Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Crafting a Great Webhooks Experience

John Sheehan
November 20, 2015
Technology
2
490

Crafting a Great Webhooks Experience

Presented at API Strategy and Practice 2015 #apistrat

John Sheehan

November 20, 2015
Tweet

More Decks by John Sheehan

See All by John Sheehan
My Favorite API Tools (Other than Runscope)
johnsheehan
0
150
Glue 2015: Microservices - More than just a buzzword.
johnsheehan
2
610
Scale-Oriented Architecture with Microservices
johnsheehan
2
330
Crafting a Great Webhooks Experience
johnsheehan
0
160
The rise of distributed applications.
johnsheehan
2
410
Zen and the Art of API Maintenance
johnsheehan
2
2.3k
Building API integrations you can live with.
johnsheehan
0
99
Free API debugging and testing tools you should know about.
johnsheehan
5
820
Modern Tools for Modern Applications
johnsheehan
1
170

Other Decks in Technology

See All in Technology
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
170
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
300
ハイパーパラメータチューニングって何をしているの
toridori_dev
0
140
適材適所の技術選定 〜GraphQL・REST API・tRPC〜 / Optimal Technology Selection
kakehashi
1
160
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
5
590
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
28
12k
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
210
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
410
スクラムチームを立ち上げる〜チーム開発で得られたもの・得られなかったもの〜
ohnoeight
2
350
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
1
990
EventHub Startup CTO of the year 2024 ピッチ資料
eventhub
0
110

Featured

See All Featured
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
KATA
mclloyd
29
14k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
Practical Orchestrator
shlominoach
186
10k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
Build your cross-platform service in a week with App Engine
jlugia
229
18k
It's Worth the Effort
3n
183
27k
Happy Clients
brianwarren
98
6.7k
Embracing the Ebb and Flow
colly
84
4.5k
Visualization
eitanlees
145
15k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.3k
Why Our Code Smells
bkeepers
PRO
334
57k

Transcript

  1. Crafting a Great Webhooks Experience John Sheehan CEO, @Runscope

  2. None
  3. None
  4. None
  5. None
  6. None

  7. "user defined callbacks made with HTTP POST"

  8. "Webhooks are the easiest way to remotely execute code." --

    Jeff Lindsay once when we were talking

  9. HTTP Push Notifications

  10. A Reverse API

  11. Provider makes request to URL when an event happens. Consumer

    sets up a server to listen for callbacks. Consumer registers callback URL with provider.

  12. Provider makes request to URL when an event happens. Consumer

    sets up a server to listen for callbacks. Consumer registers callback URL with provider.

  13. Provider makes request to URL when an event happens. Consumer

    sets up a server to listen for callbacks. Consumer registers callback URL with provider.
  14. None

  15. Implementing Webhooks

  16. url = get_callback_url() data = get_webhook_payload_json() try: resp = requests.post(url,

    data=data) if not resp.ok: _logger.error(resp.content) except Exception as e: _logger.error(e)

  17. Problem #1: Error Handling

  18. > POST /callback < 400 Bad Request

  19. > POST /callback < 302 Found < Location: http://

  20. > POST /callback < 200 OK < Content-Type: text/plain <

    <Response></Response>

  21. Error Handling Suggestions

  22. Be lenient in what you accept back if you can

    reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.

  23. Be lenient in what you accept back if you can

    reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.

  24. Be lenient in what you accept back if you can

    reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.

  25. Problem #2: Flooding

  26. None

  27. Active Queues ↪ ↪

  28. Problem #3: Security

  29. > POST http://localhost:3000

  30. > POST http://foo.lvh.me

  31. DoS Attack Vector

  32. Proving the Source

  33. Validation Techniques

  34. Key Sharing

  35. Request Signing

  36. Re-fetch > POST /callback > { id: 123 } >

    GET /users/123 < { id: 123 } Webhook Callback App Code

  37. Security Suggestions

  38. Validate your requests. Document it well! Resolve IPs before making

    request. Consider proxying. Consider subscription validation for high-volume cases.

  39. Validate your requests. Document it well! Resolve IPs before making

    request. Consider proxying. Consider subscription validation for high-volume cases.

  40. Validate your requests. Document it well! Resolve IPs before making

    request. Consider proxying. Consider subscription validation for high-volume cases.

  41. Developer Experience

  42. Payload Design

  43. Fat vs.Thin

  44. Mirror API Resources

  45. Complete Documentation!

  46. Tooling

  47. Accept Multiple Callback URLs

  48. Hooks API

  49. Debugger & Logs

  50. Manual Retries

  51. Generate Test Callbacks

  52. Tunneling Recommended: ngrok.com

  53. Thank you! Questions? [email protected] Try Runscope free: runscope.com