Webhook Gateway
Instead of implementing webhook validation and routing logic separately in every service, a webhook gateway provides a single, secure entry point for all third-party webhooks from providers like Stripe, Twilio, Slack, and GitHub. This centralized approach validates webhook signatures, prevents tampering, and routes authenticated requests to the appropriate internal services in production environments.
With this setup, you can:
- Validate webhook signatures from 70+ supported providers in a single place
- Route authenticated webhooks to appropriate services based on the provider
- Prevent webhook spoofing and tampering with cryptographic verification
- Standardize webhook handling across your entire infrastructure
- Apply consistent logging and monitoring to all webhook traffic
1. Create endpoints for your services
Start internal Agent Endpoints for the services that will handle webhooks from different providers. You can also use one of our SDKs or the Kubernetes Operator.
For a payment service handling Stripe webhooks:
Loading…
For a notification service handling Slack webhooks:
Loading…
For a deployment service handling GitHub webhooks:
Loading…
2. Reserve a domain
Navigate to the Domains section of the ngrok dashboard and click New + to reserve a free static domain like https://your-service.ngrok.app or a custom domain you already own.
We'll refer to this domain as $NGROK_DOMAIN from here on out.
3. Create a Cloud Endpoint
Navigate to the Endpoints section of the ngrok dashboard, then click New + and Cloud Endpoint.
In the URL field, enter the domain you just reserved to finish creating your Cloud Endpoint.
4. (Optional) Create a vault and secrets
For production environments, store your webhook secrets securely using Secrets for Traffic Policy. This step is optional—you can also use plaintext secrets directly in your policy.
Create a vault to store your webhook secrets:
Loading…
Add your credentials to the vault, replacing the names and values, plus changing $VAULT_ID to match the vault ID from the response:
Loading…
5. Apply Traffic Policy to your Cloud Endpoint
While still viewing your new cloud endpoint in the dashboard, copy and paste one of the policies below into the editor.
Loading…
What's happening here? This policy routes incoming webhook requests based on their URL path. Each route first validates the webhook signature using secrets stored in your encrypted vault, then forwards authenticated requests to the appropriate internal service. If signature verification fails, the request is automatically rejected, protecting your services from spoofed or tampered webhooks.
6. Try out your endpoint
Visit the domain you reserved either in the browser or in the terminal using a tool like curl.
You should see the app or service at the port connected to your internal Agent Endpoint.
Configure your webhook endpoints in each provider's dashboard:
- Stripe:
https://$NGROK_DOMAIN/stripe - Slack:
https://$NGROK_DOMAIN/slack - GitHub:
https://$NGROK_DOMAIN/github
When webhooks are sent from these providers, they'll be validated and routed to your internal services automatically.
What's next?
- Read about other gateway shapes you can build with ngrok
- View the complete list of 70+ supported webhook providers including Twilio, Shopify, and DocuSign
- Add the
logaction to send webhook events to your observability platform for monitoring and debugging - Use Traffic Inspector to monitor webhook delivery and troubleshoot validation failures
- Learn more about webhook signature verification and security best practices