Webhook Best Practices

Review these best practices to ensure your webhooks remain secure and function seamlessly with your integration.

Delivery attempts and retries

Understand how to view delivery attempts, event logs, and the retry logic when webhook events aren't acknowledged.

View events

You can see all webhooks sent by going to Integrations > Webhooks and clicking the Event Log button. This shows every sent webhook, its delivery status, and the HTTP status code Prefinery received in response.

Note: Test events (when you click on the Test button next to an endpoint) are not logged.

Retry logic

Prefinery attempts to deliver your webhooks for a few days with an exponential backoff.

Event handling

Handling webhook events correctly is crucial to making sure your integration's business logic works as expected.

Handle duplicate events

Webhook endpoints might occasionally receive the same event more than once. We advise you to guard against duplicate deliveries by making your event processing idempotent.

Order of events

Prefinery does not guarantee delivery of events in the order in which they are generated. For example, adding a user might generate the following events: tester_created, tester_applied and tester_updated.

Your endpoint should not expect delivery of these events in this order and should process them correctly in whatever order they arrive.
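One way to make a handler both idempotent and order-independent, as an added example that is not Prefinery's own code: it records each event id in the same transaction as the state change, and overwrites tester fields only when the event is newer than what is stored. The payload fields (id, type, created_at, tester.id, tester.email), the table layout, and the sample events are assumptions made for illustration.

```python
import sqlite3

# Assumed payload shape (hypothetical, not Prefinery's documented schema): a unique
# "id", a "type", a UTC ISO-8601 "created_at", and a "tester" dict with "id" and "email".
SCHEMA = """
CREATE TABLE IF NOT EXISTS seen_events (event_id TEXT PRIMARY KEY);
CREATE TABLE IF NOT EXISTS testers (tester_id TEXT PRIMARY KEY, email TEXT,
    applied INTEGER DEFAULT 0, last_event_at TEXT NOT NULL);
"""

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def handle_event(db, event):
    """Returns 'duplicate', 'applied' (fields written) or 'stale' (older than stored state)."""
    with db:  # dedupe record and state change commit in one transaction
        try:
            db.execute("INSERT INTO seen_events VALUES (?)", (event["id"],))
        except sqlite3.IntegrityError:
            return "duplicate"  # redelivery: acknowledge it, change nothing
        t, ts = event["tester"], event["created_at"]
        # Create the row on first sight, so tester_applied or tester_updated
        # arriving before tester_created is still processed.
        db.execute("INSERT OR IGNORE INTO testers (tester_id, email, last_event_at) "
                   "VALUES (?, ?, '')", (t["id"], t["email"]))
        if event["type"] == "tester_applied":  # monotonic flag: safe in any order
            db.execute("UPDATE testers SET applied = 1 WHERE tester_id = ?", (t["id"],))
        # Tester fields are overwritten only by an event newer than the stored one.
        cur = db.execute("UPDATE testers SET email = ?, last_event_at = ? "
                         "WHERE tester_id = ? AND last_event_at < ?",
                         (t["email"], ts, t["id"], ts))
        return "applied" if cur.rowcount else "stale"

def sample_event(eid, etype, ts, email):  # constructed sample data, not captured traffic
    return {"id": eid, "type": etype, "created_at": ts,
            "tester": {"id": "t1", "email": email}}

SAMPLE_DELIVERY = [  # delivered out of order, with one redelivery
    sample_event("e3", "tester_updated", "2024-01-01T00:00:03Z", "new@example.com"),
    sample_event("e1", "tester_created", "2024-01-01T00:00:01Z", "old@example.com"),
    sample_event("e2", "tester_applied", "2024-01-01T00:00:02Z", "old@example.com"),
    sample_event("e3", "tester_updated", "2024-01-01T00:00:03Z", "new@example.com"),
]

def replay(events=SAMPLE_DELIVERY):
    db = open_store()
    outcomes = [handle_event(db, e) for e in events]
    return outcomes, db.execute("SELECT email, applied FROM testers").fetchone()
```

Return a success status for 'duplicate' and 'stale' outcomes as well, so that an event which was already handled is not retried.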

Security

Keeping your endpoints secure is critical to protecting your customers' information. Prefinery provides several ways for you to verify events are coming from Prefinery in a secure manner.

Receive events with an HTTPS server

If you use an HTTPS URL for your webhook endpoint, Prefinery will validate that the connection to your server is secure before sending your webhook data. For this to work, your server must be correctly configured to support HTTPS with a valid server certificate.

Rotate endpoint signing secret

The signing secret used for verifying that events come from Prefinery can be changed on the Webhooks page for each project. Click Rotate secret and, after you confirm the request, your existing signing secret expires immediately and signatures are generated with the new secret. Update the secret your endpoint uses at the same time, because signatures generated with the new secret will not verify against the old one.

Verify events are from Prefinery

Verify webhook signatures to confirm that received events are sent from Prefinery.