Sources
Source types, templates, signature verification, deduplication, and IP filtering.
A source is a webhook ingestion endpoint. Every source gets a unique URL that accepts any HTTP method — hookstream captures the full request, stores it as an event, and hands it off to the pipeline.
What is a Source?
A source is a single ingestion endpoint. When a request hits it, hookstream records the method, headers, body, query parameters, and source IP as an immutable event, then runs it through the delivery pipeline. Sources don't care what's inside the body — they'll accept anything and let connections decide what to do with it.
Source URL
Every source has a dedicated ingestion URL:
texthttps://hookstream.io/v1/ingest/<source_id>
This URL accepts POST, PUT, PATCH, DELETE, and GET. The complete request is captured — nothing is stripped, so you can always go back and inspect exactly what the sender delivered.
Source Templates
hookstream ships with templates for 15+ common webhook providers. Each template preconfigures signature verification, expected headers, and documentation links — just pick one and paste your signing secret.
| Provider | Template | Signature Scheme |
|---|---|---|
| Stripe | stripe | HMAC-SHA256 |
| GitHub | github | HMAC-SHA256 |
| Shopify | shopify | HMAC-SHA256 |
| Slack | slack | HMAC-SHA256 |
| Twilio | twilio | HMAC-SHA1 |
| SendGrid | sendgrid | HMAC-SHA256 |
| Intercom | intercom | HMAC-SHA1 |
| Linear | linear | HMAC-SHA256 |
| Clerk | clerk | Standard Webhooks |
| Svix | svix | Standard Webhooks |
| Paddle | paddle | HMAC-SHA256 |
| Resend | resend | Standard Webhooks |
| Postmark | postmark | — |
| Typeform | typeform | HMAC-SHA256 |
| Custom | custom | Configurable |
Preconfigured for Stripe, GitHub, Shopify, and 12 more providers — just pick a template and paste your signing secret.
Signature Verification
Sources can verify incoming webhook signatures so you only accept requests from who you expect. hookstream supports three schemes:
- HMAC-SHA256 — used by Stripe, GitHub, Shopify, and most modern providers
- HMAC-SHA1 — legacy providers like Twilio and Intercom
- Standard Webhooks — the standardwebhooks.com spec used by Svix, Clerk, and Resend
Configure a signing secret on the source and hookstream verifies every incoming request. Invalid signatures are rejected with 401 Unauthorized before the event is stored. See the Signature Verification guide for the full walkthrough.
Deduplication
Sources can dedupe events so a retried webhook doesn't trigger double-processing. Pick one of three strategies:
payload_hash— SHA-256 of the request body (default)header_field— use a specific header (e.g.Idempotency-Key) as the dedup keybody_field— use a JSON body field (e.g.data.id) as the dedup key
Dedup uses Cloudflare KV with a configurable window (default: 5 minutes). Duplicates return 200 OK but skip the pipeline entirely — your destinations never see them.
IP Filtering
Sources can restrict which IPs are allowed to send webhooks using an allowlist or denylist of addresses or CIDR ranges. Requests from blocked IPs are rejected with 403 Forbidden before any processing. Pair this with signature verification for defense in depth. See the IP filtering guide for details.
WebSocket Sources
Beyond HTTP ingestion, sources can accept inbound WebSocket connections. A per-source WebSocketSource Durable Object manages each connection, enabling bidirectional communication and real-time event streaming from connected clients. Useful for browser-facing event streams or IoT fleets.