Which providers use webhooks?

Stripe, GitHub, Shopify, Twilio, SendGrid, Clerk, PlanetScale — almost every modern API uses them for async events.

How do I test webhooks locally?

Use the Stripe CLI (`stripe listen`) or ngrok to forward provider events to localhost during development.

Do I need a separate queue service?

For low volume, a simple database-backed queue works. For production scale, BullMQ (Redis) or a managed queue is more reliable.

What if an event is never delivered?

Most providers have a dashboard to replay events. For critical flows, also poll the provider API periodically as a safety net.

Webhook Integration Guide 2026 — Receive, Verify & Process Events

Webhooks are how the internet talks to itself — Stripe fires one when a payment completes, GitHub when a PR merges, Twilio when a message arrives. Building a receiver that's fast, secure and never drops an event requires more than a simple POST handler. This guide covers the full pattern.

Step 1 — Always verify the signature

Every serious webhook provider signs its payloads with an HMAC-SHA256 signature. Your receiver must verify this before doing anything else — an unverified handler is an open door for replay attacks and forged events.

app/api/stripe/webhook/route.ts

TypeScript

1import Stripe from "stripe";2const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);3 4export async function POST(req: Request) {5  const body = await req.text(); // raw body — required for signature check6  const sig = req.headers.get("stripe-signature")!;7  let event: Stripe.Event;8  try {9    event = stripe.webhooks.constructEvent(body, sig, process.env.STRIPE_WEBHOOK_SECRET!);10  } catch {11    return new Response("Bad signature", { status: 400 });12  }13  await queue.add("stripe-event", event); // hand off immediately14  return new Response("ok");15}

Stripe webhook verification — the raw body must be used, not the parsed JSON.

Step 2 — Respond fast, process async

Webhook providers (Stripe, GitHub, etc.) expect a 2xx response within 5–30 seconds or they retry. Heavy processing — sending emails, updating databases, calling other APIs — should happen in a background queue, not in the handler itself.

Step 3 — Idempotent processing

Every webhook can be delivered more than once (network blips, provider retries). Your processor must be idempotent — running it twice on the same event must have the same result as running it once. The simplest pattern: store the event ID and skip if already seen.

workers/stripe.ts

TypeScript

1export async function handleStripeEvent(event: Stripe.Event) {2  const exists = await db.processedEvent.findUnique({ where: { id: event.id } });3  if (exists) return; // already handled — safe to skip4 5  await db.processedEvent.create({ data: { id: event.id } });6 7  if (event.type === "checkout.session.completed") {8    const session = event.data.object as Stripe.Checkout.Session;9    await activateSubscription(session.metadata!.orgId);10  }11}

Idempotent event processing — skip already-handled events.

Step 4 — Handle retries gracefully

When your handler returns a non-2xx, providers retry with exponential backoff. Configure your queue with the same pattern for downstream failures — up to 3 retries with delays, then move to a dead-letter queue for manual inspection.

< 200ms

Handler response time

event_id

Idempotency key

3×

Retry attempts

DLQ

Failed events

Need this built? Explore our API Development & Integrations service.

View service →

Written by Zahid Ghotia · Published 5 June 2026 · 7 min read

Webhook Integration Guide: Receive, Verify & Process Events Reliably

Step 1 — Always verify the signature

Step 2 — Respond fast, process async

Step 3 — Idempotent processing

Step 4 — Handle retries gracefully

Frequently asked questions

Related articles

Stripe Payment Integration Guide for Developers

How to Build a SaaS Platform from Idea to Launch

Need API & webhook integrations?