•Fixed the endpoint settings dialog showing a disabled “Deleting...” button when opening another endpoint's settings right after deleting one — previously only a page reload cleared it
Web Appv0.26.0
The Landing Page Is Now the Dashboard
•Visit webhooks.cc and you're in the inspector: a live guest webhook URL is created the moment you arrive — no signup — with the full request dashboard (live feed, body tree, headers, replay) filling the first screen
•One-click test sends from the empty state: a custom payload or signed Stripe, GitHub, and Shopify templates, plus a copy-able curl command
•One click with GitHub or Google keeps your guest endpoint and unlocks the free plan — messaging now spells this out at every step, including a guest-vs-free comparison
•/go retired: it permanently redirects to the landing page, which now provides the same experience
•Crawler protection: guest endpoints are no longer created for bots (server-side user-agent screen + creation waits for a human input signal)
•SEO: HowTo structured data, new FAQ entries, and an instant-URL page title and description
Web Appv0.25.0
Landing Redesign + Per-Provider Webhook Pages
•New provider pages at /webhooks — setup steps, signature details, and sample events for all 32 supported providers, plus a browsable hub grouped by category
•Landing page redesigned around a sign-up-first hero: prominent GitHub/Google start-free buttons, with the no-signup guest endpoint as the secondary path
•New provider strip and navbar links (Docs, Providers, Compare, Pricing, Blog) for easier discovery
•SEO: provider pages added to the sitemap, /agent/claim marked noindex
Web Appv0.24.0
4 New Providers — DocuSign, Adyen, PayPal, Plaid
•Provider catalog grows from 28 to 32: added DocuSign, Adyen, PayPal, and Plaid across templates and detection
•Server-side signature verification now supports DocuSign HMAC, Adyen body-embedded HMAC, and PayPal RSA certificate verification; Plaid remains template-only until Plaid JWT/JWK credentials are supported
•Endpoint settings and the Signature tab use provider-specific credential labels, including PayPal Webhook ID and Adyen HMAC Key
SDKv1.9.0
4 New Providers — DocuSign, Adyen, PayPal, Plaid
•Added DocuSign, Adyen, PayPal, and Plaid templates, bringing TEMPLATE_PROVIDERS to 32 named providers
•New verifiers: verifyDocuSignSignature, verifyAdyenSignature, and verifyPayPalSignature with PayPal certificate URL validation and RSA-SHA256 verification
•New detection helpers: isDocuSignWebhook, isAdyenWebhook, isPayPalWebhook, and isPlaidWebhook; Plaid remains template-only for verification
MCPv1.7.0
4 New Providers
•DocuSign, Adyen, PayPal, and Plaid are available in provider template tools through the SDK catalog; verify_signature now exposes DocuSign, Adyen, and PayPal while keeping Plaid template-only
Web Appv0.23.1
Fix: send-webhook templates for newer providers
•Fixed the dashboard send-webhook dialog failing with “Unsupported template "custom"” for 14 providers (HubSpot, Square, Meta, Lemon Squeezy, Coinbase Commerce, Razorpay, Cal.com, Intercom, Telegram, Mailgun, Calendly, Mux, Sentry, Bitbucket) — their template presets now derive from the SDK provider metadata so every listed provider can send a signed test webhook
•Unclaimed agent credentials now work immediately in a bounded sandbox: an anonymous key can create ephemeral endpoints and read only its own captured requests, with strict cross-tenant isolation, before a human claims it
•Anonymous registrations get a short human-friendly claim code (e.g. ABCD-EFGH) alongside the claim link — a signed-in user can claim by typing the code at /agent/claim
•Verification emails (OTP) now send over SMTP in production (SMTP → Resend → dev fallback); local dev and tests keep using the in-process capture transport
•Documented the ID-JAG trusted-provider config format and added an identity-provider onboarding section to the hosted /auth.md
SDKv1.8.0
Agent self-registration on-ramp
•New static WebhooksCC.register helpers let an agent obtain its own credential before it has one: anonymous (with claim code + poll/waitForClaim), verified_email (withEmail + confirmEmailOtp), and identity_assertion (withIdJag)
•WebhooksCC.describeRegistration() and client.describe().registration surface the auth.md on-ramp so an unauthenticated agent can discover how to register
•Standalone exports (registerAnonymous, registerWithEmail, confirmEmailOtp, registerWithIdJag, pollClaim, waitForClaim) plus an AgentRegisterError carrying the auth.md error code
MCPv1.6.0
Agent self-registration on-ramp
•New unauthenticated tools — how_to_register, register_agent, and check_claim — let an agent with no API key learn the auth.md flows and drive the anonymous register + claim handshake
•The MCP server now boots without WHK_API_KEY, exposing only the registration on-ramp so an agent can obtain a credential instead of failing to start
•describe now includes the registration on-ramp block from the SDK
•Implements the WorkOS auth.md agent-registration protocol: agents self-register a credential anonymously, via a verified-email one-time code, or by presenting a provider-signed ID-JAG identity assertion
•Adds RFC 9728 discovery (/.well-known/oauth-protected-resource and /.well-known/oauth-authorization-server), a hosted /auth.md, and a WWW-Authenticate hint on 401s so agents can discover how to authenticate
•Anonymous credentials can be claimed by a signed-in user from an in-app claim page, permanently attaching the key to their account
•Supports provider-driven revocation (logout token) for ID-JAG-issued credentials
•Provider catalog grows from 21 to 28: added Square, HubSpot, Mailgun, Calendly, Mux, Sentry, and Bitbucket across templates, auto-detection, and signature verification
•Three new signing schemes are now supported server-side: URL + body (Square), HTTP method + URI + body + timestamp (HubSpot), and body-embedded signature fields (Mailgun)
•Endpoint settings, the send-webhook dialog, and the Signature tab list all 28 named providers; automatic server-side verification works for every one except SendGrid (IP allowlisting)
•Refreshed provider template and signature-verification docs with payload shapes, headers, and algorithms for each new provider
•Provider catalog grows from 14 to 21: added Meta (WhatsApp/Messenger/Instagram), Lemon Squeezy, Coinbase Commerce, Razorpay, Cal.com, Intercom, and Telegram across templates, auto-detection, and signature verification
•Endpoint settings, the send-webhook dialog, and the Signature tab now list all new providers; server-side automatic verification works for every one
•Refreshed provider template and signature-verification docs with payload shapes, headers, and algorithms for each new provider
•Added Square, HubSpot, Mailgun, Calendly, Mux, Sentry, and Bitbucket to templates, detection, and verification — the catalog now covers 28 named providers
•VerifySignatureOptions gains an optional method field; Square and HubSpot verification require the request url (HubSpot also uses the method and rejects timestamps older than 5 minutes)
•Bitbucket is detected on x-event-key before Intercom to avoid the shared x-hub-signature collision (Bitbucket sha256=, Intercom sha1=)
SDKv1.6.0
7 New Providers
•Added Meta (WhatsApp/Messenger/Instagram), Lemon Squeezy, Coinbase Commerce, Razorpay, Cal.com, Intercom, and Telegram to templates, detection, and verification
•Square, HubSpot, Mailgun, Calendly, Mux, Sentry, and Bitbucket are now available in send_webhook, send_to, preview_webhook, list_provider_templates, and verify_signature — wired automatically through the SDK provider lists, bringing the catalog to 28 named providers
MCPv1.4.2
7 New Providers
•Meta, Lemon Squeezy, Coinbase Commerce, Razorpay, Cal.com, Intercom, and Telegram are now available in send_webhook, send_to, preview_webhook, list_provider_templates, and verify_signature — wired automatically through the SDK provider lists
Web Appv0.20.3
CLI v1.1.2 Release
•Ships the CLI v1.1.2 polish — correct version display in `whk update` and a clear, actionable message when the install directory isn't writable
CLIv1.1.2
Update Command Polish
•`whk update` now displays the current version correctly (was rendering as `vv1.0.0` due to a double `v` prefix)
•When the install directory isn't user-writable, `whk update` fails fast with a clear message naming the path and suggesting `sudo whk update` or a user-writable reinstall — instead of the cryptic `Permission denied (os error 13)` after a multi-MB download
Web Appv0.20.2
MCP v1.4.1 & CLI v1.1.1 Release
•MCP and CLI version bumps ship transitive dependency upgrades — zod 4 in MCP, tokio 1.52 and rustls-webpki refresh in the CLI
•Internal clippy 1.95 cleanups in the TUI event loop and update screen (no behavior change)
MCPv1.4.1
zod 4 Upgrade
•Upgrades the zod dependency from 3.x to 4.x with the matching tool-schema adaptation in src/tools.ts
Web Appv0.20.1
CI hardening & lint cleanup
•CI: Build Web App job now uses placeholder env values when Supabase secrets aren't available (e.g. Dependabot PRs), so dependency-update PRs get a meaningful build signal
•Resolved new strict react-hooks lint errors surfaced by an upcoming plugin bump, keeping the workspace lint-clean across plugin versions
Web Appv0.20.0
Provider Auto-Detect & Typeform Support
•Dashboard auto-detects the webhook provider from headers and payload and renders a colored provider badge on each request
•Provider icons (Stripe, GitHub, Shopify, Twilio, Slack, Paddle, Linear, Clerk, Discord, Vercel, GitLab, Typeform, and more) across the request list and detail panes
•Typeform added to provider templates and signature verification — configure on any endpoint
•Hardened signing configuration invariants: partial or stale provider state is no longer possible, eliminating a class of silent verification failures
•Refreshed provider docs, ngrok and webhook.site comparison guides, signature verification guide, and MCP tools reference
SDKv1.5.0
Typeform Provider & Webhook Auto-Detect
•Typeform provider templates (form_response, partial_response, payment) and verifyTypeformSignature
•detectWebhookInfo() and detectWebhookProvider() helpers for provider auto-detection from headers and body
•DetectedWebhookInfo type and isTypeformWebhook detection helper
MCPv1.4.0
Typeform Provider Support
•Typeform exposed in list_provider_templates with templates, default event, and signature metadata
•Typeform usable in create_endpoint and update_endpoint signing config
Web Appv0.19.1
Guest Dashboard SEO Overhaul
•Fixed layout bug on /go where hero copy rendered above the navbar
•Added feature cards flanking the Send Your First Webhook widget — mock responses, signature verification, CLI tunnel, SDK testing, MCP, and search/replay — visible without scrolling on xl+ screens
•Promoted the page h1 to a visible subtitle inside the nav on md+ screens
CLIv1.1.0
Signature Verification
•Tunnel forwards X-Signature-Verified, X-Signature-Provider, and X-Signature-Error headers
•Listen shows inline verification status (checkmark/cross) per request
•Create supports --signing-provider and --signing-secret flags (or WHK_SIGNING_SECRET env var)
SDKv1.4.0
Signature Verification Matchers
•matchVerified() and matchUnverified() matchers for signature verification assertions
•signatureVerified, signatureError, and signingProvider fields on Request and Endpoint types
MCPv1.3.0
Signature Verification Tools
•Signing config (provider + secret) on create_endpoint and update_endpoint
•verify_signature tool returns stored server-side results with skipped detection
•Discord publicKey support for Ed25519 verification
Web Appv0.19.0
Signature Verification
•Server-side webhook signature verification for 13 providers — configure once per endpoint, every request verified automatically
•New Signature tab in request detail: paste a secret for instant client-side verification, or view stored server-side results with detailed error diagnostics
•Verification badges (shield icons) in the request list and summary bar for at-a-glance valid/invalid status