Crafting a Great Webhooks Experience
John Sheehan
November 20, 2015
Presented at API Strategy and Practice 2015 #apistrat
Transcript
Crafting a Great Webhooks Experience
John Sheehan, CEO, @Runscope
"user defined callbacks made with HTTP POST"
"Webhooks are the easiest way to remotely execute code." -- Jeff Lindsay, once when we were talking
HTTP Push Notifications
A Reverse API
1. Consumer sets up a server to listen for callbacks.
2. Consumer registers callback URL with provider.
3. Provider makes request to URL when an event happens.
Implementing Webhooks
The first cut most providers ship: one POST, log anything that goes wrong, move on. (get_callback_url and get_webhook_payload_json are helpers the slide assumes and does not show.)

```python
import logging

import requests

_logger = logging.getLogger(__name__)

url = get_callback_url()               # the URL the consumer registered
data = get_webhook_payload_json()      # serialized event payload
try:
    resp = requests.post(url, data=data)
    if not resp.ok:                    # anything outside 2xx/3xx is just logged
        _logger.error(resp.content)
except Exception as e:                 # DNS failure, refused connection, timeout
    _logger.error(e)
```
Problem #1: Error Handling
Three callback responses the code above has to decide what to do with: an outright error, a redirect, and a 200 whose body is not what you expected.

```
> POST /callback
< 400 Bad Request

> POST /callback
< 302 Found
< Location: http://

> POST /callback
< 200 OK
< Content-Type: text/plain
<
< <Response></Response>
```
Error Handling Suggestions
Be lenient in what you accept back if you can reasonably guess.
Retry failed callbacks with exponential back off.
Decide if redirects are to be followed or not.
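A delivery routine that applies those three suggestions, written as an added example (not code from the talk or from Runscope). It treats any 2xx as success regardless of body, refuses to follow redirects (the policy choice made here; the slide only says to decide), gives up immediately on other 4xx, and retries 5xx, 408, 429 and transport errors with capped exponential back off. The transport and the sleep are injectable so the policy can be exercised offline; the default transport uses http.client, which never follows redirects. The header names and the retryable status set are this example's own choices.

```python
import http.client
import json
import logging
import time
from urllib.parse import urlsplit

_logger = logging.getLogger("webhooks")

# Statuses worth a retry: the consumer is overloaded or temporarily broken,
# not misconfigured. 4xx other than 408/429 will not get better by retrying.
RETRYABLE = {408, 429, 500, 502, 503, 504}


def http_post(url, body, headers, timeout=10):
    """Plain POST via http.client, which does not follow redirects on its own."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("POST", path, body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain and ignore the body: a 2xx is a 2xx whatever it says
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def backoff_delays(max_attempts, base=1.0, cap=60.0):
    """Delays between attempts: base, 2*base, 4*base, ... capped at `cap`."""
    return [min(cap, base * 2 ** i) for i in range(max_attempts - 1)]


def deliver(url, payload, post=http_post, max_attempts=5, base=1.0, cap=60.0, sleep=time.sleep):
    """Deliver one webhook. Returns (delivered, attempts_made, delays_slept).

    `post(url, body, headers)` returns (status, headers) or raises on a transport error.
    """
    body = json.dumps(payload).encode()
    headers = {"Content-Type": "application/json", "User-Agent": "example-hooks/1.0"}
    delays = backoff_delays(max_attempts, base, cap)
    slept = []
    for attempt in range(1, max_attempts + 1):
        try:
            status, resp_headers = post(url, body, headers)
        except Exception as exc:  # DNS failure, refused connection, timeout ...
            _logger.warning("attempt %d to %s failed: %s", attempt, url, exc)
        else:
            if 200 <= status < 300:
                return True, attempt, slept
            if 300 <= status < 400:
                # Policy: a callback URL that redirects is a consumer misconfiguration.
                _logger.error("%s redirected to %s; not following", url, resp_headers.get("location"))
                return False, attempt, slept
            if status not in RETRYABLE:
                _logger.error("%s answered %d; giving up", url, status)
                return False, attempt, slept
            _logger.warning("attempt %d to %s got %d", attempt, url, status)
        if attempt < max_attempts:
            slept.append(delays[attempt - 1])
            sleep(delays[attempt - 1])
    return False, max_attempts, slept
```

In production the back off would usually get a random jitter added so that many consumers failing at once do not all get retried in lock step; it is left out here so the delays are predictable.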
Problem #2: Flooding
[Diagram: Active Queues]
Problem #3: Security
Callback URLs a consumer can register that point the provider back at its own network (lvh.me and its subdomains resolve to 127.0.0.1):

```
> POST http://localhost:3000
> POST http://foo.lvh.me
```
DoS Attack Vector
Proving the Source
Validation Techniques
Key Sharing
Request Signing
Re-fetch
Webhook callback:  > POST /callback  > { id: 123 }
App code:          > GET /users/123  < { id: 123 }
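The three validation techniques side by side, as an added example that is not code from the talk or from Runscope: a shared key compared in constant time, an HMAC-SHA256 signature over the timestamp and the raw body (the timestamp is bound into the signature so an old, validly signed delivery cannot be replayed), and re-fetch, where the consumer takes only the id out of the payload and loads the real resource through `fetch`, standing in for its authenticated client for the provider's API. The header names, the `sha256=` prefix and the 300 second skew window are this example's own choices.

```python
import hashlib
import hmac
import json
import time

# Assumed header names; the talk does not prescribe any.
SIGNATURE_HEADER = "X-Hook-Signature"
TIMESTAMP_HEADER = "X-Hook-Timestamp"
KEY_HEADER = "X-Hook-Key"


# Technique 1: key sharing. The consumer chose a secret at registration; the
# provider sends it back on every callback. Compare in constant time so timing
# cannot leak the key byte by byte.
def verify_shared_key(headers, expected_key):
    presented = headers.get(KEY_HEADER, "")
    return hmac.compare_digest(presented.encode(), expected_key.encode())


# Technique 2: request signing.
def sign(secret, body, timestamp):
    """HMAC-SHA256 over '<timestamp>.<raw body>'; `body` is bytes exactly as sent."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def provider_headers(secret, body, now=None):
    """Provider side: headers to attach to the outgoing POST."""
    ts = int(now if now is not None else time.time())
    return {TIMESTAMP_HEADER: str(ts), SIGNATURE_HEADER: "sha256=" + sign(secret, body, ts)}


def verify_signature(secret, body, headers, now=None, max_skew=300):
    """Consumer side: verify over the raw request bytes before parsing any JSON."""
    try:
        ts = int(headers.get(TIMESTAMP_HEADER, ""))
    except ValueError:
        return False
    current = now if now is not None else time.time()
    if abs(current - ts) > max_skew:      # too old (or from the future): reject
        return False
    presented = headers.get(SIGNATURE_HEADER, "")
    expected = "sha256=" + sign(secret, body, ts)
    return hmac.compare_digest(presented.encode(), expected.encode())


# Technique 3: re-fetch. The callback body is only a hint; nothing in it is
# trusted except the id, which is used to load the resource from the API.
def refetch(payload_bytes, fetch):
    hint = json.loads(payload_bytes)
    return fetch(hint["id"])
```

Re-fetch costs an extra API call per event but needs no secret in the callback at all, which is why it suits consumers that already hold API credentials; signing is cheaper per event and also covers the payload contents, so the two are often combined.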
Security Suggestions
Validate your requests. Document it well!
Resolve IPs before making request.
Consider proxying.
Consider subscription validation for high-volume cases.
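One way to do the "resolve IPs before making request" check on a callback URL at registration time, as an added example that is not code from the talk or from Runscope. It rejects non-HTTP schemes, literal addresses inside non-global ranges, and hostnames that resolve (A or AAAA) to any such address, which is how `localhost`, `foo.lvh.me` and an IPv4-mapped `::ffff:127.0.0.1` are all caught. The resolver is injectable; `FAKE_DNS` and `fake_resolve` are constructed so the example runs offline (lvh.me really does resolve to 127.0.0.1; the other names and the 93.184.216.34 answer are made up for the example).

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_all(hostname):
    """Every address the name resolves to right now (A and AAAA records)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "foo.lvh.me": ["127.0.0.1"],
    "metadata.corp.example": ["169.254.169.254"],   # cloud metadata address
    "hooks.customer.example": ["93.184.216.34"],    # an ordinary public address
}


def fake_resolve(hostname):
    if hostname not in FAKE_DNS:
        raise socket.gaierror("constructed NXDOMAIN for %s" % hostname)
    return [ipaddress.ip_address(a) for a in FAKE_DNS[hostname]]


def is_internal(addr):
    """True for anything a provider should never be tricked into POSTing to:
    loopback, RFC 1918 and ULA, link-local (169.254.0.0/16 includes cloud
    metadata), CGNAT shared space, multicast, reserved and unspecified."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return not addr.is_global


def check_callback_url(url, resolve=resolve_all):
    """Return (ok, reason) for a callback URL a consumer wants to register."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        addrs = [ipaddress.ip_address(host)]   # literal address, nothing to resolve
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError as exc:
            return False, "cannot resolve %s: %s" % (host, exc)
    if not addrs:
        return False, "%s resolves to no addresses" % host
    for addr in addrs:
        if is_internal(addr):
            return False, "%s resolves to internal address %s" % (host, addr)
    return True, "ok"
```

A check at registration time is necessary but not sufficient: the consumer controls the DNS record and can change it after validation, so the delivery path has to enforce the same rule at connect time (connect to the address you just checked rather than resolving again), or route callbacks through an egress proxy that enforces it, which is the "consider proxying" suggestion above.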
Developer Experience
Payload Design
Fat vs. Thin
Mirror API Resources
Complete Documentation!
Tooling
Accept Multiple Callback URLs
Hooks API
Debugger & Logs
Manual Retries
Generate Test Callbacks
Tunneling Recommended: ngrok.com
Thank you! Questions?
[email protected]
Try Runscope free: runscope.com