FastAPI, Webhooks, Observability, Reliability

I built a webhook inspector because tunnel logs are a bad source of truth

A FastAPI and React tool for receiving callbacks, checking signatures, replaying events, and seeing what happened without digging through scattered logs.

Apr 25, 2026 · 5 min read
Webhook Relay Inspector

Provider callbacks look simple until they fail at the worst possible time.

You get a payment callback, delivery update, message event, or integration ping. Then something does not line up. The signature is wrong, the body was transformed, the provider retried, the local tunnel dropped, or someone asks, "Can we replay the exact event?"

If the answer is "let me scroll through terminal logs," the debugging loop is already broken. You end up guessing at what actually arrived.

The tool

The Webhook Relay and Inspector is a FastAPI ingress with a React inspector UI.

It receives provider-style callbacks, keeps the raw body for verification and replay, checks HMAC signatures when configured, stores the event, broadcasts it to the UI over WebSockets, and can forward matching events to downstream targets with bounded retries.

The goal was not to build a giant integration platform. The goal was to make the operational loop visible:

  • what arrived
  • whether it was verified
  • which headers came with it
  • whether it matched a forwarding rule
  • whether forwarding succeeded
  • whether the exact event can be replayed

Why raw bytes matter

One easy mistake is parsing the JSON first and verifying later.

That breaks the trust model for many providers. Signatures are typically calculated over the original request body, not the pretty version your framework gives you after parsing. Parse first, verify second, and a valid event can fail the signature check, or worse, you miss a tampered one.

The service keeps the raw payload path explicit. Verification happens close to ingress. The parsed body is useful for search and display, but it is not the source of truth for signature checks.
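To make the difference concrete, here is an added example (not code from the inspector itself) that verifies the same event both ways. The secret, the payload, and the hex HMAC-SHA256 scheme are assumptions chosen for illustration; real providers differ in header name and encoding.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values (assumptions, not from the post).
SECRET = b"example-shared-secret"
RAW_BODY = b'{"id":"evt_1","amount":1000,"currency":"usd"}'  # compact, as sent


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes, as the sender computes it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_raw(secret: bytes, raw_body: bytes, signature: Optional[str]) -> bool:
    """Check the signature against the bytes as received, before parsing."""
    if not signature:
        return False  # missing header: reject instead of falling through
    expected = sign(secret, raw_body).encode()
    # compare_digest avoids leaking the match position through timing
    return hmac.compare_digest(expected, signature.strip().encode())


def verify_after_parse(secret: bytes, raw_body: bytes, signature: str) -> bool:
    """The mistake: parse first, then verify the re-serialized JSON."""
    # json.dumps inserts spaces after ':' and ',', so the bytes no longer match
    reserialized = json.dumps(json.loads(raw_body)).encode()
    expected = sign(secret, reserialized).encode()
    return hmac.compare_digest(expected, signature.encode())


def demo() -> dict:
    """Run each case against one constructed event and collect the results."""
    good_sig = sign(SECRET, RAW_BODY)
    tampered = RAW_BODY.replace(b"1000", b"9000")
    return {
        "raw_valid": verify_raw(SECRET, RAW_BODY, good_sig),
        "reparsed_valid": verify_after_parse(SECRET, RAW_BODY, good_sig),
        "raw_tampered": verify_raw(SECRET, tampered, good_sig),
        "missing_header": verify_raw(SECRET, RAW_BODY, None),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

In a FastAPI handler the raw bytes come from `await request.body()`; declaring a parsed model or `dict` parameter instead hands you the already-decoded version.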

What I was actually solving

This started as tooling for my own provider integration work. The number of times I have had to reconstruct "what actually arrived" from partial logs convinced me that the right answer is to capture everything at the edge and make it queryable.

I built a webhook inspector because tunnel logs are a bad source of truth | Nasir Nasir-Ameen