Skip to main content

Documentation Index

Fetch the complete documentation index at: https://supahooks.ar27111994.dev/llms.txt

Use this file to discover all available pages before exploring further.

Every input option you pass to Webhook Debugger & Logger controls a specific aspect of how the actor captures, secures, transforms, or responds to incoming webhook traffic. This page documents all available fields drawn from the actor’s input schema, organized by functional group. You can set these values in the Apify Console input tab, pass them as JSON via the INPUT environment variable, or supply them through the Apify API.

Endpoint setup

Configure how many webhook URLs are generated and how long they stay active.
urlCount
integer
default:"3"
Number of unique webhook endpoints to generate for this run. Accepts a value between 1 and 50. Each endpoint gets its own ID and captures traffic independently.
retentionHours
integer
default:"24"
How long generated webhook URLs remain active, in hours. Accepts 1 to 168 (one week). After expiry, the endpoint immediately stops accepting traffic and its logs are removed from /logs during the next cleanup cycle (up to 10 minutes later).
Reducing retentionHours via hot-reload only affects newly generated webhooks. Pre-existing webhooks keep their original expiry window. Events already written to the Apify Dataset are not affected.
Protect the actor from traffic spikes and control how incoming payloads are handled.
maxPayloadSize
integer
default:"10485760"
Maximum allowed size for an incoming request body, in bytes. Accepts 1024 to 104857600 (100 MB). Requests that exceed this limit are rejected with 413 Request Entity Too Large. The default is 10 MB (10485760).
enableJSONParsing
boolean
default:"true"
When enabled, the actor automatically parses application/json request bodies into structured dataset objects, making payload fields searchable and filterable through the /logs API.
rateLimitPerMinute
integer
default:"60"
Maximum requests per minute allowed on management endpoints (/logs, /info, /replay, and similar routes). The limit is applied per client IP. Accepts 1 to 1000.
Control who can send traffic to your endpoints and how sensitive data is handled.
maskSensitiveData
boolean
default:"true"
When enabled, the actor automatically redacts Authorization, Cookie, and Set-Cookie headers from stored logs. Enable this when you are capturing traffic from real providers to avoid persisting credentials.
redactBodyPaths
array
A list of dot-notation paths inside the JSON body to redact before storage. All paths must start with body. — for example, body.token, body.user.password, or body.payment.card. Redacted values are replaced with a placeholder in the stored event.
authKey
string
A global API key that protects all incoming requests. Senders must provide the key via an Authorization: Bearer <key> header or a ?key=<key> query parameter. Treat this value as a secret.
allowedIps
array
An IP or CIDR allowlist. When set, the actor only accepts traffic from the listed addresses or blocks. Leave empty for unrestricted public access. Example entries: 203.0.113.0/24, 198.51.100.1.
signatureVerification
object
Configures automatic signature verification for a specific webhook provider. Set the shared secret in signatureVerificationSecret. Supported providers are stripe, shopify, github, slack, and custom.
FieldTypeDescription
providerstringWebhook provider: stripe, shopify, github, slack, or custom.
headerNamestring(Custom only) The request header that carries the signature.
timestampKeystring(Custom only) The header containing the request timestamp for replay protection.
algorithmstring(Custom only) HMAC algorithm: sha256 or sha1. Defaults to sha256.
encodingstring(Custom only) Signature encoding: hex or base64. Defaults to hex.
toleranceintegerMaximum age of the request timestamp in seconds before rejecting as a replay. Accepts 603600. Defaults to 300.
signatureVerificationSecret
string
The signing secret used by the provider configured in signatureVerification. Treat this value as a secret — it is stored encrypted and never surfaced in logs.
Control the HTTP response the actor sends back to the webhook sender.
defaultResponseCode
integer
default:"200"
The HTTP status code returned to the sender for every captured request. Accepts any valid status code from 100 to 599. You can override this per-request using the __status query parameter on the webhook URL.
defaultResponseBody
string
The exact response body returned to the sender. Supports JSON, XML, or plain text. Example: {"status": "received", "success": true}.
defaultResponseHeaders
object
A key-value map of HTTP headers to include in every webhook response. Example: {"X-Custom": "Value", "Content-Type": "application/json"}.
responseDelayMs
integer
default:"0"
Artificial response latency in milliseconds added after the actor finishes processing. Accepts 0 to 10000. Use this to simulate slow or overloaded downstream systems. This delay is not included in the processingTime field on captured events.
Configure automatic forwarding of captured requests and control retry behavior for forwarding and replay operations.
forwardUrl
string
When set, the actor automatically POSTs a copy of every captured request to this destination URL immediately after capture. Use this to pipe test traffic into a staging system while keeping a full audit trail.
forwardHeaders
boolean
default:"true"
When enabled, the original request headers are forwarded to forwardUrl along with the body. Disable this to send a clean request with only Content-Type and Content-Length.
maxForwardRetries
integer
default:"3"
Maximum number of retry attempts for a failed forward delivery. Accepts 0 to 10. Retries use exponential backoff and circuit breaker protection.
replayMaxRetries
integer
default:"3"
Maximum number of retry attempts when replaying a stored event to a target URL. Accepts 0 to 10.
replayTimeoutMs
integer
default:"10000"
Timeout per replay attempt in milliseconds. Accepts 1000 to 60000. Keeps a slow or unresponsive target from blocking the replay pipeline.
Validate incoming payloads and run inline transformations before storage.
jsonSchema
string
A JSON Schema document (as a string) used to validate every incoming payload. Requests that do not match the schema are rejected with 400 Bad Request. Leave empty to accept any payload structure.
{
  "type": "object",
  "required": ["event"],
  "properties": {
    "event": { "type": "string" }
  }
}
customScript
string
An inline JavaScript snippet that runs against each captured event before it is stored. Use it to normalize, enrich, or redact payload data. See Transform webhook payloads with custom JavaScript for full details, the script context, and usage examples.
Send real-time notifications to Slack or Discord when webhook events need attention.
alerts.slack.webhookUrl
string
A Slack incoming webhook URL. When set, the actor posts alert messages to the configured Slack channel for any trigger condition listed in alertOn.
alerts.discord.webhookUrl
string
A Discord webhook URL. When set, the actor posts alert messages to the configured Discord channel for any trigger condition listed in alertOn.
alertOn
array
default:"[\"error\", \"5xx\"]"
A list of conditions that trigger an alert notification. Supported values:
ValueWhen it fires
errorAn unhandled server-side error occurs during capture or processing.
4xxThe actor returns a 4xx response to the sender (e.g. auth failure, rate limit).
5xxThe actor returns a 5xx response to the sender.
timeoutA forward or replay request times out.
signature_invalidSignature verification fails for an incoming request.
You can apply most of these settings at runtime without restarting the actor. On Apify, the hot-reload manager polls for updated input automatically. Locally, it watches the storage/key_value_stores/default/INPUT.json file. Set DISABLE_HOT_RELOAD=true if you want a fixed configuration.