Webhook Glossary
Plain-English definitions for every term you will encounter when building, testing, and debugging webhooks.
Quick Answer
A webhook is an HTTP POST that a provider sends to your URL when an event happens. The key concepts to understand are: payload (the data), endpoint (your URL), signature (proof of origin), and idempotency (safe to process twice). This glossary covers 25 terms in full.
Webhook
An HTTP callback that a service sends to a URL you provide when an event occurs — for example, a payment succeeding or a repository receiving a push. Unlike polling, the sender pushes data to you. See the Webhook vs API guide for a full comparison.
Endpoint
A URL that accepts incoming HTTP requests. In webhook testing, your endpoint is the destination URL you paste into a provider's dashboard. Requex generates a unique HTTPS endpoint for you instantly.
Payload
The data body of an HTTP request — typically a JSON object describing the event. For a Stripe payment webhook, the payload contains the charge ID, amount, currency, and customer details.
Header
Key-value metadata attached to an HTTP request or response, sent before the body. Common webhook-related headers include Content-Type (describing the body format), Authorization (carrying credentials), and provider-specific signature headers like Stripe-Signature.
HTTP Method
The action verb of an HTTP request: GET (read), POST (create/send), PUT (replace), PATCH (partial update), DELETE (remove). Most webhooks use POST because they are delivering new event data.
Status Code
The 3-digit number a server returns to indicate the outcome of a request. 2xx codes signal success (200 OK, 201 Created). 4xx codes indicate client errors (400 Bad Request, 401 Unauthorized). 5xx codes indicate server errors. Providers use your status code to decide whether to retry.
Signature
A cryptographic value — usually an HMAC hash — included in a request header to prove the payload came from the expected sender and has not been tampered with. Stripe uses Stripe-Signature; GitHub uses X-Hub-Signature-256. See the webhook authentication guide.
HMAC
Hash-based Message Authentication Code. A signature algorithm that combines a secret key with the request body using a hash function (typically SHA-256) to produce a fixed-length digest. The receiver recomputes the HMAC and compares it to the header value to verify authenticity.
Secret Key
A shared private string known only to the webhook sender and receiver, used to compute or validate an HMAC signature. Never expose your secret key in client-side code or logs.
Retry
When a webhook delivery fails (your endpoint returns a 5xx status or times out), the provider automatically resends the request after a delay. Most providers retry between 3 and 10 times with exponential back-off. See handling failed webhook retries.
Idempotency
The property of an operation that produces the same result whether it is executed once or many times. Because webhooks are retried on failure, your handler must be idempotent — processing the same event ID twice should not double-charge a customer or create duplicate records.
Fanout
Delivering a single webhook event to multiple endpoints simultaneously. Fanout is used when several downstream services all need to react to the same event — for example, a new order notifying both a fulfillment service and an analytics pipeline.
Ingestion
The process of receiving and storing incoming webhook requests. When Requex captures a request at your endpoint, that is ingestion — the request is recorded in the database and made available for inspection before any forwarding or response logic runs.
Latency
The time elapsed between a provider sending a webhook and your endpoint receiving it. High latency can cause webhook processing to fall behind real-time events. Requex shows the timestamp of each received request so you can observe delivery timing.
Timeout
The maximum time a provider waits for your endpoint to respond before treating the delivery as failed and scheduling a retry. Most providers timeout between 5 and 30 seconds. Keep your webhook handler fast — offload heavy processing to a background job.
Rate Limit
A cap on the number of requests a provider will send to your endpoint within a given time window. If your endpoint is too slow or returns errors consistently, some providers will temporarily suspend delivery.
Forwarding Rule
A Requex feature that automatically relays incoming webhook requests to a second URL — typically your local development server or staging environment — so you can test your own code against real payloads.
Test Endpoint
A temporary, disposable URL used during development to receive webhook deliveries without pointing providers at production infrastructure. Requex provides free test endpoints with no setup required.
Ephemeral
Short-lived, temporary. An ephemeral webhook endpoint exists only for the duration of a session and is discarded afterwards. Useful for one-off debugging or CI pipeline tests where persistence is unnecessary.
Response Config
A Requex feature that lets you define exactly what HTTP response your endpoint returns to senders — status code, headers, body content, and optional delay. Useful for testing how your service behaves when a downstream API returns specific error codes.
Tunnel
A persistent connection that exposes a local port to the public internet via a forwarding server, giving it a stable HTTPS URL. Tools like ngrok and the upcoming Requex tunneling feature use this approach so providers can send webhooks directly to localhost.
Real-time
Data delivered or displayed immediately as events occur, without polling or page refresh. Requex uses WebSockets (Socket.IO) to push new requests to your browser dashboard the instant they are received.
Bearer Token
An auth credential passed in the Authorization header as Authorization: Bearer <token>. Webhook providers sometimes require a Bearer token to authenticate their outbound requests; your endpoint validates it before processing the payload.
Basic Auth
An HTTP authentication scheme that encodes a username and password as Base64 and sends them in the Authorization header: Authorization: Basic <base64(user:password)>. Supported as an auth mode in Requex's response config.
API Key
A static secret string used to authenticate API or webhook requests. Often passed as a custom header (X-Api-Key) or query parameter. Less secure than HMAC signatures because the key is sent with every request rather than being used to sign the payload.
Test These Concepts in Practice
The fastest way to understand webhook terms is to observe them live. Requex shows you every header, payload, and status code in real time — no signup required.
Open Requex →