Crafting a Great Webhooks Experience

54b75f6fbf4434162bfcda6b0cb9b86b?s=47 John Sheehan
November 20, 2015
Technology
2
400

Crafting a Great Webhooks Experience

Presented at API Strategy and Practice 2015 #apistrat

54b75f6fbf4434162bfcda6b0cb9b86b?s=128

John Sheehan

November 20, 2015
Tweet

More Decks by John Sheehan

See All by John Sheehan
54b75f6fbf4434162bfcda6b0cb9b86b?s=48 johnsheehan
0
110
54b75f6fbf4434162bfcda6b0cb9b86b?s=48 johnsheehan
2
250
54b75f6fbf4434162bfcda6b0cb9b86b?s=48 johnsheehan
2
300
54b75f6fbf4434162bfcda6b0cb9b86b?s=48 johnsheehan
0
130
54b75f6fbf4434162bfcda6b0cb9b86b?s=48 johnsheehan
2
350
54b75f6fbf4434162bfcda6b0cb9b86b?s=48 johnsheehan
2
1.5k
54b75f6fbf4434162bfcda6b0cb9b86b?s=48 johnsheehan
0
49
54b75f6fbf4434162bfcda6b0cb9b86b?s=48 johnsheehan
5
780
54b75f6fbf4434162bfcda6b0cb9b86b?s=48 johnsheehan
1
150

Other Decks in Technology

See All in Technology
7e6a435700dda6cdb22105d601f20892?s=48 picardparis
4
2k
C422cc033079e005fd1aa1b845b099da?s=48 meow_noisy
0
110
2c58367194cdc9bb97f8e0fd5b20b511?s=48 kenthamaguchi
2
120
55c8dbd8bc4374c44d83b328fbba4b21?s=48 antje
2
130
A35557d139d8d53246763a01ec847a3f?s=48 kichiemon
3
400
7a0bc9670ff654b04d4361a9afd1bba8?s=48 hcrane
18
1.8k
88f4e84b94fe07cddbd9e6479d689192?s=48 soudai
1
370
3623c11f38517055d9040073ed81913b?s=48 endoumari
3
880
652359244199b2b5108a5e09c027e0da?s=48 ykanazawa
0
240
Ff98f59b09d38b46d177e9a12b77dad4?s=48 yksn
0
230
26173c2f52b5aa5d06e6806c7a9478d3?s=48 laprasdrum
0
990
Df739988f32c42e8c318ef844d6e902b?s=48 oliver_diary
2
130

Featured

See All Featured
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
9
600
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
7
440
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
4
500
Ba530e786553390f3fb271848485681c?s=48 3n
160
22k
C620790ae5bf5b50c245b2e0ef95f338?s=48 deanohume
294
27k
E6c6e133e74c3b83f04d2861deaa1c20?s=48 searls
202
35k
719435d98d452de7ac367c828266cf01?s=48 erikaheidi
10
3.8k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
51
3.9k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
407
57k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
266
16k
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
23
1.7k
812e1705ff0f8bc1bcf18587bde687d5?s=48 62gerente
582
200k

Transcript

  1. Crafting a Great Webhooks Experience John Sheehan CEO, @Runscope

  2. None
  3. None
  4. None
  5. None
  6. None

  7. "user defined callbacks made with HTTP POST"

  8. "Webhooks are the easiest way to remotely execute code." --

    Jeff Lindsay once when we were talking

  9. HTTP Push Notifications

  10. A Reverse API

  11. Provider makes request to URL when an event happens. Consumer

    sets up a server to listen for callbacks. Consumer registers callback URL with provider.

  12. Provider makes request to URL when an event happens. Consumer

    sets up a server to listen for callbacks. Consumer registers callback URL with provider.

  13. Provider makes request to URL when an event happens. Consumer

    sets up a server to listen for callbacks. Consumer registers callback URL with provider.
  14. None

  15. Implementing Webhooks

  16. url = get_callback_url() data = get_webhook_payload_json() try: resp = requests.post(url,

    data=data) if not resp.ok: _logger.error(resp.content) except Exception as e: _logger.error(e)

  17. Problem #1: Error Handling

  18. > POST /callback < 400 Bad Request

  19. > POST /callback < 302 Found < Location: http://

  20. > POST /callback < 200 OK < Content-Type: text/plain <

    <Response></Response>

  21. Error Handling Suggestions

  22. Be lenient in what you accept back if you can

    reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.

  23. Be lenient in what you accept back if you can

    reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.

  24. Be lenient in what you accept back if you can

    reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.

  25. Problem #2: Flooding

  26. None

  27. Active Queues ↪ ↪

  28. Problem #3: Security

  29. > POST http://localhost:3000

  30. > POST http://foo.lvh.me

  31. DoS Attack Vector

  32. Proving the Source

  33. Validation Techniques

  34. Key Sharing

  35. Request Signing

  36. Re-fetch > POST /callback > { id: 123 } >

    GET /users/123 < { id: 123 } Webhook Callback App Code

  37. Security Suggestions

  38. Validate your requests. Document it well! Resolve IPs before making

    request. Consider proxying. Consider subscription validation for high-volume cases.

  39. Validate your requests. Document it well! Resolve IPs before making

    request. Consider proxying. Consider subscription validation for high-volume cases.

  40. Validate your requests. Document it well! Resolve IPs before making

    request. Consider proxying. Consider subscription validation for high-volume cases.

  41. Developer Experience

  42. Payload Design

  43. Fat vs.Thin

  44. Mirror API Resources

  45. Complete Documentation!

  46. Tooling

  47. Accept Multiple Callback URLs

  48. Hooks API

  49. Debugger & Logs

  50. Manual Retries

  51. Generate Test Callbacks

  52. Tunneling Recommended: ngrok.com

  53. Thank you! Questions? john@runscope.com Try Runscope free: runscope.com