// getting started

Docs

req.is gives you a URL that captures any HTTP request. Point a webhook or API call at it, inspect the raw request as it lands, then replay or forward it to your own endpoint.

Quickstart

Create a bin, send it anything, and open the inspector from the returned bin id.

terminal
# 1. create a bin
curl -X POST https://req.is/api/bins \
  -H "Content-Type: application/json" \
  -d '{"name":"my-webhook-bin"}'

# 2. send it anything
curl -X POST https://req.is/b/my-webhook-bin \
  -H "Content-Type: application/json" \
  -d '{"event":"ping"}'

# 3. open /bins/<id> and watch it land

Creating a bin

A bin gets a readable capture URL under /b/<slug>. The slug comes from the name you provide; if it is already taken, req.is appends a short suffix. UUID capture URLs under /c/<id> continue to work for compatibility.

GETCaptured with full query string and headers.
POSTBody preserved raw; JSON and form data are readable in the inspector.
PUTSame as POST: full body capture.
PATCHSame as POST: full body capture.
DELETECaptured, including any body the sender provides.
HEADCaptured and returned without a response body.
OPTIONSCaptured for CORS and integration debugging.

Inspecting requests

The bin dashboard shows live request updates with method filters, path search, headers, query string, body, forwarding response data, and generated code snippets.

Replay and forwarding

Forwarding is asynchronous: capture succeeds first, then the worker delivers a copy to your target. Replay sends a stored request again to the forwarding URL or a supplied target_url.

note

Delivery attempts store response status, elapsed time, target URL, and any error summary.

Forwarding safety

Forwarding makes req.is an HTTP client, so production controls are enforced before every delivery.

Private and metadata IPs blockedTargets resolving to loopback, private, link-local, multicast, reserved, carrier-grade NAT, benchmarking, or cloud metadata ranges are refused.
Scheme allowlistOnly http:// and https:// destinations are accepted.
DNS checked per deliveryThe worker resolves the hostname and validates the resulting IP before each forwarding attempt.
Redirects not followedForwarding records 3xx responses but does not chase redirects to another host.
Signed deliveriesEach forwarded request includes X-Reqis-Signature with an HMAC-SHA256 signature over timestamp and raw body.
Timeout and body capsRequests use short timeouts, request body storage caps, and response body truncation for predictable resource usage.

Verify forwarded deliveries

The signature header uses t=<unix timestamp>,v1=<hex hmac>. Compute HMAC-SHA256 over timestamp + "." + rawBody with the bin signing secret shown in the forwarding modal.

X-Reqis-Signature: t=1699029871,v1=5a2f9c1e...

const expected = crypto
  .createHmac("sha256", REQIS_SECRET)
  .update(timestamp + "." + rawBody)
  .digest("hex");

API reference

Manage bins and captured requests programmatically.

POST/api/binsCreate a new bin
GET/api/bins/:idFetch bin settings
PATCH/api/bins/:idUpdate name or forwarding URL
DELETE/api/bins/:idDisable a bin
GET/api/bins/:id/requestsList captured requests
GET/api/requests/:idFetch one request
POST/api/requests/:id/replayReplay to the bin forwarding URL or a supplied target_url
DELETE/api/requests/:idDelete one captured request
// ready to try it?$ create your first bin