Guide

Share Sanitized Requests

Share sanitized requests turns a captured FastHook request into a read-only snapshot that can be opened without a dashboard login. It is designed for support tickets, incident handoffs, vendor debugging, and teammate review.

The shared snapshot is created after FastHook redacts sensitive header, query, and body keys. Authorization headers, cookies, API keys, provider signatures, tokens, passwords, private keys, and custom redaction keys are replaced before the public link is returned.

This is different from sharing dashboard access. A request share contains only the sanitized copy created at that moment, has an expiration time, and does not expose the team, source configuration, destinations, retries, or unrelated traffic.

What The Share Link Contains

A sanitized request share keeps enough evidence to debug the webhook shape while removing values that commonly grant access or identify private credentials.

FastHook stores a snapshot for the share link. Opening the link later reads the sanitized copy, not the original request payload.

  • Request id, status, source id, created time, and verification state.
  • HTTP method, path, query string, and URL display.
  • Headers with sensitive values redacted.
  • Parsed query parameters with sensitive values redacted.
  • Body content with nested sensitive keys redacted.
  • A body_truncated flag when the sanitized body is larger than the share limit.
  • Expiration metadata for the public link.

Default Redaction Rules

FastHook redacts common secret-bearing names wherever they appear in headers, query parameters, or nested JSON body objects. Matching is case-insensitive and also catches common separators such as dashes and underscores.

You can add extra redaction keys when the payload uses business-specific fields such as customer_id, account_number, or internal_user_email.

  • authorization, bearer, cookie, set-cookie, token, access_token, refresh_token, password, secret, client_secret, private_key, api_key, x-api-key, and x-auth-token.
  • Provider signatures such as stripe-signature, x-hub-signature, x-hub-signature-256, x-slack-signature, x-sendgrid-signature, x-telegram-bot-api-secret-token, and x-twilio-signature.
  • Custom redact_keys passed when the share is created.
  • Deeply nested objects and arrays up to the maximum safe depth.
  • Very large strings, arrays, objects, and body payloads are truncated to keep the link inspectable.

Dashboard Workflow

  • Open Requests in the FastHook dashboard.
  • Select the captured request you want to discuss.
  • Click Share sanitized in the request inspector.
  • FastHook creates an expiring sanitized snapshot and copies the public link.
  • Send the link to a teammate, vendor, or support ticket.
  • Use replay, modified replay, or transformations only after the shared evidence is understood.

API Workflow

Use the create share endpoint when you need to automate support links from incident tooling or internal dashboards. The default expiration is seven days and the maximum expiration is thirty days.

Create sanitized share
curl -X POST "https://api.fasthook.io/v1/requests/req_01jv8c3m7b2p4q9x6r5t1n0k8s/share" \
  -H "Authorization: Bearer fhp_xxx" \
  -H "x-team-id: tm_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Support case 1842",
    "expires_in_seconds": 604800,
    "redact_keys": ["customer_id", "account_number", "internal_email"]
  }'

Security Boundaries

Sanitized sharing is for debugging evidence, not for moving production data into public channels. If a payload contains regulated data or customer identifiers, add custom redaction keys before creating the share.

Public share links should be treated as bearer links. Anyone with the URL can read the sanitized snapshot until it expires or is revoked.

  • Do not share unsanitized dashboard screenshots when a sanitized link is enough.
  • Use short expirations for vendor tickets and public issue trackers.
  • Add custom redaction keys for tenant ids, customer ids, internal emails, or account numbers.
  • Keep full request access inside the authenticated dashboard.
  • Use noindex public share pages so share URLs are not intended for search indexing.

When To Use A Share Link

  • A provider support team needs to see the request shape but not your secrets.
  • A receiver owner needs headers, path, and body shape during an incident.
  • A teammate needs evidence in a ticket without joining the production team.
  • You want to compare original evidence before creating a modified replay.
  • You need a stable reproduction artifact while a webhook route is being debugged.

When Dashboard Access Is Better

Use dashboard access when the person needs to investigate multiple requests, retry delivery, inspect attempts, change routes, or manage sources and destinations. A sanitized share is intentionally narrow.

  • The person needs to replay or retry events.
  • They need destination attempts and response bodies for many requests.
  • They must change filters, transformations, or connection state.
  • They need to compare traffic across a time range.
  • They are an operator who should have auditable team access.

Next