We built Hookdeck with one goal in mind: free developers from the burden of assembling their own webhook infrastructure by providing a reliable, ready-made alternative. If we were going to accomplish this task, the first step would be to build a robust queueing system that would allow our users to process webhooks asynchronously at a predetermined rate.

We wanted to avoid tampering with the inbuilt simplicity of webhooks, namely the straightforward HTTP POST request. …


The series “Working With Webhooks” explore the most important concepts to consider when receiving incoming webhooks.

Working with webhooks exposes an HTTP endpoint that can be called from any actor on your server. Without appropriate measures, this could be extremely unsafe. However, there are now well-understood strategies that ensure your webhook endpoints are secured.

There are 3 main vectors of attacks that you need to watch out and for and protect yourself against.

1) Man-in-the-middle

A man-in-the-middle attack is a vulnerability where a third party obtains access to your webhook data by capturing and reading the request. It’s essential that you only…


The series “Working With Webhooks” explore the most important concepts to consider when receiving incoming webhooks.

As a developer, ensuring your back-end works smoothly is key to delivering reliable services. If you don’t ingest and process your webhooks properly, you risk poor performance and server outages, which can negatively impact your product, your users, and your team.

In this language-agnostic reference guide, you’ll learn to take your webhook game to the next level by implementing delayed processing, one of the most important concepts when building reliable webhooks. …


The series “Working With Webhooks” explore the most important concepts to consider when receiving incoming webhooks.

Most webhook providers operate on an “at least once” delivery guarantee. The key phrase here is “at least” — you will eventually get the same webhook multiple times. Your application needs to be built to handle those scenarios.

What is idempotency?

In computing, when repeating the same action results in the same outcome, we call it idempotent. One common example you have probably encountered is the HTTP PUT vs the HTTP POST methods.

The distinction between the two is that PUT denotes that the action is idempotent…


I’ve been working in e-commerce for the last three years dealing with millions of fairly mission-critical webhook events. My key takeaway is that it sucks to deal with multiple APIs incoming webhooks such as Shopify, Stripe & Intercom, and I hate not having an alternative.

What’s the problem?

Mistakes are human, and so are bugs. Every once in a while, you will introduce errors in your webhook handling methods. Even with the best integration tests, you are probably not prepared for unexpected payload changes (perhaps a stealth API version upgrade) or a platform downtime. You probably have server logs or even better, something…

Alexandre Bouchard

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store