# Table of Contents - [Hook0](#hook0) - [Top Benefits of Using Hook0.com for Webhook Integration!](#top-benefits-of-using-hook0-com-for-webhook-integration-) - [Changelog](#changelog) - [Discussions](#discussions) - [Subscriptions](#subscriptions) - [Event Types](#event-types) - [Events](#events) - [Architecture](#architecture) - [What is Hook0?](#what-is-hook0-) - [Policies](#policies) - [Docker Compose](#docker-compose) - [Bare Metal](#bare-metal) - [Troubleshooting](#troubleshooting) - [REST API](#rest-api) - [Changelog](#changelog) - [Comparisons](#comparisons) - [Javascript / Typescript](#javascript-typescript) - [Security](#security) - [Getting Started](#getting-started) - [Rust](#rust) - [List application secrets](#list-application-secrets) - [Metadata](#metadata) - [Authentication](#authentication) - [Rate-limits](#rate-limits) - [Requests Limits](#requests-limits) - [Welcome to Hook0](#welcome-to-hook0) - [Consuming Webhooks](#consuming-webhooks) - [IP Whitelisting](#ip-whitelisting) - [Verifying Webhook Signatures](#verifying-webhook-signatures) - [Access control policy](#access-control-policy) - [Code of conduct](#code-of-conduct) - [Backup policy](#backup-policy) - [Cryptography policy](#cryptography-policy) - [Change Management Process](#change-management-process) - [SDK](#sdk) - [Secure engineering policy](#secure-engineering-policy) - [Testing policy](#testing-policy) - [Supplier policy](#supplier-policy) - [Secure development policy](#secure-development-policy) - [Privacy policy](#privacy-policy) - [Physical security policy](#physical-security-policy) - [Responsible disclosure policy](#responsible-disclosure-policy) - [Mobile device policy](#mobile-device-policy) - [Penetration testing policy](#penetration-testing-policy) - [Logging policy](#logging-policy) - [Password policy](#password-policy) - [Information classification policy](#information-classification-policy) - [Information retention policy](#information-retention-policy) - [Amazon Web Services (AWS)](#amazon-web-services-aws-) - [Svix vs Hook0](#svix-vs-hook0) - [Hostedhooks vs Hook0](#hostedhooks-vs-hook0) - [Business Continuity and Disaster Recovery](#business-continuity-and-disaster-recovery) - [Hookdeck vs Hook0](#hookdeck-vs-hook0) - [Kubernetes](#kubernetes) - [Master API key](#master-api-key) - [Support](#support) - [Support options](#support-options) - [Getting Started with Hook0](#getting-started-with-hook0) - [Free pricing plans and discounts](#free-pricing-plans-and-discounts) - [Statement of Applicability](#statement-of-applicability) - [Event type naming convention](#event-type-naming-convention) - [Headless deployment](#headless-deployment) - [I have deployed hook0 services at K8s but I am not able to generate application_secret. It thorws 404. Any idea?](#i-have-deployed-hook0-services-at-k8s-but-i-am-not-able-to-generate-application-secret-it-thorws-404-any-idea-) - [New Discussion](#new-discussion) - [Limit of Organizations & Subscriptions](#limit-of-organizations-subscriptions) - [FIFO guarantees of events sent to subscriber](#fifo-guarantees-of-events-sent-to-subscriber) - [While running it in my local system on kubernetes getting error.](#while-running-it-in-my-local-system-on-kubernetes-getting-error-) - [Metadata could be genrated at real-time](#metadata-could-be-genrated-at-real-time) - [Smart retry policy](#smart-retry-policy) - [Using Hook0 for a SaaS app](#using-hook0-for-a-saas-app) - [Unable to SignIn, Not receiving Mails after SignUp, Not getting reset password email.](#unable-to-signin-not-receiving-mails-after-signup-not-getting-reset-password-email-) - [Discussions](#discussions) - [Discussions](#discussions) - [Discussions](#discussions) - [Discussions](#discussions) - [Create a new application secret](#create-a-new-application-secret) - [Update an application secret](#update-an-application-secret) - [Delete an application secret](#delete-an-application-secret) - [Create a new application](#create-a-new-application) - [Delete an application](#delete-an-application) - [Change password](#change-password) - [Check instance health](#check-instance-health) - [List errors](#list-errors) - [Get instance configuration](#get-instance-configuration) - [Get an application by its ID](#get-an-application-by-its-id) - [List event types](#list-event-types) - [Refresh access token](#refresh-access-token) - [List applications](#list-applications) - [Create a new event type](#create-a-new-event-type) - [Reset password](#reset-password) - [Get an event type by its name](#get-an-event-type-by-its-name) - [List organizations](#list-organizations) - [Get quotas](#get-quotas) - [Create an organization](#create-an-organization) - [Email verification](#email-verification) - [Get an event](#get-an-event) - [Delete an event type](#delete-an-event-type) - [List latest events](#list-latest-events) - [Delete an organization](#delete-an-organization) - [Edit an organization](#edit-an-organization) - [Get organization's info by its ID](#get-organization-s-info-by-its-id) - [Invite a user to an organization](#invite-a-user-to-an-organization) - [Begin reset password](#begin-reset-password) - [Edit a user's role in an organization](#edit-a-user-s-role-in-an-organization) - [Create a new subscription](#create-a-new-subscription) - [List supported event payload content types](#list-supported-event-payload-content-types) - [Replay an event](#replay-an-event) - [Login](#login) - [Update a subscription](#update-a-subscription) - [Revoke a user's access to an organization](#revoke-a-user-s-access-to-an-organization) - [Create a new user account and its own personal organization](#create-a-new-user-account-and-its-own-personal-organization) - [Create a new service token](#create-a-new-service-token) - [List subscriptions](#list-subscriptions) - [Get a service token](#get-a-service-token) - [List service tokens](#list-service-tokens) - [List request attempts](#list-request-attempts) - [Get a subscription by its id](#get-a-subscription-by-its-id) - [Edit a service token](#edit-a-service-token) - [Logout](#logout) - [Ingest an event](#ingest-an-event) - [Applications](#applications) - [Delete a service token](#delete-a-service-token) - [Edit an application](#edit-an-application) - [Delete a subscription](#delete-a-subscription) - [Get a response by its ID](#get-a-response-by-its-id) - [Sending Events](#sending-events) - [Pricing & Plans FAQ](#pricing-plans-faq) - [Discussions](#discussions) - [Docker compose](#docker-compose) - [Faulty admin dashboard](#faulty-admin-dashboard) - [Error testing sending an event](#error-testing-sending-an-event) - [Running Hook0 on Prem](#running-hook0-on-prem) - [Discussions](#discussions) - [Discussions](#discussions) --- # Hook0 ### Concepts * [Events](https://documentation.hook0.com/docs/events) * [Subscriptions](https://documentation.hook0.com/docs/subscriptions) * [Event Types](https://documentation.hook0.com/docs/event-types) * [View More…](https://documentation.hook0.com/docs/events) ### Using Hook0 * [What is Hook0?](https://documentation.hook0.com/docs/what-is-hook0) * [Top Benefits of Using Hook0.com for Webhook Integration!](https://documentation.hook0.com/docs/top-benefits-of-using-hook0com-for-webhook-integration) * [Getting Started](https://documentation.hook0.com/docs/getting-started) * [View More…](https://documentation.hook0.com/docs/what-is-hook0) ### Hook0 Cloud * [Policies](https://documentation.hook0.com/docs/information-security-policy) * [Supporting documents](https://documentation.hook0.com/docs/information-security-supporting-documents) ### Self-hosting * [Architecture](https://documentation.hook0.com/docs/architecture) * [Bare Metal](https://documentation.hook0.com/docs/manual-setup) * [Docker Compose](https://documentation.hook0.com/docs/docker-compose) * [View More…](https://documentation.hook0.com/docs/architecture) ### Reference * [REST API](https://documentation.hook0.com/docs/hook0-api) * [Troubleshooting](https://documentation.hook0.com/docs/troubleshooting) ### Resources * [Changelog](https://documentation.hook0.com/docs/changelog) * [Comparisons](https://documentation.hook0.com/docs/comparisons) * [Security](https://documentation.hook0.com/docs/security) * [View More…](https://documentation.hook0.com/docs/changelog) ### SDK * [Rust](https://documentation.hook0.com/docs/sdk-rust) * [Javascript / Typescript](https://documentation.hook0.com/docs/sdk-javascript-typescript) --- # Top Benefits of Using Hook0.com for Webhook Integration! As a developer, you know that integrating webhooks into your software system can be a daunting task. With so many aspects to consider, such as security, performance, and reliability, it's easy to get overwhelmed. But fear not! Hook0.com is here to make your life easier by providing a seamless and efficient solution for all your webhook integration needs. Let's dive into the top benefits of using Hook0 for webhook integration. Open-Source and Sustainable [](https://documentation.hook0.com/docs/top-benefits-of-using-hook0com-for-webhook-integration#open-source-and-sustainable) ----------------------------------------------------------------------------------------------------------------------------------------------------------- Hook0 is a fully open-source solution, which means you have complete access to the source code and the ability to modify it as needed. There's no vendor lock-in, and it's built on a sustainable foundation since day one, giving you peace of mind when incorporating it into your system. Easy Integration [](https://documentation.hook0.com/docs/top-benefits-of-using-hook0com-for-webhook-integration#easy-integration) ------------------------------------------------------------------------------------------------------------------------------------- Hook0's JSON REST API and integrations simplify the process of triggering webhook events from your application and connecting to every available SaaS. This means you can focus on your core product development while Hook0 takes care of webhook integration. Enterprise-Level Security [](https://documentation.hook0.com/docs/top-benefits-of-using-hook0com-for-webhook-integration#enterprise-level-security) ------------------------------------------------------------------------------------------------------------------------------------------------------- Security is a top concern when it comes to webhooks. Hook0 provides SSL-secured webhooks and Signing Secrets to prevent Replay, Forgery, and Man-in-the-middle attacks. You can trust that your data and webhook events are secure with Hook0. Smart Retries and Real-Time Monitoring [](https://documentation.hook0.com/docs/top-benefits-of-using-hook0com-for-webhook-integration#smart-retries-and-real-time-monitoring) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Managing webhook retries can be a headache. Hook0 offers exponential back-offs, endpoint monitoring, and notifications to handle retries for you. Additionally, Hook0 monitors your subscriber endpoints for SSL and uptime, notifying you of any non-responsive endpoints. Enhanced Developer Experience (DX) [](https://documentation.hook0.com/docs/top-benefits-of-using-hook0com-for-webhook-integration#enhanced-developer-experience-dx) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- Hook0 is designed to make the integration process easy and enjoyable for developers. With features like mock payloads, webhook logs, and a subscriber portal, you can provide a top-notch experience for your users. Transparent Webhooks [](https://documentation.hook0.com/docs/top-benefits-of-using-hook0com-for-webhook-integration#transparent-webhooks) --------------------------------------------------------------------------------------------------------------------------------------------- Hook0 logs all webhook attempts, allowing you and your subscribers to search, debug, and replay old events. This transparency ensures that you can identify and resolve any issues quickly and efficiently. Embeddable Portal and Customization [](https://documentation.hook0.com/docs/top-benefits-of-using-hook0com-for-webhook-integration#embeddable-portal-and-customization) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Offer your subscribers a branded experience with a custom subdomain and your logo uploaded to the subscriber portal. This creates a professional and cohesive look for your users. GDPR Compliance and Data Sovereignty [](https://documentation.hook0.com/docs/top-benefits-of-using-hook0com-for-webhook-integration#gdpr-compliance-and-data-sovereignty) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Hook0 is fully GDPR compliant and can execute a data processor agreement with your company if needed. In a world where software systems need to communicate and interact efficiently, webhooks are essential for seamless integration. Hook0 offers a powerful and user-friendly solution for developers looking to integrate webhooks into their products. With features like easy integration, enterprise-level security, and an enhanced developer experience, Hook0 is the go-to choice for implementing webhook support in your software system. Give Hook0 a try today and experience the benefits for yourself! Updated over 2 years ago * * * * [Getting Started with Hook0](https://documentation.hook0.com/docs/getting-started-old) Did this page help you? Yes No --- # Changelog [Welcome to Hook0](https://documentation.hook0.com/changelog/welcome-to-hook0) =============================================================================== over 3 years ago by Francois-Guillaume Ribreau Welcome to the developer hub and documentation for Hook0! --- # Discussions [0 1\ \ Event type naming convention\ ----------------------------\ \ Hi,\ \ Posted by Romain about 1 month ago](https://documentation.hook0.com/discuss/68bb07f2b293e92c40af6096) [0 0\ \ Headless deployment\ -------------------\ \ We're trying to setup hook0 on-prem and deploy it in an automated, headless manner.\ \ Posted by Simon Hickling 7 months ago](https://documentation.hook0.com/discuss/67eec633130aff0024b1df9c) [0 1\ \ I have deployed hook0 services at K8s but I am not able to generate application\_secret. It thorws 404. Any idea?\ -----------------------------------------------------------------------------------------------------------------\ \ 404 \ Not Found\ \ Posted by Shashwat 8 months ago](https://documentation.hook0.com/discuss/67c00f1afeecb4002f3d2ab6) [0 1\ \ FIFO guarantees of events sent to subscriber\ --------------------------------------------\ \ Hi there!\ \ Posted by Matthew James 9 months ago](https://documentation.hook0.com/discuss/6791d4c9c86354000ffc76c4) [0 3\ \ Limit of Organizations & Subscriptions\ --------------------------------------\ \ Hello,\ \ Posted by Flávio Lourenço 11 months ago](https://documentation.hook0.com/discuss/673b620bebb1210043db4941) [0 1\ \ Unable to SignIn, Not receiving Mails after SignUp, Not getting reset password email.\ -------------------------------------------------------------------------------------\ \ All the dockers are up and running, but I am not able to create Users or signin or even reset password. There are not logs also about failure\ \ Posted by Sanidhya Pawar 11 months ago](https://documentation.hook0.com/discuss/6735d7d20d10a5001e0d9ea4) [0 2\ \ While running it in my local system on kubernetes getting error.\ ----------------------------------------------------------------\ \ Command executed- kubectl apply -f deployments.yaml -l kind=Namespace\ \ Posted by Sanidhya Pawar 11 months ago](https://documentation.hook0.com/discuss/6735a4d46c9417003cf7734a) [0 1\ \ Metadata could be genrated at real-time\ ---------------------------------------\ \ "Metadata is useful for storing additional, structured information on an object. For example, you could store your user's corresponding unique identifier from your system on a Hook0 Customer object. By default, metadata isn't used by Hook0—for example, it's not used when forwarding events to subscriptions —but metadata is supported by the Search API. Your users won't see metadata unless you show it to them."\ \ Posted by Shivangi about 1 year ago](https://documentation.hook0.com/discuss/66c44b74a0660800442b3b2e) [0 1\ \ Smart retry policy\ ------------------\ \ Hi, I cannot find anywhere in the documentation where it indicates the actual smart-retry policy timings. How often will it retry and for how long, also is there any chance that could be configurable?\ \ Posted by Heath over 1 year ago](https://documentation.hook0.com/discuss/66582479038d640025dc14f3) [0 3\ \ ANSWERED\ \ Using Hook0 for a SaaS app\ --------------------------\ \ Hi,\ \ Posted by Paul over 1 year ago](https://documentation.hook0.com/discuss/664216959c8d4000456769c7) * [FAQs](https://documentation.hook0.com/discuss?isFAQ=true) * [Recent](https://documentation.hook0.com/discuss?sorting=recent) * [Unanswered](https://documentation.hook0.com/discuss?sorting=open) --- # Subscriptions A subscription is a way to receive notifications from Hook0 about specific [events](https://documentation.hook0.com/docs/events) . For example, you could subscribe to [Hook0 REST API](https://documentation.hook0.com/docs/hook0-api) to receive notifications when a new customer is created, or when an order is placed. Benefits of Using Subscriptions [](https://documentation.hook0.com/docs/subscriptions#benefits-of-using-subscriptions) -------------------------------------------------------------------------------------------------------------------------- Leveraging subscriptions with webhooks presents multiple advantages: * **Real-Time Notifications:** * Immediate updates about events * Enhances responsiveness * **Decoupled Architecture:** * Simplifies maintenance * Facilitates scaling * **Automated Actions:** * Sends automated email notifications * Updates database records Security Considerations in Subscriptions [](https://documentation.hook0.com/docs/subscriptions#security-considerations-in-subscriptions) -------------------------------------------------------------------------------------------------------------------------------------------- Security is paramount when dealing with webhook subscriptions, as vulnerabilities can lead to unauthorized access to sensitive data. Here's an overview of essential security practices, including the implementation of signature verifications by Hook0: * **Endpoint Security:** * Secure your webhook endpoint to prevent unauthorized access with [IP Whitelisting](https://documentation.hook0.com/docs/ip-whitelisting) . * Implement proper authentication mechanisms with [signature verification](https://documentation.hook0.com/docs/verifying-webhook-signatures) . * **Data Encryption:** * Hook0 ensure that data in transit is encrypted using secure protocols and leverage TLS (Transport Layer Security) for secure communication. Learn more in [the security section](https://documentation.hook0.com/docs/security) . Usage examples [](https://documentation.hook0.com/docs/subscriptions#usage-examples) ---------------------------------------------------------------------------------------- Webhook subscriptions find utility in various domains, including: * **E-commerce:** * Receive order notifications * Manage inventory, initiate shipping, or confirm via email * **Customer Relationship Management (CRM):** * Notifications for new customer creation * Populate customer profiles in CRM * **Payment Processing:** * Notifications for payment success or decline * Update accounts or notify customers * **Healthcare:** * **Patient Appointments:** Notify medical staff when a new appointment is booked. * **Medical Records Update:** Alert when patient medical records are updated or altered. * **Education:** * **New Enrollment:** Notify administrators of a new student enrollment. * **Grades Posted:** Alert students when grades are posted or updated. * **Human Resources:** * **New Applicant:** Notify HR when a new job application is received. * **Employee Onboarding:** Trigger onboarding processes when a new employee joins. * **Finance and Banking:** * **Transaction Alert:** Notify account holders of new transactions. * **Fraud Detection:** Alert fraud management systems of suspicious activities. * **Supply Chain Management:** * **Inventory Update:** Notify when stock levels change. * **Shipping Status:** Alert customers or management when shipping status changes. * **Marketing:** * **Campaign Engagement:** Notify marketers when a user interacts with a campaign. * **Lead Generation:** Alert sales when a new lead is generated through marketing channels. * **Hospitality:** * **Booking Confirmation:** Send confirmation messages when a reservation is made. * **Guest Check-in:** Notify staff when guests check-in. * **Retail:** * **Price Changes:** Notify customers or internal teams of price changes. * **Product Availability:** Alert when an out-of-stock item is back in stock. * **Real Estate:** * **New Listing:** Notify agents and clients of new property listings. * **Open House Reminder:** Send reminders for upcoming open house events. * **Energy Management:** * **Consumption Alert:** Notify consumers when energy consumption exceeds set limits. * **Outage Notification:** Alert residents or businesses of power outages in the area. * **Government Services:** * **License Renewal:** Notify citizens when it's time to renew licenses. * **Public Service Announcements:** Distribute emergency alerts and announcements. * **Manufacturing:** * **Production Status:** Notify teams of production line statuses and changes. * **Quality Control Alerts:** Alert when a quality check fails or passes. * **Entertainment Industry:** * **New Release Notification:** Notify subscribers of new music, movie, or show releases. * **Event Ticket Availability:** Alert when tickets for popular events become available. * **Travel and Transportation:** * **Flight Status:** Notify passengers of flight delays, cancellations, or gate changes. * **Ride Booking Confirmation:** Send confirmation and details for booked rides. * **Telecommunications:** * **Network Outage:** Alert customers of network outages in their area. * **Plan Change Confirmation:** Notify customers when they change their service plan. * **Legal and Compliance:** * **Case Updates:** Notify clients of updates in their legal cases. * **Regulatory Alerts:** Alert organizations of new or updated regulations affecting them. * **Environmental Monitoring:** * **Weather Alerts:** Notify users of severe weather warnings in their location. * **Pollution Levels:** Alert residents of high pollution levels. * **Non-Profit Organizations:** * **Donation Received:** Notify when a new donation is received. * **Event Registration:** Alert organizers of new registrations for charitable events. * **Security and Surveillance:** * **Security Breach:** Alert security teams of potential breaches or unauthorized access. * **Equipment Failure:** Notify of security equipment failure or maintenance needs. * **Agriculture and Farming:** * **Crop Health Monitoring:** Alert farmers of changes in crop health. * **Equipment Status:** Notify of farming equipment status and maintenance needs. Updated about 2 years ago * * * * [Events](https://documentation.hook0.com/docs/events) * [Applications](https://documentation.hook0.com/docs/applications) * [Verifying Signatures](https://documentation.hook0.com/docs/verifying-webhook-signatures) * [IP Whitelisting](https://documentation.hook0.com/docs/ip-whitelisting) --- # Event Types Event types are a way to **categorize** the events you send to Hook0. An event type is basically a string composed of three dot-separated parts: * a service name * a resource type * a verb > 📘 > > Examples of event types > > > ----------------------------- > > * `iam.user.created` > * `storagre.file.removed` > * `api.application.created` Event types set an implicit contract on event payloads: events with the same event type are expected to have **the same payload structure**, and event types make it easy for webhooks receivers to analyze these payloads. Event types are also crucial for another reason: users that create a subscription can **choose which event types they want** to hear about! If a user subscribes to a given set of event types, Hook0 will only forward events that match these types for this particular subscription. Updated almost 3 years ago * * * --- # Events An event is a notification that is sent from your [applications](https://documentation.hook0.com/docs/applications) to Hook0 when a specific action occurs. This action can be anything from a new commit being pushed to a repository to a new user being created (it depends on what you application does!). Each event sent from your app to Hook0 have an associated [event type](https://documentation.hook0.com/docs/event-types) . Event types are identifiers denoting the type of message being sent and are the primary way for webhook consumers to configure through [subscriptions](https://documentation.hook0.com/docs/subscriptions) what events they are interested in receiving. Usage [](https://documentation.hook0.com/docs/events#usage) --------------------------------------------------------------- * Webhook events have a payload that must be in JSON, plain text or binary (base64-encoded). This payload is what your subscribers will receive as webhook request's body. * Webhook events can be used to trigger actions in your own application, such as sending an email or updating a database. Updated about 2 years ago * * * * [Applications](https://documentation.hook0.com/docs/applications) * [Event Types](https://documentation.hook0.com/docs/event-types) * [Subscriptions](https://documentation.hook0.com/docs/subscriptions) --- # Architecture A Hook0 instance is composed of multiple parts. Let's explain what they are used for! ### Hook0 API [](https://documentation.hook0.com/docs/architecture#hook0-api) Hook0 API is the central part of the system. It is a Rust web application. > 📘 > > Hook0 API dependencies > > > ---------------------------- > > * a [PostgreSQL](https://www.postgresql.org/) > database ### Hook0 UI [](https://documentation.hook0.com/docs/architecture#hook0-ui) Hook0 UI is a Vue.js front-end web application. > 📘 > > Hook0 UI dependencies > > > --------------------------- > > * Hook0 API ### Hook0 Output Worker [](https://documentation.hook0.com/docs/architecture#hook0-output-worker) Hook0 Output Worker is responsible of actually calling users' webhooks and gathering responses. It is a Rust application that does not need to accept incoming connections. > 📘 > > Hook0 Output Worker dependencies > > > -------------------------------------- > > * the PostgreSQL database used by Hook0 API There can be multiple instances of Hook0 Output Worker, work would be shared between each of them. Updated over 1 year ago * * * --- # What is Hook0? **Hook0** is a product that helps _any software system_ (such as Software-as-a-Service applications) to **expose webhooks** to their end users. About webhooks [](https://documentation.hook0.com/docs/what-is-hook0#about-webhooks) ---------------------------------------------------------------------------------------- Webhooks, as APIs, are a way to connect heterogeneous software systems together. With an API, you allow another software to interact with your system's data, but this other software has to pull everything it needs! If you want to react to some event, this other software would need to periodically call the API and compare the fetched data to the one fetched previously to determine if something new did happened. It works, but it is tedious to do for developers because they need to handle some sort of synchronization instead on focusing on bringing business value. With webhooks, the roles are inverted! One would need to create a subscription on your system, which is basically the list of events you are interested in and a target URL the system should call every time an event you subscribed to occurs. Then, you just have to write and host a web application to receive the events! This makes is really easy to create custom integrations or automation. Our vision with Hook0 [](https://documentation.hook0.com/docs/what-is-hook0#our-vision-with-hook0) ------------------------------------------------------------------------------------------------------ At Hook0, we believe that most software systems (especially SaaS) that reached product-market fit will need to offer to their users some ways to create integrations with other software (whether public or private/custom). Webhooks are a great way to achieve this, on their own or along with an API! Implementing webhooks support in an application can feel like an easy task, but we observe two things: * usually, webhooks become necessary at a stage where product developers still have a lot to do **and should focus on scaling up the value their product brings** * it is actually _not_ that easy to implement a **good** webhooks support, including good Developer eXperience (DX), security, performances, reliability, … As the webhooks-related features are product-agnostic, we see teams re-implementing the same basic webhooks support over and over. We believe that adding webhooks to a software system should be a convenience. We want to make it easier for developers to integrate their products to Hook0 than to build their own too basic webhooks system. > 👍 > -- > > We believe that adding webhooks to a software system should be a **convenience**. > We want to make it easier for developers to **integrate their products to Hook0** than to build their own too-basic webhooks system. Hook0's features [](https://documentation.hook0.com/docs/what-is-hook0#hook0s-features) ------------------------------------------------------------------------------------------- ### Current [](https://documentation.hook0.com/docs/what-is-hook0#current) * **Open-Source**: Try it, host it, but above all build on top of something that is not going to disappear. * **Fine-grained subscriptions**: Enable your users to subscribe to your events by setting up a webhook. They can choose which event types they want to receive. * **Multi subscriptions**: Your users can register several webhooks, we will send events to all of them! * **Event scoping**: Scope events to one or several levels of your application. Users, organizations, administrators, \[insert your own\], they can all handle subscriptions to their events. * **Auto-Retry**: If Hook0 can't reach a webhook, or if it does not respond with a success code, Hook0 will try again automatically. * **Events & responses persistence**: Hook0 can keep track of every event your application sent it and of every webhook call. This can helps you debug things or act as an audit log ! * **GDPR Compliance**: Hook0 is fully GDPR compliant and can easily execute a data processor agreement with your company if needed. ### Upcoming [](https://documentation.hook0.com/docs/what-is-hook0#upcoming) * **Dashboards**: Either use Hook0 out-of-the-box dashboards to let your users see events that went through their subscriptions, or build your own with the API. * **Failure notification**: If after several retries Hook0 still can't successfuly reach a webhook, your user is notified by email. * **High availability**: Hook0 won't miss the events you send it. > ❗️ > -- > > Need something that is not here? Reach [\[email protected\]](https://documentation.hook0.com/cdn-cgi/l/email-protection#fb888e8b8b94898fbb93949490cbd5989496) > and let us know! Updated almost 3 years ago * * * * [Getting Started](https://documentation.hook0.com/docs/getting-started-1) --- # Policies Summary [](https://documentation.hook0.com/docs/information-security-policy#summary) ---------------------------------------------------------------------------------------- We recognize the value of information and privacy and have therefore implemented an information security management system to control all our efforts towards information security. This policy applies to all individuals who have access to sensitive information, including employees, contractors, and third-party vendors. The Information security policy applies to all stakeholders of our organization at Hook0. Principles [](https://documentation.hook0.com/docs/information-security-policy#principles) ---------------------------------------------------------------------------------------------- * The responsibility for all information security efforts has been appointed to the Security officer * Policies and procedures documents will be kept up to date and made available to all relevant stakeholders Information security awareness training will be provided to all employees * Organizational and technical measures will be put into place to protect information assets * Procedures will be put into place to correct and prevent any deviations and incidents * We comply with all laws and regulations in our jurisdiction * To continuously improve ourselves, we review and define new Objectives * To provide assurance to our stakeholders, we seek compliance to ISO 27001 Scope [](https://documentation.hook0.com/docs/information-security-policy#scope) ------------------------------------------------------------------------------------ This policy applies to all information that is collected, stored, and processed by our organization. This includes customer data, access credentials, and other sensitive information. Roles and Responsibilities [](https://documentation.hook0.com/docs/information-security-policy#roles-and-responsibilities) ------------------------------------------------------------------------------------------------------------------------------ All individuals with access to sensitive information are responsible for protecting that information in accordance with this policy. This includes: * Ensuring that access to sensitive information is restricted to authorized individuals only * Protecting access credentials and other sensitive information from unauthorized access or disclosure * Reporting any potential security incidents or breaches to the Information Security team Information Security Measures [](https://documentation.hook0.com/docs/information-security-policy#information-security-measures) ------------------------------------------------------------------------------------------------------------------------------------ Our organization has implemented a number of measures to prevent, detect, and respond to security incidents. These measures include: * Implementing strong password policies and requiring the use of two-factor authentication * Regularly monitoring and auditing access to sensitive information * Conducting regular security assessments and vulnerability scans * Providing employees with training on information security best practices * Establishing incident response procedures to quickly and effectively address potential security incidents Policy Compliance [](https://documentation.hook0.com/docs/information-security-policy#policy-compliance) ------------------------------------------------------------------------------------------------------------ Individuals who do not comply with this policy may be subject to disciplinary action, up to and including termination of employment. Policy Review [](https://documentation.hook0.com/docs/information-security-policy#policy-review) ---------------------------------------------------------------------------------------------------- This policy will be reviewed and updated on an annual basis, or as needed to reflect changes in technology, business practices, and regulatory requirements. Updated about 2 years ago * * * --- # Docker Compose > 🚧 > > Do not run this in production! > > > ------------------------------------ > > This Docker Compose setup is provided for testing or development purposes. Most things in there are **not secure** and use default passwords. > > If you need to run Hook0 in production, you can subscribe to our managed SaaS instance on [https://www.hook0.com](https://www.hook0.com/) > , or do a [manual setup](https://documentation.hook0.com/docs/manual-setup) > . Run Docker Compose [](https://documentation.hook0.com/docs/docker-compose#run-docker-compose) ------------------------------------------------------------------------------------------------- Ensure you have cloned our repository and have a working Docker installation. Then, you just have to run: Shell `docker compose -f docker-compose.yaml up --build --detach` > 📘 > -- > > This will build a lot a things on the first launch, it can take a while! Create a User and an Organization [](https://documentation.hook0.com/docs/docker-compose#create-a-user-and-an-organization) ------------------------------------------------------------------------------------------------------------------------------- Once everything is up, the easiest way to get going is to hit the registration endpoint: Shell `curl http://localhost:8081/api/v1/register -XPOST -H 'Content-Type: application/json' -d '{ "email": "...", "first_name": "...", "last_name": "...", "password": "..." }'` Once this is done, you can open [http://localhost:8001](http://localhost:8001/) and login! Volumes [](https://documentation.hook0.com/docs/docker-compose#volumes) --------------------------------------------------------------------------- Our Docker Compose will create/use the following Docker volumes: * `postgres-data`: Hook0 database (`/var/lib/postgresql/data`) Updated about 1 year ago * * * --- # Bare Metal ### External Services [](https://documentation.hook0.com/docs/manual-setup#external-services) Make sure you have access to: * a PostgreSQL 15+ database (it might work with an early version) ### Clone the repository [](https://documentation.hook0.com/docs/manual-setup#clone-the-repository) Clone the repository `git clone https://gitlab.com/hook0/hook0 cd hook0` ### Build Hook0 UI [](https://documentation.hook0.com/docs/manual-setup#build-hook0-ui) You must to have [Node.js](https://nodejs.org/) LTS installed (and npm). Building Hook0 UI requires the following environment variables: | | | | --- | --- | | `API_ENDPOINT` | Base URL of the API (example: `https://app.hook0.com/api/v1`) | You need to define and export these variables in your shell before you continue. Shell `cd frontend npm ci npm run build cd ..` > 📘 > -- > > In this guide we will assume that the Hook0 API web sever is going to serve Hook0 UI (this is simpler), but you can serve it separately as it is just a static web application. ### Build Hook0 API [](https://documentation.hook0.com/docs/manual-setup#build-hook0-api) You need to have [Rust](https://www.rust-lang.org/) stable installed. Compiling Hook0 API `cd api SQLX_OFFLINE=true cargo build --release cd ..` This will create the `target/release/hook0-api` executable. This executable is a web server: when you run it, it will bind to an IP address and port (by default: `127.0.0.1:8080`). > 📘 > > Configuration > > > ------------------- > > A lot of configuration options are available, and some of them are mandatory. Each option can be set using either a CLI parameter or an environment variable. > > To see the list of options and their descriptions, run `./target/release/hook0-api --help`. #### Configuration options [](https://documentation.hook0.com/docs/manual-setup#configuration-options) * `--no-default-features --features reqwest-rustls-tls-native-roots`: ensure that all outgoing HTTPS requests are validated using your OS certificate store > ❗️ > -- > > Hook0 API uses [the `env_logger` crate](https://crates.io/crates/env_logger) > to manage its log output. You should make sure you have defined a `RUST_LOG=info,sqlx=warn,actix_governor=warn` environment variable before running it in order to see some log output. ### Build Hook0 Output Worker [](https://documentation.hook0.com/docs/manual-setup#build-hook0-output-worker) Prerequisites, building and configuration of Hook0 Output Worker are very similar to those of Hook0 API. Compiling Hook0 Output Worker `cd output-worker SQLX_OFFLINE=true cargo build --release cd ..` This will create the `target/release/hook0-output-worker` executable. You can run multiple workers so that they share the work. #### Configuration options [](https://documentation.hook0.com/docs/manual-setup#configuration-options-1) * `--no-default-features --features reqwest-rustls-tls-native-roots`: ensure that all outgoing HTTPS requests are validated using your OS certificate store. Updated about 1 year ago * * * --- # Troubleshooting This article contains various suggestions and tips to help troubleshoot setup and connectivity issues. If you have additional issues, [contact support](https://documentation.hook0.com/cdn-cgi/l/email-protection#fe8d8b8e8e918c8abe96919195ced09d9193) . Updated about 2 years ago * * * --- # REST API Hook0 offers an application programming interface (API) to let you automate various aspects of your webhooks integration. You can find [documentation for the API here →](https://documentation.hook0.com/reference/) Updated about 2 years ago * * * --- # Changelog You can find [changelog here →](https://documentation.hook0.com/changelog) Updated about 2 years ago * * * --- # Comparisons Webhooks are a way for two applications to communicate with each other in real time. When an event happens in one application, a webhook is sent to the other application, which can then take some action based on the event. Webhooks were created to solve the problem of polling. Before webhooks, applications would have to poll each other regularly to see if anything had changed. This was inefficient and could lead to missed events. Webhooks solve this problem by allowing applications to be notified of events as soon as they happen. Webhooks were first implemented using HTTP POST requests. The application that wanted to be notified of events would provide a URL that the other application could POST to. When an event happened, the other application would POST a JSON payload to the URL. Hook0 is a fully open-source project also available as an hosted service that makes it easy to set up and manage webhooks. With Hook0, you don't have to worry about the details of implementing webhooks, managing and scaling your own webhook servers. Updated about 2 years ago * * * * [Hostedhooks vs Hook0](https://documentation.hook0.com/docs/hostedhooks-vs-hook0) * [Hookdeck vs Hook0](https://documentation.hook0.com/docs/hookdeck-vs-hook0) --- # Javascript / Typescript Hook0 Javascript / Typescript Client [](https://documentation.hook0.com/docs/sdk-javascript-typescript#hook0-javascript--typescript-client) =============================================================================================================================================== This is the Javascript / Typescript SDK for Hook0, an open-source webhooks-as-a-service platform designed for SaaS applications. Features [](https://documentation.hook0.com/docs/sdk-javascript-typescript#features) ---------------------------------------------------------------------------------------- * **Upsert Event Types**: Easily manage event types with upsert operations. * **Send Events**: Send events to Hook0. * **Verifying Webhook Signatures**: Ensure the authenticity and integrity of incoming webhooks. Getting Started [](https://documentation.hook0.com/docs/sdk-javascript-typescript#getting-started) ------------------------------------------------------------------------------------------------------ To use the Hook0 Javascript / Typescript client in your project, install it via npm: Bash `npm install hook0-client` Updated 8 months ago * * * --- # Security Communication Encryption [](https://documentation.hook0.com/docs/security#communication-encryption) ------------------------------------------------------------------------------------------------------- In order to secure the transmission of data between Hook0, customer's subscriptions and customer's applications, Hook0 use TLS (Transport Layer Security) versions 1.2 and 1.3 for both the API and web application. TLS is a cryptographic protocol that ensures the confidentiality and integrity of data as it is transmitted over the internet. Additionally, the HTTPS (Hypertext Transfer Protocol Secure) protocol is required to further protect against potential attacks. Rate-limiting [](https://documentation.hook0.com/docs/security#rate-limiting) --------------------------------------------------------------------------------- Hook0 implements three rate limiters to control the flow of incoming requests. These include the **global limiter**, which limits the total number of requests per second that an instance can handle, as well as the **per IP rate-limiter** and **per token rate-limiter**. > 📘 > > Per Token Rate-limiter > > > ---------------------------- > > The per token limiter is only applied to requests that are successfully authenticated. All incoming requests are processed by these three limiters. By default, the global limiter allows more requests per second than the per IP limiter, which, in turn, allows more requests per second than the per token limiter. > 👍 > > Rate-limit configuration options > > > -------------------------------------- > > All three limiters can be customized or disabled according to your specific needs. You can access the configuration variables by running the API with the "--help" option or by reading the source code. We recommend against disabling all three limiters, as this may pose a significant risk. However, depending on your system's characteristics, it may be acceptable to disable one or more of them, particularly if your instance is not publicly accessible. Protection against attacks [](https://documentation.hook0.com/docs/security#protection-against-attacks) ----------------------------------------------------------------------------------------------------------- Hook0 offers solutions to protect against various types of attacks that may attempt to compromise the security of communications between clients and servers. These solutions include protection against man-in-the-middle (MITM) attacks, in which an attacker intercepts and alters communications between two parties. Hook0 also protects against forged request attacks, in which an attacker attempts to send unauthorized requests to the server, and replay attacks, in which an attacker captures and resends valid requests to the server in an attempt to trick it into performing unintended actions. See more details in [Consuming Webhooks](https://documentation.hook0.com/docs/consuming-webhooks) . Webhook security [](https://documentation.hook0.com/docs/security#webhook-security) --------------------------------------------------------------------------------------- Webhooks are a way for a server to send real-time notifications to a client when certain events occur. To ensure the integrity of these notifications, Hook0 uses an HMAC (Hash-based Message Authentication Code) signed with the SHA-256 (Secure Hash Algorithm) algorithm. This helps to prevent an attacker from altering the content of the notification as it is transmitted over the internet. See more details in [Consuming Webhooks](https://documentation.hook0.com/docs/consuming-webhooks) . Event and webhook delivery storage [](https://documentation.hook0.com/docs/security#event-and-webhook-delivery-storage) --------------------------------------------------------------------------------------------------------------------------- Hook0 stores events and webhook deliveries with HTTP responses or errors in order to assist with audit processes and to help resolve any issues that may arise. This information can be useful for tracking the delivery of webhooks and for debugging any problems that may occur. This feature is particularly helpful for new users who may be unfamiliar with the system and may need assistance with troubleshooting. Updated over 2 years ago * * * --- # Getting Started Hook0 makes it easy for your software systems to [offer and distribute webhooks](https://www.hook0.com/) to your users. Your app + Hook0 = ♥ [](https://documentation.hook0.com/docs/getting-started#your-app--hook0--) --------------------------------------------------------------------------------------------------- Integrating Hook0 to your system will require you to interact with it in three different ways: 1. **Setup**: create your organization and application, declare your event types 2. **Subscribe**: manually create subscriptions to events (as an admin) or implement proxy endpoints in your app so that your users can create subscriptions to events that concern them 3. **Send events**: make you app send events to Hook0 whenever something interesting happens Setup [](https://documentation.hook0.com/docs/getting-started#setup) ------------------------------------------------------------------------ ### Organization & application [](https://documentation.hook0.com/docs/getting-started#organization--application) Head over to [https://www.hook0.com/](https://www.hook0.com/) and **register**. This will create an organization and a user that owns it. You can then log into [Hook0 UI](https://app.hook0.com/) and access your dashboard. Next thing is to **create an application** inside your organization. You can name it the way you want! > 📘 > > About organizations and applications > > > ------------------------------------------ > > An **organization** can have multiple users, with either _read-write_ or _read-only_ permissions. It is also linked to a pricing plan and its limitations. It can contain multiple applications. > > An **application** is a logical unit that acts as a scope to everything event-related: events, event types, subscriptions, … > > Having several applications can be useful if you want to manage different webhook systems that do not interact with each other. For example, it can be two independent SaaS apps, or your production and staging environments. ### Event types [](https://documentation.hook0.com/docs/getting-started#event-types) Then, you have a design task coming up: you need to **list and name every event type your app can emit**. You will be able to add or remove them afterwards, but it is easier to do this upfront, before you start sending events to Hook0. Use Hook0 UI to create your event types! > 👍 > -- > > In this tutorial we will only create one event type: `mycrm.customer.created`. ### Application secret [](https://documentation.hook0.com/docs/getting-started#application-secret) In order for our app to be able to use Hook0 API, we need to create an application secret. This can be done using Hook0 UI, and you will obtain a UUID token (such as `4f8d93f1-d8a1-4357-88ce-8dd029e99b4b`). Keep this token close, we will refer to it using `$APPLICATION_SECRET`. > 📘 > > About application secrets > > > ------------------------------- > > An application secret is basically an API token that is scoped to a given application. > > See the [API Authentication](https://documentation.hook0.com/docs/api-authentication) > page for more details. Subscribe [](https://documentation.hook0.com/docs/getting-started#subscribe) -------------------------------------------------------------------------------- ### Labels [](https://documentation.hook0.com/docs/getting-started#labels) Before making a subscription, we need to talk about **labels**. Let say an event of type `mycrm.customer.created` is to be emitted when some user create a new customer in your CRM app. Let also say that your CRM app is a multi tenant app, thus you have multiple organizations (let's go with `org1` and `org2` for the example). If `user1` (who belongs to `org1`) create a new customer, you do **not** want `user2` (from `org2`) to receive a webhook about it. In Hook0, we created the concept of labels in order to **scope events**. This works in two steps: 1. When your app send an event to Hook0, it has to specify **one or several labels**, which are a set of key/values strings. The keys would be scope names (`org_id` for example) and the values would indicate the specific entities (the actual ID of an organization for example). 2. When someone create a subscription in Hook0, one has to specify **one label**. This means that only events that are marked with this label should be dispatched to this subscription. In our previous example, we could mark our event with the following labels: `all → yes` and `org_id → 1`. If `user1` create a subscription, we would ensure it would be with the label `org_id → 1`, which means `user1` would only receive webhooks related to its organization. Adding the `all → yes` label to all our events could allow an instance administrator to create a subscription (with this same label) that would receive all webhooks without filtering by organization. > 📘 > > Labels are flexible > > > ------------------------- > > Depending on your system, you can use labels to mark your events in multiple ways. This allows multiple kinds of users to subscribe to events without receiving events that do not concern them. > > Ask yourself who you want to offer webhooks to and make a label for each! > ❗️ > > Labels in subscriptions must be enforced > > > ---------------------------------------------- > > Of course, your users should **not** send API call to Hook0, only your app should. This means you have to implement an endpoint/route in your app that allows your users to create a subscription. This endpoint would ensure that the subscription is created with the **right label** so that users cannot cheat! ### Creating a subscription [](https://documentation.hook0.com/docs/getting-started#creating-a-subscription) As we discussed in the previous section, it is important to ask yourself **which kind of users need to be offered webhooks**. This might require to implement an endpoint or a route in your app so that they can create subscriptions. In this tutorial, we will go with a simpler case: you, as an instance administrator of your app, want to receive webhooks for all events. To create a subscription, we need the following things: * The application ID * An optional description * Optional metadata in a key/value form (that would be the machine-readable version of the description) * A boolean to define whether or not the subscription is enabled * A list of event types to subscribe to * A label (a key and a value) * Information related to the target (where the webhook should be sent): * A target type (for now, we only support `http`) * A target URL * Optional HTTP headers that should be included in the webhook HTTP requests We will also need to authenticate our API call, so we will use our application secret. Working with cURL, the [API call to create a subscription](https://documentation.hook0.com/reference/subscriptionscreate) would look like this: Creating a subscription `curl --request POST \ --url 'https://app.hook0.com/api/v1/subscriptions/' \ --header "Authorization: Bearer $APPLICATION_SECRET" \ --header 'Accept: application/json' \ --header 'Content-Type: application/json' \ --data ' { "application_id": "your_app_ID", "description": "This is the subscription from the tutorial", "metadata": { "tutorial": "true" }, "is_enabled": true, "event_types": [ "mycrm.customer.created" ], "label_key": "all", "label_value": "yes", "target": { "type": "http", "method": "POST", "url": "https://webhook.site/...", "headers": {} } } '` Send events [](https://documentation.hook0.com/docs/getting-started#send-events) ------------------------------------------------------------------------------------ Now you need to implement a few things in you app, so that it will send events to Hook0. ### Configuration [](https://documentation.hook0.com/docs/getting-started#configuration) Your app will need to know three things: * **Hook0 API URL**: the URL of Hook0's API; usually `https://app.hook0.com/api/v1` if you are using Hook0 SaaS * **your Hook0 application ID**: an UUID you can find in Hook0 UI * **your Hook0 application secret**: `$APPLICATION_SECRET` You should add these to the configuration system you use in your app so that these values can be easily obtained from anywhere in your code where you need to send events. ### Sending an event [](https://documentation.hook0.com/docs/getting-started#sending-an-event) Now we are ready to send an event to Hook0 using the [event ingestion endpoint](https://documentation.hook0.com/reference/eventsingest) . Here is an example of what we would send using cURL (but you need to implement that in your app): Sending an event `curl --request POST \ --url 'https://app.hook0.com/api/v1/event/' \ --header "Authorization: Bearer $APPLICATION_SECRET" \ --header 'Accept: application/json' \ --header 'Content-Type: application/json' \ --data ' { "application_id": "your_app_ID", "event_id": "some_uuid_for_your_event", "event_type": "mycrm.customer.created", "metadata": {}, "labels": { "all": "yes" }, "occurred_at": "2022-11-04T16:12:58Z", "payload_content_type": "application/json", "payload": "{\"test\": true}" } '` It is important to mention that: * the event ID is an UUID that you need to generate * the `occurred_at` field is the date when the event occurred; it could be the current datetime, but it could a past date you already manipulate in your app * the `payload_content_type` field must be one of: `text/plain`, `application/json` or `application/octet-stream+base64` * the `payload` field **must always be a string**: * if `payload_content_type` is `text/plain`, it can contain any string * if `payload_content_type` is `application/json`, it must contain a JSON-encoded string (and not a JSON object/array directly, it must be a string from the event JSON perspective) * if `payload_content_type` is `application/octet-stream+base64`, it must contain a base64-encoded string ### Receiving a webhook [](https://documentation.hook0.com/docs/getting-started#receiving-a-webhook) At that point, your event should have been dispatched to the target you specified in the subscription! 🎉 > ❗️ > -- > > Before doing anything with this webhook, you should [verify](https://documentation.hook0.com/docs/verifying-webhook-signatures) > it to prevent yourself from malicious webhook calls and replay attacks. Updated almost 2 years ago * * * --- # Rust Features [](https://documentation.hook0.com/docs/sdk-rust#features) ----------------------------------------------------------------------- * **Upsert Event Types**: Easily manage event types with upsert operations. * **Send Events**: Send events to Hook0. * **Verifying Webhook Signatures**: Ensure the authenticity and integrity of incoming webhooks. Examples [](https://documentation.hook0.com/docs/sdk-rust#examples) ----------------------------------------------------------------------- ### Actix-web Example [](https://documentation.hook0.com/docs/sdk-rust#actix-web-example) The `examples/actix-web.rs` file demonstrates how to set up a simple Actix-web server to handle webhooks signature verification. Rust `use actix_web::{web, App, HttpServer}; #[actix_web::main] async fn main() -> std::io::Result<()> { HttpServer::new(|| App::new().route("/webhook", web::post().to(handle_webhook))) .bind("127.0.0.1:8081")? .run() .await }` This example sets up a server listening on `127.0.0.1:8081` and handles incoming POST requests to the `/webhook` route. Getting Started [](https://documentation.hook0.com/docs/sdk-rust#getting-started) ------------------------------------------------------------------------------------- To use the Hook0 Rust client in your project, make a `cargo add hook0-client` in your project. Or you can add the following to your `Cargo.toml`: TOML `[dependencies] hook0-client = "hook0-client-version"` ### Enabling Features [](https://documentation.hook0.com/docs/sdk-rust#enabling-features) The client supports several optional features: * `reqwest-rustls-tls-webpki-roots`: Use Rustls with WebPKI roots for TLS. * `consumer`: Enable webhook consumer functionality. Consumer features is for verifying and processing webhooks from Hook0. * `producer`: Enable webhook producer functionality. Producer features is for upsert event types and send events to Hook0. Updated 9 months ago * * * --- # List application secrets ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Metadata Most updatable Hook0 objects—including Events, Subscriptions, —have a metadata parameter. You can use this parameter to attach arbitrary key-value data to these Hook0 objects. You can specify up to 50 keys, with key names up to 50 characters long and values up to 50 characters long. Metadata is useful for storing additional, structured information on an object. For example, you could store your user's corresponding unique identifier from your system on a Hook0 Customer object. By default, metadata isn't used by Hook0—for example, it's not used when forwarding events to subscriptions —but metadata is supported by the Search API. Your users won't see metadata unless you show it to them. Some of the objects listed above also support a description parameter. You can use the description parameter to annotate a subscription —with, for example, a human-readable description like "Receive new customer events and forward them to Slack channel General". Unlike metadata, description is a single string, and your users may see it (e.g., in subscription max retry alert email Hook0 sends on your behalf). Don't store any sensitive information (bank account numbers, card details, and so on) in metadata or in the description parameter. Updated over 2 years ago * * * * [Sending Events](https://documentation.hook0.com/docs/sending-events) * [Subscriptions](https://documentation.hook0.com/docs/subscriptions) --- # Authentication There are two ways to authenticate with Hook0's API: using a **JWT** or using an **application secret**. Both token are to be included in HTTP requests using a header: HTTP header `Authorization: Bearer [token]` **TL;DR** * **JWTs** are used by Hook0 UI and let you interact with the whole API as a human user * **Application secrets** allow any program to interact with the API but only for a given Hook0 application _When sending events from you application to Hook0, you should use an application secret!_ JWT [](https://documentation.hook0.com/docs/api-authentication#jwt) ----------------------------------------------------------------------- JWTs are emitted by the Keycloak instance that is connected to Hook0. Hook0 relies on Keycloak to handle users, login flows, … When you are logging into Hook0 UI, you are actually logging into Keycloak, which then gives a JWT to your web browser so that Hook0 UI uses it to communicate with Hook0's API. This JWT allows you to use the whole API. Of course, you can only interact with the organizations your user have access to, according to the roles you have. The main drawback of using JWT is that you need to use the login web page and renew your access token very often (using a refresh token provided by Keycloak). > 📘 > -- > > This makes it a good authentication method for **humans** or **one-off scripts**. Application secret [](https://documentation.hook0.com/docs/api-authentication#application-secret) ----------------------------------------------------------------------------------------------------- Application secrets are created by _you_, through Hook0's UI or API. They are simple _Bearer_ tokens stored in Hook0's database. The can be used to interact with the API, but as they are linked to applications, they can only be used with endpoints that are related to an applications. For example, you _cannot_ create an application or list every application that belong to your organization. But you _can_ list and edit event types or subscriptions, as long as your requests are targeting the same application your application secret belongs to. Application secrets are somewhat very similar to GitHub's or GitLab's deploy keys: they are linked to a repo (≅ an Hook0 application) and not to any user. > 📘 > -- > > This makes it a good authentication method for **programs** that interact with **a given Hook0 application**. Updated over 2 years ago * * * --- # Rate-limits Introduction [](https://documentation.hook0.com/docs/rate-limits#introduction) ---------------------------------------------------------------------------------- To ensure fair usage and maintain the performance of the system, rate-limits are implemented across all endpoints. This article will provide an overview of how rate-limits work in the Hook0 REST API, the specific rate-limit values, the consequences of hitting the rate-limits, and best practices for developers to handle rate-limits effectively. The Hook0 REST API uses Rust [actix\_governor](https://docs.rs/actix-governor/latest/actix_governor/) underneath to enforce rate-limits. Rate-Limit Basics [](https://documentation.hook0.com/docs/rate-limits#rate-limit-basics) -------------------------------------------------------------------------------------------- Every endpoint in the Hook0 REST API is subject to rate-limits. These limits apply to all users, regardless of whether they are on a free or paid plan. The rate-limits are as follows: * Global: 1000 requests per second (burst at 2000) * Per IP: 100 requests per second (burst at 200) * Per Token: 100 requests per second (burst at 200) The API will return a `429` HTTP status code when a user exceeds the allowed request rate. Handling Rate-Limits [](https://documentation.hook0.com/docs/rate-limits#handling-rate-limits) -------------------------------------------------------------------------------------------------- Developers need to be aware of rate-limits and account for them in their application's error handling. When the API returns a 429 HTTP status code, it indicates that the rate-limit has been exceeded. In such cases, developers should implement a back-off strategy, such as exponential back-off, to retry the request after a specified interval. Best Practices [](https://documentation.hook0.com/docs/rate-limits#best-practices) -------------------------------------------------------------------------------------- * Monitor usage: Keep track of the number of requests made to the API and adjust the request frequency to avoid hitting rate-limits. * Implement back-off strategies: When the API returns a 429 HTTP status code, implement a back-off strategy to pause and retry the request after a specified interval. * Optimize API calls: Wherever possible, optimize your application's use of the API by reducing the number of requests or batching requests together. * Graceful error handling: Ensure that your application can handle rate-limit errors gracefully, displaying appropriate messages to users and maintaining functionality where possible. * Stay informed: Keep up to date with any changes or updates to the Hook0 REST API rate-limits by monitoring the documentation and subscribing to relevant notifications. Future Updates [](https://documentation.hook0.com/docs/rate-limits#future-updates) -------------------------------------------------------------------------------------- At present, there is no difference in rate-limits between free and paid plans. However, this may change in the future. Be sure to stay informed of any updates to rate-limits by monitoring the Hook0 REST API documentation and subscribing to relevant notifications. Conclusion [](https://documentation.hook0.com/docs/rate-limits#conclusion) ------------------------------------------------------------------------------ Understanding and handling rate-limits is essential for developing robust and reliable applications using the Hook0 REST API. By adhering to best practices and monitoring your application's usage, you can ensure that your application remains performant and provides a great user experience. Updated almost 2 years ago * * * --- # Requests Limits General API Request Limit [](https://documentation.hook0.com/docs/payload-size-limit#general-api-request-limit) ------------------------------------------------------------------------------------------------------------------- **Max Request Body Size**: All API requests to Hook0 must not exceed **2 MiB**. > 📘 > > Why This Limit? > > > --------------------- > > Restricting the request size ensures optimal performance and prevents abuse of the system. Event Payload Limit [](https://documentation.hook0.com/docs/payload-size-limit#event-payload-limit) ------------------------------------------------------------------------------------------------------- ### Sending to the Ingestion Endpoint [](https://documentation.hook0.com/docs/payload-size-limit#sending-to-the-ingestion-endpoint) **Maximum "Payload" Property Size**: When sending an event to the [ingestion endpoint](https://documentation.hook0.com/reference/eventsingest) , the payload property must be 699 kiB or less. **Binary Data Equivalent**: This is roughly equivalent to 512 kiB of binary data, if transformed into a base64 string. ### Types of Payload [](https://documentation.hook0.com/docs/payload-size-limit#types-of-payload) **Binary Payload**: If sending binary data, ensure it is transformed into a base64 string. **Text/JSON Payload**: The 699 kiB limit applies to text or JSON payloads as well. Tips and Best Practices [](https://documentation.hook0.com/docs/payload-size-limit#tips-and-best-practices) --------------------------------------------------------------------------------------------------------------- * **Monitor Payload Size**: Be mindful of the payload size when constructing events, as exceeding the limits may lead to request failure. * **Utilize Compression**: Consider compressing large payloads to fit within the size constraints. * **Test Before Sending**: Validate the size of the payload before transmitting to avoid unexpected errors. By adhering to these guidelines and understanding the underlying limitations, developers can ensure smooth integration with Hook0's services and maintain a reliable connection. Updated about 2 years ago * * * * [Rate-limits](https://documentation.hook0.com/docs/rate-limits) --- # Welcome to Hook0 [Back to All](https://documentation.hook0.com/changelog) Welcome to the developer hub and documentation for Hook0! --- # Consuming Webhooks About webhooks security [](https://documentation.hook0.com/docs/consuming-webhooks#about-webhooks-security) --------------------------------------------------------------------------------------------------------------- Webhooks are just HTTP requests to your web server. Anyone could craft them and trick your systems to do something as if they had received a valid webhook. Hook0 provides solutions to protect you from several kinds of attacks: * Man-in-the-Middle (MITM) attacks * forged requests * replay attacks ### MITM attacks [](https://documentation.hook0.com/docs/consuming-webhooks#mitm-attacks) **Problem:** One could intercept network packets of a webhook call and gain access to your data. **Solution:** Always use a `https://` URL when specifying a webhook subscription target, so that data is encrypted using TLS. Also, double-check that this URL points to an app you own. ### Forged requests [](https://documentation.hook0.com/docs/consuming-webhooks#forged-requests) **Problem:** Knowing your subscription URL, anyone could sent it fake data as if it was coming from Hook0. **Solution:** Hook0 includes a signature header in every webhook call. This header is a _HMAC-SHA-256_ signature of the payload. It uses a secret key that was attributed to you when you created your webhook subscription. If you app [verifies webhook signatures](https://documentation.hook0.com/docs/verifying-webhook-signatures) before processing them, no one can forge fake webhooks anymore. ### Replay attacks [](https://documentation.hook0.com/docs/consuming-webhooks#replay-attacks) **Problem:** Even if you verify incoming webhooks, one could resend the exact same requests multiple times. This could generate functional issues or simply put a lot of useless load on you systems (denial of service). **Solution part 1:** The best solution to this is to ensure that the way you handle webhooks is **idempotent**. This means that receiving multiple times the same webhook will end up having the same result as receiving it once. For example, you could use a database to write down the event ID (provided by Hook0 in the `X-Event-Id` header) and only process requests that contain an event ID that is not in the database. **Solution part 2:** Hook0 includes a timestamp in the signature header, and the signature itself is computed from both the timestamp and the payload (so that the timestamp cannot be altered). Your app should check that this timestamp is not too old (allowing up to 5 minutes is a good idea). This way, you do not have to worry about anyone replaying old webhooks, which means you do not have to retain event IDs more that 5 minutes while enforcing idempotence. Updated 8 months ago * * * * [Verifying Webhook Signatures](https://documentation.hook0.com/docs/verifying-webhook-signatures) --- # IP Whitelisting > 👍 > > TL;DR > > > ----------- > > * We can ensure your webhooks are sent from a static IP (for you to whitelist) as an extra option of our Pro Plan. > * We advice you to implement proper [webhook's signature verification](https://documentation.hook0.com/docs/verifying-webhook-signatures) > anyway. This is the best way to authenticate webhooks and it combines well with IP whitelisting. The tradeoffs of IP Whitelisting for Outbound Webhooks [](https://documentation.hook0.com/docs/ip-whitelisting#the-tradeoffs-of-ip-whitelisting-for-outbound-webhooks) -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Understanding Outbound Webhooks [](https://documentation.hook0.com/docs/ip-whitelisting#understanding-outbound-webhooks) Webhooks are automated messages sent from one application (Hook0) to another when a certain event happens. They are HTTP callbacks that provide real-time information, making them a crucial part of many modern applications. As explained more deeply in [Consuming Webhooks](https://documentation.hook0.com/docs/consuming-webhooks) , your target application should be able to differentiate genuine webhooks from forged webhooks and reject the latter. ### Understanding IP Whitelisting [](https://documentation.hook0.com/docs/ip-whitelisting#understanding-ip-whitelisting) IP whitelisting is a security measure where you specify a list of trusted IP addresses or IP ranges that can access your service. When it comes to webhooks, IP whitelisting allows you to specify the IP addresses that can send webhooks to your application (and reject the others). ### Benefits of IP Whitelisting [](https://documentation.hook0.com/docs/ip-whitelisting#benefits-of-ip-whitelisting) * **Enhanced Security:** IP whitelisting adds an additional layer of security by ensuring that only trusted sources can send webhooks to your application. * **Simplicity:** Because this "authentication" happens at the network level, it does not add complexity your application's code. ### Limitations of IP Whitelisting [](https://documentation.hook0.com/docs/ip-whitelisting#limitations-of-ip-whitelisting) Despite its benefits, IP whitelisting should not be the sole method of authentication due to the following limitations: * **Shared IPs:** Depending on our/your cloud provider, you could be sharing your IP address with other users of said cloud provider. This can potentially lead to security issues if those users send malicious requests. * **IP Address Reuse:** There's a possibility that you might accidentally release your IP address back to the cloud provider, which can then be used to send malicious requests. * **Inter-Customer Interference:** If different Hook0 customers are using the same set of IP addresses, one customer could send whitelisted webhooks to another customer's target application. * **IP Spoofing:** in some cases, source IP addresses can be spoofed at the network-level, which could allow untrusted sources to by-pass whitelisting. * **Webhook Alteration:** IP whitelisting does not prevent the contents of webhooks for being modified in a MITM attack scenario. How Hook0 Implements IP Whitelisting [](https://documentation.hook0.com/docs/ip-whitelisting#how-hook0-implements-ip-whitelisting) -------------------------------------------------------------------------------------------------------------------------------------- By default, Hook0 does **not** send webhooks using a custom IP address. Webhooks are sent from multiple IPs which can vary from one webhook to another. If you need the webhooks of your organization to be sent from a static IP, this is something we can provide as an extra option of our Pro Plan. [Contact support](https://documentation.hook0.com/cdn-cgi/l/email-protection#7704020707180503371f18181c475914181a) to ask for this feature or if you have any question! For the record, here is a list of static IP addresses we may be using: * `51.15.106.174` * `151.115.75.197` _Note that our support will tell you which one(s) will be attached to your organization upon enabling the option._ Updated 7 months ago * * * --- # Verifying Webhook Signatures For the reasons explained in [Consuming Webhooks](https://documentation.hook0.com/docs/consuming-webhooks) , Hook0 includes a signature with each sent webhook. This signature is a cryptographically secure hash of the payload, created using a secret key that only you and Hook0 know (it is associated with the subscription that sends the webhook). By comparing the signature included in the webhook with the one you compute yourself when receiving it, you can verify the authenticity of the webhook. How It Works [](https://documentation.hook0.com/docs/verifying-webhook-signatures#how-it-works) --------------------------------------------------------------------------------------------------- 1. When we send a webhook, we generate a signature. This signature is computed by taking a hash (HMAC-SHA-256 in our case) of the event payload (and a few metadata), using a secret key that only you and Hook0 know. 2. This signature is included in a `X-Hook0-Signature` header of the webhook. 3. When you receive a webhook, before processing it, you should compute the signature on your side. To do this, see the next section. 4. Then, you compare the signature you computed with the signature included with the webhook. If they match, you can be sure that the webhook is authentic and was sent by Hook0. If they don't match, you should reject the event. 5. Now that your have established that the webhook you received was sent by Hook0 and was not altered, you should also compare the timestamp included in the `X-Hook0-Signature` header with the current timestamp and reject the webhook if it is too old. This helps mitigate replay attacks. A tolerance of 5 minutes is a good default value. > 📘 > > Our SDKs can verify incoming webhooks for you! > > > ---------------------------------------------------- > > You can use [one of our SDKs](https://documentation.hook0.com/docs/sdk) > to verify the signature of incoming webhooks so you don't have to implement the whole verification algorithm yourself. Verifying Webhook Signatures v1 (recommended) [](https://documentation.hook0.com/docs/verifying-webhook-signatures#verifying-webhook-signatures-v1-recommended) ------------------------------------------------------------------------------------------------------------------------------------------------------------------- Here are the steps to verify webhook signatures: ### Step 1: Extract the timestamp and signature from the header [](https://documentation.hook0.com/docs/verifying-webhook-signatures#step-1-extract-the-timestamp-and-signature-from-the-header) First, split the `X-Hook0-Signature` header value using the `,` character as the separator to get a list of elements. Then split each element using the `=` character as the separator to get a key-value pair. The `t` field corresponds to the timestamp, the `h` field to the list of headers included in the signature and the `v1` field corresponds to the signature. You can ignore all other elements. ### Step 2: Prepare the `signed_payload` string [](https://documentation.hook0.com/docs/verifying-webhook-signatures#step-2-prepare-the-signed_payload-string) Prepare a `header_values` string by: * Splitting the `h` field using the (space) character * Replacing each header name by its value, taken from the incoming HTTP request * Joining them (in the same order) using a `.` character as separator Then, the `signed_payload` string is created by concatenating the following: * The timestamp (as a string) * The character `.` * The content of the `h` field * The character `.` * `header_values` * The character `.` * The actual payload (that is, the request body) ### Step 3: Determine the expected signature [](https://documentation.hook0.com/docs/verifying-webhook-signatures#step-3-determine-the-expected-signature) Compute a HMAC-SHA-256 signature. Use the subscription’s signing secret as the key (you can get it from Hook's API or UI), and the `signed_payload` string as the message. ### Step 4: Compare the signatures [](https://documentation.hook0.com/docs/verifying-webhook-signatures#step-4-compare-the-signatures) Compare the signature provided in the `v1` field of the header to the `signed_payload` string. If the signatures match, compute the difference between the current timestamp and the received timestamp (`t` field). Decide if this difference falls within your acceptable limits. To safeguard against timing attacks, use a constant-time string comparison to compare the computed and expected signatures. Limitations and Considerations [](https://documentation.hook0.com/docs/verifying-webhook-signatures#limitations-and-considerations) --------------------------------------------------------------------------------------------------------------------------------------- * The security of this method hinges on the secrecy of the secret key. If a malicious actor gains access to your secret key, they could create valid signatures and send fake events that would pass verification. * Supplement with other security measures: * use HTTPS for your subscription's target URL to secure data transmission * if you can, avoid transmitting personal or sensible information in the webhook's payload > 🚧 > > About v0 and v1 signatures > > > -------------------------------- > > We recently introduced v1 signatures in order to increase security (basically, include some other header values such as `X-Event-Id` and `X-Event-Type` in the signature). As such, `h` and `v1` fields were introduced in the value of the `X-Hook0-Signature` header. v0 signatures are still provided in that same header to ensure compatibility: > > * old verification code will find `t` and `v0` fields and ignore new fields; verification will continue to work > * new verification code will find `t`, `h` and `v1` fields and perform a better verification process while the `v0` is ignored > > We advice users to switch to the v1 signature verification process as it is more secure and more future-proof. Verifying Webhook Signatures v0 (deprecated) [](https://documentation.hook0.com/docs/verifying-webhook-signatures#verifying-webhook-signatures-v0-deprecated) ----------------------------------------------------------------------------------------------------------------------------------------------------------------- Here are the steps to verify webhook signatures: ### Step 1: Extract the timestamp and signature from the header [](https://documentation.hook0.com/docs/verifying-webhook-signatures#step-1-extract-the-timestamp-and-signature-from-the-header-1) First, split the `X-Hook0-Signature` header value using the `,` character as the separator to get a list of elements. Then split each element using the `=` character as the separator to get a key-value pair. The `t` field corresponds to the timestamp and the `v0` field corresponds to the signature. You can ignore all other elements. ### Step 2: Prepare the `signed_payload` string [](https://documentation.hook0.com/docs/verifying-webhook-signatures#step-2-prepare-the-signed_payload-string-1) The `signed_payload` string is created by concatenating the following: * The timestamp (as a string) * The character `.` * The actual payload (that is, the request body) ### Step 3: Determine the expected signature [](https://documentation.hook0.com/docs/verifying-webhook-signatures#step-3-determine-the-expected-signature-1) Compute a HMAC-SHA-256 signature. Use the subscription’s signing secret as the key (you can get it from Hook's API or UI), and the `signed_payload` string as the message. ### Step 4: Compare the signatures [](https://documentation.hook0.com/docs/verifying-webhook-signatures#step-4-compare-the-signatures-1) Compare the signature provided in the `v0` field of the header to the `signed_payload` string. If the signatures match, compute the difference between the current timestamp and the received timestamp (`t` field). Decide if this difference falls within your acceptable limits. To safeguard against timing attacks, use a constant-time string comparison to compare the computed and expected signatures. Updated 7 months ago * * * --- # Access control policy Summary [](https://documentation.hook0.com/docs/access-control-policy#summary) ---------------------------------------------------------------------------------- The access control policy defines rules and principles upon which access rights and restrictions are configured. The policy is applicable to all internal and external personnel. Principles [](https://documentation.hook0.com/docs/access-control-policy#principles) ---------------------------------------------------------------------------------------- * Access is granted based upon the need-to-know/need-to-use principle. * Based on the person's role, access to information/assets is granted. * Access is granted/revoked upon management request. The user can request access himself, but then the request has to be approved by his/her manager first. * As part of the HR on boarding process and HR off boarding process, access rights will be granted/revoked as well. * Logical access lists should be reviewed by the system owner as defined in the Systems and (cloud) services overview, the frequency depends on the classification of the information: * Sensitive or Confidential: 3 months * Internal: 6 months * Public: 12 months * 2FA (Two Factor Authentication) must be used for systems holding Sensitive information Requirements for user ID's [](https://documentation.hook0.com/docs/access-control-policy#requirements-for-user-ids) ======================================================================================================================= * User names are created by concatenating the user's first and last name, separated by a period, all in lower case (e.g. maurice.pasman) * User names may not be shared or reused for systems holding Confidential or Sensitive information Requirements for password systems [](https://documentation.hook0.com/docs/access-control-policy#requirements-for-password-systems) -------------------------------------------------------------------------------------------------------------------------------------- * If the password was manually set by an administrator/system owner, the user must be required to change the password at first login * The user should be enforced to use quality passwords (as per Password policy) * The reuse of the last three passwords should be prevented * The passwords should be stored in a secure way (encrypted/hashed and separated from other data) Login information should be transmitted encrypted (using TLS) Updated about 2 years ago * * * --- # Code of conduct Summary [](https://documentation.hook0.com/docs/code-of-conduct#summary) ---------------------------------------------------------------------------- The code of conduct describes a set of information security principles, applicable to all employees, internal and external. Principles [](https://documentation.hook0.com/docs/code-of-conduct#principles) ---------------------------------------------------------------------------------- ### Remote working [](https://documentation.hook0.com/docs/code-of-conduct#remote-working) * You are not allowed to leave the laptop unattended in car or hotel unless properly secured, e.g. using a cable lock * Be aware of people peeking over your shoulder. If this cannot be avoided, use a privacy screen * Avoid the use of public Wi-Fi networks. If you must, use a VPN client ### Protection [](https://documentation.hook0.com/docs/code-of-conduct#protection) For mobile devices that are used to store or process information classified as Confidential or Sensitive: * Full disk encryption (BitLocker, FileVault or Veracrypt) must be enabled * The device must be protected using a password, pin code and/or bio metrics * Only authorized repair shops may be used * Unlock codes or passwords may not be shared * Remote device wipe is enabled ### Usage of own devices [](https://documentation.hook0.com/docs/code-of-conduct#usage-of-own-devices) It is allowed to use own mobile devices ("BYOD") for work-related tasks (e.g. accessing email) only if they submit to the terms in this policy. ### Reporting incidents [](https://documentation.hook0.com/docs/code-of-conduct#reporting-incidents) You have the responsibility to report a (suspected) information security incident as soon as possible to the Incident manager, following the Incident management process. Examples of information security incidents include: * Loss of a (mobile) device or data carrier; * Malfunctioning security measure (such as a lock or alarm); * Malfunctioning hardware or software; * Data leak or breach of confidentiality; * Breach of Policies or guidelines; * Access violations ### Clean desk and clear screen policy [](https://documentation.hook0.com/docs/code-of-conduct#clean-desk-and-clear-screen-policy) * Do not leave Confidential or Sensitive information unsupervised; * Always lock your session (or log off) when you leave your desk; * When printing Confidential or Sensitive information, immediately pick them up from the printer. ### The use of Internet and social media [](https://documentation.hook0.com/docs/code-of-conduct#the-use-of-internet-and-social-media) * You are free to use Internet for private matters during work time, within reasonable limits and as long as it does not violate any laws or company policies; * You are allowed to use social media, as long as you realize you are speaking on behalf of our organization; * You are not allowed to use file sharing tools to share confidential or sensitive information. ### The use of software and tools [](https://documentation.hook0.com/docs/code-of-conduct#the-use-of-software-and-tools) * The use/abuse of tools that are able to override security controls is prohibited; * For all software (components) and media files (image, audio and video clips) you download, you must check the copyright/license agreement to make sure: * Are you allowed to use it? * Are you allowed to redistribute it? * Always use trustworthy sources for downloads; * When in doubt, contact the Security officer. Updated about 2 years ago * * * * [Information security policy](https://documentation.hook0.com/docs/information-security-policy) --- # Backup policy Summary [](https://documentation.hook0.com/docs/backup-policy#summary) -------------------------------------------------------------------------- The backup policy defines rules and principles on how backups are configured. The system administrator is responsible for implementing the policy. Principles [](https://documentation.hook0.com/docs/backup-policy#principles) -------------------------------------------------------------------------------- Hook0 backup strategy is based on the 7 principles: * Coverage: all data is recorded * Frequency: backup are run each day * Separation: backups are stored in multi-region distributed system (S3-like) on CleverCloud fr-par (European Cloud Provider Company) * History: each backup is persisted for 30 days * Testing: backup are automatically and manually tested * Security: backup are encrypted * Integrity : backup integrity is ensured (e.g. an attacker can't change its content) Each backup has: * A name describing data contents * A date of the data backup * Storage location Data restoration using data backups is tested every month to ensure that complete data restoration on a system separated from the test network (to avoid exposition of production data) is possible to ensure whether: * Data restoration is possible * Hook0 Internal Data backup procedure is practicable * Hook0 Data backup procedures are documented properly * Time required for data restoration meets the availability requirements Backup and recovery documentation is reviewed and updated regularly to account for new technology, business changes, and migration of applications to alternative platforms. Updated about 2 years ago * * * * [Information security policy](https://documentation.hook0.com/docs/information-security-policy) --- # Cryptography policy Summary [](https://documentation.hook0.com/docs/cryptography-policy#summary) -------------------------------------------------------------------------------- This defines when, where and how cryptography is used in our organization, and how key management is done. Technical staff is responsible for implementing the policy. Principles [](https://documentation.hook0.com/docs/cryptography-policy#principles) -------------------------------------------------------------------------------------- Following the Information classification policy, encryption must be used to protect information classified as Confidential or Sensitive, at rest or in motion. ### Requirements for certificates [](https://documentation.hook0.com/docs/cryptography-policy#requirements-for-certificates) * The maximum duration for all certificates (signing, SSL/TLS) is 1 year * The use of wildcard certificates is not allowed * All certificates should have a key length of at least 2048 bits * Certificates should be configured to be automatically renewed ### Requirements for keys [](https://documentation.hook0.com/docs/cryptography-policy#requirements-for-keys) * Encryption keys (e.g. for encryption of backups or workstations) should be stored centrally ### Requirements for web services [](https://documentation.hook0.com/docs/cryptography-policy#requirements-for-web-services) * All public facing web sites are scanned each quarter using ssllabs.com, a score of "A" is considered minimum ### Requirements for email [](https://documentation.hook0.com/docs/cryptography-policy#requirements-for-email) * All email domains are scanned each quarter using mxtoolbox.com or internet.nl, critical problems must be resolved Updated about 2 years ago * * * --- # Change Management Process Hook0 has a formal change management process for systems that process and store customer information. This process is designed to ensure that all changes to these systems are carefully planned, tested, and documented, in order to minimize the risk of disruption or data compromise. Process [](https://documentation.hook0.com/docs/change-management-process#process) -------------------------------------------------------------------------------------- The change management process includes the following steps: 1. **Change Request (Pull Request):** Any change to a system that processes or stores customer information must be submitted by a Pull Request (PR). The PR must include the following information: * **Reason for change**: The purpose of the change. * **Scope of change**: The impact of the change on the system. * **Steps to implement the change**: The steps that will be taken to implement the change. * **Risks associated with the change**: The potential risks of the change. * **Risk mitigation measures**: The measures that will be taken to mitigate the risks of the change. 2. **Change Evaluation:** The PR is evaluated by a Change Manager who ensures that the change is necessary, feasible, and safe. The Change Manager may request additional information or changes to the PR before approving the change. 3. **Change Implementation:** Once the change has been approved, it is implemented by a member of the development team. The development team member must follow the steps outlined in the PR and test the change to ensure that it works properly. 4. **Change Validation:** Once the change has been implemented, it is validated by a system user. The system user must test the change to ensure that it works as expected and does not pose any security risks. 5. **Change Documentation:** Once the change has been validated, it is documented in the configuration repository. The configuration repository contains information about all changes made to systems that process or store customer information. This information is used to monitor systems, identify problems, and plan future changes. Security considerations [](https://documentation.hook0.com/docs/change-management-process#security-considerations) ---------------------------------------------------------------------------------------------------------------------- Hook0's change management process is designed to incorporate security best practices into the change process. These best practices include: * **Requiring a business justification for all changes**: All changes must have a business justification that outlines the purpose of the change and the benefits that it will provide. This helps to ensure that changes are not made without a clear understanding of the need for the change. * **Performing a risk assessment for all changes**: A risk assessment is performed for all changes to identify the potential risks associated with the change. This helps to ensure that changes are not made that could introduce new security risks. * **Implementing risk mitigation measures**: Risk mitigation measures are implemented for all changes to reduce the likelihood and impact of any risks that are identified. This helps to ensure that changes are made in a safe and secure manner. Benefits [](https://documentation.hook0.com/docs/change-management-process#benefits) ---------------------------------------------------------------------------------------- A formal change management process provides a number of benefits, including: * Reduced risk of disruption or data compromise * Increased confidence in the security of systems and data * Improved system and data availability * Increased efficiency of change management Updated about 2 years ago * * * * [Information security policy](https://documentation.hook0.com/docs/information-security-policy) --- # SDK Hook0 provides SDKs to help developers integrate webhook functionality into their applications easily. Our SDKs simplify event management, webhook handling, and signature verification, allowing for seamless integration with Hook0. Available SDKs [](https://documentation.hook0.com/docs/sdk#available-sdks) ------------------------------------------------------------------------------ * **Rust SDK**: A fully featured Rust SDK for managing webhooks and events. [Read the documentation](https://documentation.hook0.com/docs/sdk-rust) * **Typescript SDK**: A fully featured Typescript SDK for managing webhooks and events. [Read the documentation](https://documentation.hook0.com/docs/sdk-typescript) More SDKs may be added in the future to support additional languages and development environments. Contribute [](https://documentation.hook0.com/docs/sdk#contribute) ---------------------------------------------------------------------- We welcome contributions! If you want to create an SDK for another language or propose new features, we’d love to hear from you. Feel free to submit a pull request or contact us at [\[email protected\]](https://documentation.hook0.com/cdn-cgi/l/email-protection#added8ddddc2dfd9edc5c2c2c69d83cec2c0) . Updated 9 months ago * * * --- # Secure engineering policy Summary [](https://documentation.hook0.com/docs/secure-engineering-policy#summary) -------------------------------------------------------------------------------------- The secure engineering policy defines rules and principles applied in design and engineering of systems, networks and infrastructure. The policy applies to all network engineers, internal and external. Principles [](https://documentation.hook0.com/docs/secure-engineering-policy#principles) -------------------------------------------------------------------------------------------- * Network architecture and designs should always be peer reviewed * The four eyes-principle should be applied when medium and high impact network changes take place * Engineers should stay up-to-date of vulnerabilities in used networking technology (firewalls, routers, ...) * Engineers should not have access to Sensitive data * Software versions that no longer have security patches released are prohibited Updated about 2 years ago * * * * [Information security policy](https://documentation.hook0.com/docs/information-security-policy) --- # Testing policy Summary [](https://documentation.hook0.com/docs/testing-policy#summary) --------------------------------------------------------------------------- The testing policy describes rules and principles on how testing is applied in our organization. The policy applies to all developers, internal and external, and outsourced development. Principles [](https://documentation.hook0.com/docs/testing-policy#principles) --------------------------------------------------------------------------------- * The definition of done contains a test plan/script * Regression test should be done after each change or update * There will be no testing with production data: * Test data on local laptops and in Test environment is created by developers using fake data * Test data on Acceptance is produced by anonymizing the data from Production (replacing all confidential and personally identifiable information by random values) Updated about 2 years ago * * * * [Information security policy](https://documentation.hook0.com/docs/information-security-policy) --- # Supplier policy Summary [](https://documentation.hook0.com/docs/supplier-policy#summary) ---------------------------------------------------------------------------- This policy describes rules and principles on how we manage supplier relationships in our organization. The service manager and office manager are responsible to implement the policy. Principles [](https://documentation.hook0.com/docs/supplier-policy#principles) ---------------------------------------------------------------------------------- * The contract should contain our requirements for information security * Access to data and conditions * Service level agreement * Compliance to relevant Policies * KPIs should be added to Suppliers * If the supplier will process PII (personally identifiable information) on our behalf: * A data processing agreement (DPA) must be signed * The data should be located within the EU * There should have a privacy policy in which they adhere to GDPR * Suppliers should be assessed periodically, taking into account * Performance (are we happy with them?) * KPI performance (are they living up to the expectations?) * Recent incidents (where they a party in a recent information security incident?) Updated about 2 years ago * * * * [Information security policy](https://documentation.hook0.com/docs/information-security-policy) --- # Secure development policy Alias: Application Security Policy Summary [](https://documentation.hook0.com/docs/secure-development-policy#summary) -------------------------------------------------------------------------------------- The secure development policy defines rules and principles applied in software development. The policy applies to all developers, internal and external. Secure development practices will be established, implemented, and documented for all applications developed or purchased to include appropriate security controls to prevent unauthorized access or modification of the system or information coded or stored. Principles [](https://documentation.hook0.com/docs/secure-development-policy#principles) -------------------------------------------------------------------------------------------- ### Source control [](https://documentation.hook0.com/docs/secure-development-policy#source-control) * All source code is stored in a code repository * All checked in source code must compile without warnings * Code should be reviewed by a peer before it can be committed to Acceptance ### Development [](https://documentation.hook0.com/docs/secure-development-policy#development) * Developing a test plan/script is part of all user stories * Privacy and security are part of any design * Developers should be aware of common threats and vulnerabilities (through initiatives as [https://www.owasp.org/index.php/Main\_Page](https://www.owasp.org/index.php/Main_Page) ) ### Libraries and frameworks [](https://documentation.hook0.com/docs/secure-development-policy#libraries-and-frameworks) The use of libraries and frameworks is encouraged, but * The versions should be periodically assessed for vulnerabilities * Use the library or framework as-is, refrain from making changes (this makes updating a lot more complicated, and it may pose licensing problems) Updated about 2 years ago * * * --- # Privacy policy Principles [](https://documentation.hook0.com/docs/privacy-policy#principles) --------------------------------------------------------------------------------- * We acknowledge the importance of information security and the protection of privacy; * We adhere to the principles of _privacy by design_ and _privacy by default_; * To demonstrate compliance to the latest regulations, such as GDPR, we have implemented ISO 27001 and set up an information security management system (ISMS); * A risk assessment has shown how your data is being used in our processes; * We have implemented measures to ensure adequate protection of data, both in transit and at rest; * Processes have been adjusted to make sure data is never stored longer than necessary to perform our services; Updated about 2 years ago * * * --- # Physical security policy Summary [](https://documentation.hook0.com/docs/physical-security-policy#summary) ------------------------------------------------------------------------------------- The physical security policy defines rules and principles on the protection of information in (semi) public spaces. The office manager is responsible for implementing this policy. Principles [](https://documentation.hook0.com/docs/physical-security-policy#principles) ------------------------------------------------------------------------------------------- ### Physical protection [](https://documentation.hook0.com/docs/physical-security-policy#physical-protection) * Fire alarm and extinguishers should be checked at regular intervals * Their access should not be blocked In case a (home) office contains digital or printed information classified as Confidential or Sensitive: * Hard copies (such as contracts, HR files or customer records) must be stored in a cabinet; this cabinet should be locked when unsupervised * Office locks should be controlled (e.g. with numbered keys, cards or fobs, of which an inventory is kept under Assets) * Electronic access rights should be checked periodically * Alarm codes must not be shared with other tenants * In case alarm codes are shared internally, they should be changed at regular intervals, at least as part of the HR off boarding process * Visitors should not be left unattended ### Server rooms [](https://documentation.hook0.com/docs/physical-security-policy#server-rooms) * Server rooms should only be accessible to authorized personnel * HVAC equipment (heating, ventilation and airconditioning) should be regularly maintained ### Network protection [](https://documentation.hook0.com/docs/physical-security-policy#network-protection) * In case the internet connection is shared with other tenants, or when patch panels, switches or routes are accessible from outside the office, the office network is considered insecure and a VPN must be used * UTP cables should be shielded from power cables to prevent interference Updated about 2 years ago * * * * [Code of conduct](https://documentation.hook0.com/docs/code-of-conduct) --- # Responsible disclosure policy Alias: Vulnerability and threat management scan policy Principles [](https://documentation.hook0.com/docs/responsible-disclosure-policy#principles) ------------------------------------------------------------------------------------------------ We consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems. Please do the following: * E-mail your findings to [\[email protected\]](https://documentation.hook0.com/cdn-cgi/l/email-protection#b4c7d1d7c1c6ddc0cdf4dcdbdbdf849ad7dbd9) Encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands; * Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data; * Do not reveal the problem to others until it has been resolved; * Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties; and Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation. What we promise: * We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date; * If you have followed the instructions above, we will not take any legal action against you in regard to the report; * We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission; * We will keep you informed of the progress towards resolving the problem; * In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise) We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved. [Source](https://www.responsibledisclosure.nl/en/) Updated about 2 years ago * * * * [Information security policy](https://documentation.hook0.com/docs/information-security-policy) --- # Mobile device policy Summary [](https://documentation.hook0.com/docs/mobile-device-policy#summary) --------------------------------------------------------------------------------- The mobile device policy defines rules and principles for the use of mobile devices, such as laptops, tablets and mobile phones. The policy is applicable to all internal and external personnel. Principles [](https://documentation.hook0.com/docs/mobile-device-policy#principles) --------------------------------------------------------------------------------------- ### Remote working [](https://documentation.hook0.com/docs/mobile-device-policy#remote-working) * You are not allowed to leave the laptop unattended in car or hotel unless properly secured, e.g. using a cable lock * Be aware of people peeking over your shoulder. If this cannot be avoided, use a privacy screen * Avoid the use of public Wi-Fi networks. If you must, use a VPN client ### Protection [](https://documentation.hook0.com/docs/mobile-device-policy#protection) For mobile devices that are used to store or process information classified as Confidential or Sensitive: * Full disk encryption (BitLocker, FileVault or Veracrypt) must be enabled * The device must be protected using a password, pin code and/or bio metrics * Only authorized repair shops may be used * Unlock codes or passwords may not be shared Remote device wipe is enabled ### Usage of own devices [](https://documentation.hook0.com/docs/mobile-device-policy#usage-of-own-devices) It is allowed to use own mobile devices ("BYOD") for work-related tasks (e.g. accessing email) only if they submit to the terms in this policy. Updated about 2 years ago * * * * [Information security policy](https://documentation.hook0.com/docs/information-security-policy) * [Cryptography policy](https://documentation.hook0.com/docs/cryptography-policy) --- # Penetration testing policy Summary [](https://documentation.hook0.com/docs/penetration-testing-policy#summary) --------------------------------------------------------------------------------------- The penetration testing policy describes rules and principles on how vulnerability testing is applied in our organization. Principles [](https://documentation.hook0.com/docs/penetration-testing-policy#principles) --------------------------------------------------------------------------------------------- * Penetration tests should occur once per year, or after a major change to the architecture/infrastructure * We are open to any customer initiated penetration test, providing * It is announced and dates are agreed upon * We receive an integral copy of the test report * In case we initiate the penetration test, the tester should meet the competence requirements as defined on Security tester * We have published a Responsible disclosure policy on our website Scoring [](https://documentation.hook0.com/docs/penetration-testing-policy#scoring) --------------------------------------------------------------------------------------- * Vulnerabilities should be scored according to the Common Vulnerability Scoring System (CVSS), version 2 or 3 * Exceptions to the CVSS score (e.g. related to impact calculation) should be agreed upon with the penetration tester involved * If arbitration is needed, a second opinion can be obtained from another penetration testing company Treatment [](https://documentation.hook0.com/docs/penetration-testing-policy#treatment) ------------------------------------------------------------------------------------------- Vulnerabilities are treated based on the CVSS score, as follows: * **Severity: None**: CVSS2: - CVSS3: 0.0 Treatment: None * **Severity:Low**: CVSS2: 0.0-3.9 CVSS3: 0.1-3.9 Treatment: Added to the backlog for the next version * **Severity:Medium**: CVSS2: 4.0-6.9 CVSS3: 4.0-6.9 Treatment: Following the Incident management process, should be fixed within 1 month * **Severity:High**: CVSS2: 7.0-10.0 CVSS3: 7.0-8.9 Treatment: Following the Incident management process, should be fixed within 1 week * **Severity:Critical**: CVSS2: - CVSS3: 9.0-10 Treatment: Following the Incident management process, should be fixed immediately Updated about 2 years ago * * * * [Information security policy](https://documentation.hook0.com/docs/information-security-policy) * [Secure development policy](https://documentation.hook0.com/docs/secure-development-policy) * [Secure engineering policy](https://documentation.hook0.com/docs/secure-engineering-policy) --- # Logging policy Summary [](https://documentation.hook0.com/docs/logging-policy#summary) --------------------------------------------------------------------------- The logging policy defines requirements for logging and monitoring. The policy is applicable to all internal Systems and (cloud) services. Principles [](https://documentation.hook0.com/docs/logging-policy#principles) --------------------------------------------------------------------------------- ### Logging [](https://documentation.hook0.com/docs/logging-policy#logging) * Recording (special) PII in log files should be avoided * Access to special PII should be logged * Log files should be protected from deletion or modification * All logging systems should be synchronized with the same NTP source * Log files are kept at least 30 days ### Monitoring [](https://documentation.hook0.com/docs/logging-policy#monitoring) Usage logs of access to special PII should be monitored by the respective system owner Updated about 2 years ago * * * * [Information security policy](https://documentation.hook0.com/docs/information-security-policy) * [Access control policy](https://documentation.hook0.com/docs/access-control-policy) --- # Password policy Summary [](https://documentation.hook0.com/docs/password-policy#summary) ---------------------------------------------------------------------------- The password policy defines requirements for passwords. The policy is applicable to all internal and external personnel and Systems and (cloud) services holding information classified as Confidential or Sensitive. Principles [](https://documentation.hook0.com/docs/password-policy#principles) ---------------------------------------------------------------------------------- * Passwords should be strong (at least 8 characters, usage of lowercase/uppercase/numbers/symbols) * Do not use the same password for more than one service or system * Change the password at least twice per year * Do not use variants of the old password (e.g. adding a number to the old password) * The use of **Bitwarden password manager is mandatory**. Updated about 2 years ago * * * * [Information security policy](https://documentation.hook0.com/docs/information-security-policy) * [Access control policy](https://documentation.hook0.com/docs/access-control-policy) --- # Information classification policy Summary [](https://documentation.hook0.com/docs/information-classification-policy#summary) ---------------------------------------------------------------------------------------------- The information treatment policy defines the information classification and sets out rules how information must be treated. The policy is applicable to all internal and external personnel. Principles [](https://documentation.hook0.com/docs/information-classification-policy#principles) ---------------------------------------------------------------------------------------------------- Our organization distinguishes the following levels of information classification: * **Public** * **Description**: Information of this kind can be freely distributed to anyone. * **Examples**: * Information on our public web site * Brochures and leaflets * **Treatment**: No special measures need to be taken to protect this information. * **Internal** * **Description**: Information of this kind is meant to be kept internally at Hook0, but no harm would be done if it would fall into wrong hands. This information can be shared with all Stakeholders when deemed necessary. * **Examples**: * Policies and Procedures * Assets * Statement of Applicability * **Treatment**: No special measures need to be taken to protect this information. * **Confidential** * **Description**: The loss of confidential information can pose a threat to the Hook0 organization. * **Examples**: * Personally Identifiable Information * Financial information * Audit reports * Risk assessment * Assurance statement * **Treatment**: * Information can only be shared or distributed with permission from the owner, and when an NDA is in place. * Transmission or storage should be encrypted. * **Sensitive** * **Description**: The loss of sensitive information can pose a threat to the persons involved. Theft or loss should be reported with the authorities. * **Examples**: Special categories of personal information, such as: * Racial or ethnic origin * Political opinions * Religious or philosophical beliefs * Trade union membership * Personal health data * Biometric data * Sex life or sexual orientation Updated about 2 years ago * * * * [Information security policy](https://documentation.hook0.com/docs/information-security-policy) * [Information retention policy](https://documentation.hook0.com/docs/information-retention-policy) * [Access control policy](https://documentation.hook0.com/docs/access-control-policy) * [Cryptography policy](https://documentation.hook0.com/docs/cryptography-policy) --- # Information retention policy Summary [](https://documentation.hook0.com/docs/information-retention-policy#summary) ----------------------------------------------------------------------------------------- The information retention policy defines the retention periods for all information in our organization. The policy is applicable to all internal and external personnel. Principles [](https://documentation.hook0.com/docs/information-retention-policy#principles) ----------------------------------------------------------------------------------------------- Refer to the table below for relevant retention periods and disposal instructions for all data types: ### Applicant data [](https://documentation.hook0.com/docs/information-retention-policy#applicant-data) * Retention period: 1 year after application, only if applicant agrees to be kept on file * Location: Digitally on file server * Disposal instructions: Delete ### Personnel records (review forms, ...) [](https://documentation.hook0.com/docs/information-retention-policy#personnel-records-review-forms-) * Retention period: 1 year after termination * Location: Digitally on file server * Disposal instructions: Delete ### Customer records [](https://documentation.hook0.com/docs/information-retention-policy#customer-records) * Retention period: 7 years after last transaction * Location: Digitally in CRM system * Disposal instructions: Delete ### Email [](https://documentation.hook0.com/docs/information-retention-policy#email) * Retention period: unlimited, unless it contains any of the data types above * Location: Digitally on mail server * Disposal instructions: Delete ### Source code [](https://documentation.hook0.com/docs/information-retention-policy#source-code) * Retention period: unlimited * Location: Digitally on file server(s) * Disposal instructions: Delete ### Financial records (invoices, tax, records) [](https://documentation.hook0.com/docs/information-retention-policy#financial-records-invoices-tax-records) * Retention period: 7 years * Location: Digitally on file server(s) and payment system * Disposal instructions: Delete Updated about 2 years ago * * * * [Information security policy](https://documentation.hook0.com/docs/information-security-policy) * [Cryptography policy](https://documentation.hook0.com/docs/cryptography-policy) --- # Amazon Web Services (AWS) (content coming soon...) Updated about 2 years ago * * * * [Docker-Compose](https://documentation.hook0.com/docs/docker-compose) --- # Svix vs Hook0 Why Use Hook0 Instead of Svix? [](https://documentation.hook0.com/docs/svix-vs-hook0#why-use-hook0-instead-of-svix) ======================================================================================================================= | | Svix | Hook0 | | --- | --- | --- | | SaaS | ✅ | ✅ | | Advanced Filtering (multi-tenant) | ⚠️ Basic filtering options | ✅ Robust filtering capabilities through labels | | Fully reversible | ❌ cannot fully self-host Svix (see below why) | ✅ you can leave us anytime (but will stay for our SLA!) | | Open-Source | ⚠️ Open-core (**most features are not available in open-source version**) | ✅ | | Self-funded | ❌ Svix raised $13M million | ✅ Fully self-funded, here to stay | Updated over 1 year ago * * * --- # Hostedhooks vs Hook0 Why Use Hook0 Instead of Hostedhooks? [](https://documentation.hook0.com/docs/hostedhooks-vs-hook0#why-use-hook0-instead-of-hostedhooks) ============================================================================================================================================ HostedHooks, is a proprietary platform for hosting webhooks that allows developers to deploy and manage webhooks in the cloud. | | Hostedhooks | Hook0 | | --- | --- | --- | | SaaS | ✅ | ✅ | | Fully reversible | ❌ cannot self-host Hostedhooks | ✅ you can leave us anytime (but will stay for our SLA!) | | Open-Source | ❌ proprietary | ✅ | Updated about 2 years ago * * * --- # Business Continuity and Disaster Recovery This Business Continuity and Disaster Recovery (BCDR) plan outlines the steps that Hook0 will take to resume critical business operations in the event of a disaster. The document includes procedures for identifying, preventing, and mitigating risks; recovering from disruptions; and restoring normal operations. Since Hook0 is mainly hosted on CleverCloud some steps are directly related to CleverCloud own Disaster Recovery and Business Continuity plan. Scope [](https://documentation.hook0.com/docs/business-continuity-and-disaster-recovery#scope) -------------------------------------------------------------------------------------------------- This BCDR applies to all Hook0 employees and contractors. It covers all aspects of Hook0's business, including information technology, facilities, and operations. Risks [](https://documentation.hook0.com/docs/business-continuity-and-disaster-recovery#risks) -------------------------------------------------------------------------------------------------- Hook0 faces a number of risks that could disrupt its business operations. These risks include: 1. **Natural disasters** (earthquakes, floods, fires) 2. **Cyber-attacks** 3. **Data corruption or loss** 4. **Infrastructure failures** 5. **Human errors** Risk Mitigation [](https://documentation.hook0.com/docs/business-continuity-and-disaster-recovery#risk-mitigation) ---------------------------------------------------------------------------------------------------------------------- Hook0 has implemented a number of controls to mitigate the risks identified above. These controls include: 1. **Data backups**: Regular and encrypted backups with off-site storage from CleverCloud managed PostgreSQL database. 2. **Infrastructure redundancy**: Multiple server locations and cloud-based failover provided by CleverCloud PaaS. 3. **Regular security audits through Bug Bounties**: To identify and fix vulnerabilities. 4. **Employee training**: To reduce human errors and phishing risks. Response Strategy [](https://documentation.hook0.com/docs/business-continuity-and-disaster-recovery#response-strategy) -------------------------------------------------------------------------------------------------------------------------- 1. **Incident Identification**: Detect and classify the severity of the incident. 2. **Initial Communication**: Notify stakeholders and form a response team. 3. **Incident Isolation**: Prevent the incident from causing more damage. 4. **Service Restoration**: Restore critical services first. 1. Restore critical systems and data from CleverCloud's backups. 2. Relocate operations to an alternate site, if necessary, as determined by CleverCloud. 5. **Recovery**: Bring all systems back to normal. Restoration Procedures [](https://documentation.hook0.com/docs/business-continuity-and-disaster-recovery#restoration-procedures) ------------------------------------------------------------------------------------------------------------------------------------ Once Hook0 has restored critical systems and data, it will begin the process of restoring normal operations. This process will include: * Restoring employees to their workstations. * Restoring business processes. * Restoring customer relationships. Recovery Time Objectives (RTO) & Recovery Point Objectives (RPO) [](https://documentation.hook0.com/docs/business-continuity-and-disaster-recovery#recovery-time-objectives-rto--recovery-point-objectives-rpo) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Every customers has the default RTO and REPO | Service | RTO | RPO | | --- | --- | --- | | IT Infrastructure | 3 hours | N/A | | Customer Support | 2 hours | N/A | | Data Restoration | 1 hour | 1 day | For customers with dedicated custom subscription plans please look at your contract if you asked for lower RPO and RTO. Communication Plan [](https://documentation.hook0.com/docs/business-continuity-and-disaster-recovery#communication-plan) ---------------------------------------------------------------------------------------------------------------------------- * **Internal Communication**: Use internal chat tools and backup communication tools (e.g., cell phones). * **External Communication**: Update customers via the website, emails, and social media channels. Testing and Maintenance [](https://documentation.hook0.com/docs/business-continuity-and-disaster-recovery#testing-and-maintenance) -------------------------------------------------------------------------------------------------------------------------------------- Hook0 will test and maintain its BCDR on a regular basis to ensure that it is effective. Testing will include: * Simulation exercises conducted by CleverCloud * Tabletop exercises conducted by Hook0 Maintenance will include: * Reviewing and updating the plan * Training employees on the plan Conclusion [](https://documentation.hook0.com/docs/business-continuity-and-disaster-recovery#conclusion) ------------------------------------------------------------------------------------------------------------ This BCDR provides Hook0 with a roadmap for resuming critical business operations in the event of a disaster. By following the procedures outlined in this BCDR, Hook0 can minimize the impact of a disaster and ensure that it can continue to serve its customers. ### Additional Information [](https://documentation.hook0.com/docs/business-continuity-and-disaster-recovery#additional-information) #### CleverCloud BCDR [](https://documentation.hook0.com/docs/business-continuity-and-disaster-recovery#clevercloud-bcdr) CleverCloud has a comprehensive disaster recovery plan that is designed to ensure the continuity of service for its customers. The plan includes the following key elements: * Daily backups of all customer data * Multiple data centers in different geographic locations * The ability to rapidly restore services from backup * A team of experts dedicated to disaster recovery In the event of a disaster, CleverCloud will activate its disaster recovery plan and work to restore services as quickly as possible. Customers will be kept informed of the status of the recovery effort and will be provided with updates as they become available. For more information on CleverCloud's disaster recovery plan, please visit the [CleverCloud website](https://www.clever-cloud.com/fr/) . #### CleverCloud PostgreSQL Backup Policy [](https://documentation.hook0.com/docs/business-continuity-and-disaster-recovery#clevercloud-postgresql-backup-policy) CleverCloud automatically backs up all PostgreSQL databases on a daily basis. The backups are stored in multiple data centers in different geographic locations. In the event of a disaster, CleverCloud can restore a database from backup in a matter of minutes. For more information on CleverCloud's PostgreSQL backup policy, please visit the [https://www.clever-cloud.com/fr/CleverCloud website](https://www.clever-cloud.com/fr/) . Updated about 2 years ago * * * --- # Hookdeck vs Hook0 Why Use Hook0 Instead of Hookdeck? [](https://documentation.hook0.com/docs/hookdeck-vs-hook0#why-use-hook0-instead-of-hookdeck) =================================================================================================================================== | | HookDeck | Hook0 | | --- | --- | --- | | SaaS | ✅ | ✅ | | Fully reversible | ❌ cannot self-host HookDeck | ✅ you can leave us anytime (but will stay for our SLA!) | | Open-Source | ❌ | ✅ | | Self-funded | ❌ Hookdeck raised $2.65 million | ✅ Fully self-funded, here to stay | Updated about 2 years ago * * * --- # Kubernetes Hook0 Self-Hosting Guide on Kubernetes [](https://documentation.hook0.com/docs/kubernetes#hook0-self-hosting-guide-on-kubernetes) ===================================================================================================================================== This guide will help you self-host Hook0 on your Kubernetes cluster using the provided [deployments.yaml](https://gitlab.com/hook0/hook0/-/blob/master/self-hosting/kubernetes/README.md?ref_type=heads) file. Follow these steps to get your Hook0 instance up and running. Prerequisites [](https://documentation.hook0.com/docs/kubernetes#prerequisites) ----------------------------------------------------------------------------------- Before you begin, ensure you have the following prerequisites: * A Kubernetes cluster up and running. * `kubectl` command-line tool configured to interact with your Kubernetes cluster. * Persistent storage available for PostgreSQL and Mailpit. Deployment Overview [](https://documentation.hook0.com/docs/kubernetes#deployment-overview) ----------------------------------------------------------------------------------------------- The provided [deployments.yaml](https://gitlab.com/hook0/hook0/-/blob/master/self-hosting/kubernetes/README.md?ref_type=heads) file sets up the following components: * **API Service**: Exposes the Hook0 API. * **Frontend Service**: Hosts the Hook0 frontend. * **Mailpit Service**: Manages outgoing emails. * **PostgreSQL Service**: Database for storing Hook0 data. * **Output Worker**: Processes webhook calls for Hook0. Steps to Deploy [](https://documentation.hook0.com/docs/kubernetes#steps-to-deploy) --------------------------------------------------------------------------------------- ### 1\. Create the Namespace [](https://documentation.hook0.com/docs/kubernetes#1-create-the-namespace) First, create a dedicated `Hook0` namespace for Hook0 to keep everything organized. sh `kubectl apply -f deployments.yaml -l kind=Namespace` This command applies only the `Namespace` section of the `deployments.yaml`. ### 2\. Deploy the Services [](https://documentation.hook0.com/docs/kubernetes#2-deploy-the-services) Next, deploy all the services and deployments defined in the `deployments.yaml`. Bash `kubectl apply -f deployments.yaml` This will create all the necessary services, deployments, and persistent volume claims for Hook0. ### 3\. Verify Deployments [](https://documentation.hook0.com/docs/kubernetes#3-verify-deployments) After applying the `deployments.yaml`, verify that all pods are running: Bash `kubectl get pods -n hook0` All pods should be in the `Running` state. If any pods are not running, use the following command to debug: Bash `kubectl describe pod -n hook0` ### 4\. Access the Hook0 Services [](https://documentation.hook0.com/docs/kubernetes#4-access-the-hook0-services) #### Frontend [](https://documentation.hook0.com/docs/kubernetes#frontend) * Access the frontend service using the following command to get the service details: Bash `kubectl get svc frontend -n hook0` * Use the external IP or NodePort displayed to access the frontend in your browser. #### API [](https://documentation.hook0.com/docs/kubernetes#api) * Similarly, to access the API service, use: Bash `kubectl get svc api -n hook0` ### 5\. Persistent Data Storage [](https://documentation.hook0.com/docs/kubernetes#5-persistent-data-storage) The PostgreSQL and Mailpit services require persistent data storage, which is managed through Persistent Volume Claims ( PVCs). Ensure that your cluster has sufficient storage for these claims. The provided `deployments.yaml` requests 100Mi of storage for each service. ### 6\. Customize Your Deployment (Optional) [](https://documentation.hook0.com/docs/kubernetes#6-customize-your-deployment-optional) You may want to adjust the environment variables in the `deployments.yaml` for your specific use case. For example, you can update the `DATABASE_URL`, `APP_URL`, or any other environment variable to fit your infrastructure. ### 7\. Troubleshooting [](https://documentation.hook0.com/docs/kubernetes#7-troubleshooting) * **Pods not starting**: Check if the images are available and correct. * **Persistent Volume issues**: Ensure your storage class supports the requested resources. * **Service access issues**: Confirm that your Kubernetes network configuration allows external access. Cleanup [](https://documentation.hook0.com/docs/kubernetes#cleanup) ----------------------------------------------------------------------- To delete the Hook0 deployment, run: Bash `kubectl delete namespace hook0` This command will remove all resources associated with Hook0 from your cluster. Conclusion [](https://documentation.hook0.com/docs/kubernetes#conclusion) ----------------------------------------------------------------------------- Following these steps, you should have a fully functional Hook0 instance running on your Kubernetes cluster. For further customization and scaling, refer to the Kubernetes and Hook0 documentation. If you encounter any issues or have questions, feel free to reach out to the Hook0 community or check the official documentation. Updated about 1 year ago * * * * [Docker Compose](https://documentation.hook0.com/docs/docker-compose) --- # Master API key When hosting your own instance, it is possible to setup a **master API key**. This is a special token that can be used to authenticate **almost any API call** instance-wide, unlike [JWTs and application secrets](https://documentation.hook0.com/docs/api-authentication) that are scoped respectively to an organization and to an application. > 📘 > > Events ingestion requires an application secret > > > ----------------------------------------------------- > > The only endpoint that **cannot** be used with the master API key is the [events ingestion endpoint](https://documentation.hook0.com/reference/eventsingest) > which only works with application secrets. > > You can of course use the master API to create everything including an application secret, and then use this application secret to send events. Enabling the master API key on your instance [](https://documentation.hook0.com/docs/master-api-key#enabling-the-master-api-key-on-your-instance) ----------------------------------------------------------------------------------------------------------------------------------------------------- By default, this feature is disabled. If you want to enable it, you need to define the `MASTER_API_KEY` environment variable with a UUID value when running Hook0's API. > 🚧 > -- > > Please note that the master API is basically a huge backdoor. Anyone that have access to it can have full control of your Hook0 instance, regardless of internal organizations/permissions. > > We provide this feature to help you setup your instance more easily in some scenarios. You should disable it as soon as it is not needed anymore by restarting Hook0's API with the `MASTER_API_KEY` environment variable unset. Using the master API key to authenticate API calls [](https://documentation.hook0.com/docs/master-api-key#using-the-master-api-key-to-authenticate-api-calls) ----------------------------------------------------------------------------------------------------------------------------------------------------------------- Like any other authentication method, the master API key must be included in HTTP requests using a header: HTTP Header `Authorization: Bearer [token]` Updated almost 2 years ago * * * --- # Support Contact our support team [](https://documentation.hook0.com/docs/support#contact-our-support-team) ------------------------------------------------------------------------------------------------------ Experiencing an issue with Hook0? Let us help you. > 📚 > > [Common Issues](https://documentation.hook0.com/docs/troubleshooting) > > > > ---------------------------------------------------------------------------- > > See the troubleshooting guide for how to address common issues. > 🐛 > > [Existing bugs](https://gitlab.com/hook0/hook0/-/issues/) > > > > ---------------------------------------------------------------- > > See existing public bug reports or create your own. > 😍 > > [Feature requests](https://gitlab.com/hook0/hook0/-/issues/new) > > > > ---------------------------------------------------------------------- > > File your feature request. > ⚪ > > [Hook0 status](https://status.hook0.com/) > > > > ----------------------------------------------- > > Check status of Hook0 services. You can also reach out to our community on non-official channels: * On Twitter, by tagging [@Hook0\_](https://twitter.com/hook0_) * On Stack Overflow, with the tag [hook0](https://stackoverflow.com/questions/tagged/hook0) * On Discord, in the [#help channel](https://www.hook0.com/community) Still need help? [](https://documentation.hook0.com/docs/support#still-need-help) ------------------------------------------------------------------------------------- Contact us via [email](https://documentation.hook0.com/cdn-cgi/l/email-protection#74070104041b0600341c1b1b1f445a171b19) . Updated about 2 years ago * * * * [Support options](https://documentation.hook0.com/docs/support-options) --- # Support options Immediate Assistance [](https://documentation.hook0.com/docs/support-options#immediate-assistance) ------------------------------------------------------------------------------------------------------ Hitting an issue with Hook0? We’re here and ready to help! Day or night, browse or search our [Knowledge Base](https://documentation.hook0.com/) to find the fastest answers. Enter a term or browse by topic—we most likely have an article for you. Email Support [](https://documentation.hook0.com/docs/support-options#email-support) ---------------------------------------------------------------------------------------- We offer [email support](https://documentation.hook0.com/docs/support) in English for all customers between 9am-6pm Central European Time (CET). Submit requests using your account’s email address. If you contact us from an email address that is not associated with your account, we may not be able to verify and identify your associated account and will only be able to share generalized information. If you don’t see any response from us, be sure to check your spam and junk folders. Priority Support [](https://documentation.hook0.com/docs/support-options#priority-support) ---------------------------------------------------------------------------------------------- > Priority support is included in all [Pro and Enterprise plans](https://www.hook0.com/?pricing.destination=cloud#pricing) > . We offer reduced time to first response based on issue severity. If you’re eligible for Priority Support, your support request needs to come from your account’s email address to route correctly. We using your account's email address and [send us an email](https://documentation.hook0.com/cdn-cgi/l/email-protection#87f4f2f7f7e8f5f3c7efe8e8ecb7a9e4e8ea) . | | Pro | Enterprise | | --- | --- | --- | | Available hours | 9am-6pm
Monday to Friday
Central European Time (CET) | [Contact sales](https://documentation.hook0.com/cdn-cgi/l/email-protection#daa9bbb6bfa99ab2b5b5b1eaf4b9b5b7)
for details | Initial response time [](https://documentation.hook0.com/docs/support-options#initial-response-time) -------------------------------------------------------------------------------------------------------- The following table shows our initial response time. | Severity | Pro | Enterprise | | --- | --- | --- | | **Sev 1
Critical** | 4 business hours | [Contact sales](https://documentation.hook0.com/cdn-cgi/l/email-protection#aeddcfc2cbddeec6c1c1c59e80cdc1c3)
for details | | **Sev 2
High** | 1 business day | [Contact sales](https://documentation.hook0.com/cdn-cgi/l/email-protection#047765686177446c6b6b6f342a676b69)
for details | | **Sev 3
Normal** | 2 business days | [Contact sales](https://documentation.hook0.com/cdn-cgi/l/email-protection#aeddcfc2cbddeec6c1c1c59e80cdc1c3)
for details | | **Sev 4
Low** | 2 business days | [Contact sales](https://documentation.hook0.com/cdn-cgi/l/email-protection#0675676a6375466e69696d362865696b)
for details | Severity Definitions [](https://documentation.hook0.com/docs/support-options#severity-definitions) ------------------------------------------------------------------------------------------------------ We know how important it is to resolve issues quickly, and that’s why we make all reasonable efforts to meet or exceed the stated response and resolution times for issues within our scope of support. We use the following definitions of severity. | Severity | Definition | Example | | --- | --- | --- | | **Sev 1
Critical** | Critical impact/complete outage
Majority of users are impacted
There is no workaround
Customer’s business is dramatically impacted | Hook0 is inaccessible for the entire company applications. | | **Sev 2
High** | Severe impact or downgrade of services
Majority of users are impacted
A workaround may be available, but performance is degraded | Large number of users can’t access Hook0 services. | | **Sev 3
Normal** | Restricted impact, most of the system is functioning properly
Something is not functioning as expected | An application, a subscription or subset of users are experiencing poor latency when using Hook0 API. | | **Sev 4
Low** | Low impact or informational request
Feature requests | Product usability issues or use case inquiries. | Updated about 2 years ago * * * * [Support](https://documentation.hook0.com/docs/support) --- # Getting Started with Hook0 Welcome to ReadMe! ![:owlbert:](https://documentation.hook0.com/public/img/emojis/owlbert.png ":owlbert:") You're on your way to building an awesome Developer Hub! Here's some of the things you'll want to check out. 📝 Customize your docs [](https://documentation.hook0.com/docs/getting-started-old#-customize-your-docs) ============================================================================================================ What you're looking at right now is what we call our **Guides**. Basically, a free-form place to write to your heart's content! And the best part is... you aren't alone! Your users can contribute (with your approval, of course!) using the **[Suggested Edits](https://docs.readme.com/docs/suggested-edits) ** feature on every page. It's like GitHub Pull Requests, but for text! Want to ease your users into it with some fancy marketing pages? You can enable a **[Landing Page](https://docs.readme.com/docs/landing-page) **, and write as much HTML as you want to make it look just like your brand. 🚦 Interactive API Docs [](https://documentation.hook0.com/docs/getting-started-old#-interactive-api-docs) ============================================================================================================== If you don't have an API, then no worries! ReadMe is great for any sort of documentation. But if you have an API, we make it really easy to get started. * **Upload your OpenAPI file:** First step is to describe your API to us! If you already have an OpenAPI file, there's lots of ways to upload it in the _API Reference_ section. Our favorite is the GitHub Action, but you can use our CLI or just upload it directly to the UI! * **Add API Keys:** Don't make your users hunt around for API keys. It's easy to show their API key [right in the docs](https://docs.readme.com/docs/custom-login-with-readme) , so they can play around with your API right inside ReadMe. * **Add Logs:** The coolest thing about ReadMe is you can add [real-time API Logs](https://docs.readme.com/docs/api-metrics-in-readme) right to your docs, so you and your users can both see what's going on with their API. Trust us, it's magical! 📈 Know your users [](https://documentation.hook0.com/docs/getting-started-old#-know-your-users) ==================================================================================================== One of the best ways to know if you're nailing the dev experience is checking out how your users are interacting with both your docs and API. * **Documentation Metrics** let you see who's using your docs, what your best and worst pages are, what people are searching for and more! * **API Metrics** are a bit harder to set up (I promise we do our best to make it painless!), but once you set this up you'll know _everything_ that's going on with your users! 💬 We're here to help! [](https://documentation.hook0.com/docs/getting-started-old#-were-here-to-help) ========================================================================================================== ReadMe has a _ton_ of ways to make your docs the envy of any parliament (like that mouseover!). If you get stuck, [shoot us an email](https://documentation.hook0.com/cdn-cgi/l/email-protection#05767075756a7771457760646168602b6c6a) or use the Intercom widget on the bottom right of any page. We're excited you're here! 💙 ![This won't be fun to clean up...](https://owlbert.io/images/popper.gif) Updated over 3 years ago * * * --- # Free pricing plans and discounts For an overview of Hook0's Cloud pricing plans, including paid plans, see [Pricing](https://www.hook0.com/?pricing.destination=cloud#pricing) . Free plan [](https://documentation.hook0.com/docs/free-pricing-plans-and-discounts#free-plan) ------------------------------------------------------------------------------------------------- The Free plan allows for 1 developer and 1 application that can send webhook through [Hook0 API](https://documentation.hook0.com/docs/hook0-api) . For more information on what is included in the Free plan, see [Pricing](https://www.hook0.com/?pricing.destination=cloud#pricing) . Charities, not-for-profit organizations, and educational institutions [](https://documentation.hook0.com/docs/free-pricing-plans-and-discounts#charities-not-for-profit-organizations-and-educational-institutions) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Charities, not-for-profit organizations, and educational institutions receive a 25% discount off of list prices. First, choose a plan in the Organization page of the [Hook0 app](https://app.hook0.com/) , then [contact support](https://documentation.hook0.com/docs/support) to get this discount. Unsure? Feel free to reach out and ask. Updated about 2 years ago * * * * [Pricing & Plans FAQ](https://documentation.hook0.com/docs/pricing-plans-faq) --- # Statement of Applicability Scope description [](https://documentation.hook0.com/docs/statement-of-applicability#scope-description) ----------------------------------------------------------------------------------------------------------- Information security regarding development, sales and hosting of Hook0 software solutions. We process and protect the following data: * Customer data * Financial and HR data The following processes are (partially) outsourced, but fall within the scope of the ISMS: * Hosting * Software development (DCVS) Controls [](https://documentation.hook0.com/docs/statement-of-applicability#controls) ----------------------------------------------------------------------------------------- | Control | Requirement | Applicable | Reason | Status | | --- | --- | --- | --- | --- | | A.10.1.1 Policy on the use of cryptographic controls | A policy on the use of cryptographic controls for protection of information shall be developed and implemented. | YES | Risk assessment | Implemented | | A.10.1.2 Key management | A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. | YES | Risk assessment | Implemented | | A.11.1.1 Physical security perimeter | Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. | YES | Risk assessment | Implemented | | A.11.1.2 Physical entry controls | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. | NO | We do not own any datacenters and rely on external Cloud-Providers | Not Implemented | | A.11.1.3 Securing offices, rooms and facilities | Physical security for offices, rooms and facilities shall be designed and applied. | NO | We do not own any datacenters and rely on external Cloud-Providers | Not Implemented | | A.11.1.4 Protecting against external and environmental threats | Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. | YES | Best practice | Implemented | | A.11.1.5 Working in secure areas | Procedures for working in secure areas shall be designed and applied. | YES | Best practice | Implemented | | A.11.1.6 Delivery and loading areas | Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. | NO | We have no delivery and loading areas. | N/A | | A.11.2.1 Equipment siting and protection | Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. | NO | We do not own any datacenters and rely on external Cloud-Providers | N/A | | A.11.2.2 Supporting utilities | Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. | NO | We do not own any datacenters and rely on external Cloud-Providers | N/A | | A.11.2.3 Cabling security | Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. | YES | Best practice | Implemented | | A.11.2.4 Equipment maintenance | Equipment shall be correctly maintained to ensure its continued availability and integrity. | YES | Risk assessment | Implemented | | A.11.2.5 Removal of assets | Equipment, information or software shall not be taken off-site without prior authorization. | YES | Best practice | Implemented | | A.11.2.6 Security of equipment and assets off-premises | Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises. | YES | Best practice | Implemented | | A.11.2.7 Secure disposal or re-use of equipment | All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior or re-use. | YES | Risk assessment | Implemented | | A.11.2.8 Unattended user equipment | Users shall ensure that unattended equipment has appropriate protection. | YES | Best practice | Implemented | | A.11.2.9 Clear desk and clear screen policy | A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. | YES | Best practice | Implemented | | A.12.1.1 Documented operating procedures | Operating procedures shall be documented and made available to all users who need them. | YES | Risk assessment | Implemented | | A.12.1.2 Change management | Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled. | YES | Risk assessment | Implemented | | A.12.1.3 Capacity management | The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. | YES | Risk assessment | Implemented | | A.12.1.4 Separation of development, testing and operational environments | Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environmental. | YES | Risk assessment | Implemented | | A.12.2.1 Controls against malware | Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. | YES | Risk assessment | Implemented | | A.12.3.1 Information backup | Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. | YES | Risk assessment | Implemented | | A.12.4.1 Event logging | Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. | YES | Risk assessment | Implemented | | A.12.4.2 Protection of log information | Logging facilities and log information shall be protected against tampering and unauthorized access. | YES | Risk assessment | Implemented | | A.12.4.3 Administrator and operator logs | System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. | YES | Risk assessment | Implemented | | A.12.4.4 Clock synchronization | The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source. | YES | Risk assessment | Implemented | | A.12.5.1 Installation of software on operational systems | Procedures shall be implemented to control the installation of software on operational systems. | YES | Risk assessment | Implemented | | A.12.6.1 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. | YES | Risk assessment | Implemented | | A.12.6.2 Restrictions on software installation | Rules governing the installation of software by users shall be established and implemented. | YES | Risk assessment | Implemented | | A.12.7.1 Information system audit controls | Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes. | YES | Best practice | Implemented | | A.13.1.1 Network controls | Networks shall be managed and controlled to protect information in systems and applications. | YES | Best practice | Implemented | | A.13.1.2 Security of network services | Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. | YES | Best practice | Implemented | | A.13.1.3 Segregation in networks | Groups of information services, users and information systems shall be segregated on networks. | YES | Risk assessment | Implemented | | A.13.2.1 Information transfer policies and procedures | Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. | YES | Risk assessment | Implemented | | A.13.2.2 Agreements on information transfer | Agreements shall address the secure transfer of business information between the organization and external parties. | YES | Risk assessment | Implemented | | A.13.2.3 Electronic messaging | Information involved in electronic messaging shall be appropriately protected. | YES | Risk assessment | Implemented | | A.13.2.4 Confidentiality or non-disclosure agreements | Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented. | YES | Risk assessment | Implemented | | A.14.1.1 Security requirements of information systems | The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. | YES | Risk assessment | Implemented | | A.14.1.2 Securing application services on public networks | Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. | YES | Risk assessment | Implemented | | A.14.1.3 Protecting application services transactions | Information involved in applications service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. | YES | Risk assessment | Implemented | | A.14.2.1 Secure development policy | Rules for the development of software and systems shall be established and applied to developments within the organization. | YES | Risk assessment | Implemented | | A.14.2.2 System change control procedures | Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. | YES | Risk assessment | Implemented | | A.14.2.3 Technical review of applications after operating platform changes | When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. | YES | Risk assessment | Implemented | | A.14.2.4 Restrictions on changes to software packages | Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. | YES | Risk assessment | Implemented | | A.14.2.5 Secure system engineering principles | Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. | YES | Risk assessment | Implemented | | A.14.2.6 Secure development environment | Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. | YES | Risk assessment | Implemented | | A.14.2.7 Outsourced development | The organization shall supervise and monitor the activity of outsourced system development. | NO | Hook0 does not do outsourcing. External pull-requests are reviewed and always integrated back into our Secure Development LifeCycle | N/A | | A.14.2.8 System security testing | Testing of security functionality shall be carried out during development. | YES | Risk assessment | Implemented | | A.14.2.9 System acceptance testing | Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. | YES | Risk assessment | Implemented | | A.14.3.1 Protection of test data | Test data shall be selected carefully, protected and controlled. | YES | Risk assessment | Implemented | | A.15.1.1 Information security policy for supplier relationships | Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented. | YES | Risk assessment | Implemented | | A.15.1.2 Addressing security within supplier agreements | All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information. | YES | Risk assessment | Implemented | | A.15.1.3 Information and communication technology supply chain | Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain. | YES | Risk assessment | Implemented | | A.15.2.1 Monitoring and review of supplier services | Organizations shall regularly monitor, review and audit supplier service delivery. | YES | Risk assessment | Implemented | | A.15.2.2 Managing changes to supplier services | Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. | YES | Best practice | Implemented | | A.16.1.1 Responsibilities and procedures | Management responsibilities and procedure shall be established to ensure a quick, effective and orderly response to information security incidents. | YES | Risk assessment | Implemented | | A.16.1.2 Reporting information security events | Information security events shall be reported through appropriate management channels as quickly as possible. | YES | Risk assessment | Implemented | | A.16.1.3 Reporting information security weaknesses | Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services. | YES | Risk assessment | Implemented | | A.16.1.4 Assessment of and decision on information security events | Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. | YES | Risk assessment | Implemented | | A.16.1.5 Response to information security incidents | Information security incidents shall be responded to in accordance with the documented procedures. | YES | Risk assessment | Implemented | | A.16.1.6 Learning from information security incidents | Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. | YES | Risk assessment | Implemented | | A.16.1.7 Collection of evidence | The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. | YES | Risk assessment | Implemented | | A.17.1.1 Planning information security continuity | The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. | YES | Risk assessment | Implemented | | A.17.1.2 Implementing information security continuity | The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. | YES | Risk assessment | Implemented | | A.17.1.3 Verify, review and evaluate information security continuity | The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. | YES | Risk assessment | Implemented | | A.17.2.1 Availability of information processing facilities | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. | YES | Risk assessment | Implemented | | A.18.1.1 Identification of applicable legislation and contractual requirements | All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. | YES | Legal and contractual requirements | Implemented | | A.18.1.2 Intellectual property rights | Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. | YES | Legal and contractual requirements | Implemented | | A.18.1.3 Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. | YES | Legal and contractual requirements | Implemented | | A.18.1.4 Privacy and protection of personally identifiable information | Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. | YES | Legal and contractual requirements | Implemented | | A.18.1.5 Regulation of cryptographic controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations. | YES | Legal and contractual requirements | Implemented | | A.18.2.1 Independent review of information security | The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur. | YES | Best practice | Implemented | | A.18.2.2 Compliance with security policies and standards | Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. | YES | Best practice | Implemented | | A.18.2.3 Technical compliance review | Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards. | YES | Risk assessment | Implemented | | A. 5.1.1 Policies for information security | A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. | YES | Risk assessment | Implemented | | A. 5.1.2 Review of the policies for information security | The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. | YES | Best practice | Implemented | | A. 6.1.1 Information security roles and responsibilities | All information security responsibilities shall be defined and allocated. | YES | Best practice | Implemented | | A. 6.1.2 Segregation of duties | Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. | YES | Risk assessment | Implemented | | A. 6.1.3 Contact with authorities | Appropriate contacts with relevant authorities shall be maintained. | YES | Risk assessment | Implemented | | A. 6.1.4 Contact with special interest groups | Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. | YES | Risk assessment | Implemented | | A. 6.1.5 Information security in project management | Information security shall be addressed in project management, regardless of the type of the project. | YES | Best practice | Implemented | | A. 6.2.1 Mobile device policy | A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. | YES | Risk assessment | Implemented | | A. 6.2.2 Teleworking | A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking. | YES | Risk assessment | Implemented | | A. 7.1.1 Screening | Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. | YES | Risk assessment | Implemented | | A. 7.1.2 Terms and conditions of employment | The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. | YES | Risk assessment | Implemented | | A. 7.2.1 Management responsibilities | Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. | YES | Best practice | Implemented | | A. 7.2.2 Information security awareness, education and training | All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. | YES | Risk assessment | Implemented | | A. 7.2.3 Disciplinary process | There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. | YES | Risk assessment | Implemented | | A. 7.3.1 Termination or change of employment responsibilities | Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. | YES | Risk assessment | Implemented | | A. 8.1.1 Inventory of assets | Information, assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. | YES | Risk assessment | Implemented | | A. 8.1.2 Ownership of assets | Assets maintained in the inventory shall be owned. | YES | Risk assessment | Implemented | | A. 8.1.3 Acceptable use of assets | Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented. | YES | Risk assessment | Implemented | | A. 8.1.4 Return of assets | All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement. | YES | Risk assessment | Implemented | | A. 8.2.1 Classification of information | Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. | YES | Risk assessment | Implementing | | A. 8.2.2 Labelling of information | An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | YES | Risk assessment | Implemented | | A. 8.2.3 Handling of assets | Procedures for handling assets shall be developed and implemented in accordance with the classification scheme adopted by the organization. | YES | Risk assessment | Implemented | | A. 8.3.1 Management of removable media | Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. | YES | Risk assessment | Implemented | | A. 8.3.2 Disposal of media | Media shall be disposed of securely when no longer required, using formal procedures. | YES | Risk assessment | Implemented | | A. 8.3.3 Physical media transfer | Media containing information shall be protected against unauthorized access, misuse or corruption during transportation. | YES | Risk assessment | Implemented | | A. 9.1.1 Access control policy | An access control policy shall be established, documented and reviewed based on business and information security requirements. | YES | Risk assessment | Implemented | | A. 9.1.2 Access to networks and network services | Users shall only be provided with access to the network and network services that they have been specifically authorized to use. | YES | Risk assessment | Implemented | | A. 9.2.1 User registration and de-registration | A formal user registration and de-registration process shall be implemented to enable assignment of access rights. | YES | Risk assessment | Implemented | | A. 9.2.2 User access provisioning | A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. | YES | Risk assessment | Implemented | | A. 9.2.3 Management of privileged access rights | The allocation and use of privileged access rights shall be restricted and controlled. | YES | Risk assessment | Implemented | | A. 9.2.4 Management of secret authentication information of users | The allocation of secret authentication information shall be controlled through a formal management process. | YES | Risk assessment | Implemented | | A. 9.2.5 Review of user access rights | Asset owners shall review users' access rights at regular intervals. | YES | Risk assessment | Implemented | | A. 9.2.6 Removal or adjustment of access rights | The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. | YES | Risk assessment | Implemented | | A. 9.3.1 Use of secret authentication information of users | Users shall be required to follow the organization's practices in the use of secret authentication information. | YES | Risk assessment | Implemented | | A. 9.4.1 Information access restriction | Access to information and application system functions shall be restricted in accordance with the access control policy. | YES | Risk assessment | Implemented | | A. 9.4.2 Secure log-on procedures | Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. | YES | Risk assessment | Implemented | | A. 9.4.3 Password management system | Password management systems shall be interactive and shall ensure quality passwords. | YES | Risk assessment | Implemented | | A. 9.4.4 Use of privileged utility programs | The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. | YES | Risk assessment | Implemented | | A. 9.4.5 Access control to program source code | Access to program source code shall be restricted. | YES | Risk assessment | Implemented | Updated about 2 years ago * * * --- # Event type naming convention 0 Event type naming convention ---------------------------- about 1 month ago by Romain Hi, Wanted to know wether the 3-part naming convention for event type name was mandatory or only strongly recommanded? ex: can I name an event type like schedule.meeting.participantsList.updated cheers, Add Comment --- # Headless deployment 0 Headless deployment ------------------- 7 months ago by Simon Hickling We're trying to setup hook0 on-prem and deploy it in an automated, headless manner. We've setup a `MASTER_API_KEY` and while it allows most things, it does not allow us to create an organization. How can we set up from scratch without having to register a user and receive an email? We'd hoped that the `MASTER_API_KEY` would be the silver bullet, but alas it appears not Add Comment --- # I have deployed hook0 services at K8s but I am not able to generate application_secret. It thorws 404. Any idea? 0 I have deployed hook0 services at K8s but I am not able to generate application\_secret. It thorws 404. Any idea? ----------------------------------------------------------------------------------------------------------------- 8 months ago by Shashwat 404 Not Found Add Comment --- # New Discussion Post Question[Cancel](https://documentation.hook0.com/discuss) --- # Limit of Organizations & Subscriptions 0 Limit of Organizations & Subscriptions -------------------------------------- 11 months ago by Flávio Lourenço Hello, I was trying to find the documentation stating the limit on the number of organizations and subscriptions for the Free tier plan. Is there any limit? Regards. Add Comment --- # FIFO guarantees of events sent to subscriber 0 FIFO guarantees of events sent to subscriber -------------------------------------------- 9 months ago by Matthew James Hi there! We have a SaaS application that needs to emit events via webhooks to external organisations. I see that we can target those orgs using labels, but I was wondering then what FIFO guarantees (including when retrying messages) Hook0 maintains. For example, given `org0` and `org1`: 1. If our app has quickly sent events `e0`, `e1` and `e2` for `org0` to Hook0, is there any chance those events will be sent to `org0` by Hook0 either concurrently or out-of-order? Is the situation different if `org0` has created multiple subscriptions? 2. If sending events to `org0` is failing because the subscriber is failing to receive them, does Hook0 wait before sending any events it has queued for `org1` or does it only wait before retrying events for `org0`? Thanks! Add Comment --- # While running it in my local system on kubernetes getting error. 0 While running it in my local system on kubernetes getting error. ---------------------------------------------------------------- 11 months ago by Sanidhya Pawar Command executed- kubectl apply -f deployments.yaml -l kind=Namespace Error- error: no objects passed to apply Add Comment --- # Metadata could be genrated at real-time 0 Metadata could be genrated at real-time --------------------------------------- about 1 year ago by Shivangi "Metadata is useful for storing additional, structured information on an object. For example, you could store your user's corresponding unique identifier from your system on a Hook0 Customer object. By default, metadata isn't used by Hook0—for example, it's not used when forwarding events to subscriptions —but metadata is supported by the Search API. Your users won't see metadata unless you show it to them." If the metadata is stored on an object, then loading is required, and that would again depend on internet bandwidth and many factors.Can we use another way to handle this like Example: If you need to use an IP address or a unique identifier for a specific transaction, you could generate and use this metadata temporarily during the transaction and then discard it once the process is complete. This would help with metadata generation in real-time and also remove security risks that would come from storing additional, structured information on an object. It would be great getting a reply from and clear my understanding. Thanks Add Comment --- # Smart retry policy 0 Smart retry policy ------------------ over 1 year ago by Heath Hi, I cannot find anywhere in the documentation where it indicates the actual smart-retry policy timings. How often will it retry and for how long, also is there any chance that could be configurable? Add Comment --- # Using Hook0 for a SaaS app 0 Using Hook0 for a SaaS app -------------------------- over 1 year ago by Paul Hi, Wondering how one would dealt with a SaaS setup hosting multiple tenants. A 3rd party that wants to get notified about for example new orders being created, they need to create a subscription to an event and specify their applicationId. However, they likely might be interested in only new orders for a single or subset of the tenants. Is the idea to then namespace the events with some tenant identifier? If so, does that mean we need to add all the available events on a tenant-by-tenant basis? Or are there other mechanisms available to deal with tenant-namespacing in Hook0? Regards, Paul Add Comment --- # Unable to SignIn, Not receiving Mails after SignUp, Not getting reset password email. 0 Unable to SignIn, Not receiving Mails after SignUp, Not getting reset password email. ------------------------------------------------------------------------------------- 11 months ago by Sanidhya Pawar All the dockers are up and running, but I am not able to create Users or signin or even reset password. There are not logs also about failure Add Comment --- # Discussions [0 1\ \ Smart retry policy\ ------------------\ \ Hi, I cannot find anywhere in the documentation where it indicates the actual smart-retry policy timings. How often will it retry and for how long, also is there any chance that could be configurable?\ \ Posted by Heath over 1 year ago](https://documentation.hook0.com/discuss/66582479038d640025dc14f3) * [FAQs](https://documentation.hook0.com/discuss?isFAQ=true) * [Recent](https://documentation.hook0.com/discuss?sorting=recent) * [Unanswered](https://documentation.hook0.com/discuss?sorting=open) --- # Discussions [0 1\ \ Event type naming convention\ ----------------------------\ \ Hi,\ \ Posted by Romain about 1 month ago](https://documentation.hook0.com/discuss/68bb07f2b293e92c40af6096) [0 0\ \ Headless deployment\ -------------------\ \ We're trying to setup hook0 on-prem and deploy it in an automated, headless manner.\ \ Posted by Simon Hickling 7 months ago](https://documentation.hook0.com/discuss/67eec633130aff0024b1df9c) [0 1\ \ I have deployed hook0 services at K8s but I am not able to generate application\_secret. It thorws 404. Any idea?\ -----------------------------------------------------------------------------------------------------------------\ \ 404 \ Not Found\ \ Posted by Shashwat 8 months ago](https://documentation.hook0.com/discuss/67c00f1afeecb4002f3d2ab6) [0 1\ \ FIFO guarantees of events sent to subscriber\ --------------------------------------------\ \ Hi there!\ \ Posted by Matthew James 9 months ago](https://documentation.hook0.com/discuss/6791d4c9c86354000ffc76c4) [0 3\ \ Limit of Organizations & Subscriptions\ --------------------------------------\ \ Hello,\ \ Posted by Flávio Lourenço 11 months ago](https://documentation.hook0.com/discuss/673b620bebb1210043db4941) [0 1\ \ Unable to SignIn, Not receiving Mails after SignUp, Not getting reset password email.\ -------------------------------------------------------------------------------------\ \ All the dockers are up and running, but I am not able to create Users or signin or even reset password. There are not logs also about failure\ \ Posted by Sanidhya Pawar 11 months ago](https://documentation.hook0.com/discuss/6735d7d20d10a5001e0d9ea4) [0 2\ \ While running it in my local system on kubernetes getting error.\ ----------------------------------------------------------------\ \ Command executed- kubectl apply -f deployments.yaml -l kind=Namespace\ \ Posted by Sanidhya Pawar 11 months ago](https://documentation.hook0.com/discuss/6735a4d46c9417003cf7734a) [0 1\ \ Metadata could be genrated at real-time\ ---------------------------------------\ \ "Metadata is useful for storing additional, structured information on an object. For example, you could store your user's corresponding unique identifier from your system on a Hook0 Customer object. By default, metadata isn't used by Hook0—for example, it's not used when forwarding events to subscriptions —but metadata is supported by the Search API. Your users won't see metadata unless you show it to them."\ \ Posted by Shivangi about 1 year ago](https://documentation.hook0.com/discuss/66c44b74a0660800442b3b2e) [0 1\ \ Smart retry policy\ ------------------\ \ Hi, I cannot find anywhere in the documentation where it indicates the actual smart-retry policy timings. How often will it retry and for how long, also is there any chance that could be configurable?\ \ Posted by Heath over 1 year ago](https://documentation.hook0.com/discuss/66582479038d640025dc14f3) [0 3\ \ ANSWERED\ \ Using Hook0 for a SaaS app\ --------------------------\ \ Hi,\ \ Posted by Paul over 1 year ago](https://documentation.hook0.com/discuss/664216959c8d4000456769c7) * [FAQs](https://documentation.hook0.com/discuss?isFAQ=true) * [Recent](https://documentation.hook0.com/discuss?sorting=recent) * [Unanswered](https://documentation.hook0.com/discuss?sorting=open) --- # Discussions [0 1\ \ Event type naming convention\ ----------------------------\ \ Hi,\ \ Posted by Romain about 1 month ago](https://documentation.hook0.com/discuss/68bb07f2b293e92c40af6096) [0 0\ \ Headless deployment\ -------------------\ \ We're trying to setup hook0 on-prem and deploy it in an automated, headless manner.\ \ Posted by Simon Hickling 7 months ago](https://documentation.hook0.com/discuss/67eec633130aff0024b1df9c) [0 1\ \ I have deployed hook0 services at K8s but I am not able to generate application\_secret. It thorws 404. Any idea?\ -----------------------------------------------------------------------------------------------------------------\ \ 404 \ Not Found\ \ Posted by Shashwat 8 months ago](https://documentation.hook0.com/discuss/67c00f1afeecb4002f3d2ab6) [0 1\ \ FIFO guarantees of events sent to subscriber\ --------------------------------------------\ \ Hi there!\ \ Posted by Matthew James 9 months ago](https://documentation.hook0.com/discuss/6791d4c9c86354000ffc76c4) [0 3\ \ Limit of Organizations & Subscriptions\ --------------------------------------\ \ Hello,\ \ Posted by Flávio Lourenço 11 months ago](https://documentation.hook0.com/discuss/673b620bebb1210043db4941) [0 1\ \ Unable to SignIn, Not receiving Mails after SignUp, Not getting reset password email.\ -------------------------------------------------------------------------------------\ \ All the dockers are up and running, but I am not able to create Users or signin or even reset password. There are not logs also about failure\ \ Posted by Sanidhya Pawar 11 months ago](https://documentation.hook0.com/discuss/6735d7d20d10a5001e0d9ea4) [0 2\ \ While running it in my local system on kubernetes getting error.\ ----------------------------------------------------------------\ \ Command executed- kubectl apply -f deployments.yaml -l kind=Namespace\ \ Posted by Sanidhya Pawar 11 months ago](https://documentation.hook0.com/discuss/6735a4d46c9417003cf7734a) [0 1\ \ Metadata could be genrated at real-time\ ---------------------------------------\ \ "Metadata is useful for storing additional, structured information on an object. For example, you could store your user's corresponding unique identifier from your system on a Hook0 Customer object. By default, metadata isn't used by Hook0—for example, it's not used when forwarding events to subscriptions —but metadata is supported by the Search API. Your users won't see metadata unless you show it to them."\ \ Posted by Shivangi about 1 year ago](https://documentation.hook0.com/discuss/66c44b74a0660800442b3b2e) [0 1\ \ Smart retry policy\ ------------------\ \ Hi, I cannot find anywhere in the documentation where it indicates the actual smart-retry policy timings. How often will it retry and for how long, also is there any chance that could be configurable?\ \ Posted by Heath over 1 year ago](https://documentation.hook0.com/discuss/66582479038d640025dc14f3) * [FAQs](https://documentation.hook0.com/discuss?isFAQ=true) * [Recent](https://documentation.hook0.com/discuss?sorting=recent) * [Unanswered](https://documentation.hook0.com/discuss?sorting=open) --- # Discussions [0 2\ \ ANSWERED\ \ Faulty admin dashboard\ ----------------------\ \ ![](https://files.readme.io/5778a25-image.png)\ \ Posted by Looz over 1 year ago](https://documentation.hook0.com/discuss/65b9e5db8ce2ab001cc4ceb0) [0 2\ \ ANSWERED\ \ Docker compose\ --------------\ \ Hello,\ \ Posted by Karla almost 2 years ago](https://documentation.hook0.com/discuss/656db8188dbcaf0531fd81ac) [0 3\ \ ANSWERED\ \ Error testing sending an event\ ------------------------------\ \ Getting a 404 not found error when sending an event to the API\ \ Posted by Will over 2 years ago](https://documentation.hook0.com/discuss/64382c4253649200f10f9079) [0 1\ \ ANSWERED\ \ Running Hook0 on Prem\ ---------------------\ \ I see instructions to run with docker-compose, but after cloning the repository, I do not see a `docker` directory. Any ideas on if this is out of date?\ \ Posted by noah kreiger almost 3 years ago](https://documentation.hook0.com/discuss/63746a2bf30e6d001e1f7699) * [FAQs](https://documentation.hook0.com/discuss?isFAQ=true) * [Recent](https://documentation.hook0.com/discuss?sorting=recent) * [Unanswered](https://documentation.hook0.com/discuss?sorting=open) --- # Create a new application secret ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Update an application secret ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Delete an application secret ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Create a new application ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Delete an application ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Change password ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Check instance health ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # List errors ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Get instance configuration ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Get an application by its ID ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # List event types ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Refresh access token ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # List applications ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Create a new event type ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Reset password ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Get an event type by its name ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # List organizations ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Get quotas ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Create an organization ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Email verification ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Get an event ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Delete an event type ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # List latest events ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Delete an organization ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Edit an organization ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Get organization's info by its ID ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Invite a user to an organization ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Begin reset password ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Edit a user's role in an organization ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Create a new subscription ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # List supported event payload content types ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Replay an event ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Login ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Update a subscription ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Revoke a user's access to an organization ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Create a new user account and its own personal organization ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Create a new service token ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # List subscriptions ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Get a service token ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # List service tokens ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # List request attempts ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Get a subscription by its id ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Edit a service token ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Logout ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Ingest an event ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Applications Updated about 2 years ago * * * --- # Delete a service token ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Edit an application ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Delete a subscription ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Get a response by its ID ShellNodeRubyPHPPython Click `Try It!` to start a request and see the response here! --- # Sending Events Updated almost 3 years ago * * * --- # Pricing & Plans FAQ General questions [](https://documentation.hook0.com/docs/pricing-plans-faq#general-questions) -------------------------------------------------------------------------------------------------- ### What is usage-based billing? [](https://documentation.hook0.com/docs/pricing-plans-faq#what-is-usage-based-billing) Usage-based billing is an evolution of subscription billing where customers pay for their active use, or consumption, of a product or service over a given time period. This model is applied to feature, service, and/or user activity. We think of it as a better way to align the value of Hook0 with how much customers pay for it. Updated 22 days ago * * * --- # Discussions [0 2\ \ ANSWERED\ \ Faulty admin dashboard\ ----------------------\ \ ![](https://files.readme.io/5778a25-image.png)\ \ Posted by Looz over 1 year ago](https://documentation.hook0.com/discuss/65b9e5db8ce2ab001cc4ceb0) [0 2\ \ ANSWERED\ \ Docker compose\ --------------\ \ Hello,\ \ Posted by Karla almost 2 years ago](https://documentation.hook0.com/discuss/656db8188dbcaf0531fd81ac) [0 3\ \ ANSWERED\ \ Error testing sending an event\ ------------------------------\ \ Getting a 404 not found error when sending an event to the API\ \ Posted by Will over 2 years ago](https://documentation.hook0.com/discuss/64382c4253649200f10f9079) [0 1\ \ ANSWERED\ \ Running Hook0 on Prem\ ---------------------\ \ I see instructions to run with docker-compose, but after cloning the repository, I do not see a `docker` directory. Any ideas on if this is out of date?\ \ Posted by noah kreiger almost 3 years ago](https://documentation.hook0.com/discuss/63746a2bf30e6d001e1f7699) * [FAQs](https://documentation.hook0.com/discuss?isFAQ=true) * [Recent](https://documentation.hook0.com/discuss?sorting=recent) * [Unanswered](https://documentation.hook0.com/discuss?sorting=open) --- # Docker compose 0 Docker compose -------------- almost 2 years ago by Karla Hello, Using the on-prem version, when I do docker compose like the guide said, I'm getting this error in many files: "error Delete `␍` prettier-vue/prettier". I tried everything on the internet but nothing worked. Can you help me please? Thank you Add Comment --- # Faulty admin dashboard 0 Faulty admin dashboard ---------------------- over 1 year ago by Looz ![](https://files.readme.io/5778a25-image.png) ![](https://files.readme.io/f44e3bd-image.png) Unable to access projects in the sidebar Add Comment --- # Error testing sending an event 0 Error testing sending an event ------------------------------ over 2 years ago by Will Getting a 404 not found error when sending an event to the API I created a application (I'm using the token as the application Id Created an event type I have tried the sample code and also ran the generated sample code locally same response. Add Comment --- # Running Hook0 on Prem 0 Running Hook0 on Prem --------------------- almost 3 years ago by noah kreiger I see instructions to run with docker-compose, but after cloning the repository, I do not see a `docker` directory. Any ideas on if this is out of date? Add Comment --- # Discussions [0 1\ \ Event type naming convention\ ----------------------------\ \ Hi,\ \ Posted by Romain about 1 month ago](https://documentation.hook0.com/discuss/68bb07f2b293e92c40af6096) [0 0\ \ Headless deployment\ -------------------\ \ We're trying to setup hook0 on-prem and deploy it in an automated, headless manner.\ \ Posted by Simon Hickling 7 months ago](https://documentation.hook0.com/discuss/67eec633130aff0024b1df9c) [0 1\ \ I have deployed hook0 services at K8s but I am not able to generate application\_secret. It thorws 404. Any idea?\ -----------------------------------------------------------------------------------------------------------------\ \ 404 \ Not Found\ \ Posted by Shashwat 8 months ago](https://documentation.hook0.com/discuss/67c00f1afeecb4002f3d2ab6) [0 1\ \ FIFO guarantees of events sent to subscriber\ --------------------------------------------\ \ Hi there!\ \ Posted by Matthew James 9 months ago](https://documentation.hook0.com/discuss/6791d4c9c86354000ffc76c4) [0 3\ \ Limit of Organizations & Subscriptions\ --------------------------------------\ \ Hello,\ \ Posted by Flávio Lourenço 11 months ago](https://documentation.hook0.com/discuss/673b620bebb1210043db4941) [0 1\ \ Unable to SignIn, Not receiving Mails after SignUp, Not getting reset password email.\ -------------------------------------------------------------------------------------\ \ All the dockers are up and running, but I am not able to create Users or signin or even reset password. There are not logs also about failure\ \ Posted by Sanidhya Pawar 11 months ago](https://documentation.hook0.com/discuss/6735d7d20d10a5001e0d9ea4) [0 2\ \ While running it in my local system on kubernetes getting error.\ ----------------------------------------------------------------\ \ Command executed- kubectl apply -f deployments.yaml -l kind=Namespace\ \ Posted by Sanidhya Pawar 11 months ago](https://documentation.hook0.com/discuss/6735a4d46c9417003cf7734a) [0 1\ \ Metadata could be genrated at real-time\ ---------------------------------------\ \ "Metadata is useful for storing additional, structured information on an object. For example, you could store your user's corresponding unique identifier from your system on a Hook0 Customer object. By default, metadata isn't used by Hook0—for example, it's not used when forwarding events to subscriptions —but metadata is supported by the Search API. Your users won't see metadata unless you show it to them."\ \ Posted by Shivangi about 1 year ago](https://documentation.hook0.com/discuss/66c44b74a0660800442b3b2e) [0 1\ \ Smart retry policy\ ------------------\ \ Hi, I cannot find anywhere in the documentation where it indicates the actual smart-retry policy timings. How often will it retry and for how long, also is there any chance that could be configurable?\ \ Posted by Heath over 1 year ago](https://documentation.hook0.com/discuss/66582479038d640025dc14f3) [0 3\ \ ANSWERED\ \ Using Hook0 for a SaaS app\ --------------------------\ \ Hi,\ \ Posted by Paul over 1 year ago](https://documentation.hook0.com/discuss/664216959c8d4000456769c7) * [FAQs](https://documentation.hook0.com/discuss?isFAQ=true) * [Recent](https://documentation.hook0.com/discuss?sorting=recent) * [Unanswered](https://documentation.hook0.com/discuss?sorting=open) --- # Discussions [0 1\ \ Event type naming convention\ ----------------------------\ \ Hi,\ \ Posted by Romain about 1 month ago](https://documentation.hook0.com/discuss/68bb07f2b293e92c40af6096) [0 0\ \ Headless deployment\ -------------------\ \ We're trying to setup hook0 on-prem and deploy it in an automated, headless manner.\ \ Posted by Simon Hickling 7 months ago](https://documentation.hook0.com/discuss/67eec633130aff0024b1df9c) [0 1\ \ I have deployed hook0 services at K8s but I am not able to generate application\_secret. It thorws 404. Any idea?\ -----------------------------------------------------------------------------------------------------------------\ \ 404 \ Not Found\ \ Posted by Shashwat 8 months ago](https://documentation.hook0.com/discuss/67c00f1afeecb4002f3d2ab6) [0 1\ \ FIFO guarantees of events sent to subscriber\ --------------------------------------------\ \ Hi there!\ \ Posted by Matthew James 9 months ago](https://documentation.hook0.com/discuss/6791d4c9c86354000ffc76c4) [0 3\ \ Limit of Organizations & Subscriptions\ --------------------------------------\ \ Hello,\ \ Posted by Flávio Lourenço 11 months ago](https://documentation.hook0.com/discuss/673b620bebb1210043db4941) [0 1\ \ Unable to SignIn, Not receiving Mails after SignUp, Not getting reset password email.\ -------------------------------------------------------------------------------------\ \ All the dockers are up and running, but I am not able to create Users or signin or even reset password. There are not logs also about failure\ \ Posted by Sanidhya Pawar 11 months ago](https://documentation.hook0.com/discuss/6735d7d20d10a5001e0d9ea4) [0 2\ \ While running it in my local system on kubernetes getting error.\ ----------------------------------------------------------------\ \ Command executed- kubectl apply -f deployments.yaml -l kind=Namespace\ \ Posted by Sanidhya Pawar 11 months ago](https://documentation.hook0.com/discuss/6735a4d46c9417003cf7734a) [0 1\ \ Metadata could be genrated at real-time\ ---------------------------------------\ \ "Metadata is useful for storing additional, structured information on an object. For example, you could store your user's corresponding unique identifier from your system on a Hook0 Customer object. By default, metadata isn't used by Hook0—for example, it's not used when forwarding events to subscriptions —but metadata is supported by the Search API. Your users won't see metadata unless you show it to them."\ \ Posted by Shivangi about 1 year ago](https://documentation.hook0.com/discuss/66c44b74a0660800442b3b2e) [0 1\ \ Smart retry policy\ ------------------\ \ Hi, I cannot find anywhere in the documentation where it indicates the actual smart-retry policy timings. How often will it retry and for how long, also is there any chance that could be configurable?\ \ Posted by Heath over 1 year ago](https://documentation.hook0.com/discuss/66582479038d640025dc14f3) [0 3\ \ ANSWERED\ \ Using Hook0 for a SaaS app\ --------------------------\ \ Hi,\ \ Posted by Paul over 1 year ago](https://documentation.hook0.com/discuss/664216959c8d4000456769c7) * [FAQs](https://documentation.hook0.com/discuss?isFAQ=true) * [Recent](https://documentation.hook0.com/discuss?sorting=recent) * [Unanswered](https://documentation.hook0.com/discuss?sorting=open) ---