Be aware of these things when it comes to Webhooks
Having webhooks in our apps is a very common practice nowadays. They are nothing more than regular HTTP endpoints, most of the time handling just the POST method. By exposing them, we allow third-party applications to notify our system about events that took place on their end, so that our system can act accordingly.
Common use cases
- Notifications about payment failures / successes (ex. Stripe)
- Stock updates exchanged between an e-commerce store and an ERP
- Communication apps' webhooks for two-way data flow (ex. Slack actions)
- Communication between different apps in our own system
and many, many more.
Best practices when it comes to webhooks:
- Fallback polling - Use a fallback polling mechanism for actions that are critical, where you want to make sure you don't lose a single request. Payments are a typical case: the payment provider will send you a webhook when a payment is processed, but what if it never arrives? Things happen, and you may simply never receive that request, even though it is a critical one. Make sure you have a fallback mechanism, for example one that polls the payment provider every X minutes and checks whether the payment was processed. Find a balance here so that you don't overload your system with polling, since this is only a fallback.
- Queues to handle the webhook request - This really depends on your architecture and your application's load. If your application already carries a lot of load, you don't want to burden the system further, so just queue the action that needs to be executed for the webhook request and save yourself some HTTP traffic. The same applies when the action is a heavy process (ex. image processing or large data handling). Use queues, because this is too risky to handle at the HTTP level: the third-party app may have a timeout, and if you try to run long-running code inside the request, it may stop unexpectedly. Be aware that, most of the time, you need to respond to the request quickly, just like any other of your HTTP endpoints.
- Secure your webhook endpoint - You want to ensure that the legitimate third-party app sent the request, and not someone else with bad intentions, right? So we need a way to secure our endpoint. The most common ways I have seen are signature verification, IP whitelisting or regular API keys, or a combination of any of them. Validating the data (using, for example, regular Laravel validation) may also be beneficial.
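Signature verification and the "verify, enqueue, respond fast" pattern from the points above, as an added example that is not part of the original post. The `t=<unix>,v1=<hex>` header layout, the secret and the event body are constructed for illustration; real providers document their own exact formats.

```python
import hashlib
import hmac
import time
from typing import List, Optional

# Shared secret handed out by the (hypothetical) provider; lives in server config,
# never in the request. Constructed value for this example.
WEBHOOK_SECRET = b"whsec_example_constructed_secret"
TOLERANCE_SECONDS = 300  # reject events whose timestamp is older than 5 minutes
QUEUE: List[bytes] = []  # stand-in for a real job queue (Redis, SQS, Laravel queue)


def sign(payload: bytes, secret: bytes, timestamp: int) -> str:
    """Signature a provider would attach: HMAC-SHA256 over '<timestamp>.<raw body>'."""
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify_webhook(payload: bytes, header: str, secret: bytes,
                   now: Optional[int] = None) -> bool:
    """Validate a 't=<unix>,v1=<hex>' header against the RAW request body.
    Sign the bytes as received: re-serialising parsed JSON changes whitespace
    and key order and would break the signature."""
    now = int(time.time()) if now is None else now
    try:
        parts = dict(kv.split("=", 1) for kv in header.split(","))
        ts = int(parts["t"])
        provided = parts["v1"]
    except (ValueError, KeyError):
        return False  # malformed header: treat as unauthenticated
    # Replay protection: a captured request cannot be resent once the window closes.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = sign(payload, secret, ts)
    # Constant-time comparison; a plain `==` leaks timing information byte by byte.
    return hmac.compare_digest(expected, provided)


def handle_webhook(raw_body: bytes, header: str, now: Optional[int] = None) -> int:
    """Endpoint logic: authenticate, enqueue, answer immediately.
    Returns the HTTP status the endpoint would send."""
    if not verify_webhook(raw_body, header, WEBHOOK_SECRET, now):
        return 401
    QUEUE.append(raw_body)  # heavy work runs in a worker, not on the HTTP thread
    return 202
```

The worker that drains `QUEUE` should also deduplicate on the event id, since providers retry deliveries they did not see acknowledged.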