Webhook

Quality 0.50 · 1 view · Updated 2 months ago

Method of web development

title: "Webhook" type: doc version: 1 created: 2026-02-28 author: "Wikipedia contributors" status: active scope: public tags: ["hypertext-transfer-protocol", "events-(computing)", "web-technology", "change-detection-and-notification"] description: "Method of web development" topic_path: "technology/computing" source: "https://en.wikipedia.org/wiki/Webhook" license: "CC BY-SA 4.0" wikipedia_page_id: 0 wikipedia_revision_id: 0

::summary Method of web development ::

In web development, a webhook is a method of augmenting or altering the behavior of a web page or web application with custom callbacks. These callbacks may be maintained, modified, and managed by third-party users who need not be affiliated with the originating website or application. In 2007, Jeff Lindsay coined the term webhook from the computer programming term hook.

Function

Webhooks are "user-defined HTTP callbacks". They are usually triggered by some event, such as pushing code to a repository, a purchase, a comment being posted to a blog and many more use cases. When that event occurs, the source site makes an HTTP request to the URL configured for the webhook. Users can configure them to cause events on one site to invoke behavior on another.

Common uses are to trigger builds with continuous integration systems or to notify bug tracking systems. Because webhooks use HTTP, they can be integrated into web services without adding new infrastructure.

Authenticating the webhook notification

When the client (the originating website or application) makes a webhook call to the third-party user's server, the incoming POST request should be authenticated to avoid a spoofing attack and its timestamp verified to avoid a replay attack. Different techniques to authenticate the client are used:

  • HTTP basic authentication can be used to authenticate the client.
  • The webhook can include information about what type of event it is, and a shared secret or digital signature to verify the webhook.
  • An HMAC signature can be included as an HTTP header. GitHub, Stripe and Facebook use this technique.
  • Mutual TLS authentication can be used when the connection is established. The endpoint (the server) can then verify the client's certificate.

The sender may choose to keep a constant list of IP addresses from which requests will be sent. This is not a sufficient security measure on its own, but it is useful for when the receiving endpoint is behind a firewall or NAT.

References

References

  1. (3 May 2007). "Web hook to revolutionize the web".
  2. "Webhooks". Atlassian.
  3. [https://help.github.com/articles/about-webhooks/ About Webhooks - Github Help]
  4. [http://en.support.wordpress.com/webhooks/ WordPress Webhooks]
  5. [https://webhook-test.com/use-cases-for-webhooks Use Cases for Webhooks]
  6. "Jenkins GitHub Commit Hooks HOWTO".
  7. [https://code.google.com/p/support/wiki/PostCommitWebHooks Google Project Hosting - Post-Commit Web Hooks]
  8. [http://blog.programmableweb.com/2012/01/30/webhooks-realtime-web/ What are WebHooks and How Do They Enable a Real-time Web?]
  9. "Why Verify". Svix Inc..
  10. (16 November 2017). "DocuSign Connect Now Includes Basic Authentication Support". DocuSign, Inc..
  11. "Securing your webhooks". Github, Inc.
  12. "Checking Webhook Signatures". Stripe, Inc.
  13. "Getting Started - Graph API - Documentation - Facebook for Developers". Facebook, Inc..
  14. "Mutual TLS: Stuff you should know". DocuSign, Inc..

::callout[type=info title="Wikipedia Source"] This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page. ::

hypertext-transfer-protocolevents-(computing)web-technologychange-detection-and-notification