{
  "admin": {
    "/admin/export?format=json|jsonl": "latest 5 full events",
    "/admin/recent": "latest 5 summaries",
    "authentication": "Authorization: Bearer <token>",
    "methods": [
      "GET",
      "HEAD"
    ]
  },
  "base_url": "https://hook.tcob.today",
  "capture": {
    "/<category>/<id>": "custom category; additional path segments are part of the ID",
    "/callback/<id>": "general-purpose callback; relaxed rate limit",
    "/canary/<id>": "canary-token callback; relaxed rate limit",
    "/email/<id>": "email link or resource callback",
    "/ssrf/<id>": "server-side request forgery callback",
    "/webhook/<id>": "webhook callback with request body capture",
    "/xss/<id>": "browser or script-execution callback"
  },
  "capture_methods": [
    "GET",
    "HEAD",
    "POST",
    "PUT",
    "PATCH",
    "DELETE",
    "OPTIONS"
  ],
  "dns": {
    "examples": [
      "case-123.dns.hook.tcob.today",
      "customer42.password-reset.dns.hook.tcob.today"
    ],
    "format": "<id>.dns.hook.tcob.today",
    "notes": [
      "Use the hostname in a DNS lookup; HTTPS is not required.",
      "The zone apex is not captured because it has no correlation ID.",
      "IDs may use multiple DNS labels; each label is limited to 63 characters.",
      "Use letters, numbers, and hyphens for broad client compatibility."
    ],
    "responses": {
      "A": "authoritative service IPv4 address",
      "ANY": "A response; zone apex also includes NS and SOA",
      "NS": "answered at the zone apex",
      "SOA": "answered at the zone apex",
      "other": "authoritative empty response; query is still captured",
      "outside_zone": "REFUSED"
    },
    "transports": [
      "UDP/53",
      "TCP/53"
    ]
  },
  "documentation": {
    "/": "HTML help",
    "/docs": "HTML help",
    "/docs.json": "this machine-readable endpoint inventory",
    "/help": "HTML help",
    "methods": [
      "GET",
      "HEAD"
    ]
  },
  "limits": {
    "captured_body_bytes": 2097152,
    "delay_seconds": 5,
    "redirect_hops": 5,
    "retained_events": 500
  },
  "path_aliases": {
    "/<route>": "preferred public form",
    "/hook/<route>": "equivalent compatibility form"
  },
  "profiles": {
    "/cors/<id>": "return the JSON receipt with wildcard CORS headers",
    "/delay/<seconds>/<id>": "delay the receipt by up to 5 seconds",
    "/pixel/<id>": "return a transparent 1x1 PNG",
    "/redirect/<id>?hops=<0-5>": "302 same-origin redirect chain ending at /callback/<id>",
    "/script/<id>": "return JavaScript that requests /callback/<id>/executed",
    "/status/<code>/<id>": "return an allowlisted HTTP status after capture"
  },
  "service": "tcob hook",
  "status_codes": [
    201,
    202,
    204,
    301,
    302,
    307,
    308,
    400,
    401,
    403,
    404,
    410,
    418,
    429,
    500,
    502,
    503
  ],
  "success_headers": [
    "X-Hook-Id",
    "X-Hook-Body-SHA256",
    "X-Hook-Signature"
  ]
}