Webhook glossary.

Hash-based Message Authentication Code — a cryptographic signature that proves a webhook came from a specific sender and wasn't tampered with in transit.

A cryptographic header attached to a webhook request that lets the receiver prove the message is genuine and untampered.

The shared key between webhook sender and receiver used to compute HMAC signatures. Treat like a password — leak it and authenticity collapses.

The acceptable age (usually 5 minutes) of a signed webhook. Anything older is rejected to prevent replay attacks.

An attack where a captured valid webhook is re-sent later — possibly by an attacker — to trigger duplicate side effects. Defended against with timestamps and idempotency.

The property that processing the same webhook twice has the same effect as processing it once. Critical because providers retry deliveries.

The strategy webhook senders use when a delivery fails — repeated attempts with increasing delays to avoid hammering a recovering receiver.

A one-time challenge-response a provider sends when you register a new webhook URL, to confirm you own the endpoint.

A managed service that sits between an event source and your endpoint, handling delivery, retries, fan-out, and routing — Hookdeck, Svix, AWS EventBridge.

Webhooks push events to your endpoint when they happen; polling pulls state on a schedule. Webhooks are real-time but harder to debug.