Webhook Delivery to Private Networks

Services behind NAT, firewall, or VPN can receive webhooks from Stripe, GitHub, Shopify, Twilio, and any custom HTTP sender — without opening inbound ports or installing kernel modules.

The Problem

Webhook senders expect to reach a public HTTP endpoint. When your service runs behind a corporate firewall, NAT gateway, or VPN, it has no public address. Traditional solutions require opening inbound ports (a security risk), running a tunnel service (another service to manage), or polling — which adds latency and complexity.

Why This Is Hard

Most webhook infrastructure assumes the receiver has a public endpoint. Hookdeck, Svix, and similar tools expect you to provide a reachable URL. ngrok creates ephemeral tunnels but isn't designed for production webhook workloads. Tailscale gives you secure connectivity but requires a mesh network — every service must join the tailnet, and UDP must be open.

How Zen Mesh Helps

Zen Mesh uses an outbound-only Edge Plane. You deploy the zen-agent inside your network, which establishes a persistent outbound connection to Zen Mesh. Webhooks arrive at our public endpoint and are delivered through that tunnel — no inbound firewall rules, no VPN, no kernel modules.

Runtime Path

1. Registry: Select or create a provider template (Stripe, GitHub, custom) from the Zen Mesh Registry.

2. Template: Apply template defaults (endpoint URL format, signature verification method, event type mapping).

3. Blueprint: Define your delivery blueprint: which events go to which target, retry policy, DLQ configuration.

4. Endpoint: Configure the public webhook endpoint URL that providers send events to.

5. Flow: Create a delivery flow binding the endpoint, blueprint, and target into a single route.

6. Target: Point delivery at your private service; zen-agent routes via the outbound tunnel, with no open ingress.

7. Evidence: Each delivery produces a tamper-evident receipt with hash-chain integrity for audit and verification.

Security & Evidence

Every data-plane delivery uses mTLS, SPIFFE/SPIRE workload identity, and HMAC payload verification; these are non-negotiable. For supported provider templates, the provider's signature is verified at ingress before the event is forwarded. Hash-chain receipts provide tamper-evident delivery logs. See the Security and Evidence pages for scope and maturity.

Current Status

Individual capabilities carry per-item status documented in the Current Status page. Free Forever and Pro Early Bird tiers are available. Business and Enterprise tiers are in pilot and waitlist.

Ready to try it?

Free Forever tier available. No credit card required.