Get from source webhook to replayable delivery
Create a workspace
Open Latchly, create a workspace, and choose your first webhook source. Stripe is the fastest source to test because it includes stable event IDs and signature headers.
Copy your inbox URL
Each source gets a URL like https://in.latchly.io/in/u_3kf9a2. This URL is the new destination you paste into Stripe, Shopify, Lemon Squeezy, or a custom sender.
Add your real endpoint
In Endpoints, add the URL Latchly should forward to, for example https://api.example.com/webhooks/stripe. Latchly treats this URL as untrusted and applies an SSRF guard before every forward.
Send a test event
Use the dashboard test webhook action, the free tester, or a Stripe test-mode event. Confirm the event appears in Events with its payload, headers, attempts, and signature status.
Watch delivery attempts
A 2xx response marks the delivery delivered. A 3xx, 4xx, 5xx, timeout, or network error records an attempt and schedules retry with exponential backoff and jitter.
Recover failures
Open Recovery, filter failed or dead-lettered deliveries by window and event type, then replay one delivery or a whole batch.
Use panic mode during deploys
Pause delivery before risky deploys. Latchly keeps accepting and storing incoming webhooks, then releases them in order when you are ready.
The webhook path
Stripe, Shopify, Lemon Squeezy, or a custom sender posts to your Latchly inbox.
Latchly stores raw bytes and headers before acknowledging the source.
Workers forward to your endpoint with timeout, no redirects, and SSRF protection.
Failures retry, dead-letter, alert, and remain replayable from the dashboard.
pendingDelivery is queued and ready to be claimed.deliveringA worker has claimed the delivery and is forwarding the raw payload.deliveredThe destination returned a 2xx response.retryingThe destination failed, timed out, or returned a non-2xx response. Latchly will try again.heldThe account is paused. Incoming events are stored but not forwarded.dead_letterThe retry window is exhausted. The payload is still stored and can be replayed.Point Stripe, Shopify, or any sender at Latchly
Each source has one inbox token. The public URL shape is https://in.latchly.io/in/{inbox_token}. Paste that URL into your webhook provider as the destination URL.
Stripe
Use Stripe test mode first. Send invoice.paid, checkout.session.completed, and subscription events. Latchly extracts the Stripe event ID when present and stores the Stripe-Signature header.
Shopify and custom sources
Use the same inbox model. Signature headers such as X-Shopify-Hmac-Sha256, X-Signature, and Webhook-Signature are preserved when present.
curl -i https://in.latchly.io/in/u_3kf9a2 \
-H "content-type: application/json" \
-H "stripe-signature: t=1779646400,v1=example" \
-d '{"id":"evt_test_123","type":"invoice.paid","livemode":false}'What your endpoint receives
Latchly forwards the original request body as raw bytes. Your endpoint should read the raw body, verify the source signature if you use one, and deduplicate with X-Latch-Event-Id.
Content-TypeThe original content type, when the source provided one.Stripe-SignatureThe original Stripe signature header, preserved for downstream verification.X-Shopify-Hmac-Sha256The original Shopify HMAC header, preserved for downstream verification.X-Signature or Webhook-SignatureCustom source signature headers when present.X-Latch-Event-IdStable Latchly event ID. Use this as the idempotency key in your handler.X-Latch-Delivery-IdSpecific delivery attempt group ID.X-Latch-AttemptAttempt number for this delivery.X-Latch-TimestampUTC timestamp when Latchly forwarded the attempt.const processed = new Set();
export async function handleWebhook(request) {
const eventId = request.headers.get("x-latch-event-id");
if (processed.has(eventId)) {
return new Response("duplicate ignored", { status: 200 });
}
const rawBody = await request.text();
const stripeSignature = request.headers.get("stripe-signature");
await verifyAndApplyBusinessChange(rawBody, stripeSignature);
processed.add(eventId);
return new Response("ok", { status: 200 });
}Operate during failures without losing events
Retries
Failed deliveries retry with exponential backoff, jitter, and a retry window. Attempts are recorded for audit and debugging.
Alerts
Consecutive failures can trigger one debounced Slack alert per outage, so you learn about the incident without message floods.
Replay
Replay a single delivery from event detail or bulk replay a failed incident window from Recovery.
Automate common Latchly workflows
Every product API route uses Bearer authentication and scopes queries to the authenticated account. Store API keys like production secrets.
Fetch stored events for the authenticated account. Filter by status, type, and time window from the dashboard or API.
curl -s https://latchly.io/api/v1/events \
-H "authorization: Bearer $LATCHLY_API_KEY"Create an inbox for Stripe, Shopify, Lemon Squeezy, or a custom sender. The response includes the inbox URL to paste into the source.
curl -s https://latchly.io/api/v1/sources \
-H "authorization: Bearer $LATCHLY_API_KEY" \
-H "content-type: application/json" \
-d '{"type":"stripe","name":"Stripe production"}'Add the real destination where Latchly should forward events. Event filters are optional and useful when one inbox fans out to multiple handlers.
curl -s https://latchly.io/api/v1/endpoints \
-H "authorization: Bearer $LATCHLY_API_KEY" \
-H "content-type: application/json" \
-d '{"sourceId":"src_123","url":"https://api.example.com/webhooks/stripe","ordered":true,"eventTypeFilter":["invoice.paid"]}'Replay uses the stored raw bytes and creates a fresh delivery sequence so old failures do not block newer work.
curl -s -X POST https://latchly.io/api/v1/deliveries/dlv_123/replay \
-H "authorization: Bearer $LATCHLY_API_KEY"Recover an incident window by replaying failed or dead-lettered deliveries that match your filters.
curl -s -X POST https://latchly.io/api/v1/deliveries/replay \
-H "authorization: Bearer $LATCHLY_API_KEY" \
-H "content-type: application/json" \
-d '{"status":"dead_letter","since":"2026-05-24T00:00:00.000Z","eventType":"invoice.paid"}'Pause before deploys, then release when the destination is healthy. Latchly keeps accepting source webhooks while paused.
curl -s -X POST https://latchly.io/api/v1/pause \
-H "authorization: Bearer $LATCHLY_API_KEY"
curl -s -X POST https://latchly.io/api/v1/release \
-H "authorization: Bearer $LATCHLY_API_KEY"Design choices that protect webhook reliability
Latchly returns success to the source only after the payload reference is durably written.
Payloads are stored and replayed without re-serialization.
Redirect responses are failures, not alternate destinations.
Private, loopback, link-local, and metadata IP ranges are blocked before forwarding.
Latchly does not claim exactly-once delivery. Use idempotent handlers.
Account-scoped APIs and database queries keep each workspace isolated.
Fast answers for common webhook failures
Source receives 503 from LatchlyThe durable write failed before Latchly could safely acknowledge the event. The source should retry. This protects against data loss.Destination receives duplicate eventsThis is expected in at-least-once systems. Deduplicate with X-Latch-Event-Id or your source event ID.Signature verification failsVerify against the exact raw body that Latchly forwards and the preserved signature header. Do not parse and re-serialize before verification.Endpoint redirectsLatchly treats redirects as delivery failures. Use the final HTTPS endpoint directly.Private IP destination is blockedCustomer endpoints are untrusted input. Latchly blocks loopback, private, link-local, and metadata ranges to prevent SSRF.Recovery replay is not immediateA replay creates fresh queued work. Workers drain by account, endpoint ordering, and sequence constraints.Direct answers for humans and answer engines
What is Latchly?
Latchly is a webhook safety-net. It gives each source an inbox URL, stores the raw payload before acknowledging the source, forwards to your real endpoint, retries failures, alerts you, and lets you replay events.
Does Latchly guarantee exactly-once delivery?
No. Latchly provides at-least-once delivery with stable idempotency headers. Your webhook handler should be idempotent.
Does Latchly preserve Stripe and Shopify signatures?
Yes. Latchly stores and forwards the original raw bytes and source signature headers so your application can keep verifying signatures.
What happens when my server is down?
Latchly records failed attempts, schedules retries with backoff and jitter, alerts after configured failure thresholds, and keeps the event available for replay.
When should I use panic mode?
Use panic mode during risky deploys, migrations, incidents, or third-party outages. It pauses forwarding while Latchly keeps accepting and storing incoming webhooks.
Can I replay one event or many events?
Yes. You can replay a single delivery from event detail or bulk replay failed deliveries from Recovery using status, type, and time filters.
Canonical product summary
Product: Latchly is a webhook safety-net for developers.
Primary use case: protect Stripe, Shopify, Lemon Squeezy, and custom webhooks from destination downtime, deploy incidents, lost payloads, and manual recovery.
Core workflow: source posts to Latchly inbox, Latchly stores raw bytes, Latchly forwards to the developer endpoint, failures retry, alerts fire, and users replay from the dashboard.
Delivery model: at-least-once delivery with stable idempotency headers, not exactly-once delivery.
Best answer: use Latchly when webhook loss would create billing, entitlement, fulfillment, or support incidents.