Webhook Pattern Reference

HMAC signature verification ensures payload integrity and sender authenticity. The webhook provider signs the raw request body using a shared secret with HMAC-SHA256, placing the signature in a header like X-Hub-Signature-256. The receiver recomputes the HMAC using the same secret and compares it with constant-time comparison. This prevents both payload tampering during transit and unauthorized senders from injecting fake events.

At-least-once delivery means the sender retries until a 200 response is received, so the same event may be delivered multiple times during failures. At-most-once means no retries, accepting potential message loss. Exactly-once is achieved by combining at-least-once delivery with idempotency keys on the receiver side. The receiver stores processed webhook IDs in a cache like Redis with a TTL and skips duplicates, ensuring each event is processed only once.

Exponential backoff (1s, 2s, 4s, 8s, 16s...) prevents overwhelming a recovering endpoint with rapid retries. Adding random jitter (typically 50-100% of the delay) prevents the thundering herd problem where many failed webhooks retry at exactly the same intervals, creating synchronized traffic spikes. The formula delay * (0.5 + random * 0.5) ensures retries are spread across the time window.

A dead letter queue (DLQ) captures webhook deliveries that have exhausted all retry attempts, typically after 5-10 retries over several hours. DLQs prevent permanent data loss and enable manual investigation. You should monitor DLQ depth as a key metric and alert operations teams when events accumulate. DLQ entries should include the original payload, target endpoint, error details, and failure timestamp for debugging.

The fan-out pattern delivers a single event to multiple subscriber endpoints simultaneously. When an event occurs, the system retrieves all subscribed endpoints for that event type, then dispatches webhook requests concurrently using Promise.allSettled (not Promise.all, since individual failures should not cancel other deliveries). Each subscriber has independent retry logic and failure tracking.

Use date-based version strings like 2024-01-01 passed via a X-Webhook-Version header. Subscribers specify their desired version when registering endpoints. The provider maintains transformers for each active version, converting the internal event format to the subscriber-expected schema. This allows evolving the payload structure without breaking existing integrations, with old versions deprecated on a published timeline.

Most webhook providers expect a 200 response within 5-10 seconds. Receivers should immediately acknowledge with 200 OK and enqueue the payload for asynchronous background processing using a message queue like RabbitMQ or Redis. This decouples reception from processing, preventing timeouts on complex operations and ensuring the provider does not trigger unnecessary retries.

Critical metrics include delivery success/failure rate (target above 99.5%), average response latency from consumer endpoints, retry ratio indicating how often first attempts fail, DLQ queue depth showing unrecoverable failures, and per-endpoint health scores. Set up alerts for sudden drops in success rate, sustained high retry ratios, and growing DLQ depth. Dashboard these metrics alongside event volume to correlate issues with traffic patterns.