PeakLab
Back to glossary

Webhook

HTTP notification mechanism enabling an application to send real-time data to a defined URL when specific events occur.

Updated on March 30, 2026

A webhook is an event-driven communication pattern that enables an application to automatically send data to a configured URL when a specific event occurs. Unlike traditional APIs where the client regularly polls the server, webhooks reverse this flow by instantly pushing information to the recipient. This real-time HTTP notification mechanism has become a standard for modern integration between services and cloud applications.

Technical Fundamentals

  • Push-based architecture that eliminates repetitive polling and reduces notification latency
  • HTTP POST requests sent to a predefined callback URL with JSON or XML payload
  • Cryptographic signature mechanism (HMAC) to authenticate the source and ensure data integrity
  • Automatic retry management with exponential backoff in case of delivery failure

Strategic Benefits

  • Drastic reduction in server load by eliminating unnecessary polling requests
  • Real-time notifications enabling instant automated workflows
  • Enhanced scalability through decoupled event-driven architecture
  • Resource and bandwidth savings with event-only communications
  • Simplified integrations between heterogeneous systems without complex synchronization logic

Practical Implementation Example

Here's an example of an Express.js server receiving and validating a Stripe payment webhook:

webhook-handler.ts
import express from 'express';
import crypto from 'crypto';

const app = express();
const WEBHOOK_SECRET = process.env.STRIPE_WEBHOOK_SECRET!;

// Middleware to receive raw body (required for signature)
app.post('/webhooks/stripe',
  express.raw({ type: 'application/json' }),
  (req, res) => {
    const signature = req.headers['stripe-signature'] as string;
    
    try {
      // HMAC signature verification
      const expectedSignature = crypto
        .createHmac('sha256', WEBHOOK_SECRET)
        .update(req.body)
        .digest('hex');
      
      if (signature !== expectedSignature) {
        return res.status(401).send('Invalid signature');
      }
      
      const event = JSON.parse(req.body.toString());
      
      // Process based on event type
      switch (event.type) {
        case 'payment_intent.succeeded':
          await handlePaymentSuccess(event.data.object);
          break;
        case 'payment_intent.failed':
          await handlePaymentFailure(event.data.object);
          break;
        default:
          console.log(`Unhandled event: ${event.type}`);
      }
      
      // Quick response to avoid timeouts
      res.status(200).json({ received: true });
      
    } catch (error) {
      console.error('Webhook error:', error);
      res.status(400).send('Webhook processing failed');
    }
  }
);

async function handlePaymentSuccess(paymentIntent: any) {
  // Business logic: update order, send email, etc.
  console.log('Payment succeeded:', paymentIntent.id);
}

async function handlePaymentFailure(paymentIntent: any) {
  // Business logic: customer notification, retry logic
  console.log('Payment failed:', paymentIntent.id);
}

Recommended Implementation

  1. Define a dedicated public HTTPS URL for webhooks with a secure endpoint
  2. Implement cryptographic signature validation to authenticate each request
  3. Process webhooks asynchronously with a message queue to avoid timeouts
  4. Respond quickly (< 5 seconds) with a 200 code before any heavy business processing
  5. Implement idempotency to handle potential duplicates during automatic retries
  6. Log all received events for debugging and auditing
  7. Configure a monitoring system to detect delivery failures

Production Best Practice

Use a queue system (Redis, RabbitMQ, AWS SQS) to process webhooks asynchronously. Respond immediately with a 200 OK and process the payload in the background. This prevents timeouts from the provider who might consider your endpoint as failing and stop deliveries. Also implement a deduplication system based on event ID to handle idempotency.

Related Tools and Services

  • Ngrok or LocalTunnel to expose your endpoints locally during development
  • Webhook.site to test and inspect payloads without code
  • Svix to manage complete webhook sending infrastructure (retry, logging, customer portal)
  • Hookdeck to route, transform, and debug incoming webhooks
  • AWS EventBridge or Google Cloud Pub/Sub for distributed event-driven architectures

Webhooks form the foundation of modern event-driven architectures and SaaS integrations. Their adoption significantly reduces infrastructure costs while improving system responsiveness. In a context of growing automation and interconnected application ecosystems, mastering webhooks has become an essential skill for building scalable and reactive applications that meet users' expectations for instantaneity.

Let's talk about your project

Need expert help on this topic?

Our team supports you from strategy to production. Let's chat 30 min about your project.

Related terms

The money is already on the table.

In 1 hour, discover exactly how much you're losing and how to recover it.

Web development, automation & AI agency

[email protected]
Newsletter

Get our tech and business tips delivered straight to your inbox.

Follow us
Crédit d'Impôt Innovation - PeakLab agréé CII

© PeakLab 2026

Legal NoticesPrivacy PolicySitemap