Webhook with a thin payload

Receivers want fast notifications, not megabytes. Senders sometimes have large or sensitive data to deliver. The common workaround is "thin webhooks": send an ID, let the receiver call back for the actual data. kubbi productizes that pattern with encryption, TTL, and burn semantics baked in.

How it works

1. The producer creates a kubbi with the payload. Receives a claim URL.
2. The webhook POST body carries only the claim URL (plus event metadata).
3. The receiver decides whether to claim. If yes, it follows the claim URL and retrieves the payload server-side.

The payload doesn't sit in webhook delivery logs, gateway logs, or the receiver's request logs. No size limit on what the webhook can effectively carry.

Examples

Security analyst → automated triage agent

A human security analyst's tool creates a kubbi containing a decrypted incident report with IOCs (20-minute TTL, single-read) and sends only the claim URL to the triage platform's inbound API. The triage agent claims the report, processes the IOCs, and the report is burned.

Mobile app → backend verification service

A mobile app creates a kubbi with a signed biometric attestation token (90-second TTL, single-read) and sends only the claim URL in its request to the backend identity verification microservice. The short TTL makes replay attacks impractical.

Related

• The mental model: side-channel pattern
• Lifecycle controls: TTL and retrievals