A webhook is an HTTP request sent automatically by system A to system B's endpoint when an event happens. It is push-based communication, the opposite of polling (where you ask every X minutes "anything new?").
Typical flow:
- You register a URL endpoint with the provider (Stripe, GitHub, Slack)
- When an event happens (payment, push, message), the provider sends a POST request with a JSON payload to your URL
- Your endpoint receives it, processes it, and replies 200 OK
- If the endpoint returns an error or times out, most providers retry (exponential backoff)
Webhook vs polling:
- Webhook: real-time (latency <1s), efficient (zero requests when nothing happens), requires public endpoint
- Polling: latency = poll interval (5min, 1h), wastes requests, works behind firewall
Security considerations:
- Signature verification: providers sign the payload; verify the signature before trusting it
- Idempotency: webhooks are often delivered multiple times; use idempotency keys
- Replay protection: check the timestamp to block old payloads
- IP allowlist: if the provider publishes stable IPs
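A receiver that combines the first three checks above, as an added example (not from the original page or any provider's SDK). The header names `X-Timestamp` and `X-Signature`, the `<timestamp>.<body>` signing format, and the 300-second window are assumptions; substitute the scheme your provider documents.

```python
import hashlib
import hmac
import json
import time

# Assumed scheme: hex HMAC-SHA256 over b"<timestamp>.<raw body>", sent in the
# hypothetical headers X-Timestamp / X-Signature. Real providers differ.
def sign(secret, timestamp, body):
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

class WebhookVerifier:
    def __init__(self, secret, tolerance=300):  # 300 s window is an assumption
        self.secret = secret
        self.tolerance = tolerance
        self.seen_ids = set()  # production: shared store with expiry

    def handle(self, headers, body, now=None):
        now = time.time() if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            sig = headers["X-Signature"].encode()
        except (KeyError, ValueError, AttributeError):
            return "rejected: missing or malformed headers"
        # 1. Verify over the raw bytes as received, in constant time.
        if not hmac.compare_digest(sign(self.secret, ts, body).encode(), sig):
            return "rejected: bad signature"
        # 2. The timestamp is inside the signed message, so it cannot be
        #    refreshed by someone replaying a captured request.
        if abs(now - ts) > self.tolerance:
            return "rejected: stale timestamp"
        # 3. Parse only after authentication, then deduplicate on event id.
        try:
            event_id = str(json.loads(body)["id"])
        except (ValueError, KeyError, TypeError):
            return "rejected: no event id"
        if event_id in self.seen_ids:
            return "duplicate: already processed"
        self.seen_ids.add(event_id)
        return "accepted"

if __name__ == "__main__":
    # Constructed sample delivery, not a real provider payload.
    secret, body, t0 = b"constructed-secret", b'{"id": "evt_1"}', 1_700_000_000
    hdrs = {"X-Timestamp": str(t0), "X-Signature": sign(secret, t0, body)}
    v = WebhookVerifier(secret)
    print(v.handle(hdrs, body, now=t0 + 5))      # first delivery
    print(v.handle(hdrs, body, now=t0 + 10))     # provider retry
    print(v.handle(hdrs, body, now=t0 + 3600))   # replay an hour later
```

Return 2xx for the duplicate case as well, so the provider stops retrying an event you have already processed.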
In automation: webhooks are the preferred way to get near-real-time data flow. Polling is the fallback when the provider does not support webhooks.