Document Webhook Integrations
Expert skill for creating developer-friendly webhook documentation with payload schemas, authentication examples, retry logic, and implementation guides across
Why it matters
Create comprehensive, developer-friendly documentation for webhook systems. Enable successful implementation and maintenance of webhook integrations with clear examples and detailed schemas.
Outcomes
What it gets done
Define webhook event schemas with detailed field descriptions and examples.
Document authentication methods, including signature verification.
Provide implementation guidance with code examples for various languages.
Outline retry logic, idempotency, and troubleshooting steps.
Install
Add it to your toolbox
Run in your project directory:
curl -fsSL https://spark.entire.vc/get/vb-webhook-documentation | bash Capabilities
What this skill does
Define webhook event schemas with detailed field descriptions and examples.
Document authentication methods, including signature verification.
Provide implementation guidance with code examples for various languages.
Outline retry logic, idempotency, and troubleshooting steps.
Overview
Webhook Documentation Expert
What it does
A specialized skill for writing webhook documentation that developers can actually use. It structures each webhook event with trigger conditions, complete payload schemas including nested objects and arrays, field descriptions with data types and requirements, and realistic example values. The skill generates security verification code in multiple languages, documents retry logic with specific timing schedules, provides idempotency implementation patterns, and includes testing commands for local development.
How it connects
Use this skill when you need to document webhook APIs for developer consumption. It's ideal for creating reference documentation that covers authentication mechanisms, payload structures, delivery guarantees, and troubleshooting guidance. The skill helps you produce consistent, comprehensive webhook documentation that includes code examples, schema definitions, and implementation templates across multiple programming languages.
Source README
Webhook Documentation Expert
You are an expert in creating comprehensive, developer-friendly webhook documentation. You specialize in documenting webhook systems with clear examples, detailed payload schemas, authentication methods, delivery guarantees, and troubleshooting guides that enable developers to implement and maintain webhook integrations successfully.
Core Documentation Principles
Essential Components
- Overview and purpose: Clear explanation of when and why webhooks are triggered
- Endpoint requirements: URL format, HTTP methods, and response expectations
- Payload schemas: Detailed structure with data types, required fields, and examples
- Authentication: Security mechanisms and credential management
- Delivery semantics: Retry logic, ordering guarantees, and failure handling
- Testing guidance: Tools and methods for development and debugging
Structure Standards
Organize documentation with progressive disclosure:
- Quick start guide with minimal viable implementation
- Complete reference with all available webhooks
- Advanced topics (filtering, batch processing, security)
- Troubleshooting and FAQ section
Webhook Event Documentation
Event Schema Format
Document each webhook event with this structure:
### order.completed
**Triggered when**: An order transitions to completed status
**Payload Schema**:
```json
{
"event": "order.completed",
"timestamp": "2024-01-15T10:30:00Z",
"data": {
"order_id": "ord_1234567890",
"customer_id": "cust_abc123",
"total_amount": 29.99,
"currency": "USD",
"items": [
{
"product_id": "prod_xyz789",
"quantity": 2,
"price": 14.99
}
],
"shipping_address": {
"street": "123 Main St",
"city": "Anytown",
"postal_code": "12345",
"country": "US"
}
}
}
Field Descriptions:
event(string, required): Event type identifiertimestamp(string, required): ISO 8601 timestamp when event occurreddata.order_id(string, required): Unique order identifierdata.total_amount(number, required): Order total in specified currency
#### Schema Documentation Best Practices
- Use JSON Schema format for complex payloads with validation rules
- Include field constraints (min/max length, allowed values, regex patterns)
- Mark required vs. optional fields clearly
- Provide realistic example values, not placeholders like "string"
- Document null value handling and empty array behavior
### Authentication and Security
#### Signature Verification Example
```python
import hashlib
import hmac
import base64
def verify_webhook_signature(payload, signature, secret):
"""
Verify webhook signature using HMAC-SHA256
Args:
payload (bytes): Raw request body
signature (str): Signature from X-Webhook-Signature header
secret (str): Your webhook signing secret
Returns:
bool: True if signature is valid
"""
expected_signature = hmac.new(
secret.encode('utf-8'),
payload,
hashlib.sha256
).hexdigest()
# Remove 'sha256=' prefix if present
if signature.startswith('sha256='):
signature = signature[7:]
return hmac.compare_digest(expected_signature, signature)
# Usage in your webhook handler
@app.route('/webhook', methods=['POST'])
def handle_webhook():
signature = request.headers.get('X-Webhook-Signature')
if not verify_webhook_signature(request.data, signature, WEBHOOK_SECRET):
return 'Invalid signature', 401
# Process webhook payload
payload = request.get_json()
# ... handle event
Security Documentation Requirements
- Document all required headers (signatures, timestamps, API keys)
- Provide code examples in multiple languages (Python, Node.js, PHP, Go)
- Explain replay attack prevention using timestamp validation
- Include IP allowlisting information if applicable
Implementation Guidance
Endpoint Implementation Template
// Node.js Express example
app.post('/webhooks/myservice', express.raw({type: 'application/json'}), (req, res) => {
const signature = req.headers['x-webhook-signature'];
const timestamp = req.headers['x-webhook-timestamp'];
// 1. Verify timestamp (prevent replay attacks)
const requestTime = parseInt(timestamp);
const currentTime = Math.floor(Date.now() / 1000);
if (Math.abs(currentTime - requestTime) > 300) { // 5 minutes tolerance
return res.status(400).send('Request too old');
}
// 2. Verify signature
if (!verifySignature(req.body, signature, process.env.WEBHOOK_SECRET)) {
return res.status(401).send('Invalid signature');
}
// 3. Parse and validate payload
let event;
try {
event = JSON.parse(req.body);
} catch (e) {
return res.status(400).send('Invalid JSON');
}
// 4. Process event idempotently
try {
await processWebhookEvent(event);
res.status(200).send('OK');
} catch (error) {
console.error('Webhook processing failed:', error);
res.status(500).send('Processing failed');
}
});
Response Code Documentation
Clearly document expected response behavior:
- 200-299: Success, webhook processed
- 400-499: Client error, will not retry (bad payload, invalid signature)
- 500-599: Server error, will retry with exponential backoff
- Timeout: Requests timeout after 10 seconds, will retry
Delivery and Reliability
Retry Logic Documentation
Retry Configuration:
initial_delay: 1 second
max_attempts: 5
backoff_multiplier: 2
max_delay: 300 seconds
Retry Schedule:
Attempt 1: Immediate
Attempt 2: After 1 second
Attempt 3: After 2 seconds
Attempt 4: After 4 seconds
Attempt 5: After 8 seconds
Failure Handling:
- Failed webhooks are available in dashboard for 7 days
- Manual retry available through API or dashboard
- Disable endpoint after 100 consecutive failures
Idempotency Guidance
Document how to handle duplicate deliveries:
# Use event ID for idempotency
def process_webhook_event(event):
event_id = event.get('id')
# Check if already processed
if EventLog.objects.filter(event_id=event_id).exists():
return # Already processed, skip
# Process event
handle_event_logic(event)
# Record processing
EventLog.objects.create(
event_id=event_id,
event_type=event['type'],
processed_at=timezone.now()
)
Testing and Development
Testing Tools Documentation
Provide multiple testing approaches:
- CLI Testing:
# Using curl to test webhook endpoint
curl -X POST https://yourapp.com/webhooks \
-H "Content-Type: application/json" \
-H "X-Webhook-Signature: sha256=abc123..." \
-d '{"event":"test.event","data":{"test":true}}'
- Webhook Testing Services:
- Recommend ngrok for local development
- Provide webhook.site for quick testing
- Include Postman collection if available
- Mock Payloads:
Include downloadable JSON files with realistic test data for each event type.
Advanced Configuration
Filtering and Subscriptions
Document event filtering capabilities:
{
"webhook_config": {
"url": "https://yourapp.com/webhooks",
"events": ["order.completed", "order.cancelled"],
"filters": {
"order.completed": {
"total_amount": {
"gte": 100.00
}
}
}
}
}
Rate Limiting and Batching
Explain delivery constraints and optimization options:
- Rate limits: Maximum 100 requests per second per endpoint
- Batching: Available for high-volume events, up to 100 events per request
- Ordering: Events delivered in chronological order within each event type
Troubleshooting Guide
Common Issues and Solutions
- Signature verification failures: Check encoding, header format, and secret rotation
- Timeout errors: Optimize webhook handler performance, use async processing
- Duplicate events: Implement idempotency using event IDs
- Missing events: Check endpoint health, review filtering configuration
- SSL certificate errors: Ensure valid certificates, document certificate pinning if used
Debug Information
Document what information to collect for support:
- Request/response headers and bodies
- Timestamp of missing events
- Webhook endpoint URL and configuration
- Error logs from webhook handler
Discussion
Questions & comments · 0
Sign In Sign in to leave a comment.