All Glossary Terms
Core

What is a webhook url?

The webhook URL is the public HTTPS address you register with a source system to receive webhook deliveries — what you paste into Stripe's dashboard, GitHub's settings page, or Shopify's admin to tell the source where to send events. Three rules govern it: HTTPS with a publicly-trusted certificate (no self-signed, no expired), publicly resolvable (no localhost, no `192.168.x.x`, no `*.local`), and stable long-term since changing it means re-registering with every source. For local development, tools like ngrok, localtunnel, and WebhookWhisper bridge a public HTTPS URL to your localhost server so you can test with real provider deliveries.

The webhook URL is what you paste into Stripe's dashboard, GitHub's settings page, or Shopify's admin to tell the source where to send events. It is just a URL — https://api.example.com/webhooks/stripe — but the act of registering it is the configuration step that makes the integration real.

Three rules govern the URL. It must be HTTPS with a publicly trusted certificate (no self-signed certs, no expired certs — every major provider rejects them). It must be publicly resolvable (no localhost, no 192.168.x.x, no *.local). It must be stable — once registered, the URL is dialed from the provider's servers indefinitely, so changing it means re-registering with every source.

For local development, the URL constraint creates the entire ecosystem of webhook tunnels and forwarders. Your localhost server is none of public, HTTPS, or stable. Tools like ngrok, localtunnel, and WebhookWhisper solve this by giving you a public HTTPS URL — https://abc123.webhookwhisper.com — that bridges to your localhost. WebhookWhisper specifically gives you a stable URL across sessions, so you can register once with Stripe and keep using the same URL for weeks.

URL design matters more than people expect. Three patterns:

- Per-source, per-environment URLs. https://api.example.com/webhooks/stripe/prod, /webhooks/stripe/staging. Lets you route prod and staging traffic to the same handler code without environment-detection logic. - Per-source, per-tenant URLs. https://api.example.com/webhooks/stripe/customer/abc123. Common in B2B SaaS where each customer brings their own Stripe account; the URL identifies which customer's secret to verify against. - Single shared URL. https://api.example.com/webhooks. Switches on User-Agent or a custom header. Don't do this — it makes per-source rate limiting, signature verification, and observability all harder than separating routes.

URL hygiene: never put the secret in the URL (?secret=... ends up in access logs everywhere); never share a URL across environments (a misfired prod webhook hitting staging will corrupt staging data); never expect the URL to be guessable as security ("nobody knows this URL" is not a defense — signature verification is).

See Webhook URL in real traffic

WebhookWhisper captures every webhook with full headers, body, signature, and timing — so concepts like webhook url stop being abstract and become something you can inspect.

Start Free

Related Terms

Webhook Endpoint
A webhook endpoint is the public HTTPS URL on your server that receives webhook POST requests from a source system.
Webhook
A webhook is an HTTP POST request that one service sends to another to notify it that an event has occurred.
Webhook Receiver
The webhook receiver is the system that accepts webhook deliveries — your application, an inspector, or a forwarder.
Webhook Signature
A webhook signature is a cryptographic hash in a request header that proves the webhook came from the claimed source.
Webhook Source
The webhook source is the system that emits webhook events — for example, Stripe, GitHub, or your own application.
 All Glossary Terms →