A webhook is a mechanism that allows one application to automatically send real-time data to another application when a specific event occurs, enabling event-driven communication without constant polling.
A webhook is an HTTP callback — a user-defined URL that a source application calls with an HTTP POST request when a specific event happens. Unlike traditional APIs where your app asks a server for data, webhooks flip the model: the server pushes data to your app the moment something occurs. This makes them ideal for event-driven architectures where immediacy matters.
Webhooks eliminate the need for continuous polling, where your application repeatedly asks a server 'did anything change yet?' — a wasteful and slow pattern. By receiving data instantly at the moment of an event, you reduce server load, lower latency, and build more responsive integrations. Common use cases include payment confirmations, CI/CD pipeline triggers, chat notifications, and third-party service sync.
First, you register a publicly accessible URL (your webhook endpoint) with the source service. When a matching event fires — such as a completed payment — the source service sends an HTTP POST request containing a JSON or XML payload describing the event to your URL. Your server receives the request, processes the payload, and responds with an HTTP 200 status to acknowledge receipt.
Because your webhook endpoint is publicly accessible, any party could potentially send forged requests to it. Most providers sign their payloads using a shared secret and a keyed-hash algorithm such as HMAC-SHA256, sending the signature in a request header. Always validate this signature before processing the payload to ensure the request is genuinely from the expected source.
Webhook providers typically implement retry logic — if your endpoint fails to respond with a 2xx status within a timeout window, they will resend the event, sometimes multiple times. This means your handler must be idempotent: processing the same event twice should not cause duplicate side effects. Use a unique event ID included in the payload to detect and skip already-processed events.
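The signature check and the idempotency rule described above, combined in one receiver. This is an added example, not code from any provider: the hex-encoded signature format, the `id` payload field, and all names (`handle_webhook`, `SEEN_IDS`, `LEDGER`) are assumptions, and the secret and sample body are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo values: real secrets come from a secret store, never source code.
SECRET = b"constructed-demo-secret"
SAMPLE_BODY = b'{"id": "evt_constructed_001", "type": "payment.completed", "amount": 1999}'

SEEN_IDS = set()   # stand-in for a durable store with a unique key on event ID
LEDGER = []        # stand-in for the side effect (e.g. marking an order paid)


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes received, before any JSON parsing."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_webhook(raw_body, signature, secret=SECRET, seen=SEEN_IDS, ledger=LEDGER):
    """Return (http_status, outcome) for one delivery."""
    if not isinstance(signature, str):
        return 401, "missing signature"
    expected = sign(secret, raw_body).encode()
    # compare_digest runs in constant time, so timing does not leak how many
    # leading characters of a forged signature were correct.
    if not hmac.compare_digest(expected, signature.encode("utf-8", "replace")):
        return 401, "bad signature"

    # Only authenticated bytes reach the parser.
    try:
        event = json.loads(raw_body)
        event_id = event["id"]
    except (ValueError, KeyError, TypeError):
        return 400, "malformed payload"
    if not isinstance(event_id, str):
        return 400, "malformed payload"

    # A retry of an already-handled event is acknowledged with 2xx so the
    # provider stops resending, but the side effect is not repeated.
    if event_id in seen:
        return 200, "duplicate ignored"
    ledger.append(event)   # in production: same transaction as the insert below
    seen.add(event_id)
    return 200, "processed"


if __name__ == "__main__":
    sig = sign(SECRET, SAMPLE_BODY)
    print(handle_webhook(SAMPLE_BODY, sig))   # first delivery
    print(handle_webhook(SAMPLE_BODY, sig))   # provider retry
```

Verify against the raw request bytes rather than a re-serialized copy of the parsed JSON, since re-serialization can change whitespace or key order and break the MAC.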
© RM Full Stack & AI Engineer