Webhook Delivery to Private Networks
Services behind NAT, firewall, or VPN can receive webhooks from Stripe, GitHub, Shopify, Twilio, and any custom HTTP sender — without opening inbound ports or installing kernel modules.
The Problem
Webhook senders expect to reach a public HTTP endpoint. When your service runs behind a corporate firewall, NAT gateway, or VPN, it has no public address. Traditional solutions require opening inbound ports (a security risk), running a tunnel service (another service to manage), or polling — which adds latency and complexity.
Why This Is Hard
Most webhook infrastructure assumes the receiver has a public endpoint. Hookdeck, Svix, and similar tools expect you to provide a reachable URL. ngrok creates ephemeral tunnels but isn't designed for production webhook workloads. Tailscale gives you secure connectivity but requires a mesh network — every service must join the tailnet, and UDP must be open.
How Zen Mesh Helps
Zen Mesh uses an outbound-only Edge Plane. You deploy the zen-agent inside your network, which establishes a persistent outbound connection to Zen Mesh. Webhooks arrive at our public endpoint and are delivered through that tunnel — no inbound firewall rules, no VPN, no kernel modules.
Runtime Path
Select or create a provider template (Stripe, GitHub, custom) from the Zen Mesh Registry.
Apply template defaults — endpoint URL format, signature verification method, event type mapping.
Define your delivery blueprint: which events go to which target, retry policy, DLQ configuration.
Configure the public webhook endpoint URL that providers send events to.
Create a delivery flow binding the endpoint, blueprint, and target into a single route.
Point delivery at your private service — zen-agent routes via outbound tunnel, no open ingress.
Each delivery produces a tamper-evident receipt with hash-chain integrity for audit and verification.
Security & Evidence
Every data-plane delivery uses mTLS, SPIFFE/SPIRE workload identity, and HMAC payload verification; these are non-negotiable. Signature verification is performed at ingress for supported provider templates. Hash-chain receipts provide tamper-evident delivery logs. See the Security and Evidence pages for scope and maturity.
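How a hash-chained receipt log makes edits and deletions detectable, as an added example that is not Zen Mesh code and does not reflect its actual receipt format. The field names, canonical-JSON encoding, SHA-256, and the all-zero genesis value are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed anchor for the first receipt's prev_hash

def receipt_hash(body):
    """SHA-256 over canonical JSON, so equal fields always hash equally."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_receipt(chain, delivery_id, payload, status):
    """Append a receipt that commits to the payload and to its predecessor."""
    body = {
        "seq": len(chain),
        "delivery_id": delivery_id,
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "status": status,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    chain.append(dict(body, hash=receipt_hash(body)))
    return chain[-1]

def verify_chain(chain, expected_head=None):
    """Return (ok, reason). expected_head is a head hash stored out of band."""
    prev = GENESIS
    for i, receipt in enumerate(chain):
        body = {k: v for k, v in receipt.items() if k != "hash"}
        if body.get("seq") != i:
            return False, f"receipt {i}: missing or reordered"
        if body.get("prev_hash") != prev:
            return False, f"receipt {i}: broken link to predecessor"
        if not hmac.compare_digest(receipt_hash(body), str(receipt.get("hash"))):
            return False, f"receipt {i}: contents altered"
        prev = receipt["hash"]
    # Links alone cannot reveal a dropped tail or a fully rebuilt chain.
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "head mismatch: truncated or rebuilt chain"
    return True, "ok"

def sample_chain():
    """Constructed sample deliveries (not real provider events)."""
    chain = []
    append_receipt(chain, "dlv_001", b'{"type":"invoice.paid"}', 200)
    append_receipt(chain, "dlv_002", b'{"type":"push"}', 200)
    append_receipt(chain, "dlv_003", b'{"type":"orders/create"}', 503)
    return chain
```

The chain is only tamper-evident against someone who controls the log if the latest head hash is recorded somewhere they cannot rewrite; without `expected_head`, a truncated log still verifies.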
Current Status
Individual capabilities carry per-item status documented in the Current Status page. Free Forever and Pro Early Bird tiers are available. Business and Enterprise tiers are in pilot and waitlist.