<< back to Guides
<< back to Guides
π Webhooks Deep Dive: Real-Time Communication Between Services
Webhooks are a lightweight, efficient way for applications to notify each other of events in real-time by sending HTTP POST requests to predefined URLs.
They are event-driven, push-based alternatives to polling, commonly used in APIs like Stripe, GitHub, Slack, and many others.
π What is a Webhook?
A webhook is a mechanism where one system (sender) automatically sends an HTTP request (usually POST) to another system (receiver) when a certain event occurs.
π How It Works
- Client registers a webhook URL with the provider.
- Event happens (e.g., payment succeeded).
- Provider sends HTTP POST to the webhook URL with event payload.
- Client processes the event.
π§ͺ Webhook Example: Stripe Payment
π€ Stripe Sends Webhook
POST /webhook
Content-Type: application/json
Stripe-Signature: t=162890...
{
"id": "evt_123",
"type": "payment_intent.succeeded",
"data": {
"object": {
"id": "pi_456",
"amount": 5000
}
}
}
π₯ Your App Receives It
@app.route("/webhook", methods=["POST"])
def handle_webhook():
event = request.get_json()
if event["type"] == "payment_intent.succeeded":
handle_success(event["data"]["object"])
return "", 200
π Webhook Security
Since webhooks are open endpoints, they need to be protected.
β Best Practices
- Verify signatures (e.g., HMAC or API provider secret)
- Use HTTPS only
- Restrict by IP or firewall if possible
- Rate-limit and throttle
- Do not trust user input
πΉ HMAC Signature Verification (Node.js Example)
const crypto = require("crypto");
function verifySignature(payload, header, secret) {
const hmac = crypto.createHmac("sha256", secret);
hmac.update(payload, "utf8");
const digest = hmac.digest("hex");
return digest === header;
}
π¦ Payload Format
- JSON is the standard format.
- Typically includes:
eventortypetimestampdataobjectidof the event
Always refer to the providerβs docs for exact payload structure.
π Reliability & Best Practices
Webhooks are fire-and-forget by design. To ensure robustness:
β Best Practices for Consumers
- Return 2xx quickly (e.g., 200 OK) even if async processing
- Queue webhook events for durable background jobs
- Handle duplicates (idempotency is key)
- Implement retries and dead-letter queues
- Log and monitor events received
β Best Practices for Providers
- Retry failed requests with exponential backoff
- Document webhook structure and behavior
- Provide test utilities (e.g., GitHub/Stripe simulators)
- Allow secret rotation
π§° Tools for Working with Webhooks
| Tool | Purpose |
|---|---|
| ngrok | Expose local server to receive webhooks |
| Webhook.site | Test and inspect HTTP requests |
| RequestBin | Temporary endpoint for debugging |
| Postman | Create mock endpoints & simulate payloads |
| Svix | Hosted webhook management platform |
π Webhooks vs Polling vs Pub/Sub
| Feature | Webhooks | Polling | Pub/Sub (e.g., Kafka) |
|---|---|---|---|
| Push-based | β | β | β |
| Real-time | β | β | β |
| Easy to set up | β | β | β |
| Scalable | β οΈ (needs infra) | β | β |
| Durable | β | β | β |
Use webhooks for simple integrations, and Pub/Sub or message queues for high-volume or critical systems.
𧩠Real-World Use Cases
- Stripe:
payment_intent.succeeded - GitHub:
push,pull_request,issues - Slack: custom slash commands and bots
- Shopify: order creation, cart updates
- Zapier: webhook-based integrations
β Checklist: Webhook Consumer
- [x] HTTPS endpoint
- [x] Signature verification
- [x] Return 2xx response immediately
- [x] Deduplicate events using
id - [x] Use retry + logging mechanism
- [x] Queue events for background processing
π Resources
<< back to Guides