diff --git a/ansible/roles/podman/templates/caddy/Caddyfile.j2 b/ansible/roles/podman/templates/caddy/Caddyfile.j2
index 048696f..e0ce118 100644
--- a/ansible/roles/podman/templates/caddy/Caddyfile.j2
+++ b/ansible/roles/podman/templates/caddy/Caddyfile.j2
@@ -344,6 +344,15 @@
 # Fulfillr - {{ fulfillr_server_name }} (Static + API with IP restrictions)
 {{ fulfillr_server_name }} {
+ # Public EasyPost tracker webhook — HMAC-verified inside go-fulfillr. Placed
+ # before the IP restriction (handle blocks are mutually exclusive, first
+ # match wins) so EasyPost's servers can POST here while everything else on
+ # this host stays IP-restricted.
+ @easypost_webhook path /webhooks/easypost
+ handle @easypost_webhook {
+ reverse_proxy localhost:9054
+ }
+
 {{ ip_restricted_site() }}
 @api {
@@ -391,6 +400,13 @@
 # Fulfillr DEV/staging - {{ fulfillr_dev_server_name }} (Static + API with IP restrictions)
 {{ fulfillr_dev_server_name }} {
+ # Public EasyPost tracker webhook (test mode) — HMAC-verified inside
+ # go-fulfillr. Placed before the IP restriction so EasyPost can POST here.
+ @easypost_webhook path /webhooks/easypost
+ handle @easypost_webhook {
+ reverse_proxy localhost:9055
+ }
+
 {{ ip_restricted_site() }}
 @api {
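Review bot: The `@easypost_webhook` matcher in the `{{ fulfillr_server_name }}` site, and the identical one in the `{{ fulfillr_dev_server_name }}` hunk, admits every HTTP method and sets no body-size cap at the proxy. Requests from any address therefore reach go-fulfillr in full before its HMAC check can reject them. Narrowing the matcher to `method POST` and adding a `request_body` limit inside the `handle` would keep this unauthenticated surface to what EasyPost actually sends; other methods on that path would then fall through to the IP-restricted handling. The comment's "first match wins" reasoning also depends on what `{{ ip_restricted_site() }}` expands to, which is outside this diff, so it is worth confirming against the rendered config (for example with `caddy adapt`). Both site blocks continue past the end of their hunks.

```caddyfile
    @easypost_webhook {
        path /webhooks/easypost
        method POST
    }
    handle @easypost_webhook {
        request_body {
            # placeholder limit; size it to the largest event EasyPost sends
            max_size 1MB
        }
        reverse_proxy localhost:9054
    }
    # … unchanged: {{ ip_restricted_site() }} and the @api block …
```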