Webhook Relay
Production-shaped webhook delivery API with HMAC signing, idempotency keys, exponential-backoff retries, dead-letter handling, per-attempt observability, and SDKs in four languages.

Overview
A portfolio build that demonstrates the whole product surface a serious API client expects — endpoints, ergonomics, reliability semantics, generated SDKs, interactive docs, an operator dashboard, and a deploy story — not just an API behind a README.
Reliability features:
- HMAC-SHA256 outbound signing in the Stripe/Svix t=…,v1=… header format. Each SDK ships a hand-tuned verifySignature helper with constant-time comparison and timestamp-window enforcement.
- Idempotency keys on event ingest with a 24-hour dedup window. A separate idempotency-records table sidesteps MySQL's lack of partial unique indexes; same key + same payload returns the cached response, same key + different payload returns 409.
- Exponential-backoff retries — 30s, 2m, 10m, 1h, 6h — across five retries after the first attempt. Sixth failure dead-letters the delivery.
- Per-subscription circuit breaker auto-pauses a subscriber after eight consecutive failures.
- Dead-letter queue with manual replay; the original attempt history stays intact for audit.
- Per-attempt observability — every attempt records HTTP status, latency, signature header, whitelisted response headers, and a 4 KB body snippet.
- SSRF guard refuses outbound delivery to private / loopback / link-local IPs.
- Workspace-scoped rate limits with X-RateLimit-* headers exposed cross-origin so the try-it console can show them.
- Signing key rotation with a 48-hour grace window — old secret stays valid while receivers update.
Surface:
- 16 REST endpoints under /v1/ — events, subscriptions, deliveries, dead-letters, webhook-test probe, healthz.
- OpenAPI 3.1 spec hand-authored as the source of truth; controllers conform to it. CI lints with Spectral and fails on SDK drift.
- Filament 4 admin dashboard — workspaces, events with payload viewer, subscriptions with pause/resume/rotate actions, deliveries with full attempt timeline and retry, API keys with mint-once-show-once flow. Dashboard widgets: events 24h, deliveries 24h, success rate, dead-letter open count, failing-subs table.
- Next.js 16 docs site at the brand domain — 21 statically rendered routes, Scalar-powered interactive try-it console at /reference, conceptual guides for signing/idempotency/retries/filtering/receivers, per-language SDK pages, downloads page with OpenAPI YAML/JSON + Postman collection + SDK zips.
- SDKs in TypeScript, PHP, Python, Go. Generated from the spec, hand-tuned signature verifiers, identical 5-test contract across all four languages.
Stack:
- Laravel 13.14, PHP 8.3, MySQL 8, Redis + Horizon (under supervisord), Filament 4, Apache + mod_php, Let's Encrypt
- Next.js 16, Scalar API reference, Tailwind 4
- @openapitools/openapi-generator-cli 7.22 for SDK generation
- PHPUnit + ParaTest for the API suite
What it proves:
The same person who hand-authored the OpenAPI spec wrote the controllers, generated the SDKs, hand-tuned the verifier helpers, built the Filament dashboard, scaffolded the Next.js docs site, wired the deploy pipeline, and shipped it live. The case for hiring me to build a single coherent API product instead of stitching together a backend dev + frontend dev + DevOps + tech writer.
Results
66 PHPUnit tests + 20 SDK signature tests, all passing
21 statically rendered docs routes, Lighthouse desktop 100 / 95 / 100 / 100 on the landing
SDKs in 4 languages from one spec, each with a hand-tuned signature verifier
Atomic release-based deploy via SSH + rsync, zero-downtime symlink switch