New — webhooks your AI agents can wait on. Hook & Sense opening to early access.

Glossary

Mutual TLS (mTLS)

TLS where both sides present certificates — the receiver proves its identity and the webhook sender proves theirs. The strongest transport-level webhook authentication, and the most operationally expensive.

In ordinary TLS only the server presents a certificate; the client stays anonymous at the transport layer. Mutual TLS adds a client certificate: the webhook sender presents one when connecting, and your edge rejects the handshake unless it chains to a trusted CA. A forged request never even completes a connection.

It's the norm in banking and healthcare webhook APIs (open banking standards mandate it) and available from a few mainstream providers — but rare elsewhere, because the cost is real: issuing and rotating client certs, configuring termination at your load balancer (which must *not* strip the client cert before your app can check it), and debugging failed handshakes that produce no application-level logs.

mTLS and HMAC solve overlapping but different problems: mTLS authenticates the connection, HMAC authenticates the message. mTLS can't detect a payload modified by a compromised sender-side process, and HMAC can't stop an attacker from probing your endpoint. High-security setups run both.

How HookSense helps

Most SaaS providers you'll debug sign with HMAC rather than mTLS — which is exactly what HookSense's `verify_signature` settles per callback. For custom domains, HookSense provisions and renews TLS automatically, so the transport layer is handled before your agent sees the payload.

Get a free webhook URL

Related terms