What is a Webhook?
A webhook is an HTTP callback mechanism that allows one application to send real-time data to another application when a specific event occurs. Unlike traditional API polling, where a client repeatedly checks for updates, webhooks reverse the communication flow — the server pushes data to the client as soon as something happens. This event-driven approach is more efficient and enables near-instantaneous integrations between systems.
How Webhooks Work
To set up a webhook, the receiving application provides a URL endpoint to the sending application. When a triggering event occurs — such as a payment being completed, a user signing up, or a repository receiving a push — the sender makes an HTTP POST request to the registered URL with a payload describing the event. The receiving application processes the payload and responds with a 2xx status code to acknowledge receipt. If the delivery fails, most webhook providers implement retry logic with exponential backoff to ensure eventual delivery.
Securing Webhooks
Because webhook endpoints are publicly accessible URLs, verifying the authenticity of incoming requests is essential. Common security practices include signing the payload with a shared secret using HMAC-SHA256 and including the signature in a request header. The receiver recomputes the signature and compares it to the one provided. Some providers also include a timestamp to prevent replay attacks. Additionally, webhook endpoints should validate the payload structure, use HTTPS, and implement idempotency to handle duplicate deliveries gracefully.
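The checks described above, in the order a receiver should apply them, as an added example that is not taken from any provider's SDK. It assumes the sender signs "<timestamp>.<raw body>" with HMAC-SHA256, that a 300-second replay window is acceptable, and that each event carries string `id` and `type` fields; the names `sign` and `WebhookReceiver` are hypothetical.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed replay window; providers differ


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over "<timestamp>.<raw body>" (assumed layout)."""
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_ids = set()  # in production: a shared store with expiry

    def handle(self, body: bytes, timestamp: str, signature: str, now=None):
        """Return an (HTTP status, reason) pair for one delivery."""
        now = time.time() if now is None else now
        # 1. Authenticate the raw bytes before parsing anything.
        #    compare_digest runs in constant time, unlike ==.
        expected = sign(self.secret, timestamp, body)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return 401, "bad signature"
        # 2. Reject stale deliveries; the timestamp is covered by the MAC.
        try:
            age = abs(now - int(timestamp))
        except ValueError:
            return 400, "bad timestamp"
        if age > TOLERANCE_SECONDS:
            return 401, "stale timestamp"
        # 3. Validate structure only after the signature checks out.
        try:
            event = json.loads(body)
            event_id, event_type = event["id"], event["type"]
        except (ValueError, KeyError, TypeError):
            return 400, "malformed payload"
        if not isinstance(event_id, str) or not isinstance(event_type, str):
            return 400, "malformed payload"
        # 4. Idempotency: acknowledge retries without reprocessing.
        if event_id in self.seen_ids:
            return 200, "duplicate ignored"
        self.seen_ids.add(event_id)
        return 200, "processed"
```

The signature must be computed over the exact bytes received; re-serializing parsed JSON before verifying changes whitespace and key order and makes valid deliveries fail.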
Common Use Cases
Webhooks are ubiquitous in modern software integrations. Payment processors like Stripe use webhooks to notify applications of successful charges, refunds, and disputes. Version control platforms like GitHub send webhooks for pushes, pull requests, and issues. CI/CD systems trigger builds via webhooks. Communication platforms use them for bot interactions. Any scenario where one system needs to react to events in another system is a natural fit for webhooks, making them a foundational building block of event-driven architectures.