A way for applications to send real-time data to other applications when events happen, using HTTP callbacks.
Webhooks are automated messages sent from one app to another when something happens. Instead of constantly checking for updates (polling), the app sends you a notification the moment something occurs.
Think of webhooks like doorbell notifications on your phone. Your doorbell does not make you constantly check if someone is at the door; it alerts you instantly when someone rings.
When someone stars your GitHub repo, GitHub sends a POST request to your webhook URL with details about who starred it.
Payment Processing: Stripe sends webhooks when payments succeed or fail. Your app updates order status automatically.
CI/CD: GitHub sends webhooks when code is pushed. Your CI server receives it and starts building.
Communication: Slack sends webhooks when messages are posted. Your app can respond automatically.
E-commerce: Shopify sends webhooks for new orders, refunds, inventory changes.
Polling (old way):
Webhooks (modern way):
Webhooks are more efficient and faster.
Create an endpoint in your Express.js application that receives POST requests. GitHub will send data to this endpoint whenever events happen. Return a 200 status to acknowledge receipt.
Webhooks need security because anyone who knows the URL could send fake requests to your endpoint:
Signature Verification: Services sign webhook payloads. You verify the signature to ensure the request is legitimate.
HTTPS Only: Always use HTTPS to prevent eavesdropping.
IP Whitelisting: Only accept requests from known service IPs.
Stripe provides methods to verify webhook signatures to ensure requests are legitimate.
GitHub: push, pull request, issues, releases, stars
Stripe: payment succeeded, payment failed, subscription canceled
Twilio: SMS received, call completed
Shopify: order created, product updated, customer created
Discord: message posted, member joined
Networks fail. Your server might be down when a webhook arrives. Handle this:
Return 200 Quickly: Acknowledge receipt immediately, process asynchronously
Retry Logic: Most services retry failed webhooks (with exponential backoff)
Idempotency: Handle duplicate webhooks gracefully (services may send the same webhook twice)
Logging: Log all webhooks for debugging
Problem: Webhooks need a public URL, but you are developing locally.
Solutions:
Use webhooks when:
Use polling when:
Almost every modern API supports webhooks:
Webhooks are how modern apps communicate in real-time. They are simple, efficient, and powerful. Master webhooks and you can integrate with any service that supports them.
Set up a webhook endpoint, register it with a service, and start receiving real-time updates. It is that easy.