Core Concepts: Understanding Sources

A Source is the foundation of your webhook pipeline. It's a single, unique, and public-facing URL you create in HookMux. You give this URL to any service that sends webhooks (like Stripe, GitHub, Shopify, etc.).

When a Source's URL receives an HTTP request (a webhook), it ingests the entire payload (body, headers, query parameters) and triggers deliveries to all of its attached Destinations.

The Ingest URL

When you create a Source, HookMux generates a unique Ingest URL for it. This is the URL you will paste into the "Endpoint URL" or "Payload URL" field in your third-party service's webhook settings.

It will always have this structure:

https://core.hookmux.com/ingest/[your-unique-slug]

The GET Proxy Feature

Your Source URL can accept both POST and GET requests.

  • POST requests are treated as incoming webhooks, which are logged and fanned out to all destinations.
  • GET requests are treated as a simple proxy and validation tool. A GET request to your Ingest URL will be forwarded to the first active destination on that Source.

Use Case:

This is useful for quickly validating that HookMux can reach your destination and for checking its response. For example, some webhook providers (like Svix) send a GET request as part of their "endpoint verification" flow.

Security:

When proxying GET requests, HookMux intelligently forwards safe headers (like Authorization) but strips sensitive, connection-specific headers (like Cookie) to protect your security.

Pro-Tip: Cloudflare Tunnel Errors

If you are using a Cloudflare Tunnel for a destination and your GET proxy test fails with a DNS points to prohibited IP error, it is almost always because you have a conflicting A record in your Cloudflare DNS settings (e.g., local-testdest A 127.0.0.1).

To fix this: Delete the A record pointing to the local IP. Your Cloudflare Tunnel only needs the CNAME record pointing to its tunnel UUID (e.g., local-testdest CNAME ...cfargotunnel.com) to function correctly.

(Coming Soon) Signature Verification

To provide maximum security, we are actively working on Incoming Signature Verification.

This feature will allow you to store a "signing secret" (provided by services like Stripe or GitHub) for each Source. When a webhook arrives, HookMux will use this secret to cryptographically verify that the request is actually from the service it claims to be from (e.g., Stripe) and not a malicious impostor.

This will protect your entire pipeline from forged requests. You will soon see fields for this in your Source settings.