Webhook glossary.
Concepts every developer working with webhooks runs into — defined plainly, with code where it helps.
Webhook
An HTTP request a service sends to a URL you control the moment something happens — a real-time, event-driven callback instead of you repeatedly asking 'anything new?'
Webhook Payload
The body of a webhook request — the JSON (or form/XML) describing what happened. The signature is computed over these exact bytes, so they matter twice.
Raw Body
The unparsed, byte-for-byte request body. Webhook signatures are computed over it, so reading the parsed body instead is the #1 cause of verification failures.
HMAC
Hash-based Message Authentication Code — a cryptographic signature that proves a webhook came from a specific sender and wasn't tampered with in transit.
Webhook Signature
A cryptographic header attached to a webhook request that lets the receiver prove the message is genuine and untampered.
Signing Secret
The shared key between webhook sender and receiver used to compute HMAC signatures. Treat like a password — leak it and authenticity collapses.
Timestamp Tolerance
The acceptable age (usually 5 minutes) of a signed webhook. Anything older is rejected to prevent replay attacks.
Replay Attack
An attack where a captured valid webhook is re-sent later — possibly by an attacker — to trigger duplicate side effects. Defended against with timestamps and idempotency.
Idempotency
The property that processing the same webhook twice has the same effect as processing it once. Critical because providers retry deliveries.
At-Least-Once Delivery
The delivery guarantee nearly all webhook providers offer: every event arrives one or more times. Duplicates are expected — which is exactly why handlers must be idempotent.
Retry & Backoff
The strategy webhook senders use when a delivery fails — repeated attempts with increasing delays to avoid hammering a recovering receiver.
Dead-Letter Queue (DLQ)
A holding area for webhooks that couldn't be delivered or processed after all retries — so failed events are preserved for inspection instead of silently lost.
Webhook Handshake / Verification
A one-time challenge-response a provider sends when you register a new webhook URL, to confirm you own the endpoint.
Event Gateway
A managed service that sits between an event source and your endpoint, handling delivery, retries, fan-out, and routing — Hookdeck, Svix, AWS EventBridge.
Fan-Out
Delivering a single source event to multiple downstream consumers — one 'order.created' triggering fulfillment, analytics, and email independently.
Webhook vs Polling
Webhooks push events to your endpoint when they happen; polling pulls state on a schedule. Webhooks are real-time but harder to debug.