Appearance
Webhooks
The Krafter Webhooks service is an inbound webhook relay. It accepts webhook deliveries from third-party providers (Stripe, GitHub, Shopify, or any generic HMAC-signed source), verifies signatures, persists every event, and fans them out to one or more of your own destination URLs.
If you only want to receive Krafter's own outgoing webhooks (Mail, Forms, Flags, Push, etc.), see the platform-wide Outgoing delivery contract instead.
What you get
- Public ingest URL per source —
https://app.krafter.dev/in/<slug>. Hand this to the provider; no Krafter API key needed for ingest. - Signature verification — Stripe, GitHub, and Shopify formats are built in. Generic HMAC-SHA256 over the raw body works for everything else.
- Fan-out to multiple destinations — each source can forward to many destination URLs, with optional per-destination event-type filtering.
- Persistence + replay — every event is stored with its raw body and signature-validity flag. Re-deliver any historical event to all or some destinations with one API call.
- Auto-disable — destinations failing 10 times in a row are disabled automatically; clear the failure counter and re-enable manually.
- At-rest encryption — destination secrets are encrypted in the database with
cloak.
Two API surfaces
| Surface | Auth | Used by |
|---|---|---|
| Management API | API key + webhooks:* scopes | Your code, scripts, infra-as-code |
POST /in/:slug | Provider signature only | Stripe, GitHub, Shopify, etc. |
The management API lives at /api/v1/webhooks/* and is documented under API Reference in the sidebar. The ingest endpoint is documented under API Reference → Ingest.
Scopes
| Scope | Grants |
|---|---|
webhooks:read | List/get sources, destinations, events; outgoing aggregation |
webhooks:write | Create/update/delete sources & destinations, replay, test send |
Generate keys at https://app.krafter.dev/dashboard/api-keys.