Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Crafting a Great Webhooks Experience
Search
John Sheehan
November 20, 2015
Technology
2
550
Crafting a Great Webhooks Experience
Presented at API Strategy and Practice 2015 #apistrat
John Sheehan
November 20, 2015
Tweet
Share
More Decks by John Sheehan
See All by John Sheehan
My Favorite API Tools (Other than Runscope)
johnsheehan
0
180
Glue 2015: Microservices - More than just a buzzword.
johnsheehan
2
760
Scale-Oriented Architecture with Microservices
johnsheehan
2
360
Crafting a Great Webhooks Experience
johnsheehan
0
210
The rise of distributed applications.
johnsheehan
2
480
Zen and the Art of API Maintenance
johnsheehan
2
2.5k
Building API integrations you can live with.
johnsheehan
0
130
Free API debugging and testing tools you should know about.
johnsheehan
5
860
Modern Tools for Modern Applications
johnsheehan
1
210
Other Decks in Technology
See All in Technology
Astro Islandsの 内部実装を 「日本で一番わかりやすく」 ざっくり解説!
knj
0
290
PostgreSQL 18のNOT ENFORCEDな制約とDEFERRABLEの関係
yahonda
0
130
「AIエージェントで変わる開発プロセス―レビューボトルネックからの脱却」
lycorptech_jp
PRO
0
150
スピンアウト講座01_GitHub管理
overflowinc
0
1.5k
How to install a gem
indirect
0
1.7k
「お金で解決」が全てではない!大規模WebアプリのCI高速化 #phperkaigi
stefafafan
5
2.3k
The Rise of Browser Automation: AI-Powered Web Interaction in 2026
marcthompson_seo
0
310
ハーネスエンジニアリング×AI適応開発
aictokamiya
1
240
【社内勉強会】新年度からコーディングエージェントを使いこなす - 構造と制約で引き出すClaude Codeの実践知
nwiizo
26
13k
MCPで決済に楽にする
mu7889yoon
0
130
AWS Systems Managerのハイブリッドアクティベーションを使用したガバメントクラウド環境の統合管理
toru_kubota
1
170
The essence of decision-making lies in primary data
kaminashi
0
110
Featured
See All Featured
Un-Boring Meetings
codingconduct
0
240
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
32
2.6k
What the history of the web can teach us about the future of AI
inesmontani
PRO
1
490
SEO in 2025: How to Prepare for the Future of Search
ipullrank
3
3.4k
Joys of Absence: A Defence of Solitary Play
codingconduct
1
320
Building a Modern Day E-commerce SEO Strategy
aleyda
45
9k
Optimising Largest Contentful Paint
csswizardry
37
3.6k
Six Lessons from altMBA
skipperchong
29
4.2k
Lessons Learnt from Crawling 1000+ Websites
charlesmeaden
PRO
1
1.2k
Prompt Engineering for Job Search
mfonobong
0
230
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
254
22k
Ruling the World: When Life Gets Gamed
codingconduct
0
180
Transcript
Crafting a Great Webhooks Experience John Sheehan CEO, @Runscope
None
None
None
None
None
"user defined callbacks made with HTTP POST"
"Webhooks are the easiest way to remotely execute code." --
Jeff Lindsay once when we were talking
HTTP Push Notifications
A Reverse API
Provider makes request to URL when an event happens. Consumer
sets up a server to listen for callbacks. Consumer registers callback URL with provider.
Provider makes request to URL when an event happens. Consumer
sets up a server to listen for callbacks. Consumer registers callback URL with provider.
Provider makes request to URL when an event happens. Consumer
sets up a server to listen for callbacks. Consumer registers callback URL with provider.
None
Implementing Webhooks
url = get_callback_url() data = get_webhook_payload_json() try: resp = requests.post(url,
data=data) if not resp.ok: _logger.error(resp.content) except Exception as e: _logger.error(e)
Problem #1: Error Handling
> POST /callback < 400 Bad Request
> POST /callback < 302 Found < Location: http://
> POST /callback < 200 OK < Content-Type: text/plain <
<Response></Response>
Error Handling Suggestions
Be lenient in what you accept back if you can
reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.
Be lenient in what you accept back if you can
reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.
Be lenient in what you accept back if you can
reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.
Problem #2: Flooding
None
Active Queues ↪ ↪
Problem #3: Security
> POST http://localhost:3000
> POST http://foo.lvh.me
DoS Attack Vector
Proving the Source
Validation Techniques
Key Sharing
Request Signing
Re-fetch > POST /callback > { id: 123 } >
GET /users/123 < { id: 123 } Webhook Callback App Code
Security Suggestions
Validate your requests. Document it well! Resolve IPs before making
request. Consider proxying. Consider subscription validation for high-volume cases.
Validate your requests. Document it well! Resolve IPs before making
request. Consider proxying. Consider subscription validation for high-volume cases.
Validate your requests. Document it well! Resolve IPs before making
request. Consider proxying. Consider subscription validation for high-volume cases.
Developer Experience
Payload Design
Fat vs.Thin
Mirror API Resources
Complete Documentation!
Tooling
Accept Multiple Callback URLs
Hooks API
Debugger & Logs
Manual Retries
Generate Test Callbacks
Tunneling Recommended: ngrok.com
Thank you! Questions?
[email protected]
Try Runscope free: runscope.com
johnsheehan
knj
yahonda
lycorptech_jp
overflowinc
indirect
stefafafan
marcthompson_seo
aictokamiya
nwiizo
mu7889yoon
toru_kubota
kaminashi
codingconduct
garrettdimon
inesmontani
ipullrank
aleyda
csswizardry
skipperchong
charlesmeaden
mfonobong
smashingmag
![Thank you! Questions? [email protected] Try Runscope free: runscope.com](https://files.speakerdeck.com/presentations/d5de91d075d3406aa354d68fc96dfd91/slide_52.jpg){kind=link}