What is FiveHook?
If you run a FiveM server, you probably use Discord webhook URLs to send notifications — a player joins, money changes hands, someone gets banned. A message flies off to your Discord channel. Totally normal.
Here's the problem: those webhook URLs are just sitting out there. If someone gets hold of one, they can spam it, delete it, rename it — and you won't even notice until it's too late.
Even if someone steals the proxy URL, all they see is our address. Your actual Discord token is never exposed.
How does it work?
Your FiveM script sends a request to the proxy URL
You replace the old Discord URL with the proxy URL FiveHook gives you. That's it — nothing else changes.
FiveHook runs the checks
Is this actually coming from FiveM? Too many requests in a short window? Same message sent repeatedly? Unrecognized IP? We verify all of this in milliseconds.
If it passes, it's forwarded to Discord
Clean requests are forwarded instantly. Suspicious ones are silently blocked and logged. You don't have to do anything.
Getting Started
Sign in with Discord
Click "Login with Discord" on the homepage. We use Discord OAuth2 — no separate password, no email signup.
Grab your Discord webhook URL
Open the Discord channel you want to protect. Go to Channel Settings → Integrations → Create Webhook, then click "Copy Webhook URL".
Add a webhook in FiveHook
Dashboard → Webhooks tab → "+ Add Webhook". Give it a name, paste your Discord URL, choose your protection settings.
Copy the proxy URL and drop it into your scripts
After adding, you'll see a proxy URL on the webhook card. Copy it, replace the old Discord URL in your FiveM scripts. Done.
https://discord.com/api/webhooks/1234567890/abcDEF-your-secret-tokenUsing in FiveM
FiveM Lua scripts typically send webhook requests using PerformHttpRequest. The only change you need to make is the URL — everything else stays identical.
Before — the old way (unsafe)
local webhookUrl = "https://discord.com/api/webhooks/123456789/your-secret-token"
PerformHttpRequest(webhookUrl, function(err, text, headers) end, 'POST',
json.encode({
content = "Player joined: " .. GetPlayerName(source)
}),
{ ['Content-Type'] = 'application/json' }
)After — with FiveHook (safe)
-- Replace the Discord URL with your FiveHook proxy URL
local webhookUrl = "https://fivehook.com/api/webhook/your-uuid-here"
PerformHttpRequest(webhookUrl, function(err, text, headers) end, 'POST',
json.encode({
content = "Player joined: " .. GetPlayerName(source)
}),
{ ['Content-Type'] = 'application/json' }
)Using multiple webhooks?
You can create a separate FiveHook proxy for each Discord webhook you have. Each one gets its own protection settings, request logs, and proxy URL. Up to 50, all free.
Protection Settings
Each webhook has four independent protection layers. Leave them all on, or tune them to match your setup.
| Setting | Default | What it does |
|---|---|---|
| FiveM UA Guard | On | Only accepts requests with the exact FXServer/PerformHttpRequest User-Agent. Anything else is rejected outright. |
| Rate Limiting | On | Caps the number of requests per time window. Excess requests are blocked. Stops flood and spam attacks cold. |
| Duplicate Detection | Off | Blocks identical payloads sent repeatedly within a short window. Perfect if a script gets stuck in a loop and hammers the same log message. |
| IP Allowlist | Off | Only allows requests from IPs you explicitly trust. Add your server's IP and everything else is dropped. |
FiveM User-Agent Guard
FiveM's PerformHttpRequest always sends exactly FXServer/PerformHttpRequest as its User-Agent. With this protection on, only requests carrying that exact string get through — anything sent from a browser, Postman, or any other tool is rejected.
Rate Limiting
Set the maximum number of requests per minute directly on the webhook card. Requests beyond the limit are blocked and logged. The default covers most typical FiveM setups.
Duplicate Detection
When enabled, identical payloads sent within a configurable window are blocked after a threshold is hit.
Window — how long the detection window lasts (default: 60 seconds)
IP Allowlist
Add one IP per line. Wildcards are supported:
1.2.3.4 -- exact match 1.2.3.* -- wildcard (any IP in this block) 192.168.1.* -- local network example
Logs & Analytics
Every request that hits your webhook gets logged. Click the log icon on any webhook card to see a full history going back 30 days.
What's in each log entry?
| Field | Description |
|---|---|
| Status | Was the request forwarded? Blocked? Why? (UA mismatch, rate limit, duplicate, IP, etc.) |
| IP Address | Anonymized — the last IPv4 octet is zeroed, the last four IPv6 groups are masked. The real IP is never stored. |
| User-Agent | The client identifier. You can instantly see if it's FiveM or something suspicious. |
| Size | Payload size in bytes. The actual content of your messages is never read or stored. |
| Timestamp | Exact date and time of the request. |
The dashboard chart
The main dashboard shows a 7-day summary chart: total requests vs. blocked requests per day. This data is stored as aggregates — individual message contents are never recorded.
Folders
If you have a lot of webhooks, you can group them into folders — "Economy", "Moderation", "Server Logs", whatever makes sense for your setup.
How to use them
When adding or editing a webhook, type a folder name in the Folder field. Webhooks sharing the same name are automatically grouped together under that folder tab.
Bulk folder settings
There's a small gear icon next to each folder tab. Click it to apply protection settings and rate limits to all webhooks in that folder at once — no need to update them one by one.