Hook0 is an open-source Webhooks-as-a-Service (WaaS) platform built in Rust that enables SaaS developers to offer robust, production-grade webhooks to their users without managing infrastructure. It solves the complexity of webhook delivery—retries, signing, persistence, and subscription management—by providing a unified API and dashboard. Hook0 is designed for developers building B2B SaaS products who need to integrate with third-party systems via webhooks but lack the bandwidth to implement reliability features like exponential backoff, TLS encryption, or event replay.
Built with Rust for performance and safety, Hook0 supports PostgreSQL as its database and can be deployed on-premises, via Docker, or on its free hosted Cloud tier. It includes a modern UI for non-technical users, a JSON REST API, SDKs, and an MCP Server for AI assistants. The SSPL license ensures it remains open while preventing cloud providers from reselling it as a managed service.
What You Get
- JSON REST API - A documented, production-ready API for sending events, listing subscriptions, and retrieving delivery logs with full HTTP status codes and payload inspection.
- Fine-grained subscriptions - Users can subscribe to specific event types (e.g., ‘payment.success’, ‘user.created’) and filter by business context like user ID or organization.
- Auto retry with exponential backoff - Hook0 automatically retries failed deliveries with configurable backoff intervals and monitors endpoint health to avoid spamming broken URLs.
- Signed and encrypted payloads - All webhooks are sent over TLS (encryption in transit) and include a cryptographic signature (HMAC) that lets the receiver verify authenticity and guard against tampering or replay attacks.
- Event and response persistence - Every event sent and every webhook delivery attempt (success or failure) is stored with full payload, headers, and HTTP status for debugging and replay.
- Embeddable subscriber portal - Customers get a branded, no-code dashboard with their own subdomain, logo, and real-time event logs to monitor webhook deliveries without technical knowledge.
- Multi-subscription support - A single subscriber can register multiple webhook endpoints; Hook0 delivers each event to all registered URLs simultaneously.
- Event scoping - Events can be scoped to users, organizations, or administrative levels, enabling multi-tenant SaaS applications to control who receives what events.
- GDPR-compliant data hosting - Hook0 Cloud stores all customer data in Europe, ensuring compliance with data sovereignty regulations and avoiding GAFAM infrastructure.
- MCP Server for AI assistants - Hook0 provides a dedicated server interface to integrate webhook events with AI agents and LLM-based automation tools.
Common Use Cases
- Building a SaaS integration platform - A B2B SaaS company uses Hook0 to let customers connect their CRM or ERP systems via webhooks without building retry logic, signing, or logging infrastructure.
- Enabling third-party automation for customers - A project management tool allows users to trigger Zapier-like workflows by subscribing to events like ‘task.completed’ via Hook0’s dashboard and API.
- Debugging webhook failures in production - A fintech startup uses Hook0’s event persistence and replay feature to inspect failed webhook deliveries, identify malformed payloads, and resend them without re-triggering the source event.
- Running a compliance-sensitive webhook service - A European healthcare SaaS uses Hook0’s on-prem deployment to ensure all webhook data stays within EU borders and meets GDPR requirements without vendor lock-in.
Under The Hood
Architecture
- Monolithic Rust workspace with clearly separated crates (api, cli, output-worker) enabling strong separation of concerns, where the API layer manages HTTP routing and the output-worker handles asynchronous event processing
- Event-driven design with typed payloads and a centralized event system that decouples webhook ingestion from downstream logic
- Dependency injection and configuration managed via environment variables and Docker Compose, with explicit service dependencies ensuring consistent deployment and testability
- Multi-layered security implemented in dedicated modules, including signature validation, IP filtering, and circuit breakers, avoiding controller-level pollution
- Clean API versioning and integrated OpenAPI documentation with consistent routing patterns and Swagger endpoints
- Frontend and API decoupled via environment-configured endpoints, with CI/CD pipelines automated through git-based changelog generation and static deployment
Tech Stack
- Rust monorepo with SQLx for PostgreSQL integration and async runtime support across services
- Express and Next.js for API and frontend, with TypeScript ensuring type safety and Docusaurus for documentation
- Docker Compose orchestrates PostgreSQL, Mailpit, and multiple services with multi-stage builds for optimized containerization
- GitLab CI/CD pipelines include comprehensive security scanning, automated release workflows, and SDK-specific test pipelines
- Cliff.toml enforces conventional commits and semantic versioning with automated changelog generation
Code Quality
- Extensive test coverage spanning unit, integration, and end-to-end scenarios with clear layer separation
- Robust error handling through custom error types in Rust and structured assertions in frontend tests
- Consistent, domain-aligned naming conventions and test files following a Three-Step Verification Pattern
- Strong TypeScript type safety with precise type guards and comprehensive annotations in test utilities
- Comprehensive E2E testing with Playwright, including visual regression and CSS validation alongside API-driven setup
- Automated test isolation via unique resource naming, environment variables, and parallel-safe configurations
What Makes It Unique
- Native event routing engine that dynamically maps webhook payloads to handlers using declarative schemas, eliminating manual endpoint configuration
- Built-in Biscuit-based decentralized authorization embedding fine-grained permissions in tokens, enabling stateless cross-service access control
- Integrated SQLx query precompilation and vacuum optimization pipeline that maintains database performance under high event volumes
- End-to-end event tracing with embedded audit trails in the database, providing real-time observability without external logging
- Frontend shimmer patterns algorithmically randomized to mimic real data variance, enhancing perceived performance in a novel way
- SSPL-licensed architecture that intentionally restricts managed service offerings, preserving community ownership while enabling self-hosted enterprise use