Authentication
Dashboard authentication
Splithook uses email + password authentication with a 30-day remember-me cookie. There is no OAuth or SSO in the current version.
Registration
- Go to splithook.com/register.
- Enter your email and a password (min 8 chars).
- A workspace is created automatically with you as Owner.
- You receive a verification email — click the link to verify your address.
Some features (inviting team members, billing) require a verified email. If you didn't receive the email, use Resend verification from the dashboard banner.
Password reset
Go to the login page → Forgot password → enter your email. A reset link is valid for 30 minutes.
Capture endpoint — no auth
The webhook capture endpoint (/e/{slug}) is intentionally unauthenticated. External providers (Stripe, GitHub…) POST to it directly — they can't send session cookies or bearer tokens. Security on the ingest side is handled by:
- Slug obscurity — 8 base32 characters, ~1 trillion combinations. Rotate at any time if compromised.
- Signature verification — downstream, when you configure a signing secret, Splithook verifies the provider's HMAC on every request.
API tokens (coming soon)
The REST API is not yet available in this version. When released, it will use workspace-scoped bearer tokens. See REST API reference for the planned shape.
Team invitations
Owners and Admins can invite collaborators by email from Settings → Team → Invite. The invitation is valid for 7 days. When the recipient clicks the link:
- If they already have an account, they're added to the workspace immediately.
- If not, they go through registration first, then join automatically.
Invitations can be revoked from the Settings page before they're accepted.
Roles
| Role | Invite | Manage endpoints | Delete workspace | Billing |
|---|---|---|---|---|
| Owner | ✓ | ✓ | ✓ | ✓ |
| Admin | ✓ | ✓ | ✗ | ✗ |
| Member | ✗ | ✓ | ✗ | ✗ |
The Owner role cannot be transferred or demoted via the UI. Contact support to transfer workspace ownership.