Webhook Automation Comprehensive skill for building webhook-based integrations and real-time event processing. Core Concepts Webhook Architecture WEBHOOK FLOW: ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ Source │────▶│ Webhook │────▶│ Handler │ │ System │ │ Endpoint │ │ Logic │ └─────────────┘ └─────────────┘ └──────┬──────┘ │ ┌──────────────────────────┼───────┐ │ │ │ ▼ ▼ ▼ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ Action │ │ Action │ │ Action │ │ A │ │ B │ │ C │ └──────────┘ └──────────┘ └──────────┘ Webhook Types webhook_types : incoming : description : "Receive events from external services" use_cases : - Payment notifications (Stripe , PayPal) - Form submissions - CRM updates - CI/CD events outgoing : description : "Send events to external services" use_cases : - Notify external systems - Trigger workflows - Sync data - Alert integrations Webhook Endpoint Setup Basic Endpoint webhook_endpoint : url : "https://api.example.com/webhooks/incoming" method : POST authentication : type : signature header : "X-Signature-256" algorithm : "HMAC-SHA256" secret : "${WEBHOOK_SECRET}" validation : required_headers : - "Content-Type" - "X-Request-ID" content_types : - "application/json" - "application/x-www-form-urlencoded" response : success : status : 200 body : { "received" : true } error : status : 400 body : { "error" : "Invalid payload" } Signature Verification // Verify webhook signature function verifySignature ( payload , signature , secret ) { const hmac = crypto . createHmac ( 'sha256' , secret ) ; const digest = 'sha256=' + hmac . update ( payload ) . digest ( 'hex' ) ; return crypto . timingSafeEqual ( Buffer . from ( digest ) , Buffer . from ( signature ) ) ; } // Usage app . post ( '/webhook' , ( req , res ) => { const signature = req . headers [ 'x-signature-256' ] ; const payload = JSON . stringify ( req . body ) ; if ( ! verifySignature ( payload , signature , process . env . WEBHOOK_SECRET ) ) { return res . status ( 401 ) . json ( { error : 'Invalid signature' } ) ; } // Process webhook... processWebhook ( req . body ) ; res . status ( 200 ) . json ( { received : true } ) ; } ) ; Event Processing Event Router event_router : routes : - event_type : "payment.succeeded" handler : processPayment actions : - update_order_status - send_confirmation_email - notify_fulfillment - event_type : "customer.created" handler : processNewCustomer actions : - create_crm_contact - send_welcome_email - assign_to_sales - event_type : "subscription.cancelled" handler : processChurn actions : - update_subscription_status - trigger_retention_flow - notify_customer_success - event_type : "*" handler : logUnhandled actions : - log_to_monitoring Payload Transformation transformations : - name : stripe_to_internal source : stripe_webhook target : internal_order mapping : id : "data.object.id" amount : "data.object.amount / 100"

Cents to dollars

currency : "data.object.currency | uppercase" customer_email : "data.object.receipt_email" created_at : "data.object.created | timestamp" metadata : "data.object.metadata" - name : github_to_slack source : github_webhook target : slack_message mapping : text : | {{action | capitalize}} {{repository.name}} {{#if pull_request}} PR: {{pull_request.title}} By: {{pull_request.user.login}} {{/if}} channel : "{{repository.name}}-notifications" Common Integrations Stripe Webhooks stripe_webhooks : endpoint_secret : "${STRIPE_WEBHOOK_SECRET}" events : - type : "checkout.session.completed" handler : | async function(event) { const session = event.data.object; await fulfillOrder(session); await sendReceipt(session.customer_email); } - type : "invoice.payment_failed" handler : | async function(event) { const invoice = event.data.object; await notifyCustomer(invoice); await createDunningTask(invoice); } - type : "customer.subscription.updated" handler : | async function(event) { const subscription = event.data.object; await syncSubscriptionStatus(subscription); } GitHub Webhooks github_webhooks : secret : "${GITHUB_WEBHOOK_SECRET}" events : - type : "push" branches : [ "main" , "develop" ] handler : | async function(event) { await triggerCI(event.repository, event.ref); await notifyTeam(event.commits); } - type : "pull_request" actions : [ "opened" , "synchronize" ] handler : | async function(event) { await runTests(event.pull_request); await requestReview(event.pull_request); } - type : "issues" actions : [ "opened" ] handler : | async function(event) { await triageIssue(event.issue); await assignOwner(event.issue); } Slack Webhooks slack_webhooks : incoming :

Receive slash commands and interactions

signing_secret : "${SLACK_SIGNING_SECRET}" events : - type : "slash_command" command : "/deploy" handler : handleDeployCommand - type : "interactive_message" callback_id : "approval_*" handler : handleApproval outgoing :

Send messages to Slack

webhook_url : "${SLACK_WEBHOOK_URL}" templates : alert : blocks : - type : section text : "🚨 Alert: {{message}}" - type : context elements : - type : mrkdwn text : "Source: {{source}} | Time: {{timestamp}}" Error Handling Retry Strategy retry_config : enabled : true policy : max_attempts : 5 initial_delay : 1000

ms

max_delay : 60000

ms

backoff_multiplier : 2 retry_on : status_codes : [ 408 , 429 , 500 , 502 , 503 , 504 ] exceptions : [ "ECONNRESET" , "ETIMEDOUT" ] dead_letter : enabled : true destination : "failed_webhooks_queue" retention_days : 7 Error Logging error_handling : logging : level : error include : - request_id - event_type - payload_hash - error_message - stack_trace - retry_count alerting : on_failure : - type : slack channel : "#webhook-alerts" threshold : 5

failures per minute

on_dead_letter : - type : pagerduty severity : warning Webhook Testing Test Payload Generator test_payloads : stripe_payment : type : "checkout.session.completed" data : object : id : "cs_test_123" amount_total : 2000 currency : "usd" customer_email : "test@example.com" payment_status : "paid" github_push : ref : "refs/heads/main" repository : name : "my-repo" full_name : "org/my-repo" commits : - id : "abc123" message : "Test commit" author : name : "Test User" Webhook Debugging debugging : tools : - name : "Request Bin" url : "https://requestbin.com" use : "Capture and inspect payloads" - name : "ngrok" command : "ngrok http 3000" use : "Expose local server" - name : "Webhook.site" url : "https://webhook.site" use : "Quick webhook testing" logging : enabled : true log_payloads : true log_headers : true mask_secrets : true Security Best Practices Security Checklist security : authentication : - Verify webhook signatures - Use HTTPS only - Rotate secrets regularly validation : - Validate payload schema - Check timestamp freshness - Verify source IP if possible processing : - Idempotent handlers - Rate limiting - Timeout protection storage : - Encrypt secrets at rest - Audit logging - No sensitive data in URLs IP Allowlisting ip_allowlist : stripe : - "3.18.12.63" - "3.130.192.231"

... more IPs

github : - "192.30.252.0/22" - "185.199.108.0/22"

... more ranges

slack : - "54.159.240.0/22"

... more ranges

Monitoring

Metrics Dashboard

WEBHOOK METRICS - LAST 24 HOURS

═══════════════════════════════════════

Received: 12,456

Processed: 12,398 (99.5%)

Failed: 58 (0.5%)

Retried: 123

BY SOURCE:

Stripe ████████████░░░░ 5,230

GitHub ██████████░░░░░░ 4,120

Slack ████░░░░░░░░░░░░ 1,850

Other ███░░░░░░░░░░░░░ 1,256

LATENCY (p99):

Processing: 245ms

Response: 52ms

ERROR BREAKDOWN:

Timeout: 25

Invalid Sig: 18

Parse Error: 10

Rate Limited: 5

Best Practices

Respond Quickly

Return 200 immediately, process async

Idempotency

Handle duplicate events gracefully

Verify Signatures

Always validate webhook authenticity

Log Everything

Maintain audit trail

Retry Logic

Implement exponential backoff

Dead Letters

Don't lose failed events

Rate Limiting

Protect against flood attacks

Monitoring

Alert on failures and latency