What Is a Webhook?
A webhook is an HTTP POST request that an external service sends to your server when an event occurs — payments, form submissions, status changes — without you having to poll.
Webhooks invert the normal request model. Instead of your app repeatedly asking "did anything change?", the external service notifies your app the instant something happens.
How webhooks work step by step:
- You provide a public URL to the external service (e.g.,
https://yourapp.com/api/webhooks/stripe) - The service sends a POST request to that URL with event data (JSON payload)
- Your handler validates the request, processes the event, and returns HTTP 200
- If you return anything other than 200, most services retry delivery
Why they matter for SaaS:
Stripe's payment lifecycle is entirely webhook-driven. A customer pays → Stripe sends checkout.session.completed → your handler activates the subscription. If you rely on the browser redirect instead, you'll miss payments when users close the tab early.
Security: always verify the signature: Every webhook provider signs its payloads with a secret. Verify the signature before processing — otherwise any attacker can POST fake events to your endpoint.
Idempotency: Webhooks can be delivered more than once. Design every handler to be idempotent — use the event ID as a deduplication key and skip events you've already processed.