Documentation Index
Fetch the complete documentation index at: https://docs.hookr.app/llms.txt
Use this file to discover all available pages before exploring further.
Overview
Forwarding is a feature that automatically sends your webhook event data to external URLs you specify. When enabled, Hookr acts as a middleware—receiving webhook events and instantly relaying them to your own services, integrations, or APIs.
This is especially useful when an event source supports only a single webhook URL, but you need to send the data to multiple destinations like Zapier, custom APIs, or other automation platforms.
Why Use Forwarding?
- Multiple Destinations: Send a single event to up to 3 different URLs simultaneously
- Secure Verification: Each forwarded request includes cryptographic signatures so recipients can verify authenticity
- Easy Integration: Works with Zapier, Make, IFTTT, custom APIs, and any HTTP endpoint
- Complete Transparency: View the history of every forwarded request with response details
- Original Data Preserved: The exact event payload is forwarded without modification
- Works with Everything: Compatible with Private Mode, Time Sensitive notifications, and all other features
When to Use Forwarding
Enable Forwarding for webhooks when you need to send event data to external services:
| Use Case | Example |
|---|
| Multiple Integrations | Event source has one webhook URL, but you need both Zapier AND a custom API to receive it |
| Automation Workflows | Forward form submissions to Zapier, Make, or IFTTT for workflow automation |
| Data Distribution | Send the same event to multiple logging, analytics, or monitoring services |
| Audit Trails | Forward events to an external system that maintains compliance audit logs |
| Partner Integration | Send data to a partner’s API while keeping Hookr for your mobile notifications |
| Backup & Redundancy | Send critical events to multiple endpoints for reliability |
| Custom Processing | Forward to your own server for custom business logic or data transformation |
When NOT to Use Forwarding
Avoid Forwarding if:
- No external services needed — If you only need mobile notifications, standard webhooks are simpler
- Service can’t handle HTTP POST — Your destination must accept HTTP POST requests
- Need data transformation — Hookr forwards data as-is; use an intermediary service for transformations
How It Works
What Happens When Forwarding Is Enabled
When a webhook with Forwarding enabled receives an event:
- ✅ Event arrives — Hookr receives the webhook at your unique URL
- ✅ Notification sent — You get a push notification (if a message is configured)
- ✅ Data forwarded — The complete event payload is sent to each configured URL
- ✅ Request signed — Each forwarded request includes an HMAC SHA256 cryptographic signature
- ✅ History recorded — Forwarding results (status, response, timing) are saved for review
Data Flow Comparison
| What Happens | Normal Webhook | Webhook with Forwarding |
|---|
| Event received | ✅ | ✅ |
| Notification sent | ✅ | ✅ |
| Event stored in database | ✅ | ✅ |
| Data forwarded to external URLs | ❌ | ✅ |
| Cryptographic signature included | ❌ | ✅ |
| Forwarding history recorded | ❌ | ✅ |
What Gets Forwarded
The complete original payload is forwarded to your external URLs, including:
- All JSON fields from the original request
- Query string parameters
- Original HTTP method (POST, PUT, etc.)
- Exact data structure (no transformation)
Important: Hookr forwards the raw data as received. No filtering or modification is applied.
Setup: Enabling Forwarding
Enabling Forwarding is straightforward:
- Open your webhook — Find the webhook you want to enable forwarding on
- Edit the webhook — Click the edit button or settings
- Toggle “Enable Forwarding” — This reveals the forwarding configuration options
- Add destination URLs — Add 1-3 URLs where events should be forwarded:
- Click the + button to add a URL field
- Enter a valid
https:// or http:// URL
- Click - to remove unwanted URLs
- Copy your secret — A forwarding secret is automatically generated:
- Displayed as masked text:
XXXX...XXXX
- Click the copy button to copy it
- Click reset to generate a new secret anytime
- Save your webhook — Future events will be automatically forwarded
Once enabled, an arrow icon badge (↗️) appears next to your webhook name so you can quickly identify which webhooks have Forwarding enabled.
Note: Forwarding is disabled by default. All webhooks send only notifications until you explicitly enable Forwarding.
URL Requirements
- Format: Must be a valid HTTP or HTTPS URL
- Prefix: Must start with
http:// or https://
- Count: Enter 1-3 URLs (fields can be left empty)
- Length: Each URL must be 2,048 characters or less
Valid Examples:
https://zapier.com/hooks/catch/123456/abchttps://api.myapp.com/webhooks/eventshttps://example.com/webhook?token=abc123http://localhost:3000/webhook (for local testing)
Secret Key Management
The Forward Secret is your security credential used to sign every forwarded request.
- Auto-Generated: When you enable Forwarding, Hookr automatically generates a secure random secret
- Displayed Masked: Shown as
XXXX...XXXX (first and last 6 characters visible)
- Copy & Share: Click the copy button and share it with services receiving your webhooks
- Reset Anytime: Click reset to generate a new secret (old secret stops working immediately)
- Treat Like a Password: Never share your secret publicly or commit it to version control
Security & Verification
Why Verify Signatures?
Every forwarded request includes a cryptographic signature. This allows your external service to verify:
- Authenticity — The request actually came from Hookr (not spoofed)
- Integrity — The payload hasn’t been tampered with during transmission
How Signatures Work
Hookr includes these headers with every forwarded request:
| Header | Example | Purpose |
|---|
X-Hookr-Signature | sha256=abc123... | HMAC SHA256 signature of the request body |
X-Hookr-Timestamp | 1738243200 | Unix timestamp when the request was sent |
Content-Type | application/json | Indicates the payload format |
User-Agent | Hookr/1.0 | Identifies the request came from Hookr |
Verification Methods
You can verify signatures in two ways:
- Body Signature (Recommended) — Verify the HMAC of the entire request body
- Timestamp Signature — Verify the HMAC of just the timestamp (for GET requests or when body verification isn’t possible)
Code Examples: Signature Verification
Body Signature Verification
This is the standard method for verifying POST requests with a body.
const crypto = require('crypto');
function verifyBodySignature(body, signature, secret) {
// Extract the hash from the signature header
const [algorithm, receivedHash] = signature.split('=');
// Calculate expected signature
const expectedHash = crypto
.createHmac('sha256', secret)
.update(body, 'utf8')
.digest('hex');
// Compare signatures
return receivedHash === expectedHash;
}
// Usage
const rawBody = request.body; // Raw request body as string
const signature = request.headers['x-hookr-signature'];
const secret = 'your-forward-secret-here';
if (verifyBodySignature(rawBody, signature, secret)) {
console.log('✅ Signature valid - request is authentic');
} else {
console.log('❌ Signature invalid - reject request');
}
Timestamp Signature Verification
For requests without a body (like GET requests) or as an additional security check, verify the timestamp signature.
const crypto = require('crypto');
function verifyTimestampSignature(timestamp, signature, secret) {
const [algorithm, receivedHash] = signature.split('=');
const expectedHash = crypto
.createHmac('sha256', secret)
.update(timestamp.toString(), 'utf8')
.digest('hex');
return receivedHash === expectedHash;
}
// Usage
const timestamp = request.headers['x-hookr-timestamp'];
const signature = request.headers['x-hookr-signature'];
const secret = 'your-forward-secret-here';
if (verifyTimestampSignature(timestamp, signature, secret)) {
console.log('✅ Timestamp signature valid');
} else {
console.log('❌ Timestamp signature invalid');
}
Best Practices
Security
- Always verify signatures — Never process forwarded events without verifying the signature
- Treat secrets like passwords — Don’t share them in Slack, email, or commit to version control
- Rotate secrets periodically — Generate a new secret every 6-12 months
- Rotate if exposed — If you accidentally leak a secret, reset it immediately
- Use HTTPS — Always use
https:// URLs for forwarding (never http:// in production)
- Check timestamps — Reject requests with timestamps older than 5 minutes to prevent replay attacks
- Set timeouts — Configure your external service with reasonable timeouts (Hookr waits 30 seconds maximum)
- Return quickly — Have your endpoint return a response quickly; do heavy processing asynchronously
- Monitor forwarding history — Check the Events list to track delivery success rates
Testing
- Test before enabling — Send test events to verify your external service receives and processes them correctly
- Use local tunneling — Tools like ngrok let you test forwarding to your local development server
- Check forwarding history — Review response codes and bodies in the event details to debug issues
Viewing Forwarding History
Where to Find It
- Open the Events tab in your Hookr app
- Tap on any event from a webhook with Forwarding enabled
- Scroll to the Forwarding History section
What You See
Each forwarded URL shows:
| Item | Description |
|---|
| Status Badge | Color-coded: 🟢 Green (2xx success), 🟡 Yellow (3xx redirect), 🔵 Blue (4xx client error), 🔴 Red (5xx server error) |
| URL | The destination URL this event was forwarded to |
| Status Code | HTTP response code (200, 404, 500, etc.) |
| Duration | Request execution time in milliseconds |
| Response Body | Response from the external service (expandable) |
| Content-Type | The content type of the response |
Frequently Asked Questions
Does Forwarding work with Private Mode?
Yes! Forwarding works perfectly with Private Mode. Events are still forwarded to your external URLs even though the payload data isn’t stored in Hookr’s database. The signature verification works identically.
Can I forward to more than 3 URLs?
No, the limit is 3 URLs per webhook. If you need to send to more destinations, consider forwarding to a service that can fan out to additional URLs (like Zapier or a custom relay).
What happens if one destination fails?
Forwarding happens in parallel to all URLs. If one fails, the others are unaffected. Each result is recorded independently in the forwarding history.
Can I see what was forwarded?
Yes! View the event details in the Events list. The forwarding history shows the response from each destination, including status codes and response bodies.
Forwarding uses credits from your account. Each event costs 1 base credit, plus 1 credit per destination URL. Example: forwarding to 2 URLs costs 3 credits total (1 base + 2 destinations).
Can I test Forwarding locally?
Yes! Use a tool like ngrok to create a public URL that forwards to your local development server. Add the ngrok URL to your webhook’s forwarding destinations.
What if my external service is slow?
Hookr waits up to 30 seconds for a response. If your service takes longer, the request will time out and be marked as failed. Process events asynchronously on your end to return responses quickly.
Can I change the forwarding secret?
Yes, click the reset button in the webhook settings to generate a new secret. The old secret stops working immediately, so update all external services before resetting.
What HTTP methods are supported?
Hookr preserves the original HTTP method from the incoming webhook (GET, POST). Most webhooks use POST.
