Privacy by Design
HookTray's privacy model is part of the product, not an afterthought. The backend is a relay, not a storage service.
What the server stores
- An active session registry — token hashes and TTL metadata — kept in memory only, not on disk.
- Active SSE subscriber connections, cleared on disconnect.
- Operational logs with privacy-preserving fields only: hashed token, hashed IP, HTTP method, path, payload size in bytes, delivery status, and timestamp.
What the server never stores
- Webhook request bodies or payloads
- Header values (including authentication headers and signatures)
- Raw token values
- Raw IP addresses
- Any personally identifiable information
When a webhook arrives, the backend builds a bounded snapshot and broadcasts it to active SSE subscribers. The payload is discarded server-side immediately after delivery.
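The storage rules above, sketched as an added example (not HookTray's own code): an in-memory registry keyed by token hash with an inactivity TTL, and a log entry built from an allowlist of fields. The names `keyed_hash`, `SessionRegistry` and `log_record`, the HMAC-SHA-256 construction, the one-hour TTL and the `<token>` path redaction are all assumptions; the page does not say how hashing or path logging is implemented.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: per-process random key, so a hashed IPv4 address cannot be
# reversed by enumerating all 2**32 inputs. The page does not name its hash.
LOG_KEY = secrets.token_bytes(32)


def keyed_hash(value: str) -> str:
    """HMAC-SHA-256 of a token or IP address, hex encoded."""
    return hmac.new(LOG_KEY, value.encode(), hashlib.sha256).hexdigest()


class SessionRegistry:
    """In-memory map of token hash -> last activity time (nothing on disk)."""

    def __init__(self, ttl_seconds=3600, clock=time.monotonic):  # TTL value assumed
        self._ttl = ttl_seconds
        self._clock = clock
        self._last_seen = {}

    def register(self, token: str) -> None:
        self._last_seen[keyed_hash(token)] = self._clock()

    def touch(self, token: str) -> bool:
        """Refresh a live session and return True; evict an expired one."""
        key = keyed_hash(token)
        seen = self._last_seen.get(key)
        if seen is None or self._clock() - seen > self._ttl:
            self._last_seen.pop(key, None)
            return False
        self._last_seen[key] = self._clock()
        return True


def log_record(token, ip, method, path, body: bytes, status, now=None):
    """Build a log entry from an explicit allowlist; body and headers stay out."""
    return {
        "token_hash": keyed_hash(token),
        "ip_hash": keyed_hash(ip),
        "method": method,
        # The hook URL carries the token, so redact it before the path is logged.
        "path": path.replace(token, "<token>"),
        "payload_bytes": len(body),
        "status": status,
        "timestamp": int(time.time() if now is None else now),
    }
```

Because the key lives only in process memory, hashes from before a restart cannot be correlated with hashes after it, which matches a registry that is itself memory-only.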
Browser-local history
Request history is stored in your browser using IndexedDB via the Dexie library. This data stays on your device. Clearing your browser's site data for hooktray.com removes all stored history. No history is sent back to the server.
Hook URLs are temporary secrets
Your hook URL contains a token that identifies your session. Treat it like a temporary credential — anyone with the URL can send requests to it. Sessions expire after a configurable period of inactivity. Do not share hook URLs in public logs or screenshots.
No account, no tracking
HookTray does not require an account. There are no cookies set for authentication, no analytics scripts loaded on the inspector, and no user profiles. The only browser storage used is IndexedDB for request history and localStorage for the active token and theme preference.
Full privacy policy
The complete privacy policy is maintained in the repository: PRIVACY.md on GitHub.