WebhookLab
Dashboard

WebhookLab documentation

API, MCP, and Safety Model

WebhookLab provides public-safe webhook simulation, transient signature utilities, redacted discovery, and protected webhook delivery operations for PlatPhorm News.

OpenAPI JSONCapabilities harnessMCP descriptor

Public-safe APIs

These routes are safe for discovery, demo validation, and redacted reads without credentials.

  • GET /api/health
  • GET /api/capabilities
  • GET /api/docs
  • GET /api/openapi.json
  • GET /api/mcp
  • POST /api/mcp public-safe tools
  • GET /api/v1/agent
  • POST /api/v1/agent public-safe actions
  • POST /api/v1/signatures/generate
  • POST /api/v1/signatures/verify
  • GET /llms.txt
  • GET /sitemap.xml
  • GET /.well-known/platphorm.json

Protected APIs

These operations require Authorization: Bearer $PLATPHORM_API_KEY or X-PlatPhorm-API-Key.

  • POST /api/v1/endpoints
  • POST /api/v1/events
  • POST /api/v1/deliveries/{id}/replay
  • POST /api/v1/deliveries/{id}/cancel
  • POST/PUT/DELETE /api/v1/contracts
  • POST /api/v1/receive/{endpointSlug}
  • POST /api/webhooks
  • MCP protected tools and report publishing

Capabilities

Webhook Simulation

working

Generate webhook event payloads and run public-safe local simulations without persistent delivery.

Access: public-safe

Signature Generation

working

Generate HMAC signatures for test webhook payloads without persisting raw secrets.

Access: public-safe

Signature Verification

working

Verify webhook signatures against payloads and timestamp tolerance without persisting raw secrets.

Access: public-safe

Endpoint Registration

working

Register webhook receiver endpoints with SSRF-safe URL validation.

Access: protected with protected operations

Event Creation and Listing

working

Create persistent webhook events with protected dispatch; public reads are redacted.

Access: public-safe with protected operations

Delivery Tracking

working

Inspect webhook delivery and attempt state with public-safe redaction.

Access: public-safe

Delivery Replay

working

Replay webhook deliveries with protected authorization and explicit operator confirmation.

Access: protected with protected operations

Contract Creation

working

Create and manage persistent webhook contracts.

Access: protected with protected operations

Payload Validation

working

Validate webhook payloads against known contracts or demo schemas.

Access: public-safe

Vercel Webhook Receiver

working

Receive Vercel webhook events and verify configured Vercel signatures.

Access: protected with protected operations

MCP Integration

working

Expose webhook tools, resources, and prompts through JSON-RPC MCP.

Access: public-safe

Agent Endpoint

working

Expose safe agent actions with protected mutations gated by PLATPHORM_API_KEY.

Access: public-safe with protected operations

Docs and OpenAPI

working

Publish human API docs and parseable OpenAPI metadata for public and protected routes.

Access: public-safe

llms, Sitemap, Robots, Feed

working

Expose public-safe discovery files for agents and crawlers.

Access: public-safe

Signature Handling

Signature generation and verification are public-safe because they are stateless. Raw secrets are accepted only in JSON request bodies, never persisted, never returned, and never included in evidence. Public examples use demo secrets.

curl is not required. Use Node fetch or platphormctl:

fetch("https://webhooks.platphormnews.com/api/v1/signatures/generate", {
  method: "POST",
  headers: {"content-type": "application/json"},
  body: JSON.stringify({
    payload: { id: "evt_demo", type: "webhook.test" },
    secret: "demo-secret",
    algorithm: "sha256"
  })
})

Trust Policy

Web dashboard, public-safe discovery, browser-based operations, trusted-domain discovery, standard route compliance, Vercel metadata capture, trace inspection, and agentic workflow discovery are intentionally supported for public read-only debugging and operator workflows. Mutating, administrative, ingestion, replay, fork, remediation, deployment, sync, test-triggering, reporting, and write actions require PLATPHORM_API_KEY.

Agent Handoff

npx @platphormnews/platphormctl site inspect https://webhooks.platphormnews.com --json --trace
npx @platphormnews/platphormctl site routes https://webhooks.platphormnews.com --json --trace
npx @platphormnews/platphormctl site openapi https://webhooks.platphormnews.com --json --trace
npx @platphormnews/platphormctl site llms https://webhooks.platphormnews.com --json --trace
npx @platphormnews/platphormctl site sitemap https://webhooks.platphormnews.com --json --trace
npx @platphormnews/platphormctl mcp initialize https://webhooks.platphormnews.com/api/mcp --json --trace
npx @platphormnews/platphormctl mcp tools https://webhooks.platphormnews.com/api/mcp --json --trace
npx @platphormnews/platphormctl --include webhooks.platphormnews.com network validate --best-effort --evidence --json --trace