Webhook Glossary
Plain-English definitions of every webhook term you'll meet — endpoints, signatures, idempotency, retry policies, and more. Each entry is short, precise, and links to working code where it matters.
Core (10)
Webhook
A webhook is an HTTP POST request that one service sends to another to notify it that an event has occurred.
Webhook Endpoint
A webhook endpoint is the public HTTPS URL on your server that receives webhook POST requests from a source system.
Webhook Payload
The webhook payload is the body of the HTTP request — usually JSON — describing the event that occurred.
Webhook Event
A webhook event is a single occurrence in a source system that triggers one webhook delivery — for example, a payment succeeding.
Webhook Delivery
A webhook delivery is one HTTP attempt by the source system to deliver an event to your endpoint, including retries.
Webhook Source
The webhook source is the system that emits webhook events — for example, Stripe, GitHub, or your own application.
Webhook Receiver
The webhook receiver is the system that accepts webhook deliveries — your application, an inspector, or a forwarder.
Webhook Handler
A webhook handler is the server-side function that processes a verified webhook event and runs the business logic.
Event-Driven
Event-driven means systems communicate by emitting and reacting to events instead of synchronous request-response calls.
Webhook URL
The webhook URL is the public HTTPS address you register with a source system to receive webhook deliveries.
Security (8)
Webhook Signature
A webhook signature is a keyed cryptographic hash, sent in a request header, that proves the webhook came from the claimed source.
HMAC
HMAC is a hash-based message authentication code that mixes a secret key into a hash of the message to prove authenticity.
Webhook Secret
A webhook secret is the shared key — issued when you register an endpoint — used to compute and verify webhook signatures.
Signature Verification
Signature verification is the receiver-side step that checks an inbound webhook's signature against the expected HMAC of the raw body.
Replay Attack
A replay attack is when an attacker captures a valid signed webhook and re-sends it later to trigger duplicate or stale processing.
Timestamp Tolerance
Timestamp tolerance is the maximum age difference — typically 5 minutes — between a signed webhook and "now" before the receiver rejects it.
Signing Secret Rotation
Signing secret rotation is the operational process of replacing a webhook's shared secret with a new one without dropping in-flight deliveries.
Webhook Authentication
Webhook authentication is the mechanism — usually HMAC signatures — that proves an inbound webhook came from the claimed source.
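The security entries above (raw body, HMAC, timestamp tolerance, replay, secret rotation) and the idempotency key fit together in a single receiver-side check. The following is an added example, not code from this glossary or from any provider: it assumes a hex HMAC-SHA256 computed over `<timestamp>.<raw body>`, accepts both the old and new secret during rotation, and uses hypothetical names (`sign`, `receive`, `demo`) and constructed sample data.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # the "typically 5 minutes" window

# Constructed sample values, not taken from any real provider.
OLD_SECRET, NEW_SECRET = b"whsec_old_example", b"whsec_new_example"
BODY = b'{"id":"evt_001","type":"payment.succeeded"}'
T0 = 1_700_000_000


def sign(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    # Assumed scheme: hex HMAC-SHA256 over b"<timestamp>." + exact body bytes.
    mac = hmac.new(secret, timestamp.encode() + b"." + raw_body, hashlib.sha256)
    return mac.hexdigest()


def receive(raw_body, timestamp, signature, secrets, seen_ids, now=None):
    """Return 'accepted', 'duplicate', or a rejection reason."""
    now = time.time() if now is None else now
    if not (timestamp.isascii() and timestamp.isdigit()):
        return "rejected: bad timestamp"
    # Check every active secret so rotation keeps in-flight deliveries valid.
    # compare_digest runs in constant time, so it leaks no partial match.
    sig = signature.encode()
    if not any(hmac.compare_digest(sign(s, timestamp, raw_body).encode(), sig) for s in secrets):
        return "rejected: bad signature"
    # The timestamp is covered by the MAC, so it is trusted only after verification.
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return "rejected: stale timestamp"
    # Parse only after verification, then deduplicate on the event ID.
    event_id = json.loads(raw_body)["id"]
    if event_id in seen_ids:
        return "duplicate"
    seen_ids.add(event_id)
    return "accepted"


def demo():
    seen, ts, keys = set(), str(T0), [NEW_SECRET, OLD_SECRET]
    sig = sign(OLD_SECRET, ts, BODY)  # sender has not switched secrets yet
    reserialized = json.dumps(json.loads(BODY)).encode()  # same JSON, different bytes
    return [
        receive(BODY, ts, sig, keys, seen, now=T0 + 10),          # first delivery
        receive(BODY, ts, sig, keys, seen, now=T0 + 20),          # retry inside the window
        receive(BODY, ts, sig, keys, seen, now=T0 + 3600),        # capture re-sent an hour later
        receive(reserialized, ts, sig, keys, seen, now=T0 + 10),  # body parsed and re-encoded
    ]
```

The last case shows why verification must run on the raw body: re-encoding the parsed JSON changes the bytes, so the same signature no longer matches.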
Reliability (7)
Retry Policy
A retry policy is the source's rule for re-sending a webhook after a delivery fails — typically on a backoff schedule with a max attempt cap.
Exponential Backoff
Exponential backoff is a retry strategy where the delay between attempts doubles each time, often with random jitter added.
Idempotency
Idempotency means processing the same webhook event twice produces the same result as processing it once — no duplicate side effects.
Idempotency Key
An idempotency key is a unique identifier — usually the event ID — used to deduplicate retried webhooks or HTTP requests.
Dead-Letter Queue
A dead-letter queue stores webhook events that failed processing after all retries — for manual inspection or replay later.
At-Least-Once Delivery
At-least-once delivery means the source guarantees every event will be delivered one or more times — never zero, but possibly several.
Event Ordering
Event ordering is the property of whether webhooks arrive at the receiver in the same order the events occurred at the source — usually they do not.
HTTP & Concept (5)
Raw Body
The raw body is the exact byte sequence of an HTTP request — required for webhook signature verification before any parsing.
Content-Type
Content-Type is the HTTP header that tells the receiver how to interpret the request body — usually application/json for webhooks.
HTTP Status Code
An HTTP status code is the 3-digit response code your handler returns — providers expect 2xx for success and retry on most non-2xx.
Webhook vs Callback
A callback is any function called back when an event occurs; a webhook is the specific case of an HTTP POST callback over the network.
Webhook Gateway
A webhook gateway is an intermediate service that receives webhooks on your behalf and forwards them to one or more downstream endpoints.