Mailgun Webhook Tester — Test & Inspect Mailgun Webhooks Online

If you are wiring up Mailgun webhooks, the first question is always the same: what does Mailgun actually send? The docs show an idealised payload, but the real request — its headers and the exact JSON shape — is what your handler has to parse. A Mailgun webhook tester gives you a public URL that captures those real requests so you can read every byte before you write any code.

Get a free Mailgun webhook tester URL

The fastest way is our free Webhook Bin — a no-code webhook tester that gives you an instant public URL and stores every request that hits it, headers and body included. No signup, no deploy:

1. Open the Webhook Bin and copy the URL it generates for you.
2. In the Mailgun dashboard → Sending → Webhooks, add a webhook endpoint and paste that URL.
3. Trigger an event (see below) and watch the request land in the bin in real time.

Because the bin keeps the full request, you can inspect the headers, the Content-Type, and the complete payload — everything you need to build and verify a handler.

What a Mailgun webhook looks like

Mailgun delivers webhooks as an HTTP POST with a application/json body. Mailgun's modern webhooks POST JSON with two top-level objects: a signature object (timestamp, token, signature) and an event-data object describing what happened. Note that the signature lives in the body, not in a header.

A typical payload looks like this:

{
  "signature": {
    "timestamp": "1700000000",
    "token": "abc123...",
    "signature": "<hex hmac>"
  },
  "event-data": {
    "event": "delivered",
    "recipient": "[email protected]",
    "message": {
      "headers": {
        "message-id": "..."
      }
    }
  }
}

Common Mailgun events you will want to test:

• delivered
• opened
• clicked
• permanent_fail (bounced)
• complained
• unsubscribed

Verifying the Mailgun signature

Mailgun does not put its signature in a header. Each webhook body includes a signature object with three fields: timestamp, token and signature. To verify, concatenate timestamp + token, compute an HMAC-SHA256 of that string keyed by your Mailgun HTTP webhook signing key (Settings → Webhooks), hex-encode it, and compare it to the signature field in constant time. Also reject requests whose timestamp is not recent so a captured token can't be replayed.

You can sanity-check an HMAC implementation with the free HMAC signature verifier; for language-specific code and the common pitfalls, read verify a webhook signature.

From inspecting to receiving on localhost

A bin is perfect for seeing the payload. When you are ready to drive your local handler with real Mailgun events — without deploying — forward them straight to localhost with the Webhook Relay agent. The full walkthrough is here: Receive Mailgun webhooks on localhost.

That gives you a stable public URL that tunnels to your machine, so Mailgun keeps delivering to the same endpoint while you iterate on localhost, no firewall changes or public IP required.

Test Mailgun webhooks online in three steps

1. Capture — point Mailgun at a Webhook Bin URL and inspect the real request.
2. Verify — confirm the request is authentic (see above).
3. Forward — when the shape is clear, receive Mailgun webhooks on localhost and build your handler.

New to webhooks in general? Start with what is a webhook and how to test webhooks.

Ready to inspect your first Mailgun event? Open a free Webhook Bin and paste the URL into Mailgun.