart showing requests per day over a configurable time range (30-365 days).

Platform breakdown

See which platforms send the most webhooks, with percentage breakdowns.

Peak hours

Hourly distribution (0-23) to identify traffic patterns and peak activity.

Summary stats

Total requests, average per day, total data transferred, and peak hour.

Period comparison

Compare the current period against the previous period. See percentage changes in request volume, data size, and platform activity at a glance.

Forwarding

Automatically forward captured webhooks to a target URL. This lets you use Payloader as a proxy — inspect webhooks in the dashboard while also delivering them to your application in real time.

Configuration

Navigate to your endpoint's Forwarding tab to configure:

Target URL

The destination URL to forward webhooks to (must be http:// or https://).

Mode

Async (default) — returns 200 immediately and forwards in the background with retries. Passthrough — proxies the request synchronously and returns the target's response to the sender.

Retries & Timeout

Configure up to 5 retries with exponential backoff. Timeout is configurable from 1-30 seconds.

Forwarding filters

Only forward webhooks that match specific criteria:

  • Platform filter — forward only from specific platforms (e.g., Stripe, GitHub)
  • Event type filter — forward only specific events with wildcard support (e.g., charge.*)
  • HTTP method filter — forward only specific methods (e.g., POST only)
  • HMAC filter — forward only requests with valid HMAC signatures

Forwarding results

Each forwarded request logs the target's response status, headers, body, and duration. View forwarding results from the request detail page.

If a forward fails or you need to resend, click Re-forward on the request detail page to manually forward the request again to the configured target URL.

Notification Rules

Get alerted when specific webhooks arrive. Each endpoint can have multiple notification rules, each with its own channel, destination, and optional filters.

Navigate to your endpoint's Notifications tab to create and manage rules. Each rule can be independently toggled on/off.

A notification log tracks the history of all sent alerts, including delivery status and any errors.

Notification Channels

Email

All plans

Send notification emails to any address. Emails include the platform, event type, summary, and a link to the full request.

Slack

Team & Business

Post to a Slack channel via an Incoming Webhook URL. Messages include platform badge, summary, and a link to the full request in Payloader.

Discord

Team & Business

Post to a Discord channel via a Webhook URL. Similar formatting to Slack notifications.

Notification Filters

Avoid noise by filtering which webhooks trigger a notification:

  • Platform filter — only notify for a specific platform (e.g., only Stripe webhooks)
  • Event type filter — only notify for event types matching a substring (e.g., payment matches payment_intent.succeeded)

Filters can be combined. Leave both blank to get notified on every webhook.

Workspaces

A workspace is the top-level organizational unit in Payloader. All endpoints, requests, API keys, and notification rules belong to a workspace.

When you sign up, Payloader creates a "Personal" workspace automatically. You can rename it from Dashboard → Settings.

On Team and Business plans, you can invite team members to share access to all endpoints and requests in the workspace.

Multiple workspaces

You can create additional workspaces to separate projects or teams. Switch between workspaces using the workspace switcher in the dashboard sidebar.

Endpoints can be moved between workspaces you own. From the endpoint's settings, select Move to workspace and choose the destination. All request history moves with the endpoint.

Team Members

Manage team access from Dashboard → Members. Invite existing Payloader users by email address.

Roles

Team member roles and their permissions
Role Permissions
Owner Full access. Manage members, billing, and all workspace settings. Cannot be removed.
Admin Manage endpoints, notifications, and members. Cannot access billing.
Member View endpoints and requests. Create and manage own notification rules.

Plan limits: Developer plans support 1 user, Team up to 5 users, and Business is unlimited.

Plans & Billing

Every account starts with a free 14-day trial with full access. After the trial, your dashboard becomes read-only until you subscribe.

Subscription states

Trialing — full read-write access for 14 days
Active — paid subscription with full access
Past Due — payment failed, read-only access until resolved
Canceled — subscription ended, read-only access

Payments are processed securely through Stripe. Manage payment methods, view invoices, and cancel from Dashboard → Billing.

See the pricing page for a full feature comparison.

API Authentication

The Payloader REST API uses API keys for authentication. Create and manage keys from Dashboard → API Keys.

Creating an API key

  1. 1. Go to Dashboard → API Keys
  2. 2. Enter a name (e.g., "CI/CD", "Monitoring Script")
  3. 3. Click Create — the raw key is shown once
  4. 4. Copy and store the key securely

Using the API key

Include your key in the X-API-Key header:

curl -H "X-API-Key: pl_your_api_key_here" \
https://payloader.dev/api/v1/endpoints/

Keys are stored as SHA-256 hashes. Only the first 10 characters (prefix) are visible after creation. You can revoke a key at any time — it takes effect immediately.

Endpoints API

Manage webhook endpoints programmatically.

GET /api/v1/endpoints/

List all endpoints in your workspace. Returns paginated results (50 per page).

curl -H "X-API-Key: pl_..." https://payloader.dev/api/v1/endpoints/
POST /api/v1/endpoints/

Create a new endpoint.

curl -X POST -H "X-API-Key: pl_..." \
-H "Content-Type: application/json" \
-d '{"name": "Stripe Production"}' \
https://payloader.dev/api/v1/endpoints/
GET /api/v1/endpoints/{slug}/

Get details for a specific endpoint.

PATCH /api/v1/endpoints/{slug}/

Update an endpoint. Supports: name, is_active, response_status_code, response_body, response_content_type.

curl -X PATCH -H "X-API-Key: pl_..." \
-H "Content-Type: application/json" \
-d '{"is_active": false}' \
https://payloader.dev/api/v1/endpoints/a1b2c3d4e5f6/
DELETE /api/v1/endpoints/{slug}/

Permanently delete an endpoint and all its captured requests.

Requests API

Retrieve and manage captured webhook requests.

GET /api/v1/endpoints/{slug}/requests/

List requests for an endpoint. Supports query parameters: page, platform, method, q (search).

# List all Stripe webhooks
curl -H "X-API-Key: pl_..." \
"https://payloader.dev/api/v1/endpoints/a1b2c3d4e5f6/requests/?platform=stripe"

Returns a lightweight response (no full body/headers) with: id, method, received_at, platform, event_type, intelligence_summary, body_size_bytes, signature_verified.

GET /api/v1/requests/{id}/

Get full request details including headers, body, and query parameters.

DELETE /api/v1/requests/{id}/

Permanently delete a captured request.

CLI Installation

The Payloader CLI lets you manage endpoints and inspect webhooks from the terminal. It's a single Go binary with no dependencies.

Download

Download the latest binary for your platform:

macOS (Apple Silicon)

payloader-darwin-arm64

macOS (Intel)

payloader-darwin-amd64

Linux (x86_64)

payloader-linux-amd64

Linux (ARM64)

payloader-linux-arm64

Windows (x86_64)

payloader-windows-amd64.exe

After downloading, make it executable and move it to your PATH:

$ chmod +x payloader-darwin-arm64

$ mv payloader-darwin-arm64 /usr/local/bin/payloader

CLI Authentication

Authenticate the CLI with your API key (generate one in Dashboard → Settings → API Keys):

$ payloader auth login

Base URL (e.g. https://payloader.dev): https://payloader.dev

API Key: pl_••••••••••••••••••••

Verifying credentials... ok

You are now authenticated.

Credentials are saved to ~/.payloader.json. Other auth commands:

  • payloader auth status — check current authentication
  • payloader auth logout — remove stored credentials

CLI Commands

Most commands have shorter aliases: endpointsep, requestsreq. Subcommands also have aliases: listls, deleterm, updateset.

Endpoints

$ payloader endpoints list # List all endpoints (alias: ls)

$ payloader endpoints create "My Endpoint" # Create endpoint

$ payloader endpoints get <slug> # Get endpoint details

$ payloader endpoints update <slug> --name "New Name" # (alias: set)

$ payloader endpoints delete <slug> # Delete (alias: rm)

$ payloader ep delete <slug> --force # Delete without confirmation

Endpoint Update Flags

The endpoints update command accepts the following flags:

Flag Description
--name <name>Endpoint name
--active / --inactiveEnable or disable the endpoint
--response-status <code>Custom HTTP response status code
--response-body <body>Custom response body
--response-type <type>Custom response content type (MIME type)
--hmac-secret <secret>HMAC signing secret for signature verification
--hmac-header <header>Header name containing the HMAC signature
--hmac-algorithm <alg>HMAC algorithm: sha256, sha1, or sha512
--ai-intelligenceEnable AI payload analysis
--no-ai-intelligenceDisable AI payload analysis
--forwarding / --no-forwardingEnable or disable request forwarding
--forwarding-url <url>Target URL for forwarded requests
--forwarding-mode <mode>async (non-blocking) or passthrough (proxy response back)
--forwarding-hmac-filterOnly forward HMAC-verified requests
--no-forwarding-hmac-filterForward all requests regardless of HMAC

# Configure forwarding with custom response

$ payloader ep set abc123def456 --forwarding --forwarding-url https://example.com/webhook

$ payloader ep set abc123def456 --response-status 201 --response-body '{"ok":true}'

# Set up HMAC signature verification (e.g. for Stripe)

$ payloader ep set abc123def456 --hmac-secret whsec_... --hmac-header stripe-signature --hmac-algorithm sha256

Requests

$ payloader requests list <slug> # Recent requests (alias: ls)

$ payloader requests list <slug> --platform stripe # Filter by platform

$ payloader requests list <slug> --method POST # Filter by method

$ payloader requests list <slug> --query "invoice" # Search body/summary

$ payloader requests get <id> # Full request detail

$ payloader req rm <id> # Delete request

Account & Utilities

$ payloader account # Show workspace info

$ payloader account rename "New Name"

$ payloader version # Show version + check for updates

$ payloader update # Download & install latest version

Listen & Forward to Localhost

The listen command connects to an endpoint's live stream and forwards each incoming webhook to a local URL. No tunnel (ngrok, cloudflared, etc.) required. Use --forward-to (or -f) to specify the target.

$ payloader listen <slug> --forward-to http://localhost:8000/webhooks/

Listening to endpoint "Stripe Production" (a1b2c3d4e5f6)

Forwarding to http://localhost:8000/webhooks/

Press Ctrl+C to stop

[14:32:01] POST /h/a1b2c3d4e5f6 (stripe) → 200 OK (12ms)

[14:32:15] POST /h/a1b2c3d4e5f6 (github) → 200 OK (8ms)

[14:33:42] POST /h/a1b2c3d4e5f6 → 201 OK (23ms)

How it works

  1. 1. The CLI connects to the endpoint's server-sent events (SSE) stream via your API key
  2. 2. When a webhook arrives, the full request data (method, headers, body) is streamed to the CLI
  3. 3. The CLI forwards the request to your local URL, preserving the original method, headers, and body
  4. 4. The response status and latency are printed to the terminal

Typical workflow

# 1. Start your local dev server

$ python manage.py runserver

# 2. In another terminal, start listening

$ payloader listen a1b2c3d4e5f6 -f http://localhost:8000/webhooks/stripe/

# 3. Point Stripe (or any service) at your Payloader endpoint URL

# https://hook.payloader.dev/h/a1b2c3d4e5f6

# 4. Webhooks arrive in Payloader dashboard AND your local server

The connection auto-reconnects after 3 seconds if interrupted. Original headers are forwarded (except hop-by-hop headers like Host, Connection, etc.). Press Ctrl+C to stop.

Supported Platforms

Payloader detects and extracts intelligence from 18 webhook providers. Detection is based on headers, body structure, and known API patterns.

Stripe

GitHub

Shopify

Linear

Vercel

Slack

SendGrid

Twilio

AWS SNS

Braintree

Datadog

HubSpot

Intercom

Paddle

PagerDuty

Segment

Square

Zendesk

Webhooks from unrecognized platforms are still captured and displayed. On the Team and Business plans, you can enable AI analysis per endpoint to detect the platform and generate a summary.

Rate Limits

The webhook receiver enforces rate limiting to protect the service:

60 requests per minute per endpoint

Uses a sliding window algorithm. When exceeded, the receiver returns 429 Too Many Requests with headers:

Retry-After: seconds until the window resets

X-RateLimit-Limit: 60

X-RateLimit-Remaining: remaining requests in window

The REST API does not have rate limits. The receiver also enforces a 5 MB body size limit and a maximum of 100 headers and 100 query parameters per request.

Need higher rate limits or larger payload sizes? Contact [email protected] to discuss your requirements.

Plan Limits

Feature comparison across Developer, Team, and Business plans
Feature Developer
$19/mo		 Team
$59/mo		 Business
$99/mo
Endpoints 10 20 Unlimited
Team members 1 5 Unlimited
Request history 90 days 1 year Unlimited
Payload intelligence Included Included Included
Email notifications Included Included Included
Replay Included Included Included
Export Included Included Included
REST API Included Included Included
Analytics dashboard Not included Included Included
Diff & compare Not included Included Included
Slack & Discord notifications Not included Included Included
HMAC verification Not included Not included Included
AI-powered analysis Not included Included Included

Ready to get started?

Start your free 14-day trial. No credit card required.

Start free trial View pricing