{
  "admin": {
    "/admin/export?format=json|jsonl": "latest 5 full raw events; sensitive admin-only export",
    "/admin/lookup/<id>": "latest retained event matching correlation_id",
    "/admin/lookup/<id>?full=1": "same receipt plus content.full base64 raw body",
    "/admin/recent": "latest 5 summaries",
    "authentication": "Authorization: Bearer <token>",
    "methods": [
      "GET",
      "HEAD"
    ],
    "sensitivity": "admin full responses and exports may contain real credentials"
  },
  "base_url": "https://hook.tcob.today",
  "capture": {
    "/<category>/<id>": "custom category; additional path segments are part of the ID",
    "/callback/<id>": "general-purpose callback; relaxed rate limit",
    "/canary/<id>": "canary-token callback; relaxed rate limit",
    "/email/<id>": "email link or resource callback",
    "/ssrf/<id>": "server-side request forgery callback",
    "/webhook/<id>": "webhook callback with request body capture",
    "/xss/<id>": "browser or script-execution callback"
  },
  "capture_methods": [
    "GET",
    "HEAD",
    "POST",
    "PUT",
    "PATCH",
    "DELETE",
    "OPTIONS"
  ],
  "dns": {
    "examples": [
      "case-123.dns.hook.tcob.today",
      "customer42.password-reset.dns.hook.tcob.today",
      "case-123.dns.041700.xyz"
    ],
    "formats": [
      "<id>.dns.hook.tcob.today",
      "<id>.dns.041700.xyz"
    ],
    "notes": [
      "Use the hostname in a DNS lookup; HTTPS is not required.",
      "The zone apex is not captured because it has no correlation ID.",
      "dns.041700.xyz requires provider-side NS delegation to ns1.tcob.today before external lookups work.",
      "IDs may use multiple DNS labels; each label is limited to 63 characters.",
      "Use letters, numbers, and hyphens for broad client compatibility."
    ],
    "responses": {
      "A": "authoritative service IPv4 address",
      "ANY": "A response; zone apex also includes NS and SOA",
      "NS": "answered at the zone apex",
      "SOA": "answered at the zone apex",
      "other": "authoritative empty response; query is still captured",
      "outside_zone": "REFUSED"
    },
    "transports": [
      "UDP/53",
      "TCP/53"
    ]
  },
  "documentation": {
    "/": "HTML help",
    "/docs": "HTML help",
    "/docs.json": "this machine-readable endpoint inventory",
    "/help": "HTML help",
    "methods": [
      "GET",
      "HEAD"
    ]
  },
  "limits": {
    "captured_body_bytes": 2097152,
    "delay_seconds": 5,
    "min_free_bytes": 2147483648,
    "redirect_hops": 5,
    "retained_events": 5000
  },
  "path_aliases": {
    "/<route>": "preferred public form",
    "/hook/<route>": "equivalent compatibility form"
  },
  "profiles": {
    "/cors/<id>": "return proof with wildcard CORS headers",
    "/dcr/<id>": "dynamic client registration proof with client credential previews",
    "/delay/<seconds>/<id>": "delay for up to 5 seconds, then return proof",
    "/oauth/<id>": "OAuth/OIDC redirect proof with code/state/token previews",
    "/pixel/<id>": "return a transparent 1x1 PNG",
    "/redirect/<id>?hops=<0-5>": "redirect chain ending at /callback/<id>",
    "/script/<id>": "return JavaScript that pings /callback/<id>/executed",
    "/status/<code>/<id>": "return an allowlisted HTTP status after capture"
  },
  "service": "tcob hook",
  "status_codes": [
    201,
    202,
    204,
    301,
    302,
    307,
    308,
    400,
    401,
    403,
    404,
    410,
    418,
    429,
    500,
    502,
    503
  ],
  "success_headers": [
    "X-Hook-Id",
    "X-Hook-Body-SHA256",
    "X-Hook-Signature"
  ]
}
