Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Crafting a Great Webhooks Experience
Search
John Sheehan
November 20, 2015
Technology
2
520
Crafting a Great Webhooks Experience
Presented at API Strategy and Practice 2015 #apistrat
John Sheehan
November 20, 2015
Tweet
Share
More Decks by John Sheehan
See All by John Sheehan
My Favorite API Tools (Other than Runscope)
johnsheehan
0
170
Glue 2015: Microservices - More than just a buzzword.
johnsheehan
2
720
Scale-Oriented Architecture with Microservices
johnsheehan
2
340
Crafting a Great Webhooks Experience
johnsheehan
0
180
The rise of distributed applications.
johnsheehan
2
460
Zen and the Art of API Maintenance
johnsheehan
2
2.4k
Building API integrations you can live with.
johnsheehan
0
120
Free API debugging and testing tools you should know about.
johnsheehan
5
840
Modern Tools for Modern Applications
johnsheehan
1
190
Other Decks in Technology
See All in Technology
AI-Readyを目指した非構造化データのメダリオンアーキテクチャ
r_miura
1
340
OPENLOGI Company Profile for engineer
hr01
1
45k
生成AI時代のPythonセキュリティとガバナンス
abenben
0
150
ハノーファーメッセ2025で見た生成AI活用ユースケース.pdf
hamadakoji
1
500
AI時代の発信活動 ~技術者として認知してもらうための発信法~ / 20251028 Masaki Okuda
shift_evolve
PRO
1
110
プレイドのユニークな技術とインターンのリアル
plaidtech
PRO
1
470
東京大学「Agile-X」のFPGA AIデザインハッカソンを制したソニーのAI最適化
sony
0
140
Okta Identity Governanceで実現する最小権限の原則
demaecan
0
160
【SORACOM UG Explorer 2025】さらなる10年へ ~ SORACOM MVC 発表
soracom
PRO
0
170
AWS DMS で SQL Server を移行してみた/aws-dms-sql-server-migration
emiki
0
250
RemoteFunctionを使ったコロケーション
mkazutaka
1
130
QA業務を変える(!?)AIを併用した不具合分析の実践
ma2ri
0
160
Featured
See All Featured
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
37
2.6k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.6k
Intergalactic Javascript Robots from Outer Space
tanoku
272
27k
A Modern Web Designer's Workflow
chriscoyier
697
190k
GraphQLの誤解/rethinking-graphql
sonatard
73
11k
RailsConf 2023
tenderlove
30
1.3k
BBQ
matthewcrist
89
9.9k
How to Ace a Technical Interview
jacobian
280
24k
A designer walks into a library…
pauljervisheath
209
24k
Why Our Code Smells
bkeepers
PRO
340
57k
Producing Creativity
orderedlist
PRO
347
40k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
9.7k
Transcript
Crafting a Great Webhooks Experience John Sheehan CEO, @Runscope
None
None
None
None
None
"user defined callbacks made with HTTP POST"
"Webhooks are the easiest way to remotely execute code." --
Jeff Lindsay once when we were talking
HTTP Push Notifications
A Reverse API
Provider makes request to URL when an event happens. Consumer
sets up a server to listen for callbacks. Consumer registers callback URL with provider.
Provider makes request to URL when an event happens. Consumer
sets up a server to listen for callbacks. Consumer registers callback URL with provider.
Provider makes request to URL when an event happens. Consumer
sets up a server to listen for callbacks. Consumer registers callback URL with provider.
None
Implementing Webhooks
url = get_callback_url() data = get_webhook_payload_json() try: resp = requests.post(url,
data=data) if not resp.ok: _logger.error(resp.content) except Exception as e: _logger.error(e)
Problem #1: Error Handling
> POST /callback < 400 Bad Request
> POST /callback < 302 Found < Location: http://
> POST /callback < 200 OK < Content-Type: text/plain <
<Response></Response>
Error Handling Suggestions
Be lenient in what you accept back if you can
reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.
Be lenient in what you accept back if you can
reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.
Be lenient in what you accept back if you can
reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.
Problem #2: Flooding
None
Active Queues ↪ ↪
Problem #3: Security
> POST http://localhost:3000
> POST http://foo.lvh.me
DoS Attack Vector
Proving the Source
Validation Techniques
Key Sharing
Request Signing
Re-fetch > POST /callback > { id: 123 } >
GET /users/123 < { id: 123 } Webhook Callback App Code
Security Suggestions
Validate your requests. Document it well! Resolve IPs before making
request. Consider proxying. Consider subscription validation for high-volume cases.
Validate your requests. Document it well! Resolve IPs before making
request. Consider proxying. Consider subscription validation for high-volume cases.
Validate your requests. Document it well! Resolve IPs before making
request. Consider proxying. Consider subscription validation for high-volume cases.
Developer Experience
Payload Design
Fat vs.Thin
Mirror API Resources
Complete Documentation!
Tooling
Accept Multiple Callback URLs
Hooks API
Debugger & Logs
Manual Retries
Generate Test Callbacks
Tunneling Recommended: ngrok.com
Thank you! Questions?
[email protected]
Try Runscope free: runscope.com
johnsheehan
r_miura
hr01
abenben
hamadakoji
shift_evolve
plaidtech
sony
demaecan
soracom
emiki
mkazutaka
ma2ri
eileencodes
marktimemedia
tanoku
chriscoyier
sonatard
tenderlove
matthewcrist
jacobian
pauljervisheath
bkeepers
orderedlist
![Thank you! Questions? [email protected] Try Runscope free: runscope.com](https://files.speakerdeck.com/presentations/d5de91d075d3406aa354d68fc96dfd91/slide_52.jpg){kind=link}