Webhooks are user-defined HTTP callbacks. Over the years, webhooks have become increasingly popular. Many popular SaaS companies provide webhooks alongside their APIs. As a modern web developer, understanding webhooks is important. In this short guide, I will explain what webhooks are! After reading this, you should have a solid understanding of webhooks.
Webhooks are used for automatic, real-time communication between web applications. Webhooks aim to reduce the cost of periodically sending requests to an API to check for new data (polling). Polling is wasteful and unnecessarily complex. To further explain webhooks, I will give an analogy!
Jane loves Nike sneakers, so she drives a long way to the store during the weekend to purchase a pair. After getting there, she realizes the Nike sneakers she loves just got sold out and are out of stock. She is upset: she wasted time and effort driving to the store! She plans to come back on Monday to check if the sneakers will be available. The store manager notices Jane is upset and walks up to her, and she explains her dilemma to him! He then tells her not to worry, collects her contact information and promises to let her know as soon as the sneakers are restocked, to save her the stress of driving long distances every day till the sneakers are available.
With webhooks, you do not need to make requests to an API in hopes of receiving new data; you are automatically notified when there is a data modification. Although webhooks are HTTP-based, they differ from traditional HTTP requests as they are event-based, sent from the API when a specified event occurs. The POST requests the API makes to your systems when the specified event occurs are often called notifications. These notifications are often in JSON format, although they can come in XML or as form data. Either way, the API provider is responsible for informing you of the format the webhook payload will arrive in.
- Responding To Webhooks: Most webhook providers require a response when a webhook notification is sent. This is to acknowledge that the webhook has been received. To acknowledge the receipt of a webhook, your endpoint should return a 2xx HTTP status code. When working with webhooks, it is good practice to always respond to webhook notifications as soon as they are received. This ensures that the webhooks do not exceed the provider's timeout period and get lost.
- HTTPS Secure Endpoints: In most cases, when wiring up webhooks, API providers require you to provide an HTTPS-secured URL endpoint as the webhook receiver. This is to ensure the security of webhooks. Along the lines of security, most webhook providers have various ways of implementing security for webhooks. Some platforms require you to decrypt a header value and compare it with a value provided on their dashboard. The importance of verifying webhooks is to prevent SSRF vulnerabilities. Your webhook provider will give you more information about the technique you should use in verifying webhooks.
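The two points above, combined in one receiver, as an added example that is not from the original article or any provider's documentation: it checks that a notification really came from the provider, then acknowledges it immediately and defers the work. It assumes the provider signs each delivery with HMAC-SHA256 over a timestamp and the raw body using a shared secret (a common scheme, but an assumption here); the header names, secret and payload are hypothetical.

```python
import hashlib
import hmac
import json
import time
from collections import deque

# Hypothetical header names; real providers document their own.
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"
TOLERANCE_SECONDS = 300  # reject notifications older than five minutes

work_queue = deque()  # stand-in for a real job queue


def sign(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """Signature the provider is assumed to send: HMAC-SHA256 of "ts.body"."""
    return hmac.new(secret, timestamp.encode() + b"." + raw_body, hashlib.sha256).hexdigest()


def handle_webhook(secret: bytes, headers: dict, raw_body: bytes, now: float = None) -> int:
    """Return the HTTP status code the endpoint should answer with."""
    now = time.time() if now is None else now
    timestamp = headers.get(TS_HEADER, "")
    received = headers.get(SIG_HEADER, "")
    try:
        age = abs(now - int(timestamp))
    except ValueError:
        return 400  # missing or malformed timestamp
    if age > TOLERANCE_SECONDS:
        return 400  # stale delivery, possibly a replayed request
    expected = sign(secret, timestamp, raw_body)
    # Constant-time comparison over the raw bytes, before any JSON parsing.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return 401
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400
    work_queue.append(event)  # defer slow processing; acknowledge right away
    return 200


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample values
    body = b'{"event": "order.restocked", "sku": "constructed-123"}'
    ts = str(int(time.time()))
    good = {TS_HEADER: ts, SIG_HEADER: sign(secret, ts, body)}
    print(handle_webhook(secret, good, body))         # authentic delivery
    print(handle_webhook(secret, good, body + b" "))  # body altered after signing
```

The signature is computed over the exact bytes received, so the check must run on the raw request body before a framework parses or re-serializes it.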
I hope at this point you have a clearer understanding of what webhooks are! I plan on writing more articles on webhooks. I also write for Hookdeck’s blog, where I write guides for more specific implementations of webhooks for various platforms. You can check it out to learn more!