Webhooks to Private Networks
Without Opening Firewalls
Enterprise-grade zero-trust webhook delivery to your private networks.
The Webhook Problem
Firewall Headaches
Opening ports for webhooks is a security nightmare. Every open port is a potential attack vector.
Reliability Issues
Direct connections fail behind NAT, VPNs, or when your team rotates IPs. Retries don't help if the path is broken.
Security Trade-offs
Tailscale requires UDP, WireGuard needs kernel modules. Sometimes you can't install anything on the target.
Zen-Mesh: Outbound-Only Delivery
Your internal services connect outbound only. No firewall changes needed. No UDP. No kernel modules.
Enterprise-Grade Webhook Delivery
Everything you need to reliably receive webhooks in any environment.
Zero-Trust Security
mTLS on all internal paths. HMAC-SHA256 signature verification. SPIFFE/SPIRE workload identity.
Stripe → Your Private Network
Receive Stripe webhooks directly in your Kubernetes cluster. No firewall changes. No VPN. No second product needed.
Private Network Delivery
Deliver to services behind NAT, firewall, or VPN. Your internal endpoints stay hidden.
Instant Setup
Dynamic webhooks available in under 2 minutes. Configure in UI. Automatic TLS.
Outbound-Only Architecture
Unlike Tailscale (UDP) or WireGuard (kernel modules), Zen-Mesh works anywhere.
Stripe & GitHub Templates
Out-of-the-box support for Stripe and GitHub webhooks. Copy the endpoint, configure your secret, done.
Canary Certificate Rotation
Automatic certificate rotation with health checks. Auto-rollback if issues detected.
Delivery History & Replay
Full delivery audit trail. Inspect failures by correlation ID. Replay from dead letter queue.
Automatic Retries
Jittered exponential backoff. At-least-once delivery guaranteed.
Rate Limiting
IP-based rate limiting to absorb traffic spikes. Protects your services.
Audit Logging
Comprehensive audit logging with tamper detection via hash-chain verification.
Three-Plane Security Model
Strict separation between control, data, and edge planes ensures your data never crosses untrusted boundaries.
Control Plane
SaaS-only. Handles enrollment, policy, config, certificates, and audit. Never in runtime event path.
- UI/API — Dashboard and REST API
- Policy & Config — Tenant management
- Certificates — Lifecycle management
Data Plane
Zen-owned public intake and routing layer. Events flow through but never touch SaaS.
- zen-ingester — Event intake & processing
- zen-bridge — Message routing
- zen-egress — Event dispatch
Edge Plane
Customer-boundary delivery layer. zen-agent runs in your cluster, maintains outbound connection.
- zen-ingester — Event intake
- zen-agent — Cluster enrollment
- zen-egress — Delivery to internal services
How We Compare
See why engineering teams choose Zen-Mesh over alternatives.
| Feature | Zen-Mesh | Hookdeck | Hook0 | Svix | Tailscale | ngrok |
|---|---|---|---|---|---|---|
| CloudEvents format (CNCF standard) | Yes | No | No | No | No | No |
| Delivers to private networks | Yes | No | No | No | Yes | Limited |
| Outbound-only (no firewall changes) | Yes | No | No | No | UDP hole-punching | Yes |
| Webhooks bypass SaaS (direct delivery) | Yes | No | Self-hosted only | No | Tailscale network | No |
| Free Static IP for webhook sources | Yes | No | No | No | No | No |
| Dedicated Static IP for webhook sources | Included (paid plans) | +$100/mo (paid plans) | No | Paid (Enterprise) | No | $900/mo per region |
| mTLS on internal paths | Yes | No | No | Enterprise only | WireGuard | TLS |
| SPIFFE/SPIRE workload identity | Yes | No | No | No | No | No |
| HMAC signature verification | Yes | Yes | Yes | Yes | No | Limited |
| Database RLS (tenant isolation) | Yes | No | No | No | No | No |
| Built-in webhook templates | Stripe, GitHub (2) | 120+ sources | No | No | No | No |
| Certificate rotation with canary | Yes | No | No | No | No | No |
| Dead letter queue & replay | Yes | Yes | Yes (3 days) | Yes | No | Limited |
| Self-hosted option | Yes | Yes | Yes | Yes | Yes | No |
| Multiple destinations (fan-out) | Yes | Yes | Labels | Yes | No | No |
Ready to get started?
Deploy secure webhook delivery to your private network in minutes.