HTTP and DNS callback capture for authorized testing. Events are saved locally, sent to Discord, and signed with an HMAC proof.
curl -X POST https://hook.tcob.today/webhook/my-test \
-H 'Content-Type: application/json' \
-d '{"hello":"world"}'
dig my-test.dns.hook.tcob.today
Use any readable ID after the route. Extra path segments are kept as part of the ID.
| Route | Use |
|---|---|
/callback/<id> | general callback, relaxed rate limit |
/canary/<id> | canary token, relaxed rate limit |
/ssrf/<id> | SSRF callback |
/xss/<id> | browser/script callback |
/webhook/<id> | webhook request and body capture |
/email/<id> | email link or tracking callback |
/<category>/<id> | custom category |
| Route | Response |
|---|---|
/redirect/<id>?hops=3 | same-origin redirect chain, then /callback/<id> |
/status/404/<id> | capture, then return an allowlisted status |
/delay/2/<id> | capture, wait up to 5s, then return proof |
/pixel/<id> | capture, then return a transparent PNG |
/script/<id> | capture, then return JS that pings /callback/<id>/executed |
/cors/<id> | capture, then return proof with wildcard CORS |
/oauth/<id> | OAuth/OIDC redirect or form_post proof |
/dcr/<id> | dynamic client registration proof |
https://hook.tcob.today/oauth/test?code=abc123&state=xyz
curl -X POST https://hook.tcob.today/dcr/test \
-H 'Content-Type: application/json' \
-d '{"client_id":"client-123","client_secret":"secret-value"}'
/oauth and /dcr return the normal evidence receipt plus an
oauth.artifacts object. It detects common and vendor-prefixed OAuth/DCR field names,
including nested JSON keys containing token, secret, client,
registration, software, redirect_uri, code,
state, or error. Sensitive-looking values are returned as length, SHA-256,
and a short preview, not full secrets.
URL fragments never reach the server. For implicit/hybrid flows, use
response_mode=query, response_mode=form_post, or a target that sends the
token in a request body.
X-Hook-Id, X-Hook-Body-SHA256, X-Hook-Signature.curl -H 'Authorization: Bearer <token>' https://hook.tcob.today/admin/recent
curl -H 'Authorization: Bearer <token>' 'https://hook.tcob.today/admin/export?format=jsonl'
curl -H 'Authorization: Bearer <token>' https://hook.tcob.today/admin/lookup/test
Machine-readable route inventory: /docs.json.