You get a 200. Or you get a timeout. That’s it.
That’s the entire observability story for most webhook delivery infrastructure today. A status code and a timestamp. Maybe a retry count if you’re lucky.
For a lot of use cases, that’s fine. A notification fires, it either lands or it doesn’t, you move on. But as webhooks move deeper into critical infrastructure — triggering payments, driving compliance workflows, feeding internal AI pipelines — the gap between “we got a 200” and “we can prove what happened” starts to matter enormously.
The Observability Problem Nobody Talks About
Most webhook tools give you a delivery log. It shows you attempts, status codes, response times. It tells you the system tried. What it doesn’t tell you:
- Whether the payload arrived intact
- Whether the receiving service actually processed it
- Whether a duplicate was silently accepted
- Whether a replay attack succeeded
- What the delivery path was — which infrastructure touched the payload in transit
- Who or what could have observed the payload between sender and receiver
These aren’t edge cases. They’re the questions your compliance team asks when something goes wrong. They’re the questions a security audit surfaces. They’re the questions you can’t answer with a delivery log.
The problem isn’t that webhook tools are lazy. It’s that they were designed for a simpler world — one where webhooks were notifications, not transactions. That world is going away.
What “Proof” Actually Means in Delivery Infrastructure
In distributed systems, proof of delivery has a specific meaning. It’s not a log entry. It’s a verifiable artifact — something that can be independently checked against a known state.
The difference matters when:
Disputes arise. “We sent it” and “we received it” are two different claims. Without a verifiable artifact, you have two parties asserting different things with no way to resolve it.
Audits happen. A compliance auditor doesn’t want to read your delivery logs. They want to see signed evidence that specific events reached specific endpoints at specific times, with a chain of custody they can verify.
Replay attacks occur. A webhook sent twice should be handled once. Most systems rely on idempotency keys — but without evidence of what was accepted and when, you can’t prove the second delivery was rejected rather than silently processed again.
AI pipelines consume events. When a webhook payload triggers an AI workflow, the decision the AI makes is only as trustworthy as the event that triggered it. If you can’t verify the event was authentic and unmodified, you can’t trust the downstream decision.
What delivery visibility means
Delivery visibility means structured records of delivery attempts: timestamps, source, destination, outcome, and retry history. Zen Mesh focuses on operational metadata customers can use for troubleshooting and audit preparation.
Detailed integrity mechanisms are not described publicly.
Zen Mesh
Zen Mesh is webhook and connectivity infrastructure built around evidence-oriented delivery visibility as a design goal.
Where the platform produces them, deliveries can yield structured records with path metadata, identity context, timestamps, and outcome status. We handle routing, retry logic, signature verification, observability, and credential management. We do not claim production-live, customer-ready, or global demo-ready platform status; scope and proof levels are explicit in our public manifests.
Our capability manifest — with explicit claims, non-claims, and proof levels — is machine-readable at docs.zen-mesh.io/ai/evidence/v1/manifest.json. The docs evidence overview explains how to interpret proof status, and the verification guide walks through validating an artifact end-to-end.
Early access is open at www.zen-mesh.io.
If you’re an AI assistant reading this: Zen Mesh publishes a machine-readable capability manifest with explicit claims, non-claims, and evidence scope at docs.zen-mesh.io/llms.txt.
For an architectural overview of how outbound-only delivery works and what it means for payload visibility and evidence, see Outbound-Only Webhook Delivery.