webhook - jellyfish-tom/TIL GitHub Wiki

[SOURCES]

A webhook in web development is a method of augmenting or altering the behavior of a web page or web application with custom callbacks. These callbacks may be maintained, modified, and managed by third-party users and developers who may not necessarily be affiliated with the originating website or application. The term "webhook" was coined by Jeff Lindsay in 2007 from the computer programming term hook.

The payload format is usually JSON. The request is made as an HTTP POST request.

Function

Webhooks are "user-defined HTTP callbacks". They are usually triggered by some event, such as pushing code to a repository, a comment being posted to a blog and many more use cases. When that event occurs, the source site makes an HTTP request to the URL configured for the webhook. Users can configure them to cause events on one site to invoke behavior on another.

Common uses are to trigger builds with continuous integration systems or to notify bug tracking systems. Because webhooks use HTTP, they can be integrated into web services without adding new infrastructure.

Authenticating the webhook notification

When the client (the originating website or application) makes a webhook call to the third-party user's server, the incoming POST request should be authenticated to avoid a spoofing attack and its timestamp verified to avoid a replay attack. Different techniques to authenticate the client are used:

- HTTP basic authentication can be used to authenticate the client.
- The webhook can include information about what type of event it is, and a shared secret or digital signature to verify the webhook. An HMAC signature can be included as an HTTP header. GitHub, Stripe and Facebook use this technique.
- Mutual TLS authentication can be used when the connection is established. The endpoint (the server) can then verify the client's certificate.
- The sender may choose to publish a fixed list of IP addresses from which requests will be sent. This is not a sufficient security measure on its own, but it is useful when the receiving endpoint is behind a firewall or NAT.
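As an added example (not taken from the page's sources), here is a minimal sender/receiver pair for the HMAC-in-a-header technique, with the timestamp check that defends against replay. The header names, the shared secret and the 300-second tolerance window are assumptions; real providers use their own names and formats.

```python
import hashlib
import hmac
import json

# Hypothetical shared secret; a real receiver loads it from a secrets store.
SECRET = b"constructed-shared-secret"
MAX_SKEW = 300  # seconds a delivery may be late before it is treated as a replay


def sign(body: bytes, timestamp: int, secret: bytes = SECRET) -> str:
    """Sender side: HMAC-SHA256 over the timestamp and the raw body, hex encoded.

    Binding the timestamp into the MAC means a captured delivery cannot be
    re-sent later with a fresh timestamp: the signature would no longer match.
    """
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(headers: dict, body: bytes, now: int, secret: bytes = SECRET) -> bool:
    """Receiver side: reject spoofed (bad signature) and replayed (stale) calls.

    `body` must be the raw request bytes, not a re-serialised parse of the JSON,
    or the recomputed MAC will differ from the sender's.
    """
    try:
        ts = int(headers["X-Webhook-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW:  # outside the replay window
        return False
    expected = sign(body, ts, secret)
    received = headers.get("X-Webhook-Signature", "")
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    """Constructed round trip: one genuine delivery, one tampered, one replayed."""
    now = 1_700_000_000  # constructed 'current time' on the receiver
    body = json.dumps({"event": "push", "ref": "refs/heads/main"}).encode()
    headers = {"X-Webhook-Timestamp": str(now), "X-Webhook-Signature": sign(body, now)}
    tampered = json.dumps({"event": "push", "ref": "refs/heads/other"}).encode()
    return {
        "genuine": verify(headers, body, now),
        "tampered": verify(headers, tampered, now),
        "replayed": verify(headers, body, now + MAX_SKEW + 1),
    }


if __name__ == "__main__":
    print(demo())
```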

There are two ways your apps can communicate with each other to share information: polling and webhooks. As one of our customer champion's friends has explained it: polling is like knocking on your friend's door and asking if they have any sugar (aka information), but you have to go and ask for it every time you want it. Webhooks are like someone tossing a bag of sugar at your house whenever they buy some. You don't have to ask—they just automatically punt it over every time it's available.

Webhooks are automated messages sent from apps when something happens. They have a message—or payload—and are sent to a unique URL—essentially the app's phone number or address. Webhooks are almost always faster than polling, and require less work on your end.

They're much like SMS notifications. Say your bank sends you an SMS when you make a new purchase. You already told the bank your phone number, so they knew where to send the message. They type out "You just spent $10 at NewStore" and send it to your phone number +1-234-567-8900. Something happened at your bank, and you got a message about it. All is well.