Early Access

Webhooks to Private Networks
Without Opening Firewalls

Deliver webhooks to your internal services behind NAT, VPN, or corporate firewall. We are finishing the final validations before opening broader production access.

Early access is available now — talk to us to evaluate fit for your team.

Built with: SPIFFE/SPIRE, mTLS, HMAC-SHA256, RLS


DEMO-scoped proof only: blogs are narrative, not accepted evidence. Nothing here is a go-live or customer-ready statement of platform readiness.

[Architecture diagram] Stripe → zen-ingester (event intake) → Your Private Network: zen-egress (deployed in your cluster) → Your Service. Outbound only. No firewall changes. No VPN. No inbound ports.

The Webhook Problem

🔥

Firewall Headaches

Opening ports for webhooks is a security nightmare. Every open port is a potential attack vector.

🔄

Reliability Issues

Direct connections fail behind NAT, VPNs, or when your team rotates IPs. Retries don't help if the path is broken.

🔐

Security Trade-offs

Tailscale requires UDP; WireGuard needs kernel modules. Sometimes you can't install anything on the target.

Zen-Mesh: Outbound-Only Delivery

Your internal services connect outbound only. No firewall changes needed. No UDP. No kernel modules.

Enterprise-Grade Webhook Delivery

Everything you need to reliably receive webhooks in any environment.

Zero-Trust Security

mTLS on all internal paths. HMAC-SHA256 signature verification. SPIFFE/SPIRE workload identity.

Stripe → Your Private Network

Receive Stripe webhooks directly in your Kubernetes cluster. No firewall changes. No VPN. No second product needed.

Private Network Delivery

Deliver to services behind NAT, firewall, or VPN. Your internal endpoints stay hidden.

Instant Setup

Dynamic webhooks available in under 2 minutes. Configure in UI. Automatic TLS.

Outbound-Only Architecture

Unlike Tailscale (UDP) or WireGuard (kernel modules), Zen-Mesh works anywhere.

Stripe & GitHub Templates

Out-of-the-box support for Stripe and GitHub webhooks. Copy the endpoint, configure your secret, done.

Canary Certificate Rotation

Automatic certificate rotation with health checks. Auto-rollback if issues detected.

Delivery History & Replay

Full delivery audit trail. Inspect failures by correlation ID. Replay from dead letter queue.

Audit Logging

Comprehensive audit logging with tamper detection via hash-chain verification.

Three-Plane Security Model

Strict separation between control, data, and edge planes ensures your data never crosses untrusted boundaries.

1. Control Plane

SaaS-only. Handles enrollment, policy, config, certificates, and audit. Never in runtime event path.

  • UI/API — Dashboard and REST API
  • Policy & Config — Tenant management
  • Certificates — Lifecycle management

2. Data Plane

Zen-owned public intake and routing layer. Events flow through but never touch SaaS.

  • zen-ingester — Event intake
  • zen-agent — Cluster registration & adapter sync (also participates in edge plane for enrollment)
  • zen-lock — Identity and access control (also manages secrets in edge plane)

3. Edge Plane

Customer-boundary delivery layer. zen-egress runs in your cluster and maintains an outbound-only connection to the data plane.

  • zen-egress — Delivery to internal services
  • zen-agent — Enrollment & flow configuration
  • zen-lock — Secrets & certificate custody

How We Compare

See why engineering teams choose Zen-Mesh over alternatives.

| Feature | Zen-Mesh | Hookdeck | Hook0 | Svix | Tailscale | ngrok |
|---|---|---|---|---|---|---|
| CloudEvents format (CNCF standard) | Yes | No | No | No | No | No |
| Delivers to private networks | Yes | No | No | No | Yes | Limited |
| Outbound-only (no firewall changes) | Yes | No | No | No | UDP hole-punching | Yes |
| Webhooks bypass SaaS (direct delivery) | Yes | No | Self-hosted only | No | Tailscale network | No |
| Free static IP for webhook sources | Yes | No | No | No | No | No |
| Dedicated static IP for webhook sources | Included (paid plans) | +$100/mo (paid plans) | No | Paid (Enterprise) | No | $900/mo per region |
| mTLS on internal paths | Yes | No | No | Enterprise only | WireGuard | TLS |
| SPIFFE/SPIRE workload identity | Yes | No | No | No | No | No |
| HMAC signature verification | Yes | Yes | Yes | Yes | No | Limited |
| Database RLS (tenant isolation) | Yes | No | No | No | No | No |
| Built-in webhook templates | Stripe, GitHub (2) | 120+ sources | No | No | No | No |
| Certificate rotation with canary | Yes | No | No | No | No | No |
| Dead letter queue & replay | Yes | Yes | Yes (3 days) | Yes | No | Limited |
| Self-hosted option | Yes | Yes | Yes | Yes | Yes | No |
| Multiple destinations (fan-out) | Yes | Yes | Labels | Yes | No | No |

Transparency for Humans & AI

Proof status, evidence artifacts, and explicit non-claims. Blogs are narrative context only — not manifest proof.

Evidence status

  • Runtime proofs: 10/10 validated (local/mock or cloud-demo)
  • Trust lifecycle proofs: 10/10 with artifacts
  • Claims guard: 0 critical overclaims
  • Replay verifiers: 2, both PASS
  • State machines: 8, all validated

What we do not claim

  • No PCI, HIPAA, FedRAMP, SOC 2, or ISO certification
  • No production zero-trust claim
  • No exactly-once or zero-loss delivery guarantee
  • No generic zero-trust claim
  • No Merkle auth/replay/identity/delivery
  • All proofs local/mock or cloud-demo (Stripe relay-path on GKE) unless stated

Ready to get started?

Try Zen Mesh for secure private delivery. Early access is open now.