Proxy headers

Hookman adds a set of x-hookman-* headers to every request it forwards. These are added to the outbound request — the one your application receives. The original sender never sees them.

Added headers

Header	Example value	Description
x-hookman-org	acme	The org slug
x-hookman-project	payments	The project slug
x-hookman-deployment	dep_01hw...	The internal deployment ID that received this request
x-hookman-deployment-label	feature/checkout	The human-readable deployment label (branch name)
x-hookman-routing-method	header	How the deployment was resolved: header, query, payload, switch
x-hookman-routing-key	feature/checkout	The value that was matched (absent for switch)
x-hookman-received	2025-03-12T14:22:58.341Z	ISO 8601 timestamp when Hookman received the original request
x-hookman-log-id	log_01hw...	The webhook log entry ID — use this to find the log in your dashboard
x-forwarded-for	54.187.0.1	Original caller IP (Stripe’s IP, for example)

Replay-only headers

These are added only when the delivery is a replay (not a live webhook):

Header	Example value	Description
x-hookman-replay	true	Always true for replayed webhooks
x-hookman-original-log-id	log_01hw...	Log ID of the original event being replayed
x-hookman-truncated	true	Present and true if the stored body was truncated at 100 KB

Detecting replays in your application

// Express / Node.js
app.post('/api/webhooks/stripe', (req, res) => {
  const isReplay = req.headers['x-hookman-replay'] === 'true'

  if (isReplay) {
    // Skip sending confirmation emails, avoid double-charging, etc.
    console.log('Replay of log', req.headers['x-hookman-original-log-id'])
  }

  // ... process webhook
})

Original headers are preserved

All headers from the original sender are forwarded unchanged. Hookman does not remove or modify any headers the sender included (e.g. stripe-signature, x-paddle-signature).

This means your existing HMAC signature verification continues to work without any changes.

// Stripe signature verification still works
const event = stripe.webhooks.constructEvent(
  rawBody,
  req.headers['stripe-signature'],  // ← forwarded unchanged by Hookman
  process.env.STRIPE_WEBHOOK_SECRET
)

import { Aside } from ‘@astrojs/starlight/components’

Hookman strips `Authorization` and `Cookie` headers from **stored payloads** (used for replay) but does **not** strip them from live forwarded requests. If your webhook sender includes an `Authorization` header, it is forwarded to your deployment.