A webhook is an API concept growing in popularity. As more and more of what we do on the web includes events, webhooks are becoming even more applicable. These are incredibly useful and a resource-light ways to implement event reactions.
What is a webhook?
So what exactly is a webhook? By definition, a webhook (also called a web callback or HTTP push API) is a way for an app to provide other applications with real-time information. A webhook delivers data to other applications as it happens, meaning you get data immediately—unlike typical APIs where you would need to poll for data very frequently to get it in real time. This makes webhooks much more efficient for the provider and consumer. The only drawback to webhooks is the difficulty of initially setting them up.
Webhooks are sometimes referred to as reverse APIs because of the ability to give you what amounts to an API spec, and you must design an API for the webhook to use. The webhook will make an HTTP request to your app (typically a POST), and then you’ll have to interpret it.
How do webhooks work?
Consuming a webhook
The first step in consuming a webhook is giving the webhook provider a URL to deliver a request. This is often done through a back-end panel or an API, meaning you also need to set up a URL in your app accessible from the public web.
Most webhooks will POST data to you in one of 2 ways: as JSON (typically) or XML (blech) to be interpreted, or as a form data (application/x-www-form-urlencoded or multipart/form-data). Either way, your provider will tell you how it delivers it (or even give you a choice in the matter). The good news is both of these are fairly easy to interpret, and most web frameworks will do the work for you. If the web frameworks don’t, you may need to call on a function or 2.
Debugging a webhook
Debugging a webhook can be complex at times, as webhooks are principally asynchronous. Thus, you must trigger them and wait, then check the response. This can be tiresome and is fairly inefficient. Luckily, there are better ways. It amounts to the following:
- Understand what the webhook provides by using a tool like RequestBin to collect the webhook’s requests.
- Mock the requests using a tool like cURL or Postman.
- Test the code on your machine by using a tool like ngrok.
- Watch the whole flow using a tool like Runscope.
Securing a webhook
As webhooks deliver data to publicly available URLs in your app, there’s the chance that someone else could find that URL and then provide you with false data. To prevent this from happening, you can employ a number of techniques. The easiest thing to do (and what you should implement before going any further) is to force TLS connections (HTTPS). Once you’ve implemented that, you may go forward and further secure your connection:
- The first, and most supported, way to secure a webhook is to add tokens to the URL that act as unique identification, e.g.,
- The next option is to implement Basic Auth—this is also widely supported and very easy to do.
- The third option is to have the provider sign each request it makes to you and then verify the signature—unlike the first two solutions, which work great to prevent most attacks but have the disadvantage of sending the auth token with the request. This has the disadvantage of requiring the provider to have implemented request signing—meaning if it doesn’t already, you’re probably out of luck.
Tips and best practices for creating webhooks
Here are a couple of things to keep in mind when creating webhook consumers:
- Webhooks deliver data to your application and may stop paying attention after making a request. Meaning, if your application has an error, you’ll loser your data. Many webhooks will pay attention to responses and resend requests if your application errors out. So if your application processed the request and still sent an error, there may be duplicate data in your app. Understand how your webhook provider deals with responses to prepare for the possibility of application errors.
- Webhooks can make a lot of requests. If your provider has a lot of events to tell you about, it may end up issuing a distributed denial of service on your app. Make sure your application can handle the expected scale of your webhook. We made another tool, Loader.io, to help with that.
Try webhooks with Twilio SendGrid
For more information on SendGrid’s API, check out our docs pages. Happy webhooking!