API reference
FlurryPORT exposes one public API surface: the capture URL that webhook providers send to. Everything else is managed through the UI or the CLI.
Capture URL
The capture URL is the endpoint you register with your webhook provider. It accepts any HTTP method and stores the raw request — headers, body, query string — exactly as sent.
POST https://api.flurryport.io/api/v1/capture/{projectId}/{endpointSlug}| Parameter | Description |
|---|---|
projectId | Base62-encoded project ID (shown in the UI) |
endpointSlug | URL-safe endpoint slug (e.g., stripe-webhook) |
Quick test:
curl -X POST https://api.flurryport.io/api/v1/capture/{projectId}/{endpointSlug} \
-H "Content-Type: application/json" \
-d '{"event": "test.webhook", "data": {"id": "evt_123"}}'Provider detection
FlurryPORT automatically detects the webhook provider from request headers:
| Header | Provider |
|---|---|
Stripe-Signature | Stripe |
X-Hub-Signature-256 | GitHub |
X-Shopify-Hmac-Sha256 | Shopify |
X-Slack-Signature | Slack |
X-Twilio-Signature | Twilio |
The provider hint and event type (e.g.,
checkout.session.completed) are stored as metadata for filtering — they don’t affect how the payload is stored.
Payload limits
| Plan | Max payload | Retention |
|---|---|---|
| Deckhand (free) | 64 KB | 3 days |
| First Mate | 1 MB | 20 days |
| Captain | 10 MB | 45 days |
Authentication
Authenticated API operations (managing replay targets, triggering replays from the CLI, etc.) use a Personal Access Token (PAT). Generate one in Settings → Access Tokens.
# Generate in the UI, token shown once: fp_a1b2c3d4e5f6... # Use in requests: Authorization: Bearer fp_a1b2c3d4e5f6...
Tokens are SHA256-hashed at rest. Set an expiry when creating — expired tokens are automatically rejected. Revoke compromised tokens immediately in Settings.
Webhook replay compatibility
When replaying webhooks with HMAC signature verification (e.g., Stripe), keep in mind:
tolerance: 86400 (24 hours).throwOnApiVersionMismatch: false in your Stripe SDK.