Webhook

WEB-hook

An HTTP callback that sends data to your application automatically when an event occurs in another system.

A webhook is a way for one system to notify another when something happens. Instead of your application constantly asking "did anything change?" (polling), the other system sends you an HTTP request the moment something happens. Stripe sends you a webhook when a payment succeeds. GitHub sends you a webhook when someone opens a pull request. Shopify sends you a webhook when a customer places an order.

The mechanics are simple. You give the other system a URL (your webhook endpoint). When an event occurs, the system sends an HTTP POST request to that URL with a JSON payload describing what happened. Your server receives the request, processes the data, and returns a 200 OK. If your server does not respond, most systems retry the webhook several times over the next few hours.

Webhooks are the backbone of modern integrations. They are how Zapier connects apps. They are how Slack bots respond to messages. They are how payment systems notify your application about charges, refunds, and disputes. Any time you see two systems working together in real time, there is probably a webhook involved.

Examples

A SaaS product integrates with Stripe for payments.

The application registers a webhook endpoint at /api/webhooks/stripe. When a customer's payment succeeds, Stripe sends a POST request with the payment details. The application updates the customer's subscription status, sends a confirmation email, and provisions their account. All of this happens within seconds of the payment, without the application ever checking Stripe's API.

A team uses GitHub webhooks to trigger CI/CD.

Every time a developer pushes code to GitHub, a webhook fires to the CI server. The CI server receives the payload (which branch, which commits, who pushed), checks out the code, runs tests, and reports the results back to GitHub via the status API. The entire feedback loop takes minutes and requires zero manual intervention.

A webhook endpoint goes down and events are lost.

The team deploys a broken version of their webhook handler. For two hours, all incoming webhooks from Stripe return 500 errors. Stripe retries each webhook up to 8 times over 48 hours. The team fixes the handler, and the retries start succeeding. They also add a reconciliation job that compares their database against Stripe's records every hour to catch any events that fell through the cracks.

Frequently asked questions

What is the difference between a webhook and an API?

An API is a request you make when you want data: you ask, and the server answers. A webhook is a notification the server sends you when something happens: the server tells you without being asked. With an API, your application pulls data. With a webhook, the other system pushes data to you. Most integrations use both: webhooks for real-time notifications and APIs for fetching additional details or taking actions.

How do you secure a webhook endpoint?

Three steps. First, verify the signature. Most webhook providers (Stripe, GitHub, Shopify) sign each request with a secret key. Your server verifies the signature to confirm the request came from the real provider, not an attacker. Second, use HTTPS so the payload is encrypted in transit. Third, validate the payload contents before acting on them. Never trust webhook data blindly. Check that the referenced objects exist in your database and that the amounts match your records.
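The first and third steps, together with the duplicate deliveries that retries cause, sketched as an added example that is not code from any provider. The `sha256=` plus hex HMAC-SHA256 signing scheme, the secret, the event field names and the in-memory order store are all assumptions; each provider documents its own header name and signing format. HTTPS (the second step) is handled by the server in front of this handler and is not shown.

```python
import hashlib
import hmac
import json

# Constructed sample data: secret, order store and field names are assumptions.
SECRET = b"whsec_constructed_example"
ORDERS = {"ord_1001": {"amount_cents": 4900, "paid": False}}
SEEN_EVENTS = set()


def sign(raw_body: bytes, secret: bytes = SECRET) -> str:
    """Signature the sender attaches: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_webhook(raw_body: bytes, signature_header: str) -> int:
    """Return the HTTP status the endpoint should send back."""
    # Step 1: verify over the exact bytes received, before parsing, in constant time.
    expected = sign(raw_body)
    if not hmac.compare_digest(expected.encode(), (signature_header or "").encode()):
        return 401
    try:
        event = json.loads(raw_body)
        event_id, order_id, amount = event["id"], event["order_id"], event["amount_cents"]
    except (ValueError, KeyError, TypeError):
        return 400
    if not (isinstance(event_id, str) and isinstance(order_id, str) and isinstance(amount, int)):
        return 400
    # Retries can deliver the same event twice: acknowledge it without reprocessing.
    if event_id in SEEN_EVENTS:
        return 200
    # Step 3: the referenced object must exist and the amount must match our records.
    order = ORDERS.get(order_id)
    if order is None or order["amount_cents"] != amount:
        return 422
    order["paid"] = True
    SEEN_EVENTS.add(event_id)
    return 200
```

Computing the HMAC over the raw request bytes matters: re-serializing parsed JSON can change whitespace or key order and make a valid signature fail.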
