diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml
index 1acaf8d..af3595e 100644
--- a/ansible/roles/podman/tasks/main.yml
+++ b/ansible/roles/podman/tasks/main.yml
@@ -78,13 +78,13 @@
 - import_tasks: containers/debyltech/fulfillr.yml
 vars:
- image: git.debyl.io/debyltech/fulfillr:20260606.2328
+ image: git.debyl.io/debyltech/fulfillr:20260607.0217
 tags: debyltech, fulfillr
 # Staging back-office (fulfillr-dev.debyltech.com) — same image, staging Turso config.
 - import_tasks: containers/debyltech/fulfillr-dev.yml
 vars:
- image: git.debyl.io/debyltech/fulfillr:20260606.2328
+ image: git.debyl.io/debyltech/fulfillr:20260607.0217
 tags: debyltech, fulfillr-dev
 - import_tasks: containers/debyltech/uptime-kuma.yml
diff --git a/ansible/roles/podman/templates/caddy/Caddyfile.j2 b/ansible/roles/podman/templates/caddy/Caddyfile.j2
index 048696f..e0ce118 100644
--- a/ansible/roles/podman/templates/caddy/Caddyfile.j2
+++ b/ansible/roles/podman/templates/caddy/Caddyfile.j2
@@ -344,6 +344,15 @@
 # Fulfillr - {{ fulfillr_server_name }} (Static + API with IP restrictions)
 {{ fulfillr_server_name }} {
+ # Public EasyPost tracker webhook — HMAC-verified inside go-fulfillr. Placed
+ # before the IP restriction (handle blocks are mutually exclusive, first
+ # match wins) so EasyPost's servers can POST here while everything else on
+ # this host stays IP-restricted.
+ @easypost_webhook path /webhooks/easypost
+ handle @easypost_webhook {
+ reverse_proxy localhost:9054
+ }
+
 {{ ip_restricted_site() }}
 @api {
@@ -391,6 +400,13 @@
 # Fulfillr DEV/staging - {{ fulfillr_dev_server_name }} (Static + API with IP restrictions)
 {{ fulfillr_dev_server_name }} {
+ # Public EasyPost tracker webhook (test mode) — HMAC-verified inside
+ # go-fulfillr. Placed before the IP restriction so EasyPost can POST here.
+ @easypost_webhook path /webhooks/easypost
+ handle @easypost_webhook {
+ reverse_proxy localhost:9055
+ }
+
 {{ ip_restricted_site() }}
 @api {
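Review bot: The `@easypost_webhook` matcher exempts `/webhooks/easypost` from the IP restriction for every HTTP method and with no bound on request size, so the only control left on this route is the HMAC check inside go-fulfillr, which this diff does not show. Restricting the matcher to POST and capping the body before proxying keeps unauthenticated traffic to what the webhook needs; the same applies to the staging block that proxies to localhost:9055. Caddy orders directives by its built-in directive order rather than by position in the file, so the "placed before" reasoning in the comment depends on what `ip_restricted_site()` expands to. That macro is outside the hunk, so it is worth confirming with a request from a non-allowlisted address. The site block itself continues past the end of the hunk.

```caddyfile
# … unchanged: explanatory comment above the matcher …
@easypost_webhook {
	path /webhooks/easypost
	method POST
}
handle @easypost_webhook {
	# Limit below is a constructed sample; size it to the largest expected tracker event.
	request_body {
		max_size 1MB
	}
	reverse_proxy localhost:9054
}
# … unchanged: ip_restricted_site() and the @api matcher …
```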