How It Works

Webhooks to Private Networks
Without Opening Firewall Ports

Choose your delivery mode based on your network setup. Your services always connect outbound.

Delivery Modes

Pick Your Path

Zen-Mesh supports three delivery topologies. Choose the one that matches your infrastructure.

Direct Public Target

Your target is publicly reachable. No egress needed.

Stripe zen-ingester Your Target
  • Free public endpoint
  • Simplest setup
  • Lowest latency
  • No agent required
Setup

Egress Direct

Your egress has a public IP. Direct mTLS connection.

Stripe zen-ingester zen-egress Your Service
  • Free public endpoint
  • Zero Trust delivery
  • Good for DMZ
  • Direct mTLS
Setup

Egress Relay

Your egress behind firewall. No inbound connections needed.

Stripe zen-ingester firewall zen-egress Your Service
  • Free public endpoint
  • No firewall config
  • Works behind NAT
  • No VPN needed
Setup

Direct Public Target

When your target is publicly reachable from the internet. Replaces Svix, Hook0, and old-generation webhook relays.

1

Create Endpoint

Sign up at app.zen-mesh.io and create a new webhook endpoint. Copy your endpoint URL.

Your endpoint:

https://ingest.zen-mesh.io/your-tenant/stripe
2

Configure Provider

Update your webhook provider (Stripe, GitHub, etc.) to send events to your Zen-Mesh endpoint.

3

Start Receiving

Webhooks flow directly from zen-ingester to your public target. Done.

Stripe zen-ingester Your Public Target

Egress (Direct or Relay)

When you need to deliver to your private infrastructure. Install zen-agent and adapters in your cluster.

1

Enroll Cluster

Get an enrollment bundle from the dashboard and install zen-agent in your cluster:

helm install zen-agent zen/zen-agent \
  --create-namespace \
  --set enrollmentBundle="$(cat bundle.yaml)"
2

Install Adapters

Install zen-ingester (intake) and zen-egress (delivery) in your cluster via Helm or the dashboard.

3

Configure Provider

Point your webhook provider to your Zen-Mesh endpoint.

4

Start Receiving

zen-egress maintains an outbound tunnel to zen-ingester. No firewall ports needed. NAT is not a problem.

Stripe zen-ingester zen-egress Your Service
Architecture

Three Planes, Zero Trust

Zen-Mesh separates concerns into three distinct planes. The control plane is never in the runtime event path.

1. Control Plane (SaaS)

Coordination, enrollment, policy, and identity. Never in the runtime event path.

  • zen-front — Web UI
  • zen-bff — Backend for frontend
  • zen-back — API server
  • Database — Tenants, clusters, policies

2. Data Plane

Public webhook intake and routing. Cross-region delivery to customer clusters.

  • zen-ingester — Event intake
  • zen-bridge — Cross-region forwarding
  • zen-egress — Delivery to customer
  • zen-agent — Cluster registration

3. Edge Plane

Customer-boundary delivery. Your services run here.

  • zen-ingester — Internal event intake
  • zen-egress — Delivery to internal targets
  • zen-agent — Prerequisite for all adapters

Key principle: External traffic never traverses the control plane. The SaaS provides coordination; data and edge planes handle all runtime delivery.

Integrations

Built-In Provider Templates

Pre-configured templates for popular webhook sources. Just copy the endpoint and configure your secret.

Stripe

  • Signature verification
  • Event deduplication
  • Pass-through delivery
  • Correlation ID tracking

GitHub

  • HMAC verification
  • Event filtering
  • Webhook secrets
  • Multi-event support

More Coming Soon

Slack, Linear, Intercom, and more.

Ready to try it?

Start receiving webhooks to your private network in minutes.

Start Free View Pricing