Webhook

A __webhook__ in web development is a method of augmenting or altering the behavior of a web page or web application with custom callbacks - wikipedia

Webhooks are:

> User-defined HTTP callbacks.

The format is usually JSON. The request is sent as an HTTP POST request. The term "webhook" was coined by Jeff Lindsay in 2007 from the computer programming term Hooking.

# Function

Webhooks are usually triggered by some event, such as pushing code to a repository or a comment being posted to a blog. When that event occurs, the source site makes an HTTP request to the URL configured for the webhook. Users can configure them to cause events on one site to invoke behavior on another - wikipedia

Common uses are to trigger builds with continuous integration systems or to notify bug tracking systems. Because webhooks use HTTP, they can be integrated into web services without adding new infrastructure.

# Authenticating the webhook notification

When the client (the originating website or application) makes a webhook call to the third-party user's server, the incoming POST request should be authenticated to avoid a spoofing attack. Different techniques to authenticate the client are used: - wikipedia

- The receiving endpoint can choose to keep a whitelist of IP addresses for known sources which requests will be accepted from.
- HTTP basic authentication can be used to authenticate the client.
- The webhook can include information about what type of event it is, and a secret or signature to verify the webhook.
- An HMAC signature can be included as an HTTP header. GitHub and Stripe use this technique.
- Facebook signs their requests using SHA-1.
- Mutual TLS authentication can be used when the connection is established. The endpoint (the server) can then verify the client's certificate.
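The HMAC-in-a-header technique from the list above, as an added example that is not taken from this page or from any provider's documentation. It assumes a shared secret, HMAC-SHA256, and a header value of the form `sha256=<hex>`; the secret, the payload and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumed header value format for this example: "sha256=<hex digest>".
SIGNATURE_PREFIX = "sha256="

# Constructed sample values, not taken from any real service.
SECRET = b"constructed-shared-secret"
BODY = b'{"event": "push", "repository": "example/repo"}'


def sign(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes that go on the wire."""
    return SIGNATURE_PREFIX + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Receiver side: recompute the HMAC over the raw body and compare."""
    if not header or not header.startswith(SIGNATURE_PREFIX):
        return False  # unsigned or malformed requests are rejected outright
    expected = sign(secret, body)
    # compare_digest takes the same time wherever the first mismatch is,
    # so response timing does not leak how much of a guess was correct.
    return hmac.compare_digest(expected.encode(), header.encode())


def demo() -> dict:
    header = sign(SECRET, BODY)
    # Parsing and re-serializing changes whitespace, hence the bytes signed.
    reserialized = json.dumps(json.loads(BODY), separators=(",", ":")).encode()
    return {
        "genuine": verify(SECRET, BODY, header),
        "tampered_body": verify(SECRET, BODY.replace(b"push", b"delete"), header),
        "wrong_secret": verify(b"guess", BODY, header),
        "missing_header": verify(SECRET, BODY, None),
        "reserialized_json": verify(SECRET, reserialized, header),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18} accepted={accepted}")
```

The `reserialized_json` case is the one that most often breaks real receivers: the signature must be checked against the raw request body before any JSON parsing or framework re-encoding.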

# See also