@glaforge WEB HOOKS WEB HOOKS Not as trivial as it may seem Not as trivial as it may seem @glaforge

@glaforge Introduction

@glaforge Ask a service to notify you via an HTTP callback to a URL you specify when an event occur Ask a service to notify you via an HTTP callback to a URL of your choice when an event occurs @glaforge

@glaforge Server to server realtime notification Simple way to connect apps together @glaforge

@glaforge @glaforge

@glaforge Emails ● SendGrid ● MailChimp Chat messages ● Dialogflow ● Intercom Payments ● Stripe ● BrainTree Build results ● TravisCI ● CircleCI Who else is using webhooks? @glaforge

@glaforge Advantages

@glaforge Realtime @glaforge

@glaforge No polling @glaforge

@glaforge No broadcast @glaforge

@glaforge Inconvenients

@glaforge Not in control @glaforge

@glaforge Github Webhooks DEMO @glaforge

@glaforge Check runs Check suites Commit comments Branch / tag creation Branch / tag deletion Deploy keys Deployments Deployment statuses Forks Wiki Issue comments Issues Labels Collaborator Milestones Page builds Projects Project cards Project columns Visibility changes Pull requests PR reviews PR review comments Pushes Registry packages Releases Repositories Repository imports Repository vuln. alerts Stars Statuses Team adds Watches @glaforge

@glaforge Implementing Webhooks

@glaforge Develop & deploy a handler to receive POST requests Register the handler’s URL to the service provider Service provider sends a requests to your handler when an event occurs 1 2 3 Add a webhook mechanism to a service provider 0 @glaforge

@glaforge Status codes: retry if not 2xx @glaforge

@glaforge Exponential back off PROVIDER @glaforge

@glaforge Handler bombed by too many event notifications or retries @glaforge

@glaforge Batch multiple events together PROVIDER @glaforge

@glaforge Missed calls @glaforge

@glaforge Dead letter queue PROVIDER @glaforge

@glaforge Google Cloud Pub/Sub @glaforge

@glaforge Google Cloud Pub/Sub @glaforge

@glaforge Idempotent HANDLER @glaforge

@glaforge Security

@glaforge Use HTTPS @glaforge

@glaforge Whitelist IP addresses HANDLER @glaforge

@glaforge Sign requests with user-provided secret PROVIDER @glaforge

@glaforge Ngrok and RequestBin DEMO @glaforge

@glaforge Apply good security principles: Authentication Authorization @glaforge

@glaforge Some best practices

@glaforge Data, or not data @glaforge

@glaforge Webhook handlers should answer rapidly HANDLER @glaforge

@glaforge Handlers should do nothing HANDLER @glaforge

@glaforge Enqueue calls and handling PROVIDER HANDLER @glaforge

@glaforge Google Cloud Task @glaforge

@glaforge Keep track of non-responding handlers PROVIDER @glaforge

@glaforge Zzz… what if nobody calls... @glaforge

@glaforge Webhooks benefit from serverless solutions HANDLER @glaforge

@glaforge Cloud Functions DEMO @glaforge

@glaforge Cloud Functions, Cloud Run, App Engine @glaforge

@glaforge Google Cloud Functions @glaforge

@glaforge Summary

@glaforge Implementing Webhooks CLIENT ● Reply with 200 ● Reply fast ● Ack reception and defer work to a worker queue ● Calls should be idempotent ● IP whitelisting ● Check request signature ● Take advantage of serverless solutions SERVER ● Send small data payloads (re-fetch) ● Timeout if client too slow ● Retry with exponential backoff ● Keep track of non-responding handlers and delivery with a worker queue ● Batch events when too frequent ● Use a dead letter queue for auditing ● Use HTTPS for secured connections ● Sign requests with a secret ● Use proper authentication / authorization solutions @glaforge

@glaforge Resources

@glaforge Resources Crafting a great webhooks experience (John Sheehan) https://speakerdeck.com/apistrat/crafting-a-great-webhooks-experience-by-john-sheehan WebHooks: the definitive guide https://requestbin.com/blog/working-with-webhooks/ WebHooks: The API Strikes Back (InfoQ) https://www.infoq.com/presentations/webhooks-api/ Webhooks vs APIs https://hackernoon.com/webhook-vs-api-whats-the-difference-8d41e6661652 What is a Webhooks push-style API & how does it work (ProgrammableWeb) https://www.programmableweb.com/news/what-webhooks-push-styled-api-and-how-does-it-work/analysis/The2017/03/28 Webhooks do’s & dont’s: what we learned after integration 100+ APIs https://restful.io/webhooks-dos-and-dont-s-what-we-learned-after-integrating-100-apis-d567405a3671#.s0qgt1i9p @glaforge

@glaforge Resources How & why Pusher adopted Webhooks https://www.programmableweb.com/news/what-are-webhooks-and-how-do-they-enable-real-time-web/2012/01/30 Webhooks vs WebSub: Which Is Better For Real-Time Event Streaming? https://nordicapis.com/webhooks-vs-websub-which-one-is-better-to-stream-your-events-in-real-time/ Webhooks, the devil is in the details https://techblog.commercetools.com/webhooks-the-devil-in-the-details-ca7f7982c24f#.u49yswnm7 How to design a webhook for my API https://phalt.github.io/webhooks-in-apis/ Serverless webhooks to revolutionize the SaaS https://tomasz.janczuk.org/2018/03/serverless-webhooks-to-revolutionize-the-saas.html @glaforge