What are webhooks?

Why Interviewers Ask This

This question tests conceptual clarity. Interviewers want to hear a precise, confident definition before moving to more complex System Design topics. It also reveals how well you can explain technical ideas to non-experts.

Answer

Webhooks are user-defined HTTP callbacks: "reverse APIs" where a server pushes data to a client's URL when a specific event occurs, rather than the client polling for updates.

How they work:
(1) Client registers a URL with the server (the webhook endpoint).
(2) Server stores the URL.
(3) When an event occurs, the server makes an HTTP POST request to the registered URL with event data as the request body.

Examples: GitHub sends a webhook to your CI server when code is pushed; Stripe sends webhooks when a payment succeeds or fails; Slack bots receive webhooks for slash commands; payment gateways notify merchants of transaction status.

Advantages: real-time (no polling), efficient (no wasted requests), decoupled (server doesn't need to know client details).

Challenges:
(1) Delivery guarantees: if the webhook endpoint is down, events may be lost, so the sender needs retry logic with exponential backoff.
(2) Ordering: webhooks may arrive out of order; use timestamps to sort.
(3) Idempotency: the same event may be delivered multiple times; use event IDs to deduplicate.
(4) Security: verify the webhook came from the expected sender using HMAC signatures (sender signs payload with shared secret, receiver verifies).
(5) Firewall/NAT: the client endpoint must be publicly accessible.

Best practices: respond quickly (202 Accepted), process asynchronously, implement signature verification, retry failed deliveries.
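The receiver-side checks from the challenges and best practices above, as an added example that is not part of the original answer: HMAC verification, deduplication by event ID, and a fast 202 with the work queued for later. The header name "X-Signature", the JSON field "id", and the in-memory queue and set are assumptions made for this sketch, not any particular provider's format.

```python
import hashlib
import hmac
import json
import queue

# Assumed name for this sketch; real providers define their own header.
SIGNATURE_HEADER = "X-Signature"

work_queue = queue.Queue()   # drained by a background worker (not shown)
seen_event_ids = set()       # in production: a shared store with expiry


def sign(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_webhook(secret: bytes, headers: dict, body: bytes) -> int:
    """Receiver side: return the HTTP status code to send back."""
    received = headers.get(SIGNATURE_HEADER, "")
    expected = sign(secret, body)
    # Constant-time comparison, done before parsing the untrusted body.
    if not hmac.compare_digest(received.encode(), expected.encode()):
        return 401
    try:
        event = json.loads(body)
        event_id = event["id"]
    except (ValueError, KeyError, TypeError):
        return 400
    if not isinstance(event_id, str):
        return 400
    if event_id in seen_event_ids:
        return 202  # duplicate delivery: acknowledge, do not reprocess
    seen_event_ids.add(event_id)
    work_queue.put(event)  # hand off; processing happens asynchronously
    return 202
```

The signature is checked against the raw bytes as received; re-serializing the parsed JSON before verifying would change the bytes and break the comparison.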

Common Mistake

Don't just define the term — demonstrate that you understand when to use it and when not to. Showing awareness of trade-offs is what separates average from strong System Design candidates.