Guaranteed delivery, automatic retries, and cryptographic verification for your webhooks. Drop-in reliability layer for MTN MoMo, Hubtel, Paystack, and any webhook provider.
Webhooks fail silently — and your system pays the price.
Your server was down for 2 minutes. MoMo sent a payment notification. You never got it. The customer paid — your system doesn't know.
A webhook from Hubtel never arrives. The order sits unprocessed. The customer calls support. You have no idea what happened.
A valid webhook is replayed 10 times. Your system processes the same payment 10 times. Refunds, angry customers, manual cleanup.
Something went wrong. Was the webhook sent? Did it arrive? Was the signature valid? No logs, no trail, no answers.
A single reliability layer between your providers and your app. No code changes on the provider side.
Verified, reliable, deduplicated webhooks
Not "secure". Not "reliable". Not "fast". Here's exactly what WebhookShield does.
Every webhook is cryptographically verified. HMAC-SHA256 for standard providers, adapter-specific verification for MoMo, Hubtel, and Paystack.
Each webhook ID is tracked in Redis. Duplicates are rejected within a configurable time window. No more double-processing payments.
Stale webhooks are rejected. Configurable tolerance window (default 5 minutes) prevents old webhooks from being replayed.
If your server is down, webhooks are queued in RabbitMQ and retried with exponential backoff. Up to 5 attempts before dead-lettering.
Every webhook is logged with its payload, headers, delivery attempts, and status. See exactly what happened and when.
Failed or dead-lettered webhooks can be replayed with a single click from the dashboard or API call. No data loss, ever.
No need to ask MTN or Hubtel to change their webhook format. WebhookShield adapts to each provider's proprietary format automatically.
X-Callback-Token header verification with constant-time comparison
Sender UUID in the ingestion URL acts as access control
X-Paystack-Signature header with full payload signing
Standard WebhookShield format for any provider that adopts it
Three steps to reliable, verified webhooks.
Register your webhook provider (e.g., MTN MoMo) as a sender and your application as a receiver. You get signing secrets for both.
Configure your provider's callback URL to point to your WebhookShield ingestion endpoint. Webhooks are verified, logged, and queued.
WebhookShield delivers the webhook to your application, re-signed with your receiver secret. Failed deliveries are retried automatically.
A simple REST API. Register a receiver, create a sender, and start receiving verified webhooks.
# 1. Create a receiver (your application)
curl -X POST http://localhost:8080/api/v1/receivers \
-H "Content-Type: application/json" \
-d '{"name": "My App", "endpoint_url": "https://myapp.com/webhooks"}'
# Response: {"receiver": {...}, "secret": "17bea62d..."}
# 2. Create a sender (e.g., MTN MoMo)
curl -X POST http://localhost:8080/api/v1/senders \
-H "Content-Type: application/json" \
-d '{
"name": "MTN MoMo",
"slug": "mtn-momo",
"provider_type": "mtn_momo",
"receiver_id": "<receiver-id>"
}'
# Response: {"sender": {...}, "secret": "e0f90615..."}
# 3. Configure MoMo callback URL:
# https://your-webhookshield.com/ingest/<sender-id>
# Set the callback token to the sender secret
# Done! Webhooks are now verified, logged, and reliably delivered.func HandleWebhook(w http.ResponseWriter, r *http.Request) {
// WebhookShield re-signs with your receiver secret
signature := r.Header.Get("X-WebhookShield-Signature")
if !webhookshield.Verify(signature, r.Body, receiverSecret) {
http.Error(w, "invalid signature", http.StatusUnauthorized)
return
}
// Safe to process — verified, deduplicated, fresh
processPaymentNotification(r.Body)
w.WriteHeader(http.StatusOK)
}Provider webhooks work — until they don't. Here's what you're missing.
| Direct from Provider | With WebhookShield | |
|---|---|---|
| Retry guarantees | Varies by provider, often limited or unclear | Guaranteed retries with exponential backoff |
| Replay attack protection | Not provided | Automatic deduplication via Redis |
| Debugging failed webhooks | Check provider dashboard (if available) | Full event log with payload, headers, and status |
| Signature verification | Different per provider, easy to get wrong | Standardized — handled automatically per provider |
| Replay failed events | Not possible | One-click replay from dashboard or API |
| Consistent format | Every provider is different | Unified, re-signed delivery to your app |
Start free. Pay only when your webhook volume grows. Self-host anytime with the open source edition.
For developers testing integrations and side projects.
For small fintechs and startups processing real transactions.
For scaling fintechs and logistics companies.
For banks, telcos, and large platforms with compliance needs.
All paid plans include a 14-day free trial. No credit card required.
Need a self-hosted or on-premise deployment? Contact us for enterprise options.
Get started with Docker Compose. Or join the waitlist for our managed cloud offering.