DEV Community: Dinuka Karunarathna The latest articles on DEV Community by Dinuka Karunarathna (@dinuka_karunarathna). https://dev.to/dinuka_karunarathna https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3935640%2F982e27b3-8d5b-4f4d-ac79-33142c217615.jpg DEV Community: Dinuka Karunarathna https://dev.to/dinuka_karunarathna en Stop Writing Webhook Boilerplate in Spring Boot Dinuka Karunarathna Sun, 17 May 2026 00:52:13 +0000 https://dev.to/dinuka_karunarathna/stop-writing-webhook-boilerplate-in-spring-boot-1og https://dev.to/dinuka_karunarathna/stop-writing-webhook-boilerplate-in-spring-boot-1og <p>If you've ever needed to send outgoing webhooks from a Spring Boot application, you know the drill. You wire up an HTTP client, implement HMAC signing, add retry logic, bolt on a circuit breaker, set up an async thread pool, and somehow fit audit logging in too, before you've even written a single line of business logic.</p> <p>I got tired of doing this repeatedly across projects, so I built <br> <a href="https://github.com/karunarathnad/spring-webhook-sender" rel="noopener noreferrer">spring-webhook-sender</a> - a Spring Boot 3.x starter that handles all of it for you.</p> <h2> What it does </h2> <p>Drop in one dependency and inject <code>WebhookClient</code>. That's it. Under the hood it handles:</p> <ul> <li> <strong>HMAC-SHA256 signing</strong> - every request gets an <code>X-Webhook-Signature: sha256=&lt;hmac&gt;</code> header automatically</li> <li> <strong>Retry with exponential backoff</strong> - 5xx and network errors are retried; 4xx are not</li> <li> <strong>HTTP 429 Retry-After support</strong> - respects the server's retry window</li> <li> <strong>Per-endpoint circuit breaker</strong> - powered by Resilience4j; a broken endpoint only trips its own circuit</li> <li> <strong>Non-blocking async dispatch</strong> - <code>sendAsync()</code> returns a <code>CompletableFuture</code>, your thread is never blocked</li> <li> <strong>Audit logging</strong> - SLF4J by default, pluggable to a database via a single bean</li> </ul> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.github.karunarathnad<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-webhook-sender<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.0.1<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <p>Requires Java 17+ and Spring Boot 3.2+. No extra configuration needed — Spring Boot auto-configuration wires everything up.</p> <h2> Usage </h2> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Service</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">OrderService</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">WebhookClient</span> <span class="n">webhookClient</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">WebhookEndpoint</span> <span class="no">PAYMENT_ENDPOINT</span> <span class="o">=</span> <span class="nc">WebhookEndpoint</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">id</span><span class="o">(</span><span class="s">"payment-service"</span><span class="o">)</span> <span class="o">.</span><span class="na">targetUrl</span><span class="o">(</span><span class="s">"https://payments.example.com/webhooks"</span><span class="o">)</span> <span class="o">.</span><span class="na">secret</span><span class="o">(</span><span class="nc">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s">"PAYMENT_WEBHOOK_SECRET"</span><span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">onOrderCreated</span><span class="o">(</span><span class="nc">Order</span> <span class="n">order</span><span class="o">)</span> <span class="o">{</span> <span class="nc">WebhookEvent</span> <span class="n">event</span> <span class="o">=</span> <span class="nc">WebhookEvent</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">eventType</span><span class="o">(</span><span class="s">"order.created"</span><span class="o">)</span> <span class="o">.</span><span class="na">payload</span><span class="o">(</span><span class="n">order</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="n">webhookClient</span><span class="o">.</span><span class="na">sendAsync</span><span class="o">(</span><span class="n">event</span><span class="o">,</span> <span class="no">PAYMENT_ENDPOINT</span><span class="o">)</span> <span class="o">.</span><span class="na">thenAccept</span><span class="o">(</span><span class="n">result</span> <span class="o">-&gt;</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"delivered={} attempts={}"</span><span class="o">,</span> <span class="n">result</span><span class="o">.</span><span class="na">success</span><span class="o">(),</span> <span class="n">result</span><span class="o">.</span><span class="na">totalAttempts</span><span class="o">()));</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The JSON payload sent to the endpoint looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"eventId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"a3f1c2d4-..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"eventType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"order.created"</span><span class="p">,</span><span class="w"> </span><span class="nl">"occurredAt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-05-10T08:30:00Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"payload"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"orderId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ORD-001"</span><span class="p">,</span><span class="w"> </span><span class="nl">"amount"</span><span class="p">:</span><span class="w"> </span><span class="mf">99.99</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Configuration </h2> <p>All settings have sensible defaults. Override only what you need in <code>application.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">webhook</span><span class="pi">:</span> <span class="na">retry</span><span class="pi">:</span> <span class="na">max-attempts</span><span class="pi">:</span> <span class="m">3</span> <span class="na">initial-interval</span><span class="pi">:</span> <span class="s">1s</span> <span class="na">multiplier</span><span class="pi">:</span> <span class="m">2.0</span> <span class="na">max-interval</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">circuit-breaker</span><span class="pi">:</span> <span class="na">failure-rate-threshold</span><span class="pi">:</span> <span class="m">50</span> <span class="na">minimum-number-of-calls</span><span class="pi">:</span> <span class="m">10</span> <span class="na">async</span><span class="pi">:</span> <span class="na">core-pool-size</span><span class="pi">:</span> <span class="m">4</span> <span class="na">max-pool-size</span><span class="pi">:</span> <span class="m">16</span> </code></pre> </div> <h2> Extending </h2> <p>Need to persist delivery records to a database? Register one bean:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">AuditLogger</span> <span class="nf">webhookAuditLogger</span><span class="o">(</span><span class="nc">WebhookAuditRepository</span> <span class="n">repo</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">record</span> <span class="o">-&gt;</span> <span class="n">repo</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">toEntity</span><span class="o">(</span><span class="n">record</span><span class="o">));</span> <span class="o">}</span> </code></pre> </div> <p>Need a custom signing strategy? Override <code>SignatureStrategy</code>. Need snake_case JSON? Override <code>webhookObjectMapper</code>. The library gets out of your way when you need it to.</p> <h2> Verifying on the receiving side </h2> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nc">Mac</span> <span class="n">mac</span> <span class="o">=</span> <span class="nc">Mac</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"HmacSHA256"</span><span class="o">);</span> <span class="n">mac</span><span class="o">.</span><span class="na">init</span><span class="o">(</span><span class="k">new</span> <span class="nc">SecretKeySpec</span><span class="o">(</span><span class="n">secret</span><span class="o">.</span><span class="na">getBytes</span><span class="o">(</span><span class="no">UTF_8</span><span class="o">),</span> <span class="s">"HmacSHA256"</span><span class="o">));</span> <span class="nc">String</span> <span class="n">expected</span> <span class="o">=</span> <span class="s">"sha256="</span> <span class="o">+</span> <span class="nc">HexFormat</span><span class="o">.</span><span class="na">of</span><span class="o">().</span><span class="na">formatHex</span><span class="o">(</span><span class="n">mac</span><span class="o">.</span><span class="na">doFinal</span><span class="o">(</span><span class="n">rawBody</span><span class="o">.</span><span class="na">getBytes</span><span class="o">(</span><span class="no">UTF_8</span><span class="o">)));</span> <span class="nc">String</span> <span class="n">received</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getHeader</span><span class="o">(</span><span class="s">"X-Webhook-Signature"</span><span class="o">);</span> <span class="c1">// constant-time comparison to prevent timing attacks</span> <span class="kt">boolean</span> <span class="n">valid</span> <span class="o">=</span> <span class="nc">MessageDigest</span><span class="o">.</span><span class="na">isEqual</span><span class="o">(</span><span class="n">expected</span><span class="o">.</span><span class="na">getBytes</span><span class="o">(</span><span class="no">UTF_8</span><span class="o">),</span> <span class="n">received</span><span class="o">.</span><span class="na">getBytes</span><span class="o">(</span><span class="no">UTF_8</span><span class="o">));</span> </code></pre> </div> <h2> Links </h2> <ul> <li>GitHub: <a href="https://github.com/karunarathnad/spring-webhook-sender" rel="noopener noreferrer">https://github.com/karunarathnad/spring-webhook-sender</a> </li> <li>Maven Central: <a href="https://central.sonatype.com/artifact/io.github.karunarathnad/spring-webhook-sender" rel="noopener noreferrer">https://central.sonatype.com/artifact/io.github.karunarathnad/spring-webhook-sender</a> </li> </ul> java springboot webhook opensource