Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Crafting a Great Webhooks Experience

John Sheehan
November 20, 2015
Technology
2
500

Crafting a Great Webhooks Experience

Presented at API Strategy and Practice 2015 #apistrat

John Sheehan

November 20, 2015
Tweet

More Decks by John Sheehan

See All by John Sheehan
My Favorite API Tools (Other than Runscope)
johnsheehan
0
150
Glue 2015: Microservices - More than just a buzzword.
johnsheehan
2
640
Scale-Oriented Architecture with Microservices
johnsheehan
2
330
Crafting a Great Webhooks Experience
johnsheehan
0
160
The rise of distributed applications.
johnsheehan
2
420
Zen and the Art of API Maintenance
johnsheehan
2
2.4k
Building API integrations you can live with.
johnsheehan
0
100
Free API debugging and testing tools you should know about.
johnsheehan
5
820
Modern Tools for Modern Applications
johnsheehan
1
180

Other Decks in Technology

See All in Technology
事業継続を支える自動テストの考え方
tsuemura
0
300
Datadogとともにオブザーバビリティを布教しよう
mego2221
0
130
開発者が自律的に AWS Security Hub findings に 対応する仕組みと AWS re:Invent 2024 登壇体験談 / Developers autonomously report AWS Security Hub findings Corresponding mechanism and AWS re:Invent 2024 presentation experience
kaminashi
0
190
管理者しか知らないOutlookの裏側のAIを覗く#AzureTravelers
hirotomotaguchi
2
240
Platform Engineeringは自由のめまい
nwiizo
4
1.9k
Building Products in the LLM Era
ymatsuwitter
10
4.4k
Ask! NIKKEIの運用基盤と改善に向けた取り組み / NIKKEI TECH TALK #30
kaitomajima
1
450
飲食店予約台帳を支えるインタラクティブ UI 設計と実装
siropaca
6
1.4k
Classmethod AI Talks(CATs) #15 司会進行スライド(2025.02.06) / classmethod-ai-talks-aka-cats_moderator-slides_vol15_2025-02-06
shinyaa31
0
170
RSNA2024振り返り
nanachi
0
500
偶然 × 行動で人生の可能性を広げよう / Serendipity × Action: Discover Your Possibilities
ar_tama
1
740
SA Night #2 FinatextのSA思想/SA Night #2 Finatext session
satoshiimai
1
100

Featured

See All Featured
Agile that works and the tools we love
rasmusluckow
328
21k
Build The Right Thing And Hit Your Dates
maggiecrowley
34
2.5k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
29
1k
Building Better People: How to give real-time feedback that sticks.
wjessup
366
19k
Done Done
chrislema
182
16k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
630
A Philosophy of Restraint
colly
203
16k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
27
1.9k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Side Projects
sachag
452
42k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
20
2.4k
BBQ
matthewcrist
86
9.5k

Transcript

  1. Crafting a Great Webhooks Experience John Sheehan CEO, @Runscope

  2. None
  3. None
  4. None
  5. None
  6. None

  7. "user defined callbacks made with HTTP POST"

  8. "Webhooks are the easiest way to remotely execute code." --

    Jeff Lindsay once when we were talking

  9. HTTP Push Notifications

  10. A Reverse API

  11. Provider makes request to URL when an event happens. Consumer

    sets up a server to listen for callbacks. Consumer registers callback URL with provider.

  12. Provider makes request to URL when an event happens. Consumer

    sets up a server to listen for callbacks. Consumer registers callback URL with provider.

  13. Provider makes request to URL when an event happens. Consumer

    sets up a server to listen for callbacks. Consumer registers callback URL with provider.
  14. None

  15. Implementing Webhooks

  16. url = get_callback_url() data = get_webhook_payload_json() try: resp = requests.post(url,

    data=data) if not resp.ok: _logger.error(resp.content) except Exception as e: _logger.error(e)

  17. Problem #1: Error Handling

  18. > POST /callback < 400 Bad Request

  19. > POST /callback < 302 Found < Location: http://

  20. > POST /callback < 200 OK < Content-Type: text/plain <

    <Response></Response>

  21. Error Handling Suggestions

  22. Be lenient in what you accept back if you can

    reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.

  23. Be lenient in what you accept back if you can

    reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.

  24. Be lenient in what you accept back if you can

    reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.

  25. Problem #2: Flooding

  26. None

  27. Active Queues ↪ ↪

  28. Problem #3: Security

  29. > POST http://localhost:3000

  30. > POST http://foo.lvh.me

  31. DoS Attack Vector

  32. Proving the Source

  33. Validation Techniques

  34. Key Sharing

  35. Request Signing

  36. Re-fetch > POST /callback > { id: 123 } >

    GET /users/123 < { id: 123 } Webhook Callback App Code

  37. Security Suggestions

  38. Validate your requests. Document it well! Resolve IPs before making

    request. Consider proxying. Consider subscription validation for high-volume cases.

  39. Validate your requests. Document it well! Resolve IPs before making

    request. Consider proxying. Consider subscription validation for high-volume cases.

  40. Validate your requests. Document it well! Resolve IPs before making

    request. Consider proxying. Consider subscription validation for high-volume cases.

  41. Developer Experience

  42. Payload Design

  43. Fat vs.Thin

  44. Mirror API Resources

  45. Complete Documentation!

  46. Tooling

  47. Accept Multiple Callback URLs

  48. Hooks API

  49. Debugger & Logs

  50. Manual Retries

  51. Generate Test Callbacks

  52. Tunneling Recommended: ngrok.com

  53. Thank you! Questions? [email protected] Try Runscope free: runscope.com