MailSlurp logo

blog

What Is a Webhook? Meaning, Examples, and Reliable Event Callbacks

A webhook is an HTTP callback that pushes event data to your application. Learn webhook meaning, examples, payloads, URLs, retries, security, and testing patterns for reliable integrations.

A webhook is an HTTP callback: one system sends your endpoint an event payload when something happens.

Instead of repeatedly asking an API "anything new?", your app receives pushed events as they occur.

Webhook meaning in one sentence

A webhook means "call this URL when this event happens."

The provider owns the event. Your application owns the webhook URL, validates the request, stores the event, and then starts any follow-up work.

Common webhook events include:

  • email.received
  • email.delivered
  • email.bounced
  • invoice.paid
  • user.created
  • build.failed

Why teams use webhooks

Webhooks are useful when you need near-real-time reactions without heavy polling.

Common examples:

  • payment succeeded/failed,
  • user signed up or changed plan,
  • email delivered/bounced/complained,
  • document processed and ready,
  • CI/CD pipeline status changes.

Webhook vs polling API

Approach How it works Typical tradeoff
Polling Your app requests updates repeatedly Simpler control flow, higher API/load cost
Webhook Provider pushes updates to your endpoint Lower latency, requires robust receiver design

For event-driven systems, webhooks usually reduce latency and infrastructure overhead.

How webhooks work (end-to-end)

  1. You register a callback URL with a provider.
  2. A business event occurs in the provider system.
  3. Provider sends an HTTP request (often POST) to your callback URL.
  4. Your endpoint validates, records, and processes the payload.
  5. Your endpoint returns success/failure status so the provider can decide retry behavior.

The most reliable consumers acknowledge quickly and process asynchronously.

Webhook URL, endpoint, and payload

These terms are often used together, but they are not the same thing.

Term Meaning Example
Webhook URL The public HTTPS address the provider calls https://api.example.com/webhooks/email
Webhook endpoint The server route that receives and validates the request POST /webhooks/email
Webhook payload The JSON or form data sent with the event Event ID, type, timestamp, and resource fields
Webhook secret Shared signing material used to verify the sender HMAC signing secret

A simple webhook payload often looks like this:

{
  "id": "evt_01JZ9WZ3",
  "type": "email.received",
  "createdAt": "2026-06-15T10:30:00Z",
  "data": {
    "inboxId": "inbox_123",
    "messageId": "email_456",
    "from": "customer@example.com"
  }
}

Do not build business logic around field names until you have checked the provider's schema, versioning rules, and signature model.

Webhook payloads and delivery semantics

Most providers do at-least-once delivery, which means duplicates can occur.

Design implications:

  • make handlers idempotent,
  • use event IDs for deduplication,
  • tolerate out-of-order delivery,
  • store raw payloads for replay and audit.

Status codes and retry behavior

Most providers treat a 2xx response as accepted and retry on timeout or 4xx/5xx responses. Exact rules vary, so check the provider documentation, but the receiver pattern is consistent:

  1. verify the signature and timestamp
  2. store the event or mark a duplicate
  3. return 2xx quickly
  4. process slow downstream work in a queue

Avoid doing long API calls, template rendering, or customer-visible updates directly inside the webhook request path.

Security checklist for webhooks

  1. Verify provider signatures (HMAC/JWT or equivalent).
  2. Enforce HTTPS and reject insecure origins.
  3. Validate timestamp to prevent replay attacks.
  4. Restrict inbound source ranges if provider supports it.
  5. Never trust payload fields without schema validation.

"Secret URL only" is not enough for production security.

Reliability checklist

  1. Return 2xx quickly after minimal validation.
  2. Push heavy work to queue/job worker.
  3. Implement dead-letter and replay path.
  4. Track error rate, retry depth, and processing lag.
  5. Keep a manual reprocess tool for incident response.

Webhooks for email workflows

Email systems use webhooks for delivery observability and automation:

  • delivered,
  • bounced,
  • complaint,
  • opened/clicked (where supported),
  • inbound message received.

That enables stateful workflows like suppression lists, escalations, and customer-visible status updates.

Related guides:

Testing webhook integrations safely

A robust test setup should validate:

  • URL routing and request method
  • signature verification logic,
  • duplicate event handling,
  • timeout/retry behavior,
  • schema evolution compatibility.

For email events, MailSlurp can generate realistic message and delivery events so teams can test webhook consumers before production release.

For release-critical flows, pair webhook tests with inbox tests. For example, create an inbox, trigger a message, receive the webhook, fetch the message, and assert the app state that should change after processing.

Anti-patterns to avoid

  • synchronous downstream API calls inside webhook request path,
  • no deduplication key strategy,
  • treating missing events as impossible,
  • no replay tooling during incidents.

Final take

Webhooks are a powerful event integration pattern, but only when handlers are built for security, retries, and idempotency. Treat the webhook consumer like production infrastructure, not a thin demo endpoint.