Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Crafting a Great Webhooks Experience

John Sheehan
November 20, 2015
Technology
2
460

Crafting a Great Webhooks Experience

Presented at API Strategy and Practice 2015 #apistrat

John Sheehan

November 20, 2015
Tweet

More Decks by John Sheehan

See All by John Sheehan
My Favorite API Tools (Other than Runscope)
johnsheehan
0
120
Glue 2015: Microservices - More than just a buzzword.
johnsheehan
2
410
Scale-Oriented Architecture with Microservices
johnsheehan
2
310
Crafting a Great Webhooks Experience
johnsheehan
0
150
The rise of distributed applications.
johnsheehan
2
380
Zen and the Art of API Maintenance
johnsheehan
2
2.1k
Building API integrations you can live with.
johnsheehan
0
68
Free API debugging and testing tools you should know about.
johnsheehan
5
800
Modern Tools for Modern Applications
johnsheehan
1
160

Other Decks in Technology

See All in Technology
「Go Style Guide」から学んだ可読性の高いコードの書き方
andpad
5
2.9k
1人目QA奮闘記-2023年ver-/QA Engineer's Struggle 2023
mii3king
1
780
Web Intelligence and Visual Media Analytics
weblyzard
PRO
1
3.3k
バクラクのAI-OCR機能の体験を支える良質なデータセット作成の仕組み / data-centric-ai-bakuraku-dataset
yuya4
1
540
よくわかるフォルシアのエンジニア 旅行プラットフォーム部編
forcia_dev_pr
0
230
Large Language Models: From Prototype to Production
inesmontani
PRO
9
3.1k
dx_osarai_about_connection
hatahata021
0
440
When to use a Lambda function? And when not?!
jeromevdl
1
110
GLOBIS データサイエンスチームのご紹介/ GLOBIS Data Science Team is hiring.
globis_gdp
0
1.9k
Blueskyの「今」がわかる!Bot
lamrongol
0
130
推薦によるプロダクト改善とマイクロサービスが噛み合った話
hazumirr
2
620
ChatGPTを活用した 便利ツールの紹介
hankehly
1
540

Featured

See All Featured
Producing Creativity
orderedlist
PRO
334
38k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.3k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
13
1.4k
The Art of Programming - Codeland 2020
erikaheidi
37
11k
Bootstrapping a Software Product
garrettdimon
PRO
299
110k
[RailsConf 2023] Rails as a piece of cake
palkan
7
1.5k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
19k
Music & Morning Musume
bryan
37
4.9k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
110
17k
KATA
mclloyd
13
10k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
13k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
236
1.1M

Transcript

  1. Crafting a Great
    Webhooks Experience
    John Sheehan
    CEO, @Runscope

    View Slide

  2. View Slide

  3. View Slide

  4. View Slide

  5. View Slide

  6. View Slide

  7. "user defined
    callbacks made
    with HTTP POST"

    View Slide

  8. "Webhooks are the
    easiest way to remotely
    execute code."
    -- Jeff Lindsay once
    when we were talking

    View Slide

  9. HTTP Push
    Notifications

    View Slide

  10. A Reverse API

    View Slide

  11. Provider makes request to
    URL when an event happens.
    Consumer sets up a server to
    listen for callbacks.
    Consumer registers callback
    URL with provider.

    View Slide

  12. Provider makes request to
    URL when an event happens.
    Consumer sets up a server to
    listen for callbacks.
    Consumer registers callback
    URL with provider.

    View Slide

  13. Provider makes request to
    URL when an event happens.
    Consumer sets up a server to
    listen for callbacks.
    Consumer registers callback
    URL with provider.

    View Slide

  14. View Slide

  15. Implementing
    Webhooks

    View Slide

  16. url = get_callback_url()
    data = get_webhook_payload_json()
    try:
    resp = requests.post(url, data=data)
    if not resp.ok:
    _logger.error(resp.content)
    except Exception as e:
    _logger.error(e)

    View Slide

  17. Problem #1:
    Error Handling

    View Slide

  18. > POST /callback
    < 400 Bad Request

    View Slide

  19. > POST /callback
    < 302 Found
    < Location: http://

    View Slide

  20. > POST /callback
    < 200 OK
    < Content-Type: text/plain
    <

    View Slide

  21. Error Handling
    Suggestions

    View Slide

  22. Be lenient in what you accept
    back if you can reasonably guess.
    Retry failed callbacks with
    exponential back off.
    Decide if redirects are to be
    followed or not.

    View Slide

  23. Be lenient in what you accept
    back if you can reasonably guess.
    Retry failed callbacks with
    exponential back off.
    Decide if redirects are to be
    followed or not.

    View Slide

  24. Be lenient in what you accept back
    if you can reasonably guess.
    Retry failed callbacks with
    exponential back off.
    Decide if redirects are to be
    followed or not.

    View Slide

  25. Problem #2:
    Flooding

    View Slide

  26. View Slide

  27. Active
    Queues


    View Slide

  28. Problem #3:
    Security

    View Slide

  29. > POST http://localhost:3000

    View Slide

  30. > POST http://foo.lvh.me

    View Slide

  31. DoS Attack Vector

    View Slide

  32. Proving the Source

    View Slide

  33. Validation
    Techniques

    View Slide

  34. Key Sharing

    View Slide

  35. Request
    Signing

    View Slide

  36. Re-fetch
    > POST /callback
    > { id: 123 }
    > GET /users/123
    < { id: 123 }
    Webhook Callback
    App Code

    View Slide

  37. Security
    Suggestions

    View Slide

  38. Validate your requests.
    Document it well!
    Resolve IPs before making
    request. Consider proxying.
    Consider subscription validation
    for high-volume cases.

    View Slide

  39. Validate your requests.
    Document it well!
    Resolve IPs before making
    request. Consider proxying.
    Consider subscription validation
    for high-volume cases.

    View Slide

  40. Validate your requests.
    Document it well!
    Resolve IPs before making
    request. Consider proxying.
    Consider subscription validation
    for high-volume cases.

    View Slide

  41. Developer
    Experience

    View Slide

  42. Payload Design

    View Slide

  43. Fat vs.Thin

    View Slide

  44. Mirror API
    Resources

    View Slide

  45. Complete
    Documentation!

    View Slide

  46. Tooling

    View Slide

  47. Accept Multiple
    Callback URLs

    View Slide

  48. Hooks API

    View Slide

  49. Debugger &
    Logs

    View Slide

  50. Manual
    Retries

    View Slide

  51. Generate
    Test Callbacks

    View Slide

  52. Tunneling
    Recommended: ngrok.com

    View Slide

  53. Thank you!
    Questions?
    [email protected]
    Try Runscope free:
    runscope.com

    View Slide