A webhook is an HTTP POST your service sends to a URL the customer controls whenever an event happens, like a payment succeeding. It lets the customer's app react in real time instead of polling your API for changes.

How does HMAC signature verification work?

Your service computes an HMAC-SHA256 of the raw request body using a shared secret and sends it in a header. The receiver recomputes the same hash and compares it with a constant-time check. If they match, the payload is authentic and untampered.

Why must webhook handlers be idempotent?

Because deliveries can be retried, the same event may arrive more than once. Handlers must dedupe using the event id so processing it twice has no extra effect — for example, not charging a customer or sending an email twice.

What should happen when a webhook delivery fails?

A non-2xx response or timeout should trigger retries with backoff, up to a maximum number of attempts. After the final failure the event is marked failed and should be replayable from a dashboard so no event is silently lost.

How quickly should a receiver respond?

Respond with 200 OK as fast as possible, ideally within a few seconds, then process the payload asynchronously. Doing slow work before responding risks a timeout, which your service interprets as a failure and retries unnecessarily.

Webhook Documentation Builder

Webhooks are only useful if they are documented

Webhooks let your customers react to events the instant they happen — but only if they can verify the requests, understand the payloads, and handle retries correctly. This builder produces complete, copy-ready webhook documentation: how to receive and verify requests, what each event’s payload looks like, and how your retry policy behaves.

How it works

You set the authentication method — typically HMAC-SHA256. The tool generates the verification recipe: your service signs the raw request body with a shared secret and sends the signature in a header; the receiver recomputes the HMAC and compares it with a constant-time check (timingSafeEqual) to prevent both tampering and timing attacks.

For each event you provide a type, a description, and its fields. The tool renders a realistic JSON payload for each one, choosing sensible example values based on field names (ids, amounts, timestamps). It also documents the retry policy — max attempts and backoff strategy — and stresses idempotency: because retries can deliver the same event twice, handlers must dedupe on the event id.

Tips and example

Always sign the raw body, not the parsed JSON. Re-serializing changes bytes and breaks signature verification.
Tell receivers to respond 200 OK immediately and process asynchronously. A slow handler causes timeouts, which trigger pointless retries.
Make every example payload concrete. A field list like id, amount, currency, status becomes a JSON block developers can copy and test against.
Document that failed events are replayable. Developers trust a webhook system far more when they know a missed event is not lost forever.

Webhook Documentation Builder

Email me this result

Webhooks are only useful if they are documented

How it works

Tips and example