Hi everyone,
I’ve released Hookbound v0.2.0, an Apache-2.0 Go library for securely sending and receiving webhooks.
Hookbound provides:
-
Signed outbound webhook delivery
-
Inbound signature verification
-
Standard Webhooks HMAC-SHA256 and Ed25519 support
-
GitHub and Stripe webhook verification
-
Replay protection and SSRF-aware delivery
-
Optional PostgreSQL-backed durable delivery with retries, renewable leases, deduplication, and crash recovery
-
A dependency-free core built on
net/http,context.Context, andlog/slog
Install it with:
go get github.com/kzelealem/hookbound@v0.2.0
GitHub: https://github.com/kzelealem/hookbound
Go documentation: https://pkg.go.dev/github.com/kzelealem/hookbound
The project has race-detector testing, real PostgreSQL integration tests, fuzzing, CodeQL, vulnerability scanning, golangci-lint, signed releases, an SBOM, and build provenance.
The public API may still evolve before v1.0. I would especially appreciate feedback on:
-
The sender and receiver API design
-
The security defaults
-
The reliability and at-least-once delivery contract
-
Whether the PostgreSQL functionality feels sufficiently optional
-
Anything that would prevent you from adopting it
Thanks! I’m happy to answer questions and would appreciate honest technical feedback.