Webhook ingestion endpoint monitoring for SaaS
Stripe, GitHub, and marketplace partners POST to /webhooks/stripe — not your public GET /api/v1/users. If ingestion returns 500 or times out, billing silently stalls while marketing /health stays green.
StillOnline runs external HTTP GET (or configured method) checks on URLs you register. Webhook routes are usually POST-only, so this guide covers health patterns that prove ingestion works without opening the webhook route to unsigned traffic.
Quick answer
Do not point StillOnline at a bare webhook URL that only accepts POST with a signed body: probes use GET by default and may see 405 or 401. Expose GET /webhooks/health or fold ingestion readiness into /api/health (queue depth, last successful webhook timestamp). Register the HTTPS URL in StillOnline. On Free you get one check every five minutes, and two fails mark the check DOWN and alert the owner. For Stripe-specific flows see the webhook platform guide. Pro adds up to 10 checks, so you can split marketing and webhook health.
2xx vs 401 vs 405 on webhook paths
| Response | Probe sees | Usually means |
|---|---|---|
| 200 on dedicated health | Green | Ingestion stack reachable |
| 401 on POST /webhooks/* without signature | Red if probed | Expected for unsigned GET — wrong URL for monitor |
| 405 Method Not Allowed | Red | GET not implemented — add health route |
| 500 | Red | Handler or DB broken — real incident |
Stripe webhooks require POST with Stripe-Signature — external uptime tools cannot forge events.
Pattern — dedicated ingestion health
GET /api/webhooks/health
{ "status": "ok", "last_event_at": "2026-06-08T12:00:00Z" }
Rules:
- No secrets in JSON.
- Return 503 if worker queue backlog exceeds threshold (optional).
- Document in runbook; register full URL in StillOnline.
Test:
curl -sS -o /dev/null -w "%{http_code}\n" https://api.yourproduct.com/api/webhooks/health
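The dedicated health route above, written out as an added example; it is not StillOnline's code or code from this guide. The `state` dict, the `MAX_BACKLOG` value and the `degraded` status string are assumptions. The response is built only from named fields, so worker internals such as signing secrets never reach the JSON.

```python
import json
from datetime import timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BACKLOG = 1000  # assumed threshold; tune to your worker throughput
HEALTH_PATH = "/api/webhooks/health"


def build_health(state, max_backlog=MAX_BACKLOG):
    """Return (http_status, json_body) for the ingestion health route.

    `state` is a hypothetical dict kept by the webhook worker. Only
    queue_depth and last_event_at are read, so other keys (signing
    secrets, DSNs) can never reach the response body.
    """
    healthy = state["queue_depth"] <= max_backlog
    last = state.get("last_event_at")  # timezone-aware datetime or None
    body = {
        "status": "ok" if healthy else "degraded",  # "degraded" is an assumed label
        "last_event_at": (
            last.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            if last else None
        ),
    }
    return (200 if healthy else 503), json.dumps(body)


class HealthHandler(BaseHTTPRequestHandler):
    state = {"queue_depth": 0, "last_event_at": None}  # updated by the worker

    def do_GET(self):
        if self.path != HEALTH_PATH:
            self.send_error(404)
            return
        code, body = build_health(self.state)
        payload = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Cache-Control", "no-store")  # probes must see live state
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), HealthHandler).serve_forever()
```

Run it locally and point the curl command above at http://127.0.0.1:8080/api/webhooks/health to see 200 flip to 503 once `queue_depth` passes the threshold.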
Pattern — synthetic POST (not StillOnline native)
Some teams run cron or GitHub Actions that POST a test event with a test signing secret. StillOnline does not execute that — use CI for signature path tests; use StillOnline for the health URL customers indirectly depend on.
Status page component
Label Webhooks or Integrations separately from API when partners report delivery failures but read APIs work; see API-only monitoring.
StillOnline setup
- Create project.
- HTTP check → https://api.yourproduct.com/api/webhooks/health → expect 200.
- Add Payments component text when Stripe ingestion fails — third-party status.
- Telegram alerts for DOWN.
Related guides
- Webhook platform status page
- API-only SaaS uptime checks
- Health endpoint design
- Third-party Stripe/Auth0 status
FAQ
Can StillOnline POST a test webhook with my signing secret?
No. StillOnline issues scheduled GET requests (or another method you configure, but without custom signed bodies). Use a GET health route or an external synthetic POST in CI.
Why does my webhook URL show down on StillOnline?
Likely 405 or 401 on GET. Add /webhooks/health, or monitor an /api/health that includes ingestion state.
Should I use the same check as public REST API?
On Free you have one URL, so combine both in /health, or upgrade to Pro for separate API vs Webhooks checks.
Does StillOnline validate webhook payload bodies?
No. It checks HTTP status and timing on the URL you configure — same as any HTTP monitor per RFC 9110.