Jul 23, 2025
What is Webhook, How it Works and Why it is Used
Salman Saafi
What Is a Webhook?
A webhook is an automated mechanism where one service (the provider) sends an HTTP request (typically POST) to a consumer-defined URL when a specific event occurs. This enables near-instant communication between separate systems without polling or manual intervention.
Key Characteristics
Event-triggered: The request is sent only when a designated event happens, not on a schedule.
Unidirectional: It’s a push from the provider to the consumer.
Payload-driven: The request contains structured data, often in JSON, describing the event context.
How Webhooks Work: Step-by-Step
1. Endpoint Registration
Consumers register a URL (the webhook endpoint) with the provider. This may include:
Event types to subscribe to.
A shared secret or signing key for validation.
Retry strategy or delivery preferences.
2. Event Occurs
When the specified event happens (e.g. a new order, a status change), the provider constructs a payload and attempts delivery.
3. Request Delivery
The provider makes an HTTP request to the registered endpoint. Characteristics:
Method: typically POST.
Headers: may include signature, timestamp, event type, user/tenant ID.
Body: structured (JSON/XML), containing event metadata and payload.
4. Signature Verification
Webhooks are exposed endpoints — anyone who knows your webhook URL can potentially send data to it. That’s why verifying the authenticity of incoming webhook requests is critical.
Common Authentication & Verification Methods
A. HMAC Signature Verification
This is the most widely used method.
How it works:
The webhook sender (e.g., Stripe, GitHub, Vartiq) creates a cryptographic HMAC (e.g., HMAC-SHA256) of the request payload using a shared secret.
Where it's used:
The resulting hash is sent in the headers (X-Signature, X-Hub-Signature-256, etc.).
What you do:
On your side, you:
Use the same shared secret to recompute the HMAC on the incoming payload.
Compare it to the received signature.
If they match, legit. Otherwise, drop it.
B. Secret in URL or Header (Simple Token Auth)
How it works:
You configure a shared static token (like an API key) during webhook setup.
The sender appends it to the request URL as a query param (
?token=xyz)Or adds it in a custom header like
X-Webhook-Token.
Pros:
Simple to implement
Good for low-risk scenarios or internal integrations
Cons:
Not tamper-proof — if intercepted, can be reused.
No payload validation like HMAC provides.
C. IP Whitelisting
How it works:
Only accept webhook requests from known IP ranges of the sender (e.g., Stripe provides their IPs publicly).
Pro tip: Combine this with signature verification for defense-in-depth.
TL;DR
Method | Security | Ease of Use | Best For |
|---|---|---|---|
HMAC Signature | ✅ ✅ ✅ | ✅ ✅ | Most use cases |
Token in URL/Header | ✅ | ✅ ✅ ✅ | Simple setups, internal tooling |
IP Whitelisting | ✅ ✅ | ✅ ✅ | Static IP senders + layered security |
Bonus Tip: If you’re building your own webhook infrastructure, a service like Vartiq can help you manage signature verification, IP filtering, and observability out of the box — so you can focus on your core product and not the plumbing.
5. Acknowledge Receipt
The receiver returns a status code:
2xxto indicate success.4xxor5xxfor failure. Provider retries delivery according to a configurable backoff schedule.
6. Asynchronous Processing
To avoid blocking the HTTP response, the webhook handler should:
Validate the signature.
Enqueue the payload into a message queue or internal processing pipeline.
Respond immediately with
200 OK.
Payload Anatomy and Semantic Design
A typical webhook payload includes:
event_type: identifies the event (e.g.invoice.created,user.updated).event_id: unique identifier for deduplication.timestamp: canonical event time.resource_id: ID of the affected object.data: detailed representation of the resource or change.
Some providers include schema versioning or optional related entities for correlating complex workflows.
Why Use Webhooks
Real-Time Delivery
Notifications happen instantly, enabling near-instant triggers for reactive workflows.
Resource Efficiency
Avoids polling loops that query APIs for changes every few seconds or minutes, reducing API calls and lowering latency.
Decoupling of Systems
Webhooks allow separate services to integrate asynchronously, improving modularity and reducing tight coupling.
Event-Driven Architecture Friendly
Webhooks fit naturally into event-driven systems, bridging external triggers into internal workflows (queues, message buses, fan‑out patterns).
Scaling Webhooks: Technical Patterns
Idempotency and Duplicate Detection
Duplicate webhook deliveries are common. Use these robust patterns for prevention:
Event-ID Tracking: Store
event_idin a cache or database table. Skip events already processed.Upsert with Timestamp: For stateful events, use timestamps to avoid stale updates.
Queue-Based Ingestion
Immediately enqueue webhook payloads to a durable work queue (Kafka, RabbitMQ, SQS). Process asynchronously in workers.
This decouples ingestion from processing to handle spikes and avoids blocking the HTTP response.
Retry and Dead Letter Queue
Allow failed jobs to retry with exponential backoff. After N attempts, route to a DLQ for manual or automated inspection and resolution.
Monitoring and Observability
You should track:
Queue depth.
Event latency (time between event timestamp and processing time).
Failed deliveries and retries.
Per‑customer or per-event-type metrics.
Maintain logs of raw payloads, response codes, and processing outcomes for audit and debugging.
Security Best Practices
Use HTTPS only: TLS is mandatory.
Verify signatures: Recreate the HMAC and compare with the header.
Timestamp checks: Reject payloads older than a short threshold to mitigate replay attacks.
Restrict IP ranges: Some providers publish IP ranges or CIDR lists that can validate IP origin.
Rotate secrets periodically and support secret versioning to avoid downtime during rotation.
Schema Design and Validation
Define formal schemas (e.g. JSON Schema, OpenAPI) for webhook payloads. Validate payloads before processing.
Use versioning to plan for safe schema changes (evolving event types, adding fields).
Reject unknown or unexpected event types by default.
Real-World Example: Stripe Webhook Flow
Register webhook endpoint in Stripe Dashboard or via API.
Stripe sends
POST /webhookwhen events likecharge.succeededoccur.You verify the header
Stripe-Signatureusing your webhook secret.Store
event.idto prevent duplicates.Enqueue event into internal queue and respond with
200.Worker processes the event: fetches the customer, updates internal records, triggers notifications.
Failures trigger retries; persistent failures go into DLQ and trigger alerts.
When to Use Webhooks vs. Other Patterns
Trigger Pattern | Latency | Complexity | Use Case |
|---|---|---|---|
Polling API every N seconds/minutes | Seconds–minutes | Low | Infrequent changes, small scale |
Webhooks | Milliseconds–seconds | Moderate | Reactive, real-time systems |
Message broker subscription | Milliseconds | High | Internal microservices, Kafka |
Batch data pulls | Minutes–hours | Moderate | Analytics, scheduled reporting |
Common Pitfalls
Not handling duplicates: causes double processing (e.g. double billing).
Blocking handlers: slow processing increases latency and risk of retry storms.
Ignoring retries: can lead to infinite loops or unbounded cost.
Lack of observability: undiagnosed failures go unnoticed.
Mutable endpoints: changing URLs or rotating secrets without synchronization breaks delivery.
Emerging Trends and the Future
Native cloud integrations: Major API platforms increasingly support direct delivery to AWS EventBridge, GCP Pub/Sub, and Azure Event Grid.
Typed contracts: JSON schemas, Protocol Buffers, and OpenAPI-style definitions for webhook payloads are standardizing integrations.
Signed and encrypted payloads by default: Ensuring privacy and integrity end-to-end, especially if payloads transit multiple brokers.
Summary
Webhooks are an essential mechanism for real-time event-driven integrations. They offer:
Low-latency event delivery.
Efficient resource usage.
Loose coupling and modular integration.
To implement them reliably at scale, you need:
Signature validation and security.
Idempotent processing logic.
Queuing infrastructure.
Monitoring, retries, and DLQs.
Well-defined payload schemas and event versioning.
When designed and deployed thoughtfully, webhooks become the backbone of reliable, reactive systems. Want to build your own webhook infra? Try Vartiq.
