What a Webhook is and how to implement a Webhook properly.
Before we go further, let's read about what a hook is.
In computer programming, the term hooking covers a range of techniques used to alter or augment the behaviour of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components. Code that handles such intercepted function calls, events or messages is called a hook. — Wikipedia
So what is a webhook?
A webhook in web development is a method of augmenting or altering the behavior of a web page or web application with custom callbacks. These callbacks may be maintained, modified, and managed by third-party users and developers who may not necessarily be affiliated with the originating website or application. — Wikipedia
Methods of Webhook
There are 2 methods of webhook.
1. Outbound / Outgoing (Call / Sender / Publisher)
Outbound webhook: this is a service where you register your inbound webhook URL so that the service sends POST requests to it, typically when a notification event is triggered.
2. Inbound / Incoming (Callback / Receiver / Listener)
Inbound webhook: an inbound webhook service is one that exposes a webhook URL to listen for POST requests of a specific type.
Types of Webhook
There are 2 types of webhook.
1. Client-to-Client (Public)
There are some considerations when using client-to-client communication.
- The client cannot guarantee the callback, so the first client needs to add a confirm / retry call to the second client to stay up-to-date.
- It cannot send JSON, because the request comes from the client side; it only uses form-data.
- To handle the security issue, we need to add CSRF protection. It makes sure that the right client is the one accessing / calling the other client.
2. Server-to-Server (Private)
Server-to-server is the recommended approach.
- You can use any API method: HTTP, gRPC, etc., but it is recommended to use standard HTTP with a JSON body.
- To secure this approach, you can use an IP whitelist: we add the IP of the client that wants to use our API.
- Or, if the client IP is dynamic, you can secure the API with a secret key.
- Or you can use a signature: a combination of a secret key and some of the request data, run through a hash or other cryptographic function to produce the signature. Example: JWT. The financial industry usually uses signatures.
Problem and Solution in Webhook
There is a common error in webhooks: the data is not received from the callback. This happens in both public and private communication.
1. Client-to-Client (Public)
Problem
Redirect error (public). Sometimes we get a redirect error, maybe because the user was not redirected properly or closed the web page while the process was still running.
Solution
The second client should have an API /get-status. Then the first client should have a scheduler / cron job to call the /get-status API.
2. Server-to-Server (Private)
Problem
Network error (private). Sometimes there is a network glitch or the server is down.
Solution
Use a retry implementation with an interval / pause time: maybe 5 minutes; if it still fails, retry with exponential back-off at 30 minutes, then 1 hour, then 3 hours, then 24 hours. Also use a maximum retry; in this case we set it to 24 hours. If it still fails, we should automate a notification email to the third party so they can manually handle the transaction that failed in the API. Note: we can also handle this by calling /get-status to make sure there is no manual transaction.
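As an added example (not code from the original post), here is a Python sketch of the signature approach from the server-to-server section together with the retry schedule described above. The shared secret, timestamp and callback payload are constructed values.

```python
import hashlib
import hmac
from typing import Optional

# Constructed shared secret for the example; in practice it is a long random
# value exchanged out of band between the two servers.
SECRET = b"example-shared-secret"

def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over timestamp and body, sent as headers
    alongside the JSON body so the receiver can check integrity and freshness."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()

def verify_payload(secret: bytes, timestamp: int, body: bytes,
                   signature: str, now: int, max_age: int = 300) -> bool:
    """Receiver side: reject stale timestamps (replayed callbacks), then
    recompute the HMAC and compare in constant time."""
    if abs(now - timestamp) > max_age:
        return False
    expected = sign_payload(secret, timestamp, body)
    return hmac.compare_digest(expected, signature)

# Retry schedule from the text: 5 min, 30 min, 1 h, 3 h, then a final 24 h.
RETRY_DELAYS_MINUTES = [5, 30, 60, 180, 1440]

def next_retry_delay(attempt: int) -> Optional[int]:
    """Minutes to wait before retry number `attempt` (1-based). Returns None
    once the schedule is exhausted, which is the point to notify a human."""
    if attempt < 1 or attempt > len(RETRY_DELAYS_MINUTES):
        return None
    return RETRY_DELAYS_MINUTES[attempt - 1]

if __name__ == "__main__":
    # Constructed callback: a payment notification sent at a fixed time.
    ts, body = 1700000000, b'{"order_id": "A123", "status": "PAID"}'
    sig = sign_payload(SECRET, ts, body)
    print("valid:", verify_payload(SECRET, ts, body, sig, now=ts + 10))
    # A tampered body must fail verification even with the original signature.
    tampered = body.replace(b"PAID", b"FAILED")
    print("tampered:", verify_payload(SECRET, ts, tampered, sig, now=ts + 10))
    # Walk the retry schedule until it is exhausted.
    attempt = 1
    while (delay := next_retry_delay(attempt)) is not None:
        print(f"retry {attempt} after {delay} min")
        attempt += 1
    print("retries exhausted: notify third party by email")
```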
Conclusion
I recommend using the server-to-server approach because it is more reliable to handle. We should understand how the communication works, and we should prepare the retry scheme with automation, so that you can make sure the application calls the API properly (let the data speak).
That's all. Have a great day!