Webhooks
Webhooks enable event-driven integrations without continuous polling. They are used by virtually every SaaS platform (Stripe, GitHub, Slack, Twilio) to.
What Webhooks Actually Means
A webhook is a mechanism where a server sends an HTTP POST request to a pre-configured URL when a specific event occurs. Instead of the client repeatedly polling for updates (pull), the server pushes notifications to the client (push). Webhooks are the push-based alternative to polling.
When to Use It (and When Not To)
Webhooks enable event-driven integrations without continuous polling. They are used by virtually every SaaS platform (Stripe, GitHub, Slack, Twilio) to notify your application of events in real-time.
The Architecture
You register a webhook URL with the service (e.g., tell Stripe to POST to https://myapp.com/webhooks/stripe). When an event occurs (payment succeeded, payment failed), Stripe sends an HTTP POST to your URL with the event data as JSON. Your server processes the event (update order status, send email) and returns 200 OK. If your server is down or returns an error, Stripe retries.
Key Principles
- Push model: The server notifies the client when an event occurs, rather than the client asking repeatedly.
- HTTP POST: Webhook payloads are delivered as HTTP POST requests to a URL you configure.
- Idempotency: Webhooks may be delivered multiple times. Your handler must be idempotent — processing the same event twice should not cause problems.
- Verification: Sign webhook payloads with a secret (HMAC) so the receiver can verify the sender is authentic.
- Retry logic: If your endpoint returns a non-2xx status, the sender retries with exponential backoff.
Who Does This Well
Stripe sends webhooks for payment events (succeeded, failed, refunded). This is how merchants update order status in real-time.
GitHub sends webhooks for repository events (push, pull request, issue). This triggers CI/CD pipelines.
Slack receives incoming webhooks to post messages to channels from external services.
The Hard Parts Nobody Talks About
- Not verifying webhook signatures — exposes you to spoofed events
- Processing webhooks synchronously — if your handler is slow, the sender may time out and retry
- Not making handlers idempotent — duplicate deliveries cause duplicate processing
The Tradeoffs
- Push (webhook) vs Pull (polling): Webhooks are more efficient but harder to debug. Polling is simpler but wastes resources.
- Reliability: You depend on the sender's retry logic. If they stop retrying and you missed the event, data is lost.
- Security: Without signature verification, anyone can send fake webhooks to your endpoint.
Interview Angles
- What is a webhook and how does it differ from polling?
- How do you ensure webhook delivery reliability?
- How do you secure webhooks?
- What happens if the webhook receiver is down?
Keep Learning
The Real-World Incident That Made This Famous
Understanding Webhooks became critical after multiple high-profile production incidents at major tech companies. When systems handle millions of users, even small misunderstandings about Webhooks can lead to cascading failures that cost millions in lost revenue and erode user trust. Companies like Netflix, Google, Amazon, and Meta have all invested heavily in mastering Webhooks because they learned the hard way that ignoring it leads to outages.
The key lesson from these incidents: Webhooks is not just a theoretical concept — it is a practical skill that separates engineers who build resilient systems from those who build fragile ones.
How Senior Engineers Think About This
Senior engineers approach Webhooks differently from textbook definitions. Instead of memorizing rules, they build mental models. They ask: "What problem does Webhooks solve? When does it fail? What are the alternatives?" This problem-first thinking leads to better design decisions because every system has unique constraints.
When evaluating Webhooks in a system design context, experienced engineers consider the failure modes first. What happens when this component goes down? How does the system degrade? Is the degradation graceful or catastrophic? These questions reveal more about your understanding than any textbook definition.
Common Interview Mistakes
Mistake 1: Giving a textbook definition without context. Interviewers want to see you connect Webhooks to real systems and real problems.
Mistake 2: Not discussing trade-offs. Every design decision involving Webhooks has trade-offs. Discuss what you gain and what you give up.
Mistake 3: Overcomplicating the solution. Start with the simplest approach to Webhooks that meets the requirements, then add complexity only when justified.
Production Checklist
- Define clear metrics for measuring the effectiveness of your Webhooks implementation
- Set up monitoring and alerting that specifically tracks Webhooks-related failures
- Document your Webhooks design decisions in Architecture Decision Records (ADRs)
- Test failure scenarios related to Webhooks in staging before production deployment
- Review and update your Webhooks implementation quarterly as system requirements evolve
- Train new team members on the specific Webhooks patterns used in your system
Read the original source | Content from System-Design-Overview
Practical Implementation for .NET Developers
In a .NET application, you would typically implement this pattern using the following approach:
ASP.NET Core setup: Create a service class that encapsulates the logic, register it with dependency injection, and inject it into your controllers or minimal API endpoints. The built-in DI container handles lifecycle management.
Entity Framework Core: For database interactions, EF Core provides the ORM layer. Use migrations for schema management and raw SQL for performance-critical queries. Consider Dapper for read-heavy paths where EF Core's overhead matters.
Azure integration: If deploying to Azure, leverage managed services — Azure Cache for Redis, Azure SQL, Azure Service Bus, Azure Cosmos DB. These eliminate operational overhead and provide built-in monitoring through Application Insights.
Testing: Use xUnit with Testcontainers for integration tests that spin up real databases in Docker. Mock external dependencies with NSubstitute. The WebApplicationFactory class lets you test your entire HTTP pipeline in-process.
Monitoring: Add Application Insights telemetry to track request latency, dependency calls, and custom metrics. Use structured logging with Serilog to make production debugging possible:
Log.Information("Processing order {OrderId} for {CustomerId}", orderId, customerId);
This gives you searchable, structured logs in Azure Monitor or Seq.