Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Crafting a Great Webhooks Experience
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
John Sheehan
November 20, 2015
Technology
2
550
Crafting a Great Webhooks Experience
Presented at API Strategy and Practice 2015 #apistrat
John Sheehan
November 20, 2015
Tweet
Share
More Decks by John Sheehan
See All by John Sheehan
My Favorite API Tools (Other than Runscope)
johnsheehan
0
180
Glue 2015: Microservices - More than just a buzzword.
johnsheehan
2
760
Scale-Oriented Architecture with Microservices
johnsheehan
2
350
Crafting a Great Webhooks Experience
johnsheehan
0
210
The rise of distributed applications.
johnsheehan
2
480
Zen and the Art of API Maintenance
johnsheehan
2
2.5k
Building API integrations you can live with.
johnsheehan
0
130
Free API debugging and testing tools you should know about.
johnsheehan
5
860
Modern Tools for Modern Applications
johnsheehan
1
200
Other Decks in Technology
See All in Technology
Databricks (と気合い)で頑張るAI Agent 運用
kameitomohiro
0
350
入門DBSC
ynojima
0
100
どこで打鍵するのが良い? IaCの実行基盤選定について
nrinetcom
PRO
2
110
全自動で回せ!Claude Codeマーケットプレイス運用術
yukyu30
3
150
Sansan Engineering Unit 紹介資料
sansan33
PRO
1
4k
WBCの解説は生成AIにやらせよう - 生成AIで野球解説者AI Agentを実現する / Baseball Commentator AI Agent for Gemini
shinyorke
PRO
0
320
Introduction to Sansan, inc / Sansan Global Development Center, Inc.
sansan33
PRO
0
3k
AIに視覚を与えモバイルアプリケーション開発をより円滑に行う
lycorptech_jp
PRO
1
760
パネルディスカッション資料 (at Tableau Now! - 2026-02-26)
yoshitakaarakawa
0
1k
Webアクセシビリティ技術と実装の実際
tomokusaba
0
190
ブラックボックス観測に基づくAI支援のプロトコルのリバースエンジニアリングと再現 ~AIを用いたリバースエンジニアリング~ @ SECCON 14 電脳会議 / Reverse Engineering and Reproduction of an AI-Assisted Protocol Based on Black-Box Observation @ SECCON 14 DENNO-KAIGI
chibiegg
0
130
マネージャー版 "提案のレベル" を上げる
konifar
10
3.6k
Featured
See All Featured
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
aleyda
1
1.1k
The Language of Interfaces
destraynor
162
26k
Odyssey Design
rkendrick25
PRO
2
530
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.6k
brightonSEO & MeasureFest 2025 - Christian Goodrich - Winning strategies for Black Friday CRO & PPC
cargoodrich
3
110
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.7k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
akashhashmi
0
280
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
aleyda
1
1.9k
How Fast Is Fast Enough? [PerfNow 2025]
tammyeverts
3
470
How to train your dragon (web standard)
notwaldorf
97
6.5k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
122
21k
First, design no harm
axbom
PRO
2
1.1k
Transcript
Crafting a Great Webhooks Experience John Sheehan CEO, @Runscope
None
None
None
None
None
"user defined callbacks made with HTTP POST"
"Webhooks are the easiest way to remotely execute code." --
Jeff Lindsay once when we were talking
HTTP Push Notifications
A Reverse API
Provider makes request to URL when an event happens. Consumer
sets up a server to listen for callbacks. Consumer registers callback URL with provider.
Provider makes request to URL when an event happens. Consumer
sets up a server to listen for callbacks. Consumer registers callback URL with provider.
Provider makes request to URL when an event happens. Consumer
sets up a server to listen for callbacks. Consumer registers callback URL with provider.
None
Implementing Webhooks
url = get_callback_url() data = get_webhook_payload_json() try: resp = requests.post(url,
data=data) if not resp.ok: _logger.error(resp.content) except Exception as e: _logger.error(e)
Problem #1: Error Handling
> POST /callback < 400 Bad Request
> POST /callback < 302 Found < Location: http://
> POST /callback < 200 OK < Content-Type: text/plain <
<Response></Response>
Error Handling Suggestions
Be lenient in what you accept back if you can
reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.
Be lenient in what you accept back if you can
reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.
Be lenient in what you accept back if you can
reasonably guess. Retry failed callbacks with exponential back off. Decide if redirects are to be followed or not.
Problem #2: Flooding
None
Active Queues ↪ ↪
Problem #3: Security
> POST http://localhost:3000
> POST http://foo.lvh.me
DoS Attack Vector
Proving the Source
Validation Techniques
Key Sharing
Request Signing
Re-fetch > POST /callback > { id: 123 } >
GET /users/123 < { id: 123 } Webhook Callback App Code
Security Suggestions
Validate your requests. Document it well! Resolve IPs before making
request. Consider proxying. Consider subscription validation for high-volume cases.
Validate your requests. Document it well! Resolve IPs before making
request. Consider proxying. Consider subscription validation for high-volume cases.
Validate your requests. Document it well! Resolve IPs before making
request. Consider proxying. Consider subscription validation for high-volume cases.
Developer Experience
Payload Design
Fat vs.Thin
Mirror API Resources
Complete Documentation!
Tooling
Accept Multiple Callback URLs
Hooks API
Debugger & Logs
Manual Retries
Generate Test Callbacks
Tunneling Recommended: ngrok.com
Thank you! Questions?
[email protected]
Try Runscope free: runscope.com
johnsheehan
kameitomohiro
ynojima
nrinetcom
yukyu30
sansan33
shinyorke
lycorptech_jp
yoshitakaarakawa
tomokusaba
chibiegg
konifar
aleyda
destraynor
rkendrick25
thoeni
cargoodrich
marktimemedia
akashhashmi
tammyeverts
notwaldorf
panda_program
axbom
![Thank you! Questions? [email protected] Try Runscope free: runscope.com](https://files.speakerdeck.com/presentations/d5de91d075d3406aa354d68fc96dfd91/slide_52.jpg){kind=link}