What is a webhook source?
The webhook source is the system that emits webhook events — for example, Stripe, GitHub, or your own application. The source has four responsibilities: generating the event when something happens internally, building the payload describing it, signing the request so the receiver can verify origin, and retrying when delivery fails. Source behavior is not standardized — Stripe sends signed JSON, Slack sends signed form-encoded data, Twilio signs the URL plus form params instead of a raw body — so your handler must match each provider's contract precisely. Always verify signatures; anyone on the internet can POST claiming to be Stripe.
The source is whichever system experienced the event and is announcing it. In a Stripe integration, Stripe is the source. In a GitHub Actions setup, GitHub is the source. In an internal microservice architecture, one of your own services may be the source for another.
The source is responsible for four things. Generating the event when something happens internally. Building the payload describing what happened. Signing the request so the receiver can verify the source. Retrying when delivery fails. The receiver is responsible for verifying, deduplicating, and acting on the event — and only those.
Source behavior varies in ways that bite during integration. Stripe sends signed JSON. Slack sends signed form-encoded data. Shopify sends signed JSON but the secret rotation flow is different. Twilio signs the URL plus form params, not a raw body. The "shape" of being a webhook source is not standardized — each provider made independent design decisions, and your handler must match each one's contract precisely.
The same source may run multiple webhook subsystems. Stripe alone has Connect webhooks, account webhooks, and connect-account-on-behalf-of webhooks, each with subtly different envelope shapes. GitHub has organization webhooks, repository webhooks, and app webhooks. Always check the docs page that matches your specific subscription, not just the top-level "Webhooks" page.
In a multi-tenant system, the source is also part of the security boundary. If you accept webhooks from "Stripe," you must verify each delivery actually came from Stripe — anyone on the internet can POST JSON to your URL claiming to be Stripe. Signature verification (HMAC over the body with a shared secret) is how you prove the source. Without it, every webhook endpoint is an open RPC to your handler logic.
When you are the source — emitting webhooks to your own customers — you take on all four responsibilities above. Most teams underestimate the retry-and-observability work involved. You will need a queue, persistent state for in-flight deliveries, a dashboard for customers to inspect their receive history, and a circuit breaker so a flaky customer endpoint doesn't kill your queue.
See Webhook Source in real traffic
WebhookWhisper captures every webhook with full headers, body, signature, and timing — so concepts like webhook source stop being abstract and become something you can inspect.
Start Free