Webhook
Definition
A webhook is an HTTP POST your service receives whenever a specific event happens at another service. Stripe sends one when a payment succeeds; GitHub sends one when a PR opens; Slack sends one when a slash command runs. Push, not pull.
What it means
The provider lets you register a URL; when the event fires, the provider POSTs JSON (or form-encoded) data to your URL. You respond 2xx to ack receipt; 4xx/5xx triggers retry (provider-specific: Stripe retries 3 days with exponential backoff; GitHub retries 5 times). Production webhooks need: signature verification (HMAC-SHA256 with a shared secret in the X-Signature header — proves the request came from the provider), idempotency (event deduplication via the provider's event ID, so retries don't double-process), and observability (log every webhook with payload + response status so you can debug failures).
Why it matters
Webhooks are the standard way services notify each other of events without polling. Stripe, GitHub, Slack, Twilio, Calendly, Linear, Notion — every modern SaaS exposes them. Common mistakes: trusting the request without verifying the signature (lets attackers forge events), processing synchronously instead of queuing (a slow handler causes the provider to retry, leading to duplicate work), and ignoring signature mismatches without logging (silent failures become 'why didn't my Slack integration trigger?' tickets).
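The receiver-side checks listed under "What it means" and the mistakes listed above, as an added example that is not code from any provider's SDK: it verifies the HMAC-SHA256 signature over the raw body, logs mismatches, deduplicates on the event ID, and queues the event instead of processing it inline. The `X-Signature` header carrying a hex digest, the `id` field, the secret, and the in-memory set and list are assumptions for illustration; real providers each define their own header name and signature format.

```python
import hashlib
import hmac
import json
import logging

log = logging.getLogger("webhooks")

SECRET = b"constructed-demo-secret"  # assumption: the secret shared with the provider
seen_event_ids = set()               # assumption: a durable store with a TTL in production
queue = []                           # stand-in for a real job queue


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_webhook(headers: dict, body: bytes) -> int:
    """Return the HTTP status code to send back to the provider."""
    received = headers.get("X-Signature", "")
    # Verify the raw bytes before parsing them; compare in constant time.
    if not hmac.compare_digest(sign(SECRET, body).encode(), received.encode()):
        log.warning("signature mismatch, body_len=%d", len(body))  # never silent
        return 401
    try:
        event = json.loads(body)
        event_id = event["id"]
        if not isinstance(event_id, str):
            raise TypeError("event id must be a string")
    except (ValueError, KeyError, TypeError):
        log.warning("verified but malformed payload")
        return 400
    if event_id in seen_event_ids:
        log.info("duplicate delivery of %s, already queued", event_id)
        return 200  # ack the retry without processing it again
    seen_event_ids.add(event_id)
    queue.append(event)  # the slow work happens in a worker, not in the handler
    log.info("accepted %s", event_id)
    return 200


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    body = b'{"id": "evt_constructed_1", "type": "payment.succeeded"}'  # constructed
    signed = {"X-Signature": sign(SECRET, body)}
    print(handle_webhook(signed, body))                     # first delivery
    print(handle_webhook(signed, body))                     # provider retry
    print(handle_webhook({"X-Signature": "0" * 64}, body))  # forged signature
```

The signature is checked against the exact bytes received, so the handler must be given the unparsed body; re-serializing parsed JSON can change the bytes and break verification.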
Frequently asked questions
Webhooks vs polling?
Webhooks: real-time, low overhead, require a public-facing endpoint. Polling: simpler to set up, eventually consistent, wastes API calls. Use webhooks for events that need immediate action, polling for slow-changing state queries.
Local development?
ngrok, Cloudflare Tunnel, or webhook.site exposes a local endpoint via a public URL. Stripe + GitHub also have CLI tools (stripe listen, gh webhook forward) that proxy webhooks to localhost.
What if my server is down?
Most providers retry with exponential backoff for hours or days. Some (Stripe) have a webhook event log you can replay. Critical: always log webhook receipt + response so you can replay missed events manually.
Related terms
- API: An API (Application Programming Interface) is a contract that lets one program request something from another — typically over HTTP, in JSON. 'Web APIs', 'REST APIs', 'GraphQL APIs' are all flavors of the same idea: a defined surface for programmatic access.
- HTTPS: HTTPS is HTTP wrapped in a TLS-encrypted tunnel. Everything between your browser and the server — URLs, form data, cookies, response bodies — is encrypted in transit so a network observer (cafe Wi-Fi, ISP, anyone in between) can't read it or change it.