
What Is a Webhook? (Plain English)

Non-technical explanation of webhooks with visual diagrams. Referenced when book says 'refer back to the resource website.'


A webhook is an automated message sent from one application to another when a specific event happens. Think of it as a phone call between software systems, not a request for information.

Here's the difference: When you check your email, you're asking "Do I have new messages?" That's polling. A webhook is when your email server calls you the instant a message arrives. One is you asking. The other is the system telling you.

For professional services firms, webhooks eliminate the manual data shuffling that kills billable hours. When a client signs a proposal in PandaDoc, a webhook can instantly create the client record in your practice management system, generate the engagement letter in Clio, and add the kickoff meeting to your calendar. No human touches the keyboard.

How Webhooks Actually Work

Three things happen in every webhook transaction:

1. Event Trigger
Something happens in Application A. A form gets submitted. A payment clears. A document gets signed. The application is programmed to watch for this specific event.

2. HTTP POST Request
Application A immediately sends an HTTP POST request to a URL you've configured. This request contains a JSON payload with data about what just happened. The request goes out within milliseconds of the trigger event.

3. Receiver Processes Data
Application B receives the POST request at that URL, reads the JSON payload, and executes whatever logic you've programmed. Update a database record. Send an email. Create a task. The receiver sends back a 200 status code to confirm receipt.

If the receiver doesn't respond or returns an error, most webhook systems retry the delivery 3-5 times with exponential backoff (waiting longer between each attempt).

Real Example: Client Intake Automation

You run a 12-person accounting firm. A prospect fills out your "Request a Consultation" form on your website. Here's what happens with webhooks configured:

Trigger Event: Form submission in Typeform

Webhook Fires: Typeform sends this JSON payload to your Zapier webhook URL:

{
  "event_type": "form_response",
  "form_response": {
    "answers": [
      {"field": "name", "text": "Sarah Chen"},
      {"field": "email", "text": "sarah@techstartup.com"},
      {"field": "company", "text": "TechStartup Inc"},
      {"field": "revenue", "text": "$2M-$5M"},
      {"field": "services_needed", "text": "Tax planning, bookkeeping"}
    ]
  }
}

Zapier Processes: Your Zap reads this payload and triggers three actions:

  1. Creates contact in HubSpot CRM with revenue tier tag
  2. Sends Slack message to #new-leads channel with prospect details
  3. Creates draft engagement letter in Practice Ignition with pre-filled client name and services

Total time: 4 seconds from form submit to engagement letter ready for review.

Manual alternative: Your admin checks the form responses spreadsheet twice daily, copies data into HubSpot, messages the team, then creates the engagement letter. Time: 15 minutes per lead. Error rate: 12% (typos, forgotten steps).

Webhook Anatomy: What You're Actually Configuring

When you set up a webhook, you configure these elements:

Webhook URL (Endpoint)
The destination address where the POST request gets sent. Format: https://hooks.zapier.com/hooks/catch/123456/abcdef/

This URL must be publicly accessible over HTTPS. Most automation platforms (Zapier, Make, Power Automate) give you a unique webhook URL when you create a new automation. Your receiving application listens at this address.

Payload Structure
The JSON data package sent with each webhook. The sending application determines the structure. You don't control what data gets sent, but you control what you do with it.

Example payload from Stripe when a payment succeeds:

{
  "id": "evt_1234567890",
  "type": "payment_intent.succeeded",
  "data": {
    "object": {
      "amount": 5000,
      "currency": "usd",
      "customer": "cus_ABC123",
      "receipt_email": "client@lawfirm.com"
    }
  }
}

Authentication Method
How the receiver verifies the webhook came from the legitimate sender, not an attacker. Three common methods:

  • Shared Secret: Sender includes a pre-agreed token in the request header. You verify it matches.
  • Signature Verification: Sender creates a hash of the payload using a secret key. You recreate the hash and compare.
  • IP Allowlisting: You only accept webhooks from the sender's known IP addresses.

Stripe uses signature verification. Every webhook includes an X-Stripe-Signature header. Your code must verify this signature matches before processing the payload.

Retry Logic
What happens when delivery fails. Standard pattern:

  • Attempt 1: Immediate
  • Attempt 2: 1 minute later
  • Attempt 3: 10 minutes later
  • Attempt 4: 1 hour later
  • Attempt 5: 6 hours later

After 5 failures, most systems stop trying and log the failure. You should monitor these logs.

Setting Up Your First Webhook (Zapier Example)

Step 1: Create the Trigger
In Zapier, create a new Zap. Select "Webhooks by Zapier" as the trigger app. Choose "Catch Hook" as the trigger event. Zapier generates your webhook URL: https://hooks.zapier.com/hooks/catch/987654/xyz123/

Step 2: Configure the Sender
In your source application (the one sending the webhook), find the webhooks or integrations settings. Paste your Zapier webhook URL. Select which events should trigger the webhook. Save.

For Typeform: Settings > Integrations > Webhooks > Add Webhook > Paste URL > Select "Form submitted" event.

Step 3: Test the Connection
Trigger a test event in your source application. Submit a test form. Make a test purchase. Whatever action fires the webhook.

Back in Zapier, click "Test trigger." Zapier should show you the JSON payload it received. If you see data, the webhook works.

Step 4: Map the Data
Add action steps to your Zap. When mapping fields, you'll see the webhook data available as variables. Select name from the webhook payload to populate the "Contact Name" field in your CRM.

Step 5: Handle Errors
Add a filter step to check for required data. If email is empty, stop the Zap and send yourself an alert. Don't let incomplete data pollute your systems.

Turn on error notifications in Zapier settings. You'll get emailed when a Zap fails, with the payload that caused the failure.

Common Webhook Failures (And Fixes)

Timeout Errors
Your receiving endpoint must respond within 30 seconds or the sender assumes failure. If your automation takes longer (complex data processing, multiple API calls), respond with 200 immediately, then process asynchronously.

Fix: Use a queue system. Acknowledge receipt instantly, add the job to a processing queue, handle it in the background.

Duplicate Webhooks
Network issues can cause the same webhook to be delivered twice. Your code must be idempotent (safe to run multiple times with the same data).

Fix: Check for a unique identifier in the payload (event_id, transaction_id). Before processing, verify you haven't already processed this ID. Store processed IDs in a database table.
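
The acknowledge-then-queue fix for timeouts and the processed-ID fix for duplicates, combined in one receiver. This is an added example, not code from the original guide; the in-memory SQLite table `processed_events`, the `jobs` queue and the `receive`/`drain` function names are assumptions made for illustration.

```python
import json
import queue
import sqlite3

# In-memory stand-ins (assumptions for this example): production would use a
# persistent database and a durable job queue.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE processed_events (event_id TEXT PRIMARY KEY)")
jobs = queue.Queue()


def receive(raw_body: bytes) -> int:
    """Handle one delivery; return the HTTP status to send back to the sender."""
    try:
        event = json.loads(raw_body)
        event_id = event["id"]
    except (ValueError, KeyError, TypeError):
        return 400  # malformed payload: reject, nothing is queued
    if not isinstance(event_id, str) or not event_id:
        return 400
    # The PRIMARY KEY makes "check and record" a single atomic step: a
    # redelivered ID inserts zero rows, so two copies cannot both pass.
    cur = db.execute(
        "INSERT OR IGNORE INTO processed_events (event_id) VALUES (?)",
        (event_id,),
    )
    db.commit()
    if cur.rowcount == 1:
        jobs.put(event)  # first sighting: hand off to the background worker
    return 200  # acknowledge duplicates too, so the sender stops retrying


def drain() -> list:
    """Stand-in for the background worker: handle queued events in order."""
    handled = []
    while not jobs.empty():
        handled.append(jobs.get().get("type"))
    return handled
```

Because the ID is recorded when the event is queued, the queue itself has to survive a restart; otherwise an event that was acknowledged but never worked on is lost.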

Payload Changes
The sending application updates their webhook format. Your automation breaks because it expects customer_name but now receives client_name.

Fix: Version your webhook endpoints. Use https://yourapp.com/webhooks/v1/stripe and https://yourapp.com/webhooks/v2/stripe. When the sender changes formats, update to v2 without breaking v1.

Authentication Failures
Signature verification fails. Shared secret doesn't match.

Fix: Check for whitespace in your secret key. Verify you're using the correct hashing algorithm (SHA256 vs MD5). Confirm you're hashing the raw request body, not parsed JSON.
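
An added example (not from the original guide, and not any vendor's exact signature format) of generic HMAC-SHA256 signature verification as described under Authentication Method, showing how each mistake listed in the fix above makes a valid signature fail. The secret, the request body and all function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed values; a real secret is issued by the sending application.
SECRET = "whsec_constructed_example"
RAW_BODY = b'{"id":"evt_1234567890","type":"payment_intent.succeeded"}'


def sign(secret: str, raw_body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes that go on the wire."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()


def verify(secret: str, raw_body: bytes, received_sig: str) -> bool:
    """Receiver side: recompute over the raw bytes, compare in constant time."""
    return hmac.compare_digest(sign(secret, raw_body), received_sig)


def receiver_variants(secret: str, raw_body: bytes, received_sig: str) -> dict:
    """Run the correct check plus the three misconfigurations from the text."""
    # Parsing and re-dumping changes spacing, so the bytes no longer match
    # what the sender signed even though the JSON is semantically identical.
    reserialized = json.dumps(json.loads(raw_body)).encode()
    md5_sig = hmac.new(secret.encode(), raw_body, hashlib.md5).hexdigest()
    return {
        "raw body, clean secret": verify(secret, raw_body, received_sig),
        "secret with trailing newline": verify(secret + "\n", raw_body, received_sig),
        "re-serialized JSON": verify(secret, reserialized, received_sig),
        "MD5 instead of SHA256": hmac.compare_digest(md5_sig, received_sig),
    }


if __name__ == "__main__":
    header_value = sign(SECRET, RAW_BODY)  # what the sender would attach
    for case, ok in receiver_variants(SECRET, RAW_BODY, header_value).items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

In a web framework, read the request body as bytes before any JSON middleware touches it, and pass those bytes to `verify`.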

Webhooks vs. API Polling

Polling: Your application asks "Anything new?" every 5 minutes. Like checking your mailbox repeatedly.

  • Uses: 288 API calls per day (every 5 minutes)
  • Latency: Up to 5 minutes delay
  • Cost: High API usage, rate limit concerns
  • Server load: Constant requests even when nothing happens

Webhooks: The application tells you instantly when something happens. Like getting a text when mail arrives.

  • Uses: 1 webhook per actual event
  • Latency: Under 1 second
  • Cost: Minimal, pay only for real events
  • Server load: Zero load until events occur

For a firm processing 50 new client intakes per month, polling means 14,400 wasted API calls. Webhooks mean 50 meaningful notifications.

Security Checklist

Before going live with webhooks:

  • [ ] Use HTTPS only, never HTTP
  • [ ] Verify webhook signatures or tokens on every request
  • [ ] Validate payload structure before processing
  • [ ] Sanitize all data before inserting into databases
  • [ ] Rate limit webhook endpoints (max 100 requests per minute)
  • [ ] Log all webhook activity with timestamps and payload samples
  • [ ] Set up alerts for authentication failures
  • [ ] Rotate shared secrets every 90 days
  • [ ] Restrict webhook URLs to specific IP ranges when possible
  • [ ] Never expose webhook URLs in public documentation
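
Two checklist items, payload validation and safe database insertion, applied to the intake payload shown earlier. This is an added example rather than code from the guide; the `leads` table, the required-field list and the length cap are assumptions.

```python
import re
import sqlite3

REQUIRED = ("name", "email")  # assumption: fields the intake flow cannot do without
MAX_LEN = 200                 # assumption: upper bound for any single answer
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample, shaped like the intake payload shown earlier on this page.
SAMPLE = {"event_type": "form_response", "form_response": {"answers": [
    {"field": "name", "text": "Sarah Chen"},
    {"field": "email", "text": "sarah@techstartup.com"},
]}}


def validate(payload) -> dict:
    """Return {field: text} for a well-formed intake payload, else raise ValueError."""
    if not isinstance(payload, dict) or payload.get("event_type") != "form_response":
        raise ValueError("unexpected event_type")
    response = payload.get("form_response")
    answers = response.get("answers") if isinstance(response, dict) else None
    if not isinstance(answers, list):
        raise ValueError("answers missing")
    fields = {}
    for a in answers:
        if not (isinstance(a, dict) and isinstance(a.get("field"), str)
                and isinstance(a.get("text"), str)):
            raise ValueError("malformed answer")
        if len(a["text"]) > MAX_LEN:
            raise ValueError("answer too long")
        fields[a["field"]] = a["text"].strip()
    for name in REQUIRED:
        if not fields.get(name):
            raise ValueError(f"missing {name}")
    if not EMAIL_RE.match(fields["email"]):
        raise ValueError("invalid email")
    return fields


def store(db: sqlite3.Connection, fields: dict) -> None:
    """Insert with placeholders so field values are always treated as data."""
    db.execute("CREATE TABLE IF NOT EXISTS leads (name TEXT, email TEXT, company TEXT)")
    db.execute(
        "INSERT INTO leads (name, email, company) VALUES (?, ?, ?)",
        (fields["name"], fields["email"], fields.get("company")),
    )
    db.commit()
```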

When Not to Use Webhooks

Webhooks aren't always the right choice:

Bidirectional Sync
If Application A and Application B both need to update each other, webhooks can create infinite loops. Use a dedicated integration platform or scheduled sync instead.

Large Data Transfers
Webhooks time out with payloads over 1MB. For bulk data (importing 10,000 contacts), use batch API endpoints or file transfers.

Guaranteed Delivery Requirements
Webhooks use "best effort" delivery. If your receiver is down for 6 hours, you might miss events. For critical data (financial transactions), use a message queue system with guaranteed delivery.

Complex Transformations
If you need to combine data from 5 different sources before taking action, webhooks get messy. Use an ETL tool or scheduled workflow instead.

Bottom Line

Webhooks turn your software stack into a nervous system. Events in one application trigger instant reactions in others, without human intervention. For professional services firms, this means less time on data entry and more time on billable work.

Start with one high-volume, error-prone manual process. Client intake. Invoice generation. Document routing. Build a webhook automation for that single workflow. Measure the time saved. Then expand.

The firms winning on operational efficiency aren't using better software. They're using webhooks to make their existing software talk to each other.

Revenue Institute

Reviewed by Revenue Institute

This guide is actively maintained and reviewed by the implementation experts at Revenue Institute. As the creators of The AI Workforce Playbook, we test and deploy these exact frameworks for professional services firms scaling without new headcount.
