WebhookLab
Dashboard

WebhookLab documentation

API, MCP, and Safety Model

WebhookLab provides public-safe webhook simulation, transient signature utilities, redacted discovery, and protected webhook delivery operations for PlatPhorm News.

OpenAPI JSONCapabilities harnessMCP descriptor

Public-safe APIs

These routes are safe for discovery, demo validation, and redacted reads without credentials.

  • GET /api/health
  • GET /api/capabilities
  • GET /api/docs
  • GET /api/openapi.json
  • GET /api/mcp
  • POST /api/mcp public-safe tools
  • POST /api/v1/signatures/generate
  • POST /api/v1/signatures/verify
  • GET /api/v1/agent compatibility action catalog
  • GET /llms.txt
  • GET /sitemap.xml
  • GET /.well-known/platphorm.json

Protected APIs

These operations require Authorization: Bearer $PLATPHORM_API_KEY or X-PlatPhorm-API-Key.

  • POST /api/v1/endpoints
  • POST /api/v1/events
  • POST /api/v1/deliveries/{id}/replay
  • POST /api/v1/deliveries/{id}/cancel
  • POST/PUT/DELETE /api/v1/contracts
  • POST /api/v1/receive/{endpointSlug}
  • POST /api/webhooks
  • MCP protected tools and report publishing

Capabilities

Webhook Simulation

working

Generate webhook event payloads and run public-safe local simulations without persistent delivery.

Access: public-safe

Signature Generation

working

Generate HMAC signatures for test webhook payloads without persisting raw secrets.

Access: public-safe

Signature Verification

working

Verify webhook signatures against payloads and timestamp tolerance without persisting raw secrets.

Access: public-safe

Endpoint Registration

working

Register webhook receiver endpoints with SSRF-safe URL validation.

Access: protected with protected operations

Event Creation and Listing

working

Create persistent webhook events with protected dispatch; public reads are redacted.

Access: public-safe with protected operations

Delivery Tracking

working

Inspect webhook delivery and attempt state with public-safe redaction.

Access: public-safe

Delivery Replay

working

Replay webhook deliveries with protected authorization and explicit operator confirmation.

Access: protected with protected operations

Contract Creation

working

Create and manage persistent webhook contracts.

Access: protected with protected operations

Payload Validation

working

Validate webhook payloads against known contracts or demo schemas.

Access: public-safe

Vercel Webhook Receiver

working

Receive Vercel webhook events and verify configured Vercel signatures.

Access: protected with protected operations

MCP Integration

working

Expose webhook tools, resources, and prompts through JSON-RPC MCP.

Access: public-safe

Agent Endpoint

working

Expose safe agent actions with protected mutations gated by PLATPHORM_API_KEY.

Access: public-safe with protected operations

Docs and OpenAPI

working

Publish human API docs and parseable OpenAPI metadata for public and protected routes.

Access: public-safe

llms, Sitemap, Robots, Feed

working

Expose public-safe discovery files for agents and crawlers.

Access: public-safe

Signature Handling

Signature generation and verification are public-safe because they are stateless. Raw secrets are accepted only in JSON request bodies, never persisted, never returned, and never included in evidence. Operators provide a transient local secret at runtime.

curl is not required. Use Node fetch or platphormctl:

const localOnlySecret = getSecretFromOperatorInput();

fetch("https://webhooks.platphormnews.com/api/v1/signatures/generate", {
  method: "POST",
  headers: {"content-type": "application/json"},
  body: JSON.stringify({
    payload: { id: "evt_demo", type: "webhook.test" },
    secret: localOnlySecret,
    algorithm: "sha256"
  })
})

Trust Policy

Web dashboard, public-safe discovery, browser-based operations, trusted-domain discovery, standard route compliance, Vercel metadata capture, trace inspection, and agentic workflow discovery are intentionally supported for public read-only debugging and operator workflows. Mutating, administrative, ingestion, replay, fork, remediation, deployment, sync, test-triggering, reporting, and write actions require PLATPHORM_API_KEY.

Agent Handoff

npx @platphormnews/platphormctl site inspect https://webhooks.platphormnews.com --json --trace
npx @platphormnews/platphormctl site routes https://webhooks.platphormnews.com --json --trace
npx @platphormnews/platphormctl site openapi https://webhooks.platphormnews.com --json --trace
npx @platphormnews/platphormctl site llms https://webhooks.platphormnews.com --json --trace
npx @platphormnews/platphormctl site sitemap https://webhooks.platphormnews.com --json --trace
npx @platphormnews/platphormctl mcp initialize https://webhooks.platphormnews.com/api/mcp --json --trace
npx @platphormnews/platphormctl mcp tools https://webhooks.platphormnews.com/api/mcp --json --trace
npx @platphormnews/platphormctl --include webhooks.platphormnews.com network validate --best-effort --evidence --json --trace