Top-level /hook/** webhook receivers. These sit
outside the /api auth middleware — they are
public (no access-token) because the provider (Stripe) posts
signed event payloads directly. They are normally configured as provider
webhook endpoints, not called by hand; this page lets you replay a sample
event body for debugging.