# Webhook

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Webhook
> Markdown URL: https://mediated.wiki/source/Webhook.md
> Source: https://en.wikipedia.org/wiki/Webhook
> Source revision: 1353295712
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

Method of web development

In [web development](/source/Web_development), a **webhook** is a method of augmenting or altering the behavior of a [web page](/source/Web_page) or [web application](/source/Web_application) with custom [callbacks](/source/Callback_(computer_programming)). These callbacks may be maintained, modified, and managed by third-party users who need not be affiliated with the originating website or application. In 2007, Jeff Lindsay coined the term *webhook* from the computer programming term *[hook](/source/Hooking)*.[1]

## Function

Webhooks are "user-defined HTTP callbacks".[2] They are usually triggered by some event, such as pushing code to a repository,[3] a purchase, or a comment being posted to a blog,[4] among many other use cases.[5] When that event occurs, the source site makes an HTTP request to the URL configured for the webhook. Users can configure them to cause events on one site to invoke behavior on another.

Common uses are to trigger builds with [continuous integration](/source/Continuous_integration) systems[6] or to notify [bug tracking systems](/source/Bug_tracking_system).[7] Because webhooks use HTTP, they can be integrated into web services without adding new infrastructure.[8]

## Authenticating the webhook notification

When the client (the originating website or application) makes a webhook call to the third-party user's server, the incoming POST request should be authenticated to avoid a [spoofing attack](/source/Spoofing_attack) and its timestamp verified to avoid a [replay attack](/source/Replay_attack).[9] Different techniques to authenticate the client are used:

- HTTP [basic authentication](/source/Basic_access_authentication) can be used to authenticate the client.[10]

- The webhook can include information about what type of event it is, and a [shared secret](/source/Shared_secret) or [digital signature](/source/Digital_signature) to verify the webhook.

- An [HMAC](/source/HMAC) signature can be included as an HTTP header. GitHub,[11] Stripe[12] and Facebook[13] use this technique.

- [Mutual TLS authentication](/source/Mutual_authentication) can be used when the connection is established. The endpoint (the server) can then verify the client's certificate.[14]

The sender may choose to keep a constant list of [IP addresses](/source/IP_address) from which requests will be sent. This is not a sufficient security measure on its own, but it is useful when the receiving endpoint is behind a [firewall](/source/Firewall_(computing)) or [NAT](/source/Network_address_translation).
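The receiving side of the HMAC technique, combined with the timestamp check described above, can be sketched as follows. This is an added example, not code from the article or from any provider's documentation; the header names, the `<timestamp>.<body>` signing layout and the 300-second window are assumptions made for illustration.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed freshness window, not a value from the article


def sign(secret, timestamp, body):
    """Sender side: hex HMAC-SHA256 over b"<timestamp>.<body>" (assumed layout)."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class WebhookVerifier:
    """Receiver side. Header names are hypothetical."""

    def __init__(self, secret, tolerance=TOLERANCE_SECONDS):
        self.secret = secret
        self.tolerance = tolerance
        self._seen = {}  # signature -> timestamp of deliveries already accepted

    def verify(self, headers, body, now=None):
        """Return "ok", or the reason the delivery is rejected."""
        now = time.time() if now is None else now
        sig = headers.get("X-Webhook-Signature", "")
        try:
            ts = int(headers.get("X-Webhook-Timestamp", ""))
        except ValueError:
            return "malformed"
        if not sig:
            return "malformed"
        # Check the MAC first: the timestamp is attacker-controlled until it verifies.
        expected = sign(self.secret, ts, body)
        if not hmac.compare_digest(expected.encode(), sig.encode()):  # constant-time
            return "bad-signature"
        if abs(now - ts) > self.tolerance:
            return "stale"
        # Drop cache entries whose timestamp would now be rejected as stale anyway.
        self._seen = {s: t for s, t in self._seen.items() if now - t <= self.tolerance}
        if sig in self._seen:
            return "replayed"
        self._seen[sig] = ts
        return "ok"


if __name__ == "__main__":
    secret, body, ts = b"constructed-secret", b'{"event":"push"}', 1700000000
    v = WebhookVerifier(secret)
    hdr = {"X-Webhook-Timestamp": str(ts), "X-Webhook-Signature": sign(secret, ts, body)}
    print(v.verify(hdr, body, now=ts + 5), v.verify(hdr, body, now=ts + 6))
```

In a real handler the MAC must be computed over the raw request bytes before any JSON parsing, and the replay cache needs shared storage when more than one worker receives deliveries.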

## See also

- [Application programming interface](/source/Application_programming_interface)

- [Event-driven architecture](/source/Event-driven_architecture)

- [Open API](/source/Open_API)

- [Mashup (web application hybrid)](/source/Mashup_(web_application_hybrid))

## References

1. [*Web hook to revolutionize the web*](https://web.archive.org/web/20180630220036/http://progrium.com/blog/2007/05/03/web-hooks-to-revolutionize-the-web/), 3 May 2007, archived from [the original](http://progrium.com/blog/2007/05/03/web-hooks-to-revolutionize-the-web/) on 2018-06-30

2. ["Webhooks"](https://developer.atlassian.com/server/jira/platform/webhooks/). Atlassian. Retrieved 2019-09-24.

3. [About Webhooks - Github Help](https://help.github.com/articles/about-webhooks/)

4. [WordPress Webhooks](http://en.support.wordpress.com/webhooks/)

5. [Use Cases for Webhooks](https://webhook-test.com/use-cases-for-webhooks)

6. [*Jenkins GitHub Commit Hooks HOWTO*](https://web.archive.org/web/20150925064335/http://wiki.cloudbees.com/bin/view/DEV/GitHub+Commit+Hooks+HOWTO), archived from [the original](https://wiki.cloudbees.com/bin/view/DEV/GitHub+Commit+Hooks+HOWTO) on 2015-09-25

7. [Google Project Hosting - Post-Commit Web Hooks](https://code.google.com/p/support/wiki/PostCommitWebHooks)

8. [What are WebHooks and How Do They Enable a Real-time Web?](http://blog.programmableweb.com/2012/01/30/webhooks-realtime-web/)

9. ["Why Verify"](https://docs.svix.com/receiving/verifying-payloads/why). *Svix*. Svix Inc. Retrieved September 12, 2021. Another potential security hole is what's called replay attacks.

10. ["DocuSign Connect Now Includes Basic Authentication Support"](https://www.docusign.com/blog/dsdev-docusign-connect-basic-authentication-support/). *DocuSign*. DocuSign, Inc. 16 November 2017. Retrieved January 15, 2020. the Connect notification service has been updated to support the Basic Authentication scheme with customers' Connect servers (listeners).

11. ["Securing your webhooks"](https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks#validating-payloads-from-github). *Github*. Github, Inc. Retrieved September 12, 2021.

12. ["Checking Webhook Signatures"](https://stripe.com/docs/webhooks/signatures). *Stripe*. Stripe, Inc. Retrieved 12 May 2019.

13. ["Getting Started - Graph API - Documentation - Facebook for Developers"](https://developers.facebook.com/docs/graph-api/webhooks/getting-started#validate-payloads). *Facebook*. Facebook, Inc. Retrieved 12 May 2019.

14. ["Mutual TLS: Stuff you should know"](https://www.docusign.com/blog/dsdev-mutual-tls-stuff-know/). *DocuSign*. DocuSign, Inc. Retrieved January 15, 2020. Mutual TLS plus Client Access Control enables your listener app to ensure that the Connect notification message was sent by DocuSign and that it wasn't modified en route.

## External links

- [Working with Webhooks](https://requestbin.com/blog/working-with-webhooks/)

---
Adapted from the Wikipedia article [Webhook](https://en.wikipedia.org/wiki/Webhook) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Webhook?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
