Crafting a Great Webhooks Experience
John Sheehan
November 20, 2015
Presented at API Strategy and Practice 2015 #apistrat
Transcript
Crafting a Great Webhooks Experience John Sheehan CEO, @Runscope
"user defined callbacks made with HTTP POST"
"Webhooks are the easiest way to remotely execute code." -- Jeff Lindsay once when we were talking
HTTP Push Notifications
A Reverse API
Provider makes request to URL when an event happens.
Consumer sets up a server to listen for callbacks.
Consumer registers callback URL with provider.
Implementing Webhooks
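    import logging
    import requests

    _logger = logging.getLogger(__name__)

    # get_callback_url() and get_webhook_payload_json() are the provider's own helpers
    url = get_callback_url()
    data = get_webhook_payload_json()
    try:
        resp = requests.post(url, data=data)
        if not resp.ok:
            _logger.error(resp.content)
    except Exception as e:
        _logger.error(e)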
Problem #1: Error Handling
    > POST /callback
    < 400 Bad Request

    > POST /callback
    < 302 Found
    < Location: http://

    > POST /callback
    < 200 OK
    < Content-Type: text/plain
    <
    <Response></Response>
Error Handling Suggestions
Be lenient in what you accept back if you can reasonably guess.
Retry failed callbacks with exponential back off.
Decide if redirects are to be followed or not.
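The three suggestions above as a delivery loop, in an added example that is not from the talk. `send` is a hypothetical transport callable that must not follow redirects itself (with `requests`, pass `allow_redirects=False`); the base delay, cap, jitter and the choice to treat a redirect as a failed attempt are assumptions.

```python
import random
import time

def backoff_schedule(max_attempts, base=2.0, cap=3600.0, jitter=random.random):
    """Delay before each retry: exponential, capped, scaled to 50-100% by jitter."""
    delays = []
    for n in range(max_attempts - 1):
        step = min(cap, base * (2 ** n))
        delays.append(step * (0.5 + jitter() / 2))
    return delays

def deliver(send, url, body, max_attempts=5, sleep=time.sleep, jitter=random.random):
    """Call send(url, body) -> (status, headers) until a 2xx or attempts run out.

    Returns one outcome string per attempt; the last is 'delivered' on success.
    """
    delays = backoff_schedule(max_attempts, jitter=jitter)
    log = []
    for attempt in range(max_attempts):
        try:
            status, headers = send(url, body)
        except Exception as exc:  # DNS failure, refused connection, timeout
            outcome = f"error:{type(exc).__name__}"
        else:
            if 200 <= status < 300:
                # Lenient: any 2xx counts, whatever body or content type came back.
                outcome = "delivered"
            elif 300 <= status < 400:
                # Decision made here: record the target, never follow it.
                outcome = f"redirect-not-followed:{headers.get('Location', '')}"
            else:
                outcome = f"http:{status}"
        log.append(outcome)
        if outcome == "delivered" or attempt == max_attempts - 1:
            break
        sleep(delays[attempt])
    return log
```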
Problem #2: Flooding
Active Queues ↪ ↪
Problem #3: Security
> POST http://localhost:3000
> POST http://foo.lvh.me
DoS Attack Vector
Proving the Source
Validation Techniques
Key Sharing
Request Signing
Re-fetch
Webhook Callback
    > POST /callback
    > { id: 123 }
App Code
    > GET /users/123
    < { id: 123 }
Security Suggestions
Validate your requests. Document it well!
Resolve IPs before making request. Consider proxying.
Consider subscription validation for high-volume cases.
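An added example (not from the talk) of two of these suggestions: the provider resolving a callback host and refusing non-public addresses such as the `localhost` and `lvh.me` URLs shown earlier, and HMAC request signing that the consumer verifies. The function names, the `timestamp.body` signing layout and the 300-second tolerance are assumptions.

```python
import hashlib
import hmac
import ipaddress
import socket
import time
from urllib.parse import urlsplit

def safe_addresses(url, resolve=socket.getaddrinfo):
    """Provider side: resolve the callback host; raise ValueError unless the
    URL is http(s) and every resolved address is publicly routable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("callback URL must be http(s) with a host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    infos = resolve(parts.hostname, port, type=socket.SOCK_STREAM)
    addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    for ip in addrs:
        if not ip.is_global:  # loopback, RFC 1918, link-local, ...
            raise ValueError(f"{parts.hostname} resolves to non-public {ip}")
    # Connect to one of these addresses rather than the hostname, so a second
    # DNS lookup cannot return a different answer than the one checked here.
    return [str(ip) for ip in addrs]

def sign(secret, body, timestamp):
    """Provider side: HMAC-SHA256 over '<timestamp>.<body>' with the shared key."""
    msg = str(int(timestamp)).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify(secret, body, timestamp, signature, now=None, tolerance=300):
    """Consumer side: reject stale timestamps, then compare in constant time."""
    now = time.time() if now is None else now
    try:
        if abs(now - int(timestamp)) > tolerance:
            return False  # too old or too far ahead: limits replay
    except (TypeError, ValueError):
        return False      # timestamp header was not a number
    expected = sign(secret, body, timestamp)
    return hmac.compare_digest(expected.encode(), str(signature).encode())
```

The consumer must compute the HMAC over the raw request bytes as received, before any JSON parsing or re-serialization.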
Developer Experience
Payload Design
Fat vs. Thin
Mirror API Resources
Complete Documentation!
Tooling
Accept Multiple Callback URLs
Hooks API
Debugger & Logs
Manual Retries
Generate Test Callbacks
Tunneling Recommended: ngrok.com
Thank you! Questions?
Try Runscope free: runscope.com