Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Crafting a Great Webhooks Experience

John Sheehan
November 20, 2015
Technology
2
480

Crafting a Great Webhooks Experience

Presented at API Strategy and Practice 2015 #apistrat

John Sheehan

November 20, 2015
Tweet

More Decks by John Sheehan

See All by John Sheehan
My Favorite API Tools (Other than Runscope)
johnsheehan
0
140
Glue 2015: Microservices - More than just a buzzword.
johnsheehan
2
550
Scale-Oriented Architecture with Microservices
johnsheehan
2
330
Crafting a Great Webhooks Experience
johnsheehan
0
150
The rise of distributed applications.
johnsheehan
2
400
Zen and the Art of API Maintenance
johnsheehan
2
2.3k
Building API integrations you can live with.
johnsheehan
0
98
Free API debugging and testing tools you should know about.
johnsheehan
5
820
Modern Tools for Modern Applications
johnsheehan
1
170

Other Decks in Technology

See All in Technology
ソフトウェアエンジニアリングの知見を活かして データ基盤をいい感じにする on Snowflake [MIERUNE BBQ #10]
mtpooh
2
150
OSSコミットしてZennの課題を解決した話
dyoshikawa1993
0
150
シフトレフトで挑む セキュリティの生産性向上
sekido
PRO
0
270
AI研修【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
130
テスト・設計研修【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
170
RAGのサービスをリリースして1年3ヶ月が経ちました
segavvy
4
950
20240717_イケコパ代表Copilot_in_Teams会社でこう使ってます
ponponmikankan
2
430
Git 研修 Advanced【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
200
成長期に歩みを止めないための創業期の開発文化形成
mayah
6
420
「我々はどこに向かっているのか」を問い続けるための仕組みづくり / Establishing a System for Continuous Inquiry about where we are
daitasu
0
170
エンジニアリングマネージャーはどう学んでいくのか #devsumi / How Do Engineering Managers Continue to Learn and Grow?
expajp
4
1.3k
Classmethod Odyssey 登壇資料
yamahiro
0
390

Featured

See All Featured
Bash Introduction
62gerente
607
210k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
17
8.7k
Code Reviewing Like a Champion
maltzj
517
39k
5 minutes of I Can Smell Your CMS
philhawksworth
200
19k
Raft: Consensus for Rubyists
vanstee
134
6.5k
StorybookのUI Testing Handbookを読んだ
zakiyama
15
4.9k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
325
21k
Automating Front-end Workflow
addyosmani
1362
200k
Making Projects Easy
brettharned
111
5.7k
A designer walks into a library…
pauljervisheath
201
24k
KATA
mclloyd
20
13k
A Tale of Four Properties
chriscoyier
155
22k

Transcript

  1. Crafting a Great Webhooks Experience John Sheehan CEO, @Runscope

  2. None
  3. None
  4. None
  5. None
  6. None

  7. "user defined callbacks made with HTTP POST"

  8. "Webhooks are the easiest way to remotely execute code." --

    Jeff Lindsay once when we were talking

  9. HTTP Push Notifications

  10. A Reverse API

  11. Provider makes request to URL when an event happens. Consumer

    sets up a server to listen for callbacks. Consumer registers callback URL with provider.

  12. Provider makes request to URL when an event happens. Consumer

    sets up a server to listen for callbacks. Consumer registers callback URL with provider.

  13. Provider makes request to URL when an event happens. Consumer

    sets up a server to listen for callbacks. Consumer registers callback URL with provider.
  14. None

  15. Implementing Webhooks

  16. url = get_callback_url() data = get_webhook_payload_json() try: resp = requests.post(url,

    data=data) if not resp.ok: _logger.error(resp.content) except Exception as e: _logger.error(e)

  17. Problem #1: Error Handling

  18. > POST /callback < 400 Bad Request

  19. > POST /callback < 302 Found < Location: http://

  20. > POST /callback < 200 OK < Content-Type: text/plain <

    <Response></Response>

  21. Error Handling Suggestions

  22. Be lenient in what you accept back if you can

    reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.

  23. Be lenient in what you accept back if you can

    reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.

  24. Be lenient in what you accept back if you can

    reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.

  25. Problem #2: Flooding

  26. None

  27. Active Queues ↪ ↪

  28. Problem #3: Security

  29. > POST http://localhost:3000

  30. > POST http://foo.lvh.me

  31. DoS Attack Vector

  32. Proving the Source

  33. Validation Techniques

  34. Key Sharing

  35. Request Signing

  36. Re-fetch > POST /callback > { id: 123 } >

    GET /users/123 < { id: 123 } Webhook Callback App Code

  37. Security Suggestions

  38. Validate your requests. Document it well! Resolve IPs before making

    request. Consider proxying. Consider subscription validation for high-volume cases.

  39. Validate your requests. Document it well! Resolve IPs before making

    request. Consider proxying. Consider subscription validation for high-volume cases.

  40. Validate your requests. Document it well! Resolve IPs before making

    request. Consider proxying. Consider subscription validation for high-volume cases.

  41. Developer Experience

  42. Payload Design

  43. Fat vs.Thin

  44. Mirror API Resources

  45. Complete Documentation!

  46. Tooling

  47. Accept Multiple Callback URLs

  48. Hooks API

  49. Debugger & Logs

  50. Manual Retries

  51. Generate Test Callbacks

  52. Tunneling Recommended: ngrok.com

  53. Thank you! Questions? [email protected] Try Runscope free: runscope.com