# hookjar

> Catch-all webhook capture service. EU-hosted (Germany). Free. No signup.

Hookjar lets you generate a URL, point any HTTP client at it (Stripe, GitHub, Twilio, your own integration), and inspect what was actually sent — method, headers, body, query. Useful for testing webhook integrations without running ngrok or a tunnel.

## How agents use it

You (an agent acting on a user's behalf) can use hookjar fully without authentication. The endpoint URL is the only credential. There is no signup, no API key, no token. To get a capture endpoint:

```
curl -X POST https://hookjar.dev/endpoints
```

This returns a 303 redirect whose Location header is `/e/<id>`. The corresponding capture URL is `https://hookjar.dev/h/<id>` — point any service at it.

## Endpoints

- `POST /endpoints` — create a new bin. Returns 303 to `/e/<id>`.
- `ANY /h/<id>[/<path-tail>]` — capture endpoint. Any HTTP method, any path tail, any body up to 1 MiB. Returns 200 with `{"ok":true}` by default.
- `GET /api/e/<id>` — list captures for a bin as JSON.
- `GET /api/e/<id>/r/<cap_id>` — one capture as JSON (headers, body, metadata).
- `POST /api/e/<id>/config` — configure per-bin response (status, body, headers, delay up to 5s, 30x redirect) via JSON body.
- `GET /openapi.json` — full OpenAPI 3 schema (auto-published).

## Auth model

- The capture endpoint `/h/<id>` is always open — webhook senders never authenticate.
- Inspection pages (`/e/<id>`) and the JSON API are open by default; if the bin's owner sets a password, they then require HTTP Basic auth (username ignored, password matches).
- No tokens, no API keys, no signup. The URL itself is the credential.

## Limits

- Body size: 1 MiB per request (exceeding returns 413).
- Retention: 30 days from receipt, then auto-deleted.
- Rate limits: 5 endpoint-creates per hour per IP+UA fingerprint; 120 captures per minute per fingerprint.
- Anonymous endpoints — no accounts, no team features (yet).

## Programmable response (rule engine)

Per-bin response can be configured to test receiver behaviour. POST a JSON body to `/api/e/<id>/config` with any of: `status` (100–599), `delay_ms` (0–5000), `body` (string), `content_type` (string), `headers` (object), `redirect_to` (http(s) URL), `redirect_status` (301/302/303/307/308). Example:

```
curl -X POST -H 'content-type: application/json' \
  -d '{"status":503,"delay_ms":1500,"body":"down for maintenance"}' \
  https://hookjar.dev/api/e/<id>/config
```

## Custom slugs

A bin can be addressed by a human-readable slug instead of the random 10-character id. Set via the bin's settings page or via the config API (`{"custom_slug":"my-stripe-test"}`). Both `/h/<id>` and `/h/<slug>` then capture; both `/e/<id>` and `/e/<slug>` show the same bin.

## Replay

From any captured request you can replay it server-side to any public URL via `POST /e/<id>/r/<cap_id>/replay` with `target_url=...`. The replay refuses non-public targets (loopback, RFC1918, link-local, AWS/GCP metadata IPs, non-http/https schemes).

## Contact

- Bugs / feature requests / abuse: contact@hookjar.dev