A Model Context Protocol (MCP) server for webhook.site - instantly capture HTTP requests, emails, and DNS lookups. Perfect for testing webhooks, debugging API callbacks, security testing, and bug bounty hunting.
- Quick Start
- What Can You Do?
- Tools Reference
- Examples
- Each Webhook Token Provides
- Architecture
- Development
- Contributing
- Requirements
- Changelog
- Credits
- Links
# Using uvx (recommended - no install needed)
uvx webhook-mcp-server
# Or install via pip
pip install webhook-mcp-serverAdd to .vscode/mcp.json:
{
"servers": {
"webhook-mcp-server": {
"type": "stdio",
"command": "uvx",
"args": ["webhook-mcp-server"]
}
}
}Add to claude_desktop_config.json:
{
"mcpServers": {
"webhook-mcp-server": {
"command": "uvx",
"args": ["webhook-mcp-server"]
}
}
}"Create a webhook and show me the URL"
"What requests have been sent to my webhook?"
"Wait for a request to come in"
"Generate an SSRF payload to test for blind vulnerabilities"
"Create XSS callback payloads to detect blind XSS attacks"
"Make me a canary token to detect if someone accesses a URL"
"Create a temp email and wait for a password reset link"
"Monitor this webhook for emails and extract all links from them"
"Give me 3 temporary emails at once" (batch creation)
"Create a webhook that returns a 404 error with a custom message"
"Make a webhook with CORS enabled that waits 5 seconds before responding"
"Send 10 different test requests to a webhook and show me all the captured data"
"Create a webhook and wait for any HTTP request to arrive"
"Monitor for DNS lookups to detect if a server is making DNS queries"
"Search all requests for ones containing 'password' in the body"
"Export all captured webhook requests to JSON format"
"Show me statistics on requests received in the last hour"
"Filter and show only POST requests with specific headers"
"Create a webhook that pretends to be a Stripe payment API"
"Make a fake login endpoint that captures credentials (for pentesting)"
"Set up an email inbox that auto-extracts verification codes"
"Create a canary URL to track document access"
"Generate a DNS canary for the config file"
"Set up an email tracker pixel"
| Tool | Description |
|---|---|
create_webhook |
Create a new webhook endpoint |
create_webhook_with_config |
Create with custom response, status, CORS, timeout |
get_webhook_url |
Get the full URL for a webhook token |
get_webhook_email |
Get the email address for a webhook |
get_webhook_dns |
Get the DNS subdomain for a webhook |
get_webhook_info |
Get webhook settings and statistics |
update_webhook |
Modify webhook configuration |
delete_webhook |
Delete a webhook endpoint |
| Tool | Description |
|---|---|
send_to_webhook |
Send JSON data to a webhook |
get_webhook_requests |
List all captured requests |
search_requests |
Search with filters (method, content, date) |
delete_request |
Delete a specific request |
delete_all_requests |
Bulk delete with filters |
| Tool | Description |
|---|---|
wait_for_request |
Wait for an HTTP request (polling) |
wait_for_email |
Wait for email with automatic link extraction |
| Tool | Description |
|---|---|
generate_ssrf_payload |
Create SSRF test payloads (HTTP, DNS, IP-based) |
generate_xss_callback |
Create XSS callback payloads with cookie/DOM capture |
generate_canary_token |
Create trackable URLs, DNS, or email canaries |
check_for_callbacks |
Quick check for OOB callbacks |
extract_links_from_request |
Extract URLs from captured requests |
| Tool | Description |
|---|---|
send_multiple_requests |
Send batch of requests for load testing |
export_webhook_data |
Export all requests to JSON |
// Response from create_webhook
{
"token": "abc123-def456-...",
"url": "https://webhook.site/abc123-def456-...",
"email": "abc123-def456-...@email.webhook.site",
"dns": "abc123-def456-....dnshook.site"
}// Response from wait_for_email
{
"email_received": true,
"subject": "Password Reset Request",
"from": "noreply@example.com",
"links_found": ["https://example.com/reset?token=xyz789"]
}// Response from generate_ssrf_payload
{
"payloads": {
"http": "https://webhook.site/token?id=ssrf-test",
"dns": "ssrf-test.token.dnshook.site",
"ip_decimal": "http://2130706433/token",
"ip_hex": "http://0x7f000001/token"
}
}| Endpoint | Format | Use Case |
|---|---|---|
| HTTP URL | https://webhook.site/{token} |
Capture HTTP/HTTPS requests |
| Subdomain | https://{token}.webhook.site |
Alternative URL format |
{token}@email.webhook.site |
Capture incoming emails | |
| DNS | {token}.dnshook.site |
Capture DNS lookups |
webhook-mcp-server/
├── server.py # MCP entry point
├── handlers/ # Tool routing layer
├── services/ # Business logic
│ ├── webhook_service.py # Webhook CRUD
│ ├── request_service.py # Request management
│ └── bugbounty_service.py # Security payloads
├── models/ # Tool definitions & schemas
└── utils/ # HTTP client, logging, validation
- Async Architecture - Non-blocking I/O for optimal performance
- Retry Logic - Exponential backoff for transient failures
- Input Validation - UUID validation, parameter sanitization
- Structured Logging - JSON logs for debugging and monitoring
- Type Safety - Full type hints throughout
git clone https://github.com/zebbern/webhook-mcp-server.git
cd webhook-mcp-server
pip install -e ".[dev]"pytest tests/ -vpython server.py- Python 3.10+
mcp >= 1.0.0httpx >= 0.25.0
See CHANGELOG.md for version history.
Contributions are welcome! Here's how you can help:
- Report bugs - Open an issue describing the problem
- Suggest features - Open an issue with your idea
- Submit PRs - Fork the repo and submit a pull request
git clone https://github.com/zebbern/webhook-mcp-server.git
cd webhook-mcp-server
pip install -e ".[dev]"
pytest tests/ -v- Follow existing code style
- Add tests for new features
- Update documentation as needed
- Keep PRs focused on a single change
This project is not affiliated with or endorsed by webhook.site
- 📦 PyPI Package
- 🐙 GitHub Repository
- 🌐 webhook.site - The service this MCP wraps
- 📖 Model Context Protocol - MCP specification
Made with ❤️ for the MCP community
