Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Crafting a Great Webhooks Experience
Search
John Sheehan
November 20, 2015
Technology
2
550
Crafting a Great Webhooks Experience
Presented at API Strategy and Practice 2015 #apistrat
John Sheehan
November 20, 2015
Tweet
Share
More Decks by John Sheehan
See All by John Sheehan
My Favorite API Tools (Other than Runscope)
johnsheehan
0
180
Glue 2015: Microservices - More than just a buzzword.
johnsheehan
2
760
Scale-Oriented Architecture with Microservices
johnsheehan
2
350
Crafting a Great Webhooks Experience
johnsheehan
0
210
The rise of distributed applications.
johnsheehan
2
480
Zen and the Art of API Maintenance
johnsheehan
2
2.5k
Building API integrations you can live with.
johnsheehan
0
130
Free API debugging and testing tools you should know about.
johnsheehan
5
860
Modern Tools for Modern Applications
johnsheehan
1
200
Other Decks in Technology
See All in Technology
AIエンジニア Devin と歩む、自律型運用プロセスの構築
a2ito
0
560
Serverless Agent Architecture on Azure / serverless-agent-on-azure
miyake
1
120
サンタコンペ2025完全攻略 ~お前らの焼きなましは遅すぎる~
terryu16
1
570
トラブルの大半は「言ってない」x「言ってない」じゃねーか!!
ichimichi
0
280
全自動で回せ!Claude Codeマーケットプレイス運用術
yukyu30
3
150
Oracle Cloud Infrastructure:2026年2月度サービス・アップデート
oracle4engineer
PRO
0
170
What's new in Go 1.26?
ciarana
2
280
Datadog Cloud Cost Management で実現するFinOps
taiponrock
PRO
0
100
AI Agentにおける評価指標とAgent GPA
tsho
1
270
メタデータ同期に潜んでいた問題 〜 Cache Stampede 時の Cycle Wait を⾒つけた話
lycorptech_jp
PRO
0
130
LLM活用の壁を超える:リクルートR&Dの戦略と打ち手
recruitengineers
PRO
1
200
Eight Engineering Unit 紹介資料
sansan33
PRO
1
6.9k
Featured
See All Featured
A better future with KSS
kneath
240
18k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
360
30k
HU Berlin: Industrial-Strength Natural Language Processing with spaCy and Prodigy
inesmontani
PRO
0
250
The Art of Programming - Codeland 2020
erikaheidi
57
14k
The Cost Of JavaScript in 2023
addyosmani
55
9.7k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
GitHub's CSS Performance
jonrohan
1032
470k
A Guide to Academic Writing Using Generative AI - A Workshop
ks91
PRO
0
220
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
35
2.4k
Automating Front-end Workflow
addyosmani
1370
200k
Abbi's Birthday
coloredviolet
2
5.1k
世界の人気アプリ100個を分析して見えたペイウォール設計の心得
akihiro_kokubo
PRO
67
37k
Transcript
Crafting a Great Webhooks Experience John Sheehan CEO, @Runscope
None
None
None
None
None
"user defined callbacks made with HTTP POST"
"Webhooks are the easiest way to remotely execute code." --
Jeff Lindsay once when we were talking
HTTP Push Notifications
A Reverse API
Provider makes request to URL when an event happens. Consumer
sets up a server to listen for callbacks. Consumer registers callback URL with provider.
Provider makes request to URL when an event happens. Consumer
sets up a server to listen for callbacks. Consumer registers callback URL with provider.
Provider makes request to URL when an event happens. Consumer
sets up a server to listen for callbacks. Consumer registers callback URL with provider.
None
Implementing Webhooks
url = get_callback_url() data = get_webhook_payload_json() try: resp = requests.post(url,
data=data) if not resp.ok: _logger.error(resp.content) except Exception as e: _logger.error(e)
Problem #1: Error Handling
> POST /callback < 400 Bad Request
> POST /callback < 302 Found < Location: http://
> POST /callback < 200 OK < Content-Type: text/plain <
<Response></Response>
Error Handling Suggestions
Be lenient in what you accept back if you can
reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.
Be lenient in what you accept back if you can
reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.
Be lenient in what you accept back if you can
reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.
Problem #2: Flooding
None
Active Queues ↪ ↪
Problem #3: Security
> POST http://localhost:3000
> POST http://foo.lvh.me
DoS Attack Vector
Proving the Source
Validation Techniques
Key Sharing
Request Signing
Re-fetch > POST /callback > { id: 123 } >
GET /users/123 < { id: 123 } Webhook Callback App Code
Security Suggestions
Validate your requests. Document it well! Resolve IPs before making
request. Consider proxying. Consider subscription validation for high-volume cases.
Validate your requests. Document it well! Resolve IPs before making
request. Consider proxying. Consider subscription validation for high-volume cases.
Validate your requests. Document it well! Resolve IPs before making
request. Consider proxying. Consider subscription validation for high-volume cases.
Developer Experience
Payload Design
Fat vs.Thin
Mirror API Resources
Complete Documentation!
Tooling
Accept Multiple Callback URLs
Hooks API
Debugger & Logs
Manual Retries
Generate Test Callbacks
Tunneling Recommended: ngrok.com
Thank you! Questions?
[email protected]
Try Runscope free: runscope.com
johnsheehan
a2ito
miyake
terryu16
ichimichi
yukyu30
oracle4engineer
ciarana
taiponrock
tsho
lycorptech_jp
recruitengineers
sansan33
kneath
bermonpainter
inesmontani
erikaheidi
addyosmani
cassininazir
jonrohan
ks91
marcduiker
coloredviolet
akihiro_kokubo
![Thank you! Questions? [email protected] Try Runscope free: runscope.com](https://files.speakerdeck.com/presentations/d5de91d075d3406aa354d68fc96dfd91/slide_52.jpg){kind=link}