Webhooks
A webhook is a mechanism for one application to notify another in real time by sending an HTTP POST request to a pre-configured URL whenever a specific event occurs, rather than the receiving application having to repeatedly poll for…
Definition
A webhook is a mechanism for one application to notify another in real time by sending an HTTP POST request to a pre-configured URL whenever a specific event occurs, rather than the receiving application having to repeatedly poll for updates.
Overview
Instead of a client repeatedly asking 'has anything changed yet?', webhooks let the server push a notification the moment something happens. A consumer registers a callback URL with a provider (for example, 'notify me when a payment succeeds'), and when that event occurs, the provider sends an HTTP POST containing event details to that URL. This is a simple, HTTP-native implementation of the same idea behind Event-Driven Architecture, but designed to work across organizational and network boundaries rather than within a single system. Because the receiving endpoint must be publicly reachable and webhooks are delivered over plain HTTP requests, providers typically sign payloads (often with an HMAC signature in a request header) so receivers can verify the request genuinely came from the expected source and wasn't forged or tampered with. Receivers should also respond quickly with a 2xx status and process the payload asynchronously, since providers will often retry delivery — sometimes repeatedly — if they don't get a timely acknowledgment, which means webhook handlers need to be built to safely handle duplicate deliveries. Webhooks are ubiquitous in modern integrations: payment processors notify merchants of successful charges, version control platforms trigger CI/CD pipelines on a push, and CMS platforms alert downstream services when content changes. They complement Web Push Notifications, which push events to an end user's browser or device rather than to another server. Providers exposing webhook payloads also typically apply Rate Limiting and version their event schemas following the same API Versioning practices used for their regular REST endpoints.
Key Concepts
- Event-driven HTTP callbacks pushed from provider to consumer
- Eliminates the need for constant polling to detect changes
- Payloads are typically signed (e.g., HMAC) so receivers can verify authenticity
- Providers commonly retry delivery on failure, so handlers must tolerate duplicates
- Receiving endpoint must be a publicly reachable, stable URL
- Used to connect otherwise unrelated systems and third-party services
- Payload format is usually JSON describing the event and relevant data