Terms & PII notice
v0 — informal, plain language. A proper legal Terms will replace this before paid plans launch.
What hookjar is
A free, anonymous webhook-capture service for developers testing integrations. Point any service at the URL we generate, and inspect what was sent.
What you must not do
- Do not point production webhooks at hookjar. The captured payloads will likely contain personal data of your customers or end-users.
- Do not send Stripe / Twilio / GitHub production webhook URLs here — the signing secrets in the headers and the payload could be replayed by anyone who guesses or sees the endpoint URL.
- Do not use hookjar as a dead-drop for credentials, malware, illegal content, or personal data of third parties. Endpoints found to be used this way will be disabled without notice.
Endpoint URLs & access
Endpoint URLs (/h/<id>) and their inspection pages
(/e/<id>) are not authenticated.
Anyone with the URL can read every capture sent to it. The 10-character id makes guessing
impractical, but if you share or paste the URL anywhere it becomes effectively public.
Treat the URL itself as the only access control.
Retention
Captures are kept for 30 days from receipt, then deleted by a background sweep. Endpoints themselves are kept indefinitely in v0; this may change once accounts ship.
PII / data-processor posture
If you send personal data through hookjar, you remain the data controller and we are acting as a processor on your behalf — without a signed DPA. We have no agreement with your end-users. Do not send production PII. If you do anyway, you accept responsibility for that decision and we will delete data on request to the abuse contact below.
Abuse
Report abuse — including endpoints used as dead-drops, capturing illegal content, or affecting third-party systems — to [email protected]. We will disable an endpoint without warning if we have a reasonable abuse signal.
No warranty
hookjar is provided as-is, without warranty of any kind, for testing purposes. Use at your own risk.