Webhooks do's and dont's: what we learned after integrating +100 APIs - Giuliano Iacobelli - Codemotion Rome 2017

1 like500 views

The document discusses best practices for integrating webhooks as part of API design, emphasizing the importance of a robust setup that includes essential components like explicit event types, payloads, and security measures. It highlights the need for APIs to provide detailed information, manage subscription renewals, and ensure security in webhook communications. Additionally, the document touches on debugging and toolkits for effectively working with webhooks.

Technology

Giuliano Iacobelli, Stamplay
g@stamplay.com
Webhooks do’s and dont’s: what we learned
integrating +100 APIs

Webhooks do's and dont's: what we learned after integrating +100 APIs - Giuliano Iacobelli - Codemotion Rome 2017

g@stamplay.com
Lego for APIs
Stamplay is a low-code platform that provides a visual interface to drag&drop
connectors and creates integration workflows between services

g@stamplay.com
Token based Auth 
(e.g OAuth2)
Machine readable
docs (Swagger, RAML,
IO docs)
Webhooks HATEOAS
Key requirements for APIs in the automation era
Simple, consistent, flexible, friendly, explorable via URL  
and use web standards where they make sense.

g@stamplay.com
Key requirements for APIs in the automation era
Simple, consistent, flexible, friendly, explorable via URL  
and use web standards where they make sense.
Token based Auth 
(e.g OAuth2)
Machine readable
docs (Swagger, RAML,
IO docs)
Webhooks HATEOAS

g@stamplay.com
WEBHOOKS
=
HTTP PUSH NOTIFICATIONS

g@stamplay.com
Consumer sets up a server to listen for webhooks 
Consumer registers webhook URL with provider 
Provider starts making request to webhook URL when event
happens
Webhook Setup

g@stamplay.com
Webhook anatomy
Webhooks are fundamental pieces of an API today and a simple notiﬁcation
is no longer enough, as an API provider you need to do the heavy lifting for your users
• a verb: POST
• an explicit event type: which could be subscribed by any
user (for Github: pull_request, fork, commit, issues, etc.. )
• a payload: containing the relevant data for the related event  
• including: the resource itself, the sender (user who
triggered the webhook)  
• constant data structure
• a security hash: to ensure webhook was delivered by the
rightful authority  
• for Github: sharing a common secret used to generate a
hash from the payload
• an ID

g@stamplay.com
Fat payload vs Thin payload
Provide as much information as possible about the event that is being notiﬁed, as well as
additional information for the client to act upon that event.

g@stamplay.com
Batch vs Single
Services providing high frequency / volume of data might opt to make less calls
and batch data into an array

g@stamplay.com
Subscribing to multiple events to single URL
Webhooks are fundamental pieces of an API today and a simple notiﬁcation
is no longer enough, as an API provider you need to do the heavy lifting for your users

g@stamplay.com
Fine grained control on events you want to listen on
Webhooks are fundamental pieces of an API today and a simple notiﬁcation
is no longer enough, as an API provider you need to do the heavy lifting for your users

g@stamplay.com
Renewing subscriptions
Avoid sending webhooks to endpoints that are no longer active
by implementing a subscription renewal logic

g@stamplay.com
API for Webhooks aka REST Hooks
Webhooks are fundamental pieces of an API today and a simple notiﬁcation
is no longer enough, as an API provider you need to do the heavy lifting for your users

g@stamplay.com
Securing Webhooks
Webhooks are fundamental pieces of an API today and a simple notiﬁcation
is no longer enough, as an API provider you need to do the heavy lifting for your users

g@stamplay.com
Webhooks debugging
Receives HTTP requests and captures the data for later inspection

g@stamplay.com
Webhooks toolkit: Ngrok
Secure introspectable tunnels to localhost

g@stamplay.com
Questions?
g@stamplay.com
Try Stamplay:
stamplay.com
Thank you!

More Related Content

What's hot (20)

PDF

Pivoting Spring XD to Spring Cloud Data Flow with Sabby AnandanPivotalOpenSourceHub

PDF

Supercharge your app with Cloud Functions for FirebaseBret McGowen - NYC Google Developer Advocate

PDF

IThome DevOps Summit - IoT、docker與DevOpsSimon Su

PPTX

Stream Processing Live Traffic Data with Kafka StreamsTom Van den Bulck

PDF

GDG Jakarta Meetup - Streaming Analytics With Apache BeamImre Nagi

PDF

Serverless with Google CloudBret McGowen - NYC Google Developer Advocate

PDF

Getting Started on Google Cloud PlatformAaron Taylor

PDF

Where should I run my code? Serverless, Containers, Virtual Machines and moreBret McGowen - NYC Google Developer Advocate

PPTX

Kubernetes + netflix ossCristiano Altmann

PDF

Live Event Debugging With ksqlDB at Reddit | Hannah Hagen and Paul Kiernan, R...HostedbyConfluent

PDF

Application Monitoring using DatadogMukta Aphale

PDF

Making Sense of Your Event-Driven Dataflows (Jorge Esteban Quilcate Otoya, SY...confluent

PPTX

Giles sirett welcome and cloud stack newsShapeBlue

PDF

From Postgres to Event-Driven: using docker-compose to build CDC pipelines in...confluent

PDF

Introduction to Google Cloud PlatformOpsta

PPTX

Meteor Day Athens (2014-11-07)svub

PDF

Building a Serverless company with Node.js, React and the Serverless Framewor...Luciano Mammino

PPTX

Building an Event-oriented Data Platform with Kafka, Eric Sammer confluent

PDF

Serverless with Google Cloud FunctionsJerry Jalava

PDF

Guaranteed Event Delivery with Kafka and NodeJS | Amitesh Madhur, NutanixHostedbyConfluent

Pivoting Spring XD to Spring Cloud Data Flow with Sabby AnandanPivotalOpenSourceHub

Supercharge your app with Cloud Functions for FirebaseBret McGowen - NYC Google Developer Advocate

IThome DevOps Summit - IoT、docker與DevOpsSimon Su

Stream Processing Live Traffic Data with Kafka StreamsTom Van den Bulck

GDG Jakarta Meetup - Streaming Analytics With Apache BeamImre Nagi

Serverless with Google CloudBret McGowen - NYC Google Developer Advocate

Getting Started on Google Cloud PlatformAaron Taylor

Where should I run my code? Serverless, Containers, Virtual Machines and moreBret McGowen - NYC Google Developer Advocate

Kubernetes + netflix ossCristiano Altmann

Live Event Debugging With ksqlDB at Reddit | Hannah Hagen and Paul Kiernan, R...HostedbyConfluent

Application Monitoring using DatadogMukta Aphale

Making Sense of Your Event-Driven Dataflows (Jorge Esteban Quilcate Otoya, SY...confluent

Giles sirett welcome and cloud stack newsShapeBlue

From Postgres to Event-Driven: using docker-compose to build CDC pipelines in...confluent

Introduction to Google Cloud PlatformOpsta

Meteor Day Athens (2014-11-07)svub

Building a Serverless company with Node.js, React and the Serverless Framewor...Luciano Mammino

Building an Event-oriented Data Platform with Kafka, Eric Sammer confluent

Serverless with Google Cloud FunctionsJerry Jalava

Guaranteed Event Delivery with Kafka and NodeJS | Amitesh Madhur, NutanixHostedbyConfluent

Viewers also liked (20)

PDF

Cyber Wars in the Cyber Space - Andrea Pompili - Codemotion Rome 2017Codemotion

PDF

Microservices in GO - Massimiliano Dessì - Codemotion Rome 2017Codemotion

PDF

Does Your Web App Speak Schadenfreude? - Greg Rewis - Codemotion Rome 2017Codemotion

PDF

Community in a nutshell for developers - Alessio Fattorini - Codemotion Rome ...Codemotion

PDF

Invader Studios: sviluppatori da “Incubo” - Tiziano Bucci - Codemotion Rome ...Codemotion

PDF

Kunos Simulazioni and Assetto Corsa, behind the scenes- Alessandro Piva, Fabr...Codemotion

PDF

S3, Cassandra or Outer Space? Dumping Time Series Data using Spark - Demi Be...Codemotion

PDF

Component-Based UI Architectures for the Web - Andrew Rota - Codemotion Rome...Codemotion

ODP

Container orchestration: the cold war - Giulio De Donato - Codemotion Rome 2017Codemotion

PPTX

Commodore 64 Mon Amour(2): sprite multiplexing. Il caso Catalypse e altre sto...Codemotion

PDF

Unreal Engine 4 Blueprints: Odio e amore Roberto De Ioris - Codemotion Rome 2017Codemotion

PDF

Thinking Functionally - John Stevenson - Codemotion Rome 2017Codemotion

PDF

Xamarin.Forms Performance Tips & Tricks - Francesco Bonacci - Codemotion Rome...Codemotion

PPTX

The busy developer guide to Docker - Maurice de Beijer - Codemotion Rome 2017Codemotion

PDF

Barbarians at the Gate(way) - Dave Lewis - Codemotion Rome 2017Codemotion

PDF

Web Based Virtual Reality - Tanay Pant - Codemotion Rome 2017Codemotion

PPTX

An Introduction to Apache Ignite - Mandhir Gidda - Codemotion Rome 2017Codemotion

PDF

Comics and immersive storytelling in Virtual Reality - Fabio Corrirossi - Cod...Codemotion

PDF

Galateo semi-serio dell'Open Source - Luigi Dell' Aquila - Codemotion Rome 2017Codemotion

PDF

Docker Inside/Out: the ‘real’ real-world of stacking containers in production...Codemotion