Webhook infrastructure for AI apps

Stop duplicate webhooks.

Stripe times out at 10s. Your agent takes 45. Your AI agents need 45s to think.

We return HTTP 200 in 50ms, so the sender never sees a timeout.

The problem

Senders give up. Your handler runs twice.

Every retry-on-timeout sender hits the same wall. Four flavors of the same pain — you're probably hitting at least one.

Payments
YOUR DB · user_creditsINSERT +500 creditshandler #1 · 08:41:02INSERT +500 creditshandler #2 (retry) · 08:41:13FULFILLED 2×

Stripe 10s. LLM 45s.

Sender times out → retry → 2× credits for one payment.

AI chatbot
SLACK · #supportbotHere's your summary.botHere's your summary.(dup)botHere's your summary.(dup)3× SPAM

Slack 3s. Agent 15s.

Slack retries → bot dumps identical replies.

Serverless
VERCEL · /api/webhook08:41attempt 1504timeout @ 10s08:42attempt 2504timeout @ 10s08:43attempt 3504timeout @ 10s08:44attempt 4504timeout @ 10s08:45attempt 5504timeout @ 10sretrying forever · never delivered

Vercel kills @ 10s.

Cold start → 504. Sender retries → 504 loop.

Outage recovery
YOUR SERVER · downevt_ma4fdropped · retries exhaustedevt_8bjcdropped · retries exhaustedevt_1k2pdropped · retries exhaustedevt_wqxrdropped · retries exhaustedDATA LOST · 147 eventsno record · no recovery path

Server down. Events pile up.

Sender exhausts retries → 147 events lost forever.

One URL

Change one URL.

No SDK. No code changes. Point Stripe, GitHub, or Shopify at your AnyHook inbound URL — we queue, buffer, and forward.

Three steps. Thirty seconds. Async decoupling for your webhooks.

StripeGitHubShopifyPaddleDiscordANYHOOKverifyqueueforwardyour-api.com
1

Swap the URL

In Stripe, GitHub, or Shopify, replace your endpoint with your AnyHook inbound URL. Paste your provider's webhook signing secret so AnyHook can verify every request at the edge.

https://in.anyhook.net/{you}/{app}
2

We queue it instantly

AnyHook's edge verifies the signature, accepts the webhook in under 50ms, and drops it into a durable queue. The sender gets 200 — your backend processes at its own pace.

3

Your API receives it

Events flow from the queue to your endpoint on a controlled schedule. Full payload, headers, and delivery status — all visible in one dashboard.

Event log

See every event.

Inbound payload, each delivery attempt, and the response body — one screen before you hit Replay.

anyhook — event stream
live
timeeventappstatusms
7 events · Free plan retains 3 daysclick to inspect

Automation

APIs for AI agents.

Give your agent an API key. It handles the rest — provisioning, monitoring, and recovery through a simple REST API.

# All requests require: Authorization: Bearer ahk_live_... — get yours from Dashboard → Settings → API Keys

Provision a relay

Your agent creates a webhook relay and gets an inbound URL. Point Stripe at this URL — AnyHook verifies signatures and forwards to your endpoint.

# Create a relay for Stripe webhooks
POST /api/v1/apps
"name": "stripe-payments"
"destination_url": "https://api.acme.com/hooks"
"source": "stripe" # auto-verifies signatures
→ { "inbound_url": "https://in.anyhook.net/you/stripe-payments" }
# Set Stripe signing secret for edge verification
PATCH /api/v1/apps/stripe-payments
"source_secret": "whsec_..." # from Stripe Dashboard
→ 200 OK
# Now paste the inbound_url into Stripe → Webhooks

Delivery pipeline

Clear traffic, full control.

Receive → normalize → log → deliver. Every webhook visible at each hop, from inbound to your API.

1/4Receive

Catch it fast.
Edge ack in under 50ms.

Cloudflare Workers at the edge accepts the webhook and returns 200 — all in under 50ms. The sender thinks you're instant. Your downstream can take as long as it needs.

receive
POST in.anyhook.net/acme/stripe
1. Accept incoming POST ✓
2. Queue event to pipeline ✓
3. Return 200 OK in 38ms ✓
→ Stripe: delivered.
Your agent hasn't started yet.

Security

Drop the SDKs. Check one header.

Stripe, GitHub, Shopify — every provider signs differently. Paste your provider's signing secret once, and AnyHook validates every request at the edge. You get one unified signature.

Original provider headers preserved. Your existing SDK verification still works — or just check one AnyHook header and skip the rest.

your-server.ts
// Every provider. One check.
const sig = req.headers['x-anyhook-signature'];
if (!verify(sig, body, process.env.ANYHOOK_SECRET))
return res.status(401);
// Trust the payload. It's already verified at edge.
// Original Stripe/GitHub headers still included.
20+ providers0 SDKs required

Supported Event Sources

Stripe
GitHub
Shopify
Discord
Sentry
Linear
Vercel
Paddle
Clerk
Lemon Squeezy
Intercom
HubSpot
Resend
WooCommerce
PayPal
Slack
Twilio
SendGrid
Svix
Others

Zero-config signature unification

Unified AnyHook-Signature

20+ providers, one HMAC. AnyHook verifies Stripe/GitHub/Shopify signatures at the edge, then re-signs every delivery with a fresh AnyHook-Signature. Verify once on your server, trust everything.

Retry-safe by design

Original provider signatures expire after ~5 minutes — retries fail verification on your server. AnyHook solves this: we verify once at the edge, then re-sign with a fresh timestamp on every retry. Your server never sees an expired signature.

Original headers preserved

Raw body forwarded byte-for-byte with original Stripe-Signature intact. Need to double-verify on first delivery? Your existing SDK still works — AnyHook-Signature is additive, not a replacement.

AES-256-GCM encrypted at rest

Every webhook payload, header, and signing secret is encrypted before it hits the database. Zero plaintext secrets stored. A database breach yields only ciphertext.

Fail-safe

Your server goes down.
Nothing is lost.

Timeout? 500? Deploy gone wrong? AnyHook absorbs the impact, protects your quota, and holds every event until you're ready.

Exponential backoff

5xx or timeout? We retry on an increasing schedule — 5 min, 30 min, 2 hours, 12 hours. Client errors (400, 422, etc.) are marked failed immediately — no wasted retries.

Circuit breaker

20 consecutive failures → progressive pause (10 min → 30 min → 2 h → 24 h → deactivate). Inbound keeps receiving — only outbound pauses. Any single success resets everything.

Failure alert

When all retries are exhausted, you get an email with the event ID, destination, HTTP status, and a direct link to the event in your dashboard.

Batch replay

Server back up? One call to POST /replay-failed replays every failed event. Or inspect first with GET /undelivered. Replays don't count against your quota.

Who it's for

Built for builders.

Same webhook relay — three common situations teams land in first.

AI Agents

Senders retry. Your agent runs twice.

Slack 3s · GitHub 10s · Stripe 10s · Your LLM 45s.

Every retry-on-timeout sender hits the same wall. Stripe retries at 10s. Slack at 3s. GitHub at 10s. Shopify at 5s. Your handler fires again mid-run — duplicate fulfillment, dirty DB rows, duplicate messages, duplicate token burn. We catch the event in 50ms and hold it until your agent finishes. One delivery, guaranteed.

ai-agents.ts
1// Without AnyHook — any slow handler
2app.post("/webhook", async (req, res) => {
3 const result = await agent.run(req.body);
4 // ↑ 45s — sender already timed out
5 // ↑ retry fires → handler runs TWICE
6 // Stripe → +500 credits granted 2×
7 // Slack → 3 duplicate replies
8 // GitHub → 5× OpenAI token burn
9 res.json({ ok: true });
10});
11// With AnyHook → 200 in 50ms at edge
12// Your agent runs once. No duplicates.
Solo Builders

Swap the URL. Ship tonight.

No SQS. No DLQ config. No SDK.

Point your Stripe webhook here instead of your server. We handle retries, logs, and replay. Developing locally? Set your destination to a tunnel URL — or capture real events in production and replay them to localhost anytime.

solo-builders.ts
1// Step 1: Stripe Dashboard → Webhooks
2// Change endpoint URL to:
3const url = "https://in.anyhook.net/you/app";
4// Local dev? Set destination to:
5"https://your-tunnel.ngrok.io/webhook"
6// Or replay any prod event to localhost
7// ✓ Retries + Logs + Replay included
Backend Devs

Don't build it. Outsource it.

$20/mo beats 2 weeks of your time.

Queue, worker, DLQ, dead-letter alerts, manual replay UI. You've done it before. It still silently drops under load. Outsource the commodity work.

backend-devs.ts
1// What you'd build yourself:
2Ingress → Auth → Kafka → Worker
3→ Fails → Redis Delay Queue → DLQ
4→ CloudWatch Alerting → Manual Replay
5→ 2 weeks eng time · $3k+/mo ongoing
6// What AnyHook replaces it with:
7One URL. $20/mo. Zero maintenance.
8Retries + logs + replay included.

Pricing

Simple pricing.

Start free. Upgrade when your traffic grows. No surprise bills on Free — metered overage on paid plans so we never silently drop your events.

Free
For testing and first integrations
$0/ month
Get started free
  • EventsCovers a Stripe SaaS with ~200 customers, a GitHub team of 20, or a Shopify store with ~500 orders/month. More than enough for most indie projects.3,000 / month
  • AppsEach App is one inbound URL you configure. One App = one webhook source pointed at AnyHook.1
  • RetriesAutomatic retry attempts with exponential backoff (5 min → 30 min → 2 h) when your endpoint returns an error or times out.3
  • RetentionHow long AnyHook stores your event logs and payloads. After this period events are permanently deleted. Replay is available within this window.3 days
  • TimeoutTime AnyHook waits for your endpoint to respond. Enough for most endpoints. For longer tasks (AI agents, batch jobs), return HTTP 202 — AnyHook handles the rest.60s
  • Max payloadCovers standard JSON webhooks from Stripe, GitHub, Shopify, and most providers. Only large file uploads or base64-encoded attachments exceed this.512 KB
  • OverageFree plan does not support overage. Events beyond the monthly or daily cap are rejected until the next cycle. Upgrade to Pro for metered overage so nothing is dropped.
  • 100 events / day cap
  • Email alerts
  • Ticket support
Most teams start here
Pro
For production webhook traffic
$20/ month
Start Pro
  • EventsTotal webhook events AnyHook will receive and attempt to deliver per calendar month.50,000 / month
  • AppsEach App is one inbound URL you configure. One App = one webhook source pointed at AnyHook.10
  • RetriesAutomatic retry attempts with exponential backoff (5 min → 30 min → 2 h → 12 h) when your endpoint returns an error or times out.5
  • RetentionHow long AnyHook stores your event logs and payloads. After this period events are permanently deleted. Replay is available within this window.30 days
  • TimeoutTime AnyHook waits for your endpoint to respond. Great for AI agents and heavier processing. For tasks over 2 minutes, return HTTP 202 — AnyHook handles the rest.120s
  • Max payloadMaximum request body size per event. Covers 99%+ of webhook payloads. Oversized requests are rejected at the edge with HTTP 413.2 MB
  • OverageMetered overage at $0.90 per 1,000 events beyond your monthly quota. Set a spending cap ($5–$50) and toggle per-app. Charged on your next invoice.$0.90 / 1k
  • No daily cap
  • API access
  • Signature mismatch logs
Scale
For high-volume pipelines
$90/ month
Start Scale
  • EventsTotal webhook events AnyHook will receive and attempt to deliver per calendar month.250,000 / month
  • AppsEach App is one inbound URL you configure. One App = one webhook source pointed at AnyHook.50
  • RetriesAutomatic retry attempts with exponential backoff (5 min → 30 min → 2 h → 12 h → next-day) when your endpoint returns an error or times out.10
  • RetentionHow long AnyHook stores your event logs and payloads. After this period events are permanently deleted. Replay is available within this window.90 days
  • TimeoutTime AnyHook waits for your endpoint to respond. Built for AI agents, multi-step workflows, and heavy processing. Return HTTP 202 if you need even longer.5 min
  • Max payloadMaximum request body size per event. Built for large AI payloads, base64-encoded content, and batch data. Oversized requests are rejected with HTTP 413.5 MB
  • OverageMetered overage at $0.70 per 1,000 events beyond your monthly quota — 22% cheaper than Pro. Set a spending cap ($5–$50) and toggle per-app. Charged on your next invoice.$0.70 / 1k
  • No daily cap
  • Ticket support
  • Custom domains soon
Enterprise
For security reviews and custom limits
Custom
Contact sales
  • EventsFlexible
  • AppsFlexible
  • RetriesFlexible
  • RetentionFlexible
  • TimeoutFlexible
  • Max payloadCustom
  • OverageCustom
  • SSO and reviews
  • Dedicated onboarding
  • Custom routing options

Most teams start with Pro — production-grade volume, zero maintenance. Retry queues, dead-letter handling, idempotency — let us own the complexity so you can ship what matters.

FAQ

You can. Here's what you're signing up for:

Reliability — Idempotency keys, dead-letter queues, backoff state machines. One missed edge case and you double-process a payment or silently drop an event. Most teams find these bugs in production, at 2 AM.

Security — Every provider signs differently. Stripe HMAC-SHA256 + timestamp, GitHub raw SHA-256, Shopify Base64. You maintain one verifier per provider, handle key rotation, encrypted storage. Skip one = accepting unsigned traffic.

Observability — Debugging means grepping CloudWatch across Lambda invocations. No searchable event log, no replay, no full payload history.

Cost — Infra is $50–200/mo. The real cost is $3,000–5,000/mo in engineer time: on-call, migrations, debugging stuck retries. AnyHook Pro is $20/month and zero maintenance.

How delivery works under the hood

Different hops. Stripe's clock runs on the connection to your public URL. Point that at AnyHook and Stripe waits on our edge — which returns 2xx in milliseconds.

The Timeout column is our delivery clock: how long we wait for your endpoint to respond (60s Free, 120s Pro, 5 min Scale). Most endpoints respond well within that. For tasks that take even longer, return 202 Accepted and process async.

Retry schedule & timeout details

Zapier/Make are low-code automation platforms — visual editors, drag-and-drop flows. AnyHook is a developer-grade relay: your webhook, your endpoint, your code, your infrastructure.

Writing Python or TypeScript to process webhooks? Use AnyHook. Want "if payment → send email" without code? Use Zapier.

Events are written to a durable queue before we return 200 to the sender. If our Forwarder is temporarily down, events queue up and process on recovery. The sender already got their 200 — no retries, no data loss.

Uptime published at status.anyhook.net.

Yes — that's exactly what AnyHook is for. We acknowledge Stripe in under 50ms. Your Agent runs as long as it needs.

Your endpoint should return 202 Accepted immediately, then process async. AnyHook's delivery timeout (60s Free, 120s Pro, 5 min Scale) only applies to that initial HTTP round-trip.

Delivery timeout & retry schedule

No. Return 200 as soon as the webhook is authenticated. Run business logic async. This is Stripe's recommended pattern.

With AnyHook: edge validates signature → event queued → Stripe gets 200 instantly → failures retried and replayed in AnyHook instead of forcing Stripe to redeliver.

AnyHook handles async event webhooks where a fast 2xx is the contract. Not a fit for synchronous control webhooks that need a specific response body:

Twilio Voice (expects TwiML), Discord Interactions (expects JSON UI), Shopify Carrier Shipping (expects live rates). Standard event webhooks from these providers work perfectly.

Your endpoint returns 202 Accepted immediately → processes the task async. AnyHook marks delivery successful on the 202. Your Agent runs for minutes or hours — no impact on the webhook lifecycle.

If your endpoint returns 200 only after the Agent completes, it will trigger retries on long tasks. Fix: 202 + async.

Yes — three ways:

1. Dashboard — click Replay on any event. One click, no re-triggering from Stripe.

2. API single replayPOST /api/v1/events/{id}/replay to replay one event programmatically.

3. Batch recoveryPOST /api/v1/apps/{slug}/replay-failed replays all failed events for an app in one call.

Need to inspect first? GET /api/v1/apps/{slug}/events/undelivered lists every event that didn't make it. Replays are tagged is_replay: true and linked to the original event. Replays don't count against your quota.

Dashboard replay & API replay

No — and that's intentional. AnyHook classifies HTTP status codes into retryable and terminal:

Retryable (will retry with backoff): 5xx server errors, 408 timeout, 429 rate limited, network errors.

Terminal (marked failed immediately): 400, 401, 403, 404, 422 — any 4xx except 408/429.

Why? A 400 Bad Request or 422 Unprocessable Entity means the payload or auth is wrong — retrying the same request wastes your retry quota and delays the real fix. AnyHook marks it failed immediately so you get notified faster and can fix the root cause.

Failed events are always available for replay once you've fixed the issue.

Full retry classification table

AnyHook is a real-time relay — events are forwarded as fast as they arrive. We do not currently apply rate limiting or concurrency caps on outbound delivery.

For most teams this is ideal: you want events delivered immediately, not artificially delayed. If your server can handle the traffic from your webhook source directly, it can handle the same volume through AnyHook.

If your server is sensitive to bursts:

1. Return 429 with a Retry-After header — AnyHook will back off and retry.

2. Use your own queue internally (e.g. accept fast, process async).

Per-destination concurrency limits are on our roadmap — if this is critical for your use case, let us know.

Delivery pipeline architecture

Nothing is lost. Here's the sequence:

1. AnyHook keeps retrying on an exponential backoff (5 min → 30 min → 2 h → 12 h).

2. If all retries fail, we email you with the event ID, destination, status code, and a direct link to the event in your dashboard.

3. You also get a circuit breaker alert if 20+ deliveries fail in a row — AnyHook progressively pauses that destination (10 min → 30 min → 2 h → 24 h) to protect your quota. Inbound events keep being received and stored — only outbound delivery pauses.

4. When your server is back: call GET /api/v1/apps/{slug}/events/undelivered to see what you missed, then POST /api/v1/apps/{slug}/replay-failed to catch up. One API call replays everything.

Circuit breaker & recovery flow

Encrypted in transit (TLS) and at rest. Retained only for your plan window (3 / 30 / 90 days), then permanently deleted. We never use payload data to train models. Secrets stored encrypted, never exposed in logs.

Pro: $0.90 / 1,000 events. Scale: $0.70 / 1,000 events. Set a monthly spending cap ($5–$50) in Settings — once reached, events stop until the next cycle. You can also toggle overage per-app so only critical apps keep flowing.

Free: 3,000/mo + 100/day cap. Overages queue for the next cycle — no surprise bills.

Overage billing details

Yes — two approaches:

1. Set your destination to a tunnel URL (ngrok, cloudflared, localhost.run). AnyHook forwards webhooks there just like any other endpoint.

2. Even better: let AnyHook capture real production events, then replay them to your localhost whenever you need. No need to trigger events manually — test against real data, unlimited times.

Local development guide

Yes — fully. AnyHook works with any HTTP POST webhook, not just the 20+ providers we auto-detect.

For unsupported or custom sources, select "Generic" when creating your App. AnyHook will:

1. Accept and queue every inbound POST — no signature check required.

2. Forward the original headers and body byte-for-byte to your destination.

3. Attach an AnyHook-Signature header (timestamped HMAC-SHA256) so your endpoint can verify the request came through AnyHook.

If your custom source uses HMAC-SHA256, you can configure a signing secret under Generic — AnyHook will verify it at the edge. Otherwise, skip it and let AnyHook act as a secure, logged relay.

Edge verification & supported sources

Yes — per-event limits by plan:

Free: 512 KB · Pro: 2 MB · Scale: 5 MB · Enterprise: custom.

Oversized requests get 413 Payload Too Large at the edge — not silently dropped, not queued, not billed. You see the rejection in your event log with full headers for debugging.

These limits cover 99%+ of webhook payloads. Stripe events are typically 2–8 KB. Even AI-heavy payloads (summaries, embeddings) rarely exceed 1 MB. If you need more, Enterprise plans support custom limits.

Plan limits & payload specs

Three layers:

1. Original provider headers (Stripe-Signature etc.) forwarded intact — your existing SDK verification works without changes on first delivery.

2. Custom headers (Authorization, x-api-key) attached per-destination. Secrets encrypted at rest.

3. AnyHook-Signature header on every request — timestamped HMAC-SHA256 with a per-destination secret. Recommended for production.

AnyHook-Signature verification guide

You can — on the first delivery. But retries will fail.

Provider signatures include a timestamp. Most providers reject signatures older than 5 minutes to prevent replay attacks. AnyHook's retry schedule (5 min → 30 min → 2 h → 12 h) means retries carry the original timestamp from hours ago — your server's signature check will reject them.

AnyHook's solution: we verify the original signature once at the edge, then re-sign every delivery (including retries) with a fresh AnyHook-Signature and current timestamp. Your server checks one header — it never expires, even on the 5th retry.

Trust chain: Provider → AnyHook verifies → AnyHook re-signs → your server verifies AnyHook. You trust AnyHook, AnyHook trusts the provider.

Ship your agent.
We handle delivery.

Talk to us