Free Forever · Pro Early Bird — 6-month free trial · Business: Join waiting list · Enterprise: Contact us

Webhook delivery for public and private networks

Deliver webhooks to any public HTTP endpoint — zero install, no runtime required — or to services behind NAT, VPN, or corporate firewall with Edge Lite or Kubernetes edge runtime.

Free forever. No credit card required.

Stripe
zen-ingester Event intake
mTLS · SPIFFE · HMAC non-negotiable
Your Private Network
zen-egress deployed in your cluster
Your Service

The Webhook Problem

🔥

Firewall Headaches

Opening ports for webhooks is a security nightmare. Every open port is a potential attack vector.

🔄

Reliability Issues

Direct connections fail behind NAT, VPNs, or when your team rotates IPs. Retries don't help if the path is broken.

🔐

Security Trade-offs

Tailscale requires UDP, WireGuard needs kernel modules. Sometimes you can't install anything on the target.

Outbound-Only Delivery

Your internal services connect outbound only. No firewall changes needed. No UDP. No kernel modules. See the architecture overview for the full three-plane design.

Two delivery paths: public target (no-install) or private target (Edge Lite/Kubernetes).

How webhook delivery works

1

Create a Webhook Entry Point

Zen Mesh gives you a stable public endpoint for providers like Stripe, GitHub, or Twilio.

2

Choose your delivery path

Point to a public HTTP endpoint for zero-install delivery, or deploy Edge Lite (Docker) or Kubernetes Edge Plane for private targets behind NAT/firewall.

3

Deliver to your target

Webhook events are carried from the public entry point to your configured target — public HTTP endpoint or private service behind NAT/firewall — without opening inbound access.

Webhook Delivery for Any Network

Deliver webhooks to public HTTP endpoints or private services behind NAT/firewall — one platform, two first-class delivery paths.

Boundary-Mapped Security

Ingester ↔ Egress: mTLS, SPIFFE/SPIRE, and HMAC on the data-plane path — non-negotiable. Provider signatures on ingress where configured; customer target TLS is configurable.

Stripe → Your Private Network

Receive Stripe webhooks directly in your Kubernetes cluster. No firewall changes. No VPN. No second product needed.

Private Network Delivery

Deliver to services behind NAT, firewall, or VPN. Your internal endpoints stay hidden.

No-Install Public Delivery

Deliver to any public HTTP endpoint without deploying Edge Lite, Docker, or Kubernetes. Configure in the UI and start receiving webhooks in under 2 minutes.

Outbound-Only Private Delivery

Deploy Edge Lite (Docker) or Kubernetes Edge Plane for private targets behind NAT/firewall. Outbound-only — no inbound ports, VPN, or kernel modules required.

Provider Template Packs

Starting with Stripe, GitHub, Shopify, Twilio, and custom signed webhooks. Packs provide structured defaults for endpoint setup, provider verification, event classification, and operational visibility.

Canary Certificate Rotation

Certificate rotation wired with health checks and auto-rollback. See wedge claim map for per-capability status.

Delivery History & Replay

Full delivery audit trail. Inspect failures by correlation ID. Replay from dead letter queue.

Audit Logging

Comprehensive audit logging with delivery receipts and operational metadata.

Three-Plane Security Model

Strict separation between control, data, and edge planes ensures your data never crosses untrusted boundaries.

1

Control Plane

SaaS-only. Handles enrollment, policy, config, certificates, and audit. Never in runtime event path.

  • UI/API — Dashboard and REST API
  • Policy & Config — Tenant management
  • Certificates — Lifecycle management
2

Data Plane

Zen-owned public intake and routing layer. Events flow through but never touch SaaS.

  • zen-ingester — Event intake
  • zen-agent — Cluster registration & adapter sync (also participates in edge plane for enrollment)
  • zen-lock — Identity and access control (also manages secrets in edge plane)
3

Edge Plane

Customer-boundary delivery layer. zen-egress runs in your cluster and maintains an outbound-only connection to the data plane.

  • zen-egress — Delivery to internal services
  • zen-agent — Enrollment & flow configuration
  • zen-lock — Secrets & certificate custody

Private network delivery vs. alternatives

See how Zen Mesh's private-network delivery stack compares to webhook gateways, mesh VPNs, and tunneling proxies.

Feature Zen Mesh Hookdeck Svix Tailscale ngrok
Private network delivery Yes No No Yes Limited
No inbound firewall changes Yes No No Partial (UDP) Yes
Works behind NAT/firewall Yes No No Yes Yes
Shared static public ingress Yes No No No No
Dedicated public IP (add-on) Business/Enterprise +$100/mo Enterprise No $900/mo/region
Provider signature verification Yes Yes Yes No Limited

Zen Mesh capability statements are scoped by the public evidence system. Local/sandbox validation, production-live validation, and planned capabilities are tracked separately in claim-maturity and non-claims artifacts.

Zen Mesh combines private-network delivery posture with webhook-specific operations — two categories that most tools address separately.

Webhook operations vs. alternatives

See how Zen Mesh's webhook operations compare to dedicated webhook gateways, mesh VPNs, and tunneling proxies.

Feature Zen Mesh Hookdeck Svix Tailscale ngrok
Provider templates Stripe, GitHub, Twilio, Shopify, Custom 120+ sources No No No
Event inspection / delivery status Yes Yes Yes No Limited
Retry / replay / DLQ Yes Yes Yes No Limited
Event filtering / routing Yes Yes Yes No No
Payload transformations Yes Yes Yes No No
Operational logs / retention Yes Yes Yes No No

Zen Mesh capability statements are scoped by the public evidence system. Local/sandbox validation, production-live validation, and planned capabilities are tracked separately in claim-maturity and non-claims artifacts.

Built for production trust

Review commitments, evidence, subprocessors, and privacy controls before routing webhook traffic through Zen Mesh. Per-capability status tracked in the evidence system — not a global production-live claim.

Built for teams that cannot treat webhooks as best-effort glue

Private runtime, public endpoint, verifiable controls — every layer is designed with tenant isolation and delivery visibility.

SPIFFE/SPIRE Identity

Every workload gets a cryptographic identity using X.509 SVIDs — no shared secrets for workload authentication.

mTLS Data Path

Data-plane delivery path (ingester↔egress) uses mTLS with short-lived certificates — non-negotiable, fail-closed. Control-plane paths in scope: ingester↔backend, agent↔SaaS.

HMAC Verification

Provider webhook signatures validated on ingress. Tampered payloads are rejected before delivery.

Tenant Isolation

Application-layer tenant scoping with role-separated control, data, and edge planes. No cross-tenant data paths.

Delivery Visibility

Delivery and audit events tracked with delivery receipts and operational metadata where available.

Rate Limiting & Payload Controls

Per-endpoint rate limits, payload size enforcement, redirect-chain blocking, and header spoofing protection applied at the data-plane edge.

Open-source foundation

Zen Mesh builds on open-source components for Kubernetes, validation, delivery workflows, SDKs, and developer automation. Use the OSS projects directly, or connect them to the hosted Zen Mesh control plane when you need team workflows, evidence, governance, and managed operations.

Frequently Asked Questions

How do I get started with Zen Mesh?

Sign up at app.zen-mesh.io using Google or GitHub to create your free account. Create a webhook endpoint in the dashboard, copy the endpoint URL and configure it as your webhook receiver in your provider (Stripe, GitHub, Twilio, etc.). If your target is publicly reachable, you're done — no install required. For private targets behind NAT/firewall, deploy Edge Lite (Docker) or Kubernetes Edge Plane. No firewall changes required.

Do I need to install anything to deliver webhooks to a public endpoint?

No. If your target is publicly reachable, you can use Managed Public Delivery — zero customer-side runtime required. No Edge Lite, no Docker, no Kubernetes. Just configure your endpoint and target in the UI.

Edge Lite (Docker) or Kubernetes Edge Plane are only needed when your target is behind a firewall, NAT, or VPN.

Do I need to change my firewall?

No. Zen Mesh uses an outbound-only delivery model. Your private services connect out to our data plane — no inbound ports need to be opened. This eliminates a major attack surface.

How does Zen Mesh secure the delivery path?

The data-plane path between zen-ingester and zen-egress is protected with mTLS mutual TLS authentication between all components, SPIFFE/SPIRE workload identity for automated certificate management, and HMAC message authentication to detect tampering. These protections are mandatory and non-negotiable on the data-plane path. See the security docs for the full control matrix and claim maturity for per-control validation status.

Can Zen Mesh see my webhook payloads?

The architecture is designed so the control plane does not need to see customer payloads. Payloads flow through the data plane (ingester to egress) without being stored or processed by our SaaS control plane. Customers can optionally enable payload logging with sensitive field redaction for debugging and support.

What happens to my data when using Zen Mesh?

Zen Mesh processes webhook events as transient data in flight. Payloads are processed during delivery and cleared according to our retention schedule. We do not use customer payloads for training or profiling. For more details, see our Privacy Policy.

Is Zen Mesh SOC 2 certified?

Zen Mesh is not yet SOC 2 certified. We are currently building out our compliance program. For enterprise customers with specific compliance requirements, please contact us at enterprise@zen-mesh.io.

Which webhook providers are supported?

Zen Mesh works with any HTTP webhook provider. For providers with signature verification (HMAC), we support Stripe, GitHub, Twilio, Shopify, and custom signature schemes. For providers without built-in signatures, you can configure custom HMAC verification or use our basic security defaults.

Can I use Zen Mesh with my own custom webhook source?

Yes. You can configure any HTTP endpoint as a webhook source. Simply point your custom webhook emitter at the Zen Mesh endpoint URL we provide. We support custom headers and payload formats.

What are Provider Template Packs?

Provider Template Packs are reusable packages for common webhook sources that provide structured defaults for endpoint setup and configuration, provider-specific signature verification (HMAC), event classification and transformation, recommended flows and routing patterns, retry and dead-letter queue posture, and operational visibility and observability.

Are Provider Template Packs required?

No. Provider Template Packs are optional and designed to accelerate setup. You can use a pack for faster onboarding with sensible defaults, create custom endpoints without using any pack, or mix and match. Packs do not remove user control.

Can I use custom signed webhooks?

Yes. Zen Mesh supports custom signed webhooks through the base transform package which provides HMAC signature validation. You can configure custom header names and secrets for signature verification.

How much does Zen Mesh cost?

Zen Mesh has a Free Forever plan — no credit card required, with lower limits and best-effort support. Pro Early Bird is $29/month or $290/year with a 6-month free trial. Business and Enterprise plans with additional features are planned.

Is there a free trial for Pro features?

Yes. We offer a 6-month Pro trial for new accounts giving access to advanced features like multi-environment support and priority support. No credit card required to start the trial.

What runtime environments are supported?

Public target (no-install): No runtime needed — deliver to any public HTTP endpoint directly from the dashboard.

Private target: Edge Lite (Docker) for local development and evaluation, or Kubernetes via our Helm chart for teams moving beyond evaluation.

Production use requires an applicable plan and approved operational, trust, and legal controls.

What's the latency overhead?

Typical latency overhead is under 10ms for the Zen Mesh delivery path. The data-plane connection is kept warm via persistent connections, avoiding connection setup latency on each delivery.

Cloud benchmarking will publish measured p50, p95, and p99 Zen-added latency at launch. Benchmark evidence will identify region, payload size, topology, sample size, and image digest.

Does Zen Mesh support retries?

Yes. Zen Mesh implements automatic retry with exponential backoff for failed deliveries. You can configure maximum retry attempts, backoff schedule, and dead letter queue behavior. All retries are logged and visible in your dashboard.

Can I run Zen Mesh on-premise?

Yes. You can run the full Zen Mesh stack on your own infrastructure. Contact enterprise@zen-mesh.io for on-premise deployment options and pricing.

Why aren't my webhooks arriving?

Check these common issues: verify your provider is sending to the correct Zen Mesh endpoint URL, check that your delivery runtime (if any) is running and can reach the data plane, review delivery logs in your dashboard for specific error messages, and ensure your target service is reachable.

How do I debug delivery failures?

Use the dashboard to view delivery logs with timestamps and status codes, see retry history for failed attempts, and enable debug mode for scoped payload review. For advanced debugging, check the delivery runtime logs directly.

Where can I get help?

Documentation at docs.zen-mesh.io, community support via support@zen-mesh.io, and enterprise support via enterprise@zen-mesh.io for dedicated support.

Receive webhooks from providers you trust, delivered to public or private targets.

Start with the no-install public target path, then add Edge Lite or Kubernetes Edge Plane when your target is behind a firewall. Enterprise controls available when needed.