Hookbound: secure inbound and outbound webhooks for Go

Hi everyone,

I’ve released Hookbound v0.2.0, an Apache-2.0 Go library for securely sending and receiving webhooks.

Hookbound provides:

  • Signed outbound webhook delivery

  • Inbound signature verification

  • Standard Webhooks HMAC-SHA256 and Ed25519 support

  • GitHub and Stripe webhook verification

  • Replay protection and SSRF-aware delivery

  • Optional PostgreSQL-backed durable delivery with retries, renewable leases, deduplication, and crash recovery

  • A dependency-free core built on net/http, context.Context, and log/slog

Install it with:

go get github.com/kzelealem/hookbound@v0.2.0

GitHub: https://github.com/kzelealem/hookbound
Go documentation: https://pkg.go.dev/github.com/kzelealem/hookbound

The project has race-detector testing, real PostgreSQL integration tests, fuzzing, CodeQL, vulnerability scanning, golangci-lint, signed releases, an SBOM, and build provenance.

The public API may still evolve before v1.0. I would especially appreciate feedback on:

  • The sender and receiver API design

  • The security defaults

  • The reliability and at-least-once delivery contract

  • Whether the PostgreSQL functionality feels sufficiently optional

  • Anything that would prevent you from adopting it

Thanks! I’m happy to answer questions and would appreciate honest technical feedback.