Skip to main content

Webhook Best Practices

Webhooks push events to consumers in real time but are unreliable by nature. Signature verification, idempotent handlers, fast 2xx acknowledgement, and retries with backoff make them safe for critical workflows.

Organization
Stripe
Published
May 1, 2019

Best Practice: Webhook Best Practices

Webhooks deliver event notifications by having a provider make an HTTP POST to a consumer's URL when something happens, instead of the consumer polling. They are efficient and near real-time, but they are inherently unreliable: the consumer may be down, the network may drop, and a single event may be delivered more than once. Robust webhooks require signature verification, idempotent processing, fast acknowledgement, and retries with backoff. This matters because webhooks often drive critical workflows such as payments, provisioning, and notifications, where a missed or duplicated event causes real harm.

Step-by-Step Implementation Guidance

  1. Sign every payload (for example HMAC-SHA256 over the body) and have receivers verify the signature before trusting it.
  2. Include a timestamp in the signed payload and reject stale requests to prevent replay attacks.
  3. Make handlers idempotent using the event id, so duplicate deliveries are processed once.
  4. Acknowledge fast: return 2xx immediately and process work asynchronously via a queue.
  5. On the sending side, retry failed deliveries with exponential backoff and a delivery log.
  6. Provide a dead-letter path and a way for consumers to replay missed events.
  7. Let consumers subscribe to specific event types and verify their endpoint during setup.

Common Mistakes Teams Make When Ignoring This Practice

  • Trusting payloads without verifying signatures, opening a spoofing hole.
  • Non-idempotent handlers that double-process duplicate deliveries.
  • Doing heavy work before responding, causing timeouts and unnecessary retries.
  • No retry or dead-letter strategy, so transient failures lose events permanently.
  • No way to replay missed events after an outage.

Tools and Techniques That Support This Practice

  • HMAC signatures and Standard Webhooks conventions for verification.
  • Message queues (SQS, RabbitMQ, Kafka) for async processing.
  • Svix and Hookdeck as managed webhook infrastructure.
  • ngrok and request-bin tools for local testing.

How This Practice Applies to Different Migration Types

  • Cloud Migration: Reliable retries matter more when endpoints move and brief downtime is expected.
  • Database Migration: Idempotent handlers prevent duplicate writes when events are replayed during cutover.
  • SaaS Migration: Receiving provider webhooks correctly (signature, idempotency) is core to most integrations.
  • Codebase Migration: Re-pointing webhook URLs needs endpoint verification and replay to avoid lost events.

Checklist

  • Payloads signed and verified.
  • Timestamps signed and replay rejected.
  • Handlers idempotent by event id.
  • Endpoints return 2xx fast; work queued asynchronously.
  • Sender retries with exponential backoff.
  • Dead-letter and replay paths available.
  • Consumers can subscribe per event type.