Standard Webhooks Spec · RFC 7807 · SOC2 CC6.7 · IETF Webhooks BCP · Deep Prototype

WebhookDelivery — Outbound Webhook Reliability + Signature Rotation

22 outbound webhook subscribers. Per subscriber: success rate, retry attempts, DLQ depth, signature version (HMAC-SHA256 v2 vs deprecated HMAC-MD5 v1), idempotency-key support, exponential-backoff cadence. Surfaces 4 with chronic failures + 2 still on legacy HMAC-MD5.


What it is

The reliability + security audit for outbound webhooks. Most platforms ship webhooks once + never audit; failure rates drift; signature schemes go stale.

What’s in it

  • 22 subscribers × success rate, DLQ depth, signature version, idempotency support, backoff cadence
  • Per subscriber: real-shape integrations (ERP, accounting, Salesforce, billing-vendor, push relay, SIEM, fraud vendor, warehouse, partner systems, internal mTLS)
  • Worst-offender findings: 2 legacy HMAC-MD5 partners (DeprecationCalendar DEP-010 cross-ref), 1 customer-X chronic-flake endpoint, 1 test endpoint left running with 288 messages in DLQ
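The per-subscriber checks listed above, sketched as an added example; this is not the tool's own code. The record shape, field names, thresholds, finding codes and sample records are assumptions made for illustration; only the 288-message DLQ figure comes from the page.

```javascript
// Assumed thresholds and record shape; the page publishes neither.
const LIMITS = { minSuccessRate: 0.95, maxDlqDepth: 50, minBackoffRatio: 1.5 };
const WEIGHT = { high: 100, medium: 10, low: 1 };

// True when every retry delay is at least `ratio` times the one before it.
function isExponentialBackoff(delaysSec, ratio = LIMITS.minBackoffRatio) {
  if (!Array.isArray(delaysSec) || delaysSec.length < 2) return false;
  return delaysSec.every((d, i) => i === 0 || d >= delaysSec[i - 1] * ratio);
}

function auditSubscriber(s) {
  const findings = [];
  const add = (sev, code) => findings.push({ sev, code });
  const attempts = s.delivered + s.failed;
  const successRate = attempts === 0 ? null : s.delivered / attempts;

  // Signature scheme: v1 (HMAC-MD5) is deprecated, v2 (HMAC-SHA256) is current.
  if (s.signature === 'hmac-md5-v1') add('high', 'LEGACY_SIGNATURE');
  else if (s.signature !== 'hmac-sha256-v2') add('high', 'UNKNOWN_SIGNATURE');
  if (successRate !== null && successRate < LIMITS.minSuccessRate) add('medium', 'CHRONIC_FAILURE');
  if (s.dlqDepth > LIMITS.maxDlqDepth) add('medium', 'DLQ_BACKLOG');
  if (!s.idempotencyKey) add('low', 'NO_IDEMPOTENCY_KEY');
  if (!isExponentialBackoff(s.retryDelaysSec)) add('low', 'FLAT_BACKOFF');

  const score = findings.reduce((sum, f) => sum + WEIGHT[f.sev], 0);
  return { name: s.name, successRate, score, findings };
}

// Worst offenders first; clean subscribers are dropped from the report.
function auditAll(subscribers) {
  return subscribers.map(auditSubscriber)
    .filter((r) => r.findings.length > 0)
    .sort((a, b) => b.score - a.score);
}

// Constructed sample records (hypothetical names and counts).
const SAMPLE = [
  { name: 'siem', signature: 'hmac-sha256-v2', delivered: 9990, failed: 10,
    dlqDepth: 0, idempotencyKey: true, retryDelaysSec: [5, 25, 125] },
  { name: 'legacy-partner', signature: 'hmac-md5-v1', delivered: 4900, failed: 100,
    dlqDepth: 3, idempotencyKey: false, retryDelaysSec: [30, 30, 30] },
  { name: 'test-endpoint', signature: 'hmac-sha256-v2', delivered: 0, failed: 288,
    dlqDepth: 288, idempotencyKey: true, retryDelaysSec: [5, 25, 125] },
];

console.log(JSON.stringify(auditAll(SAMPLE), null, 2));
```
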

Why this shape

Standard Webhooks spec + IETF Webhooks BCP define modern webhook delivery. The hard finding: a partner stuck on legacy crypto with no migration path.

How it ships

Single HTML file, ~14KB. Zero dependencies. 22 subscribers × signature/status filters + per-subscriber drilldown in 130 lines of vanilla JavaScript.
