Webhooks come with their own vocabulary. This glossary covers 30 terms you'll encounter when building, debugging, and operating webhook integrations.
A
- At-Least-Once Delivery: A delivery guarantee where the provider ensures every event is delivered at least once — but possibly more than once. Requires idempotent receivers.
B
- Backoff (Exponential): A retry strategy where each attempt waits longer than the previous: 1s, 2s, 4s, 8s. Prevents overwhelming a struggling server with rapid retries.
C
- Callback URL: Another term for a webhook endpoint. The URL the provider will POST to when an event occurs.
- Circuit Breaker: A pattern that stops calling a failing downstream service after a threshold of errors. Prevents cascading failures in webhook processing pipelines.
D
- Dead-Letter Queue (DLQ): A secondary queue or table where events land after exhausting all retry attempts. Used to preserve failed events for manual inspection.
- Delivery Attempt: A single HTTP POST from the provider to your endpoint. One event may result in multiple delivery attempts if earlier attempts fail.
E
- Event: A discrete occurrence on the provider's side that triggers a webhook. Each event has a type, ID, timestamp, and payload.
- Event ID: A unique identifier for a specific event included in every webhook payload. Used to implement idempotency.
F–H
- Fanout: Routing a single webhook event to multiple downstream handlers. Common in enterprise architectures.
- HMAC: Hash-based Message Authentication Code. Webhook providers use HMAC-SHA256 to sign payloads — a valid signature shows the request was signed by a holder of the shared secret and that the body was not modified.
I
- Idempotency: Property of an operation that produces the same result when applied multiple times. Idempotent webhook handlers process an event identically whether received once or ten times.
- Idempotency Key: A unique value used to detect and skip duplicate requests. For webhooks, the event ID serves as the idempotency key.
- Ingestion: The act of receiving and acknowledging webhook events. Good architectures decouple ingestion (fast) from processing (slow).
J–P
- Jitter: Random delay added to retry intervals to prevent multiple clients from retrying simultaneously (thundering herd problem).
- Payload: The data body of a webhook request — the JSON object describing the event.
- Polling: The alternative to webhooks: periodically calling an API to check for new data. Less efficient and less timely than webhooks.
R
- Raw Body: The request body as received over the wire, before any parsing. Signature verification must use the raw body, because parsing and re-serializing it can change the bytes that were signed.
- Replay: Resending a previously received webhook event to your handler. Used in testing, incident recovery, and debugging.
- Retry: A subsequent delivery attempt after a failed one. Providers retry with exponential backoff up to a defined window.
S–T
- Secret: The shared symmetric key used to compute and verify HMAC signatures. Must be kept confidential.
- Signature: A keyed cryptographic hash (HMAC) of the request body computed using the shared secret. Included in a request header and verified by the receiver.
- Timestamp: A field in some webhook signatures indicating when the event was signed. Receivers should reject events older than a few minutes to prevent replay attacks.
- Timing Attack: A side-channel attack that infers secret values by measuring comparison time. Prevented by comparing signatures with a timing-safe (constant-time) comparison function.
- Timeout: The maximum time a provider waits for your server to respond before declaring delivery failed. Typically 5-30 seconds.
- Topic: Another term for event type used by some providers (e.g., Shopify). Identifies the kind of event: orders/create, customers/update, etc.
W
- Webhook: An HTTP callback — a POST request sent by a provider to a registered URL when a specific event occurs.
- Webhook Endpoint: The URL on your server that receives webhook POST requests. Must be publicly accessible over HTTPS.
- Worker: A background process that consumes events from a queue and performs the actual processing.