What Is a Webhook? Clear Explanation + When to Use One
A webhook is a reverse API: instead of you calling a server, the server calls your URL when something happens. Plain-English explanation with examples and security tips.
Short answer
A webhook is an HTTP endpoint on YOUR server that another service calls when something happens there. Unlike a regular API where you poll for updates, webhooks push the information to you in real time. Stripe uses them to notify you when a payment succeeds; GitHub uses them to tell CI when you push code.
Webhook vs API — the direction flip
With a normal API, your code initiates the request: "Hey server, give me the latest orders." With a webhook, the server initiates: "Hey your code, order #4521 just shipped." The contract is still HTTP + JSON, but the roles are reversed. You expose a URL, you register it with the provider, they call it on events.
How webhooks actually work
- You create a URL endpoint on your site, e.g. https://yoursite.com/webhooks/stripe.
- You register it with the provider (Stripe, GitHub, Shopify) along with which events you care about.
- When that event happens, the provider makes an HTTP POST to your URL with a JSON body describing what occurred.
- Your endpoint processes the payload — updates a database, sends a notification, triggers a job.
- Respond with 2xx fast (usually 200 or 204). Do the actual work asynchronously if it's slow: most providers time out after a few seconds and then retry, which is where duplicate deliveries come from.
Why webhooks beat polling
| | Polling (regular API) | Webhook |
|---|---|---|
| Latency | Up to one poll interval | Near-instant (provider pushes when the event fires) |
| Request count | High (one per interval, most returning nothing new) | Low (one per event) |
| Server load | Wasted requests on both sides, mostly hitting the provider's API | Only event-driven work: provider sends, you receive |
| Setup | Trivial | Need a public HTTPS URL plus signature verification and retry handling |
Security is the tricky part
Your webhook URL is reachable by anyone who discovers it, and the provider's source IPs are rarely stable enough to filter on, so every incoming POST must be treated as untrusted until proven otherwise. Serve the endpoint over HTTPS only, and apply two standard defenses:
- Signature verification — the provider computes an HMAC-SHA256 over the raw request body (often with a timestamp folded into the signed string) using a secret it shares only with you, and sends the result in a header. Your endpoint recomputes the HMAC over the exact bytes received, compares the two with a constant-time comparison, and rejects mismatches. A plain SHA-256 hash is not an HMAC: the shared secret is what stops an attacker from forging the value. Where a timestamp is included, reject signatures older than a few minutes to limit replay. If a provider does not sign its webhooks, treat the payload only as a hint and fetch the referenced object from the provider's API with your own credentials before acting on it.
- Deduplication by event ID — providers retry when your endpoint times out or returns an error, so the same event can arrive more than once. Each event carries a unique ID; record it on first receipt and, on a repeat, acknowledge with 2xx but skip the work. Returning an error for a duplicate only triggers more retries.
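The receive, verify, deduplicate and acknowledge flow from the steps above, with the two defenses just described, as an added example in Python using only the standard library. This is not code from Stripe, GitHub or any other provider. It assumes a Stripe-style signature header of the form `t=<unix time>,v1=<hex HMAC>` computed over `"<timestamp>.<raw body>"`; the header name `X-Signature`, the secret, the event payloads, the in-memory set standing in for a durable dedupe store and the deque standing in for a job queue are all constructed for the example.

```python
import hashlib
import hmac
import json
import time
from collections import deque

# Constructed values for this example; a real secret comes from the provider's dashboard.
WEBHOOK_SECRET = b"whsec_example_only_not_a_real_secret"
TOLERANCE_SECONDS = 300  # reject signatures whose timestamp is more than 5 minutes off


def compute_signature(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>', hex-encoded.

    Signing the timestamp together with the body means an attacker cannot
    reuse an old signature under a fresh timestamp.
    """
    signed_payload = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()


def sign_request(secret: bytes, raw_body: bytes, timestamp: int) -> dict:
    """The provider side: build the signature header (assumed layout t=...,v1=...)."""
    return {"X-Signature": f"t={timestamp},v1={compute_signature(secret, timestamp, raw_body)}"}


def parse_signature_header(value: str) -> tuple:
    """Split 't=<unix time>,v1=<hex>' into (timestamp, signature); raises on malformed input."""
    fields = dict(item.split("=", 1) for item in value.split(",") if "=" in item)
    return int(fields["t"]), fields["v1"]


class WebhookReceiver:
    """Verifies, deduplicates and queues incoming webhook deliveries."""

    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now                 # injectable clock so the behaviour is deterministic
        self.seen_event_ids = set()    # stand-in for a durable store with a unique constraint
        self.queue = deque()           # stand-in for a real job queue

    def handle(self, headers: dict, raw_body: bytes) -> tuple:
        """Return (HTTP status, reason). Work is queued, never done inline."""
        header = headers.get("X-Signature")
        if header is None:
            return 400, "missing signature header"
        try:
            ts, presented = parse_signature_header(header)
        except (KeyError, ValueError):
            return 400, "malformed signature header"

        # Replay window: a valid signature on a stale timestamp is rejected.
        if abs(int(self.now()) - ts) > TOLERANCE_SECONDS:
            return 400, "timestamp outside tolerance"

        # Recompute over the exact bytes received; re-serialising the JSON would change them.
        expected = compute_signature(self.secret, ts, raw_body)
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return 400, "signature mismatch"

        # Only now is the body trusted enough to parse.
        try:
            event = json.loads(raw_body)
            event_id = event["id"]
        except (ValueError, KeyError, TypeError):
            return 400, "payload is not a JSON object with an id"

        # A retry delivers the same event again: acknowledge so the provider stops,
        # but do not process it twice.
        if event_id in self.seen_event_ids:
            return 200, "duplicate delivery ignored"
        self.seen_event_ids.add(event_id)
        self.queue.append(event)       # a worker picks it up; the response returns immediately
        return 200, "queued"


def demo() -> tuple:
    """Run constructed deliveries through the receiver; returns (status codes, queued count)."""
    fixed_now = 1_700_000_000
    receiver = WebhookReceiver(WEBHOOK_SECRET, now=lambda: fixed_now)
    body = json.dumps({"id": "evt_001", "type": "payment_intent.succeeded"}).encode()

    good = sign_request(WEBHOOK_SECRET, body, fixed_now - 5)
    statuses = [receiver.handle(good, body)[0]]                # genuine delivery -> 200
    statuses.append(receiver.handle(good, body)[0])            # provider retry -> 200, not re-queued
    tampered = body.replace(b"succeeded", b"failed")
    statuses.append(receiver.handle(good, tampered)[0])        # body altered in transit -> 400
    stale = sign_request(WEBHOOK_SECRET, body, fixed_now - 3600)
    statuses.append(receiver.handle(stale, body)[0])           # replayed old signature -> 400
    statuses.append(receiver.handle({}, body)[0])              # unsigned spoof attempt -> 400
    return statuses, len(receiver.queue)


if __name__ == "__main__":
    print(demo())  # ([200, 200, 400, 400, 400], 1)
```

Two details matter when wiring this into a real framework: read the raw body bytes before any JSON middleware parses and re-serialises them, or the recomputed HMAC will never match; and keep the dedupe store durable and shared across workers, since an in-memory set is lost on restart and invisible to other instances.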
Common webhook providers
- Stripe — payment succeeded/failed, subscription updated, dispute opened
- GitHub — push, pull request, issue, comment, workflow run
- Slack — slash commands, message events, app mentions
- Shopify — order placed, customer created, product updated
- Twilio — SMS received, call completed, delivery status
- Zapier / Make / n8n — generic routing between services via webhooks
Testing webhooks locally
Use ngrok or cloudflared to expose your local dev server at a public HTTPS URL, then register that URL in the provider's test or sandbox environment with a test-mode secret. Services like webhook.site and Svix Play show payloads as they arrive, which is handy for learning a provider's exact header and body layout; anything sent to them is visible to a third party, so never point a production account or a production signing secret at them.
Related tools
If a provider signs its webhooks as a JWT, the JWT decoder shows the header and claims but does not verify the signature. A hash generator produces a plain SHA-256 digest; it cannot check an HMAC, which needs the shared secret, so verify signatures in code. Pretty-print a captured JSON payload with the JSON formatter.