Webhook

A webhook is an HTTP callback — a server-to-server request that one system sends to another when a specific event occurs. Instead of your app constantly polling an API to check for changes (pull), the external service pushes the data to you the moment something happens (push).

Webhook vs API: push vs pull

With a regular API, your code initiates the request: "Hey Stripe, do I have any new payments?" You ask repeatedly until something changes. This is polling. It wastes requests, adds latency, and scales poorly.

With a webhook, Stripe calls your URL: "Here's a new payment event." You get the data instantly, only when something actually happens. No wasted requests. No delay.

How webhooks work

1. You register a URL with the external service (e.g., https://yourapp.com/webhooks/stripe)
2. An event occurs in the external system (payment succeeds, user signs up, repo push)
3. The service sends an HTTP POST to your registered URL with the event payload
4. Your server receives the request, processes the data, and returns a 200 OK
5. If your server doesn't respond (timeout, 5xx error), the service retries with exponential backoff

Common webhook use cases

• Payment events — Stripe, PayPal, and Paddle send webhooks for charges, refunds, and subscription changes
• User lifecycle — Auth0 and Clerk notify you when users sign up, verify email, or delete accounts
• Repository events — GitHub sends webhooks for pushes, pull requests, and issue comments
• Communication — Twilio and SendGrid fire webhooks for incoming messages, delivery status, and bounces
• E-commerce — Shopify sends webhooks for orders, inventory changes, and fulfillment updates

How to receive a webhook

Your endpoint needs to:

• Accept POST requests with a JSON body
• Return 200 quickly — process the payload asynchronously if the work takes more than a few seconds. If you exceed the sender's timeout, they'll assume delivery failed and retry
• Be publicly accessible — the external service needs to reach your URL over the internet
• Handle duplicates — always process webhooks idempotently, because retries mean you may receive the same event more than once

Securing webhooks

Verify signatures

Most webhook providers sign each request with a shared secret (usually HMAC-SHA256). The signature arrives in a header like X-Signature or Stripe-Signature. Compute the expected signature from the raw request body and your secret key, then compare. If they don't match, reject the request.

Use HTTPS

Always register an HTTPS URL. Webhook payloads often contain sensitive data — customer emails, payment amounts, account IDs. HTTPS encrypts the payload in transit.

Verify the source

Some providers publish their IP ranges. Where available, restrict your webhook endpoint to only accept requests from those IPs.

Common problems

• Failed deliveries — your server is down, returns a 500, or times out. The sender retries, but if failures persist, they may disable your webhook
• Out-of-order delivery — events may arrive in a different order than they occurred. Always check timestamps or sequence numbers
• Duplicate events — retries mean the same event can arrive multiple times. Use the event ID to deduplicate
• Payload size limits — some events have large payloads. Make sure your endpoint can handle the maximum size

FAQ

What is the difference between a webhook and an API?

An API is pull-based: your code makes a request to get data. A webhook is push-based: the external service sends data to your URL when an event happens. Webhooks are more efficient when you only care about changes.

What HTTP method do webhooks use?

Almost all webhooks use HTTP POST. The event data is sent in the request body as JSON. Some older systems use GET with query parameters, but POST is the standard.

How do I test a webhook?

Use a tool like our webhook tester to send test requests to any endpoint and inspect the response. For local development, use a tunneling service (like ngrok) to expose your local server to the internet, then point the webhook URL at your tunnel.

Always handle webhooks idempotently to survive duplicate deliveries. For heavy processing, queue the webhook payload as a background job and return 200 immediately — this prevents timeouts from causing unnecessary retries.