tcob hook

Create memorable HTTP or DNS callback addresses, send them through an authorized test, and receive the complete interaction in Discord and SQLite.

Quick start

  1. Choose a descriptive identifier such as information123example.
  2. Place it in an HTTP path or before .dns.hook.tcob.today.
  3. Use that address in your authorized test and inspect the resulting Discord evidence.

curl -X POST https://hook.tcob.today/webhook/my-test \
  -H 'Content-Type: application/json' \
  -d '{"hello":"world"}'

dig information123example.dns.hook.tcob.today

Replace my-test or information123example with your correlation ID. Arbitrary HTTP categories also work at /<category>/<id>.

HTTP          hook.tcob.today
DNS zone      dns.hook.tcob.today
Retention     Latest 500 events
Body capture  Up to 2.00 MiB

HTTP callbacks

Use a named route to keep Discord events recognizable. Everything after the category becomes the correlation ID, including additional path segments.

Callback  /callback/demo      general-purpose callback; relaxed rate limit
Canary    /canary/demo        canary-token callback; relaxed rate limit
Ssrf      /ssrf/demo          server-side request forgery callback
Xss       /xss/demo           browser or script-execution callback
Webhook   /webhook/demo       webhook callback with request body capture
Email     /email/demo         email link or resource callback
Custom    /custom-check/demo  custom category; additional path segments are part of the ID

Every capture and response-profile route accepts GET, HEAD, POST, PUT, PATCH, DELETE, and OPTIONS. The public /<route> form and compatibility /hook/<route> form are equivalent.

Successful capture responses include X-Hook-Id, X-Hook-Body-SHA256, and X-Hook-Signature. Ordinary capture routes return a JSON evidence receipt.

DNS callbacks

Put your identifying information directly before .dns.hook.tcob.today. Descriptive labels and multiple labels are supported.

Single label
information123example.dns.hook.tcob.today

Captured correlation ID: information123example

Multiple labels
customer42.password-reset.dns.hook.tcob.today

Captured correlation ID: customer42.password-reset

dig A information123example.dns.hook.tcob.today
dig TXT customer42.password-reset.dns.hook.tcob.today
nslookup information123example.dns.hook.tcob.today

UDP and TCP queries are accepted. The event records the complete queried name, correlation ID, query type, source address, source port, transport, timestamp, and DNS question data.

A and ANY queries return the service IPv4 address. The zone apex answers NS and SOA; other query types return an authoritative empty response and are still captured. Names outside the zone are refused, and the bare zone apex is not captured because it contains no correlation ID.

Use these hostnames in DNS lookups or target fields. Do not browse to arbitrary subdomains: DNS capture does not require HTTPS, and the web certificate does not cover every possible callback label.

DNS labels may contain letters, numbers, and hyphens. Each label is limited to 63 characters; use dots to split longer identifiers.

Response profiles

These routes capture the request and then return a controlled response useful for callback testing.

Redirect  /redirect/demo?hops=3  302 same-origin redirect chain ending at /callback/<id>
Status    /status/404/demo       return an allowlisted HTTP status after capture
Delay     /delay/2/demo          delay the receipt by up to 5 seconds
Pixel     /pixel/demo            return a transparent 1x1 PNG
Script    /script/demo           return JavaScript that requests /callback/<id>/executed
Cors      /cors/demo             return the JSON receipt with wildcard CORS headers

Opening a route link creates a real captured event and Discord notification.

Status responses support 201, 202, 204, 301, 302, 307, 308, 400, 401, 403, 404, 410, 418, 429, 500, 502, and 503.

Redirect chains use hops=0 through hops=5 and finish at /callback/<id>. Invalid profile parameters return 400 after the request is captured.
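The correlation rules from the HTTP callbacks, DNS callbacks, and Response profiles sections, written out as an added Python example (not the service's own code) for building callback hostnames and mapping captured names and paths back to their IDs. The function names are hypothetical. It assumes the status code in /status/... and the delay in /delay/... are not part of the ID, that /admin paths carry no correlation ID, and it applies the general 253-character DNS name limit, which the page does not mention.

```python
import re

ZONE = "dns.hook.tcob.today"                # DNS zone named on the page
LABEL_CHARS = re.compile(r"[A-Za-z0-9-]+")  # letters, numbers, and hyphens
PARAM_ROUTES = {"status", "delay"}          # assumed: one parameter segment before the ID


def dns_callback_name(identifier: str) -> str:
    """Build a callback hostname; parts over 63 characters are split with dots."""
    labels = []
    for part in identifier.split("."):
        if not LABEL_CHARS.fullmatch(part):
            raise ValueError(f"invalid DNS label: {part!r}")
        # Splitting inserts dots, so the captured ID will contain them too.
        labels += [part[i:i + 63] for i in range(0, len(part), 63)]
    name = ".".join(labels + [ZONE])
    if len(name) > 253:                     # general DNS limit, not stated on the page
        raise ValueError("hostname exceeds 253 characters")
    return name


def dns_correlation_id(qname: str):
    """Return the ID carried by a queried name, or None if nothing is captured."""
    name = qname.rstrip(".")                # tolerate a fully qualified trailing dot
    suffix = "." + ZONE
    if not name.lower().endswith(suffix):
        return None                         # outside the zone, or the bare apex
    return name[:-len(suffix)] or None


def http_correlation(path: str):
    """Return (category, correlation_id) for a capture path, or None."""
    segments = path.split("?", 1)[0].strip("/").split("/")
    if segments[0] == "hook":               # compatibility /hook/<route> form
        segments = segments[1:]
    if segments and segments[0] in PARAM_ROUTES:
        segments = [segments[0]] + segments[2:]   # drop the status code or delay
    if len(segments) < 2 or segments[0] == "admin":
        return None                         # help, docs, admin, or no ID present
    return segments[0], "/".join(segments[1:])


if __name__ == "__main__":
    print(dns_callback_name("customer42.password-reset"))
    print(http_correlation("/hook/custom-check/demo/extra"))
```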

Captured evidence

The service listens privately on 127.0.0.1:8099. nginx terminates HTTPS, adds connection and TLS metadata, and forwards requests to the collector.

Admin API

curl -H 'Authorization: Bearer <token>' \
  https://hook.tcob.today/admin/recent

curl -H 'Authorization: Bearer <token>' \
  'https://hook.tcob.today/admin/export?format=jsonl'

/admin/recent returns five summaries. /admin/export returns the five latest complete events as JSON or JSONL. See /docs.json for machine-readable route documentation.

Admin endpoints accept only GET and HEAD. The HTML help is available at /, /help, and /docs; JSON help is at /docs.json. Documentation requests are not captured.

Admin routes require the private bearer token. Do not place it in callback URLs, browser history, source code, or screenshots.