What Is a Webhook? (Plain English)

A webhook webhookClick to read the full definition in our AI & Automation Glossary. is an automated message sent from one application to another when a specific event happens. Think of it as a phone call between software systems, not a request for information.

Here's the difference: When you check your email, you're asking "Do I have new messages?" That's polling. A webhook is when your email server calls you the instant a message arrives. One is you asking. The other is the system telling you.

For professional services firms, webhooks eliminate the manual data shuffling that kills billable hours. When a client signs a proposal in PandaDoc, a webhook can instantly create the client record in your practice management system, generate the engagement letter in Clio, and add the kickoff meeting to your calendar. No human touches the keyboard.

Three things happen in every webhook transaction:

1. Event Trigger
Something happens in Application A. A form gets submitted. A payment clears. A document gets signed. The application is programmed to watch for this specific event.

2. HTTP POST Request
Application A immediately sends an HTTP POST request to a URL you've configured. This request contains a JSON payload with data about what just happened. The request goes out within milliseconds of the trigger event.

3. Receiver Processes Data
Application B receives the POST request at that URL, reads the JSON payload, and executes whatever logic you've programmed. Update a database record. Send an email. Create a task. The receiver sends back a 200 status code to confirm receipt.

If the receiver doesn't respond or returns an error, most webhook systems retry the delivery 3-5 times with exponential backoff (waiting longer between each attempt).

You run a 12-person accounting firm. A prospect fills out your "Request a Consultation" form on your website. Here's what happens with webhooks configured:

Trigger Event: Form submission in Typeform
Webhook Fires: Typeform sends this JSON payload to your Zapier webhook URL:

{
  "event_type": "form_response",
  "form_response": {
    "answers": [
      {"field": "name", "text": "Sarah Chen"},
      {"field": "email", "text": "sarah@techstartup.com"},
      {"field": "company", "text": "TechStartup Inc"},
      {"field": "revenue", "text": "$2M-$5M"},
      {"field": "services_needed", "text": "Tax planning, bookkeeping"}
    ]
  }
}

Zapier Processes: Your Zap reads this payload and triggers three actions:

1. Creates contact in HubSpot CRM CRMCustomer Relationship Management software. The system of record for contacts, deals, and client communication. Examples: HubSpot, Salesforce, Pipedrive. with revenue tier tag
2. Sends Slack message to #new-leads channel with prospect details
3. Creates draft engagement letter in Practice Ignition with pre-filled client name and services

Total time: 4 seconds from form submit to engagement letter ready for review.

Manual alternative: Your admin checks the form responses spreadsheet twice daily, copies data into HubSpot, messages the team, then creates the engagement letter. Time: 15 minutes per lead. Error rate: 12% (typos, forgotten steps).

When you set up a webhook, you configure these elements:

Webhook URL (Endpoint)
The destination address where the POST request gets sent. Format: https://hooks.zapier.com/hooks/catch/123456/abcdef/

This URL must be publicly accessible over HTTPS. Most automation platforms (Zapier, Make, Power Automate) give you a unique webhook URL when you create a new automation. Your receiving application listens at this address.

Payload Structure
The JSON data package sent with each webhook. The sending application determines the structure. You don't control what data gets sent, but you control what you do with it.

Example payload from Stripe when a payment succeeds:

{
  "id": "evt_1234567890",
  "type": "payment_intent.succeeded",
  "data": {
    "object": {
      "amount": 5000,
      "currency": "usd",
      "customer": "cus_ABC123",
      "receipt_email": "client@lawfirm.com"
    }
  }
}

Authentication Method
How the receiver verifies the webhook came from the legitimate sender, not an attacker. Three common methods:

• Shared Secret: Sender includes a pre-agreed token in the request header. You verify it matches.
• Signature Verification: Sender creates a hash of the payload using a secret key. You recreate the hash and compare.
• IP Allowlisting: You only accept webhooks from the sender's known IP addresses.

Stripe uses signature verification. Every webhook includes an X-Stripe-Signature header. Your code must verify this signature matches before processing the payload.

Retry Logic
What happens when delivery fails. Standard pattern:

• Attempt 1: Immediate
• Attempt 2: 1 minute later
• Attempt 3: 10 minutes later
• Attempt 4: 1 hour later
• Attempt 5: 6 hours later

After 5 failures, most systems stop trying and log the failure. You should monitor these logs.

Step 1: Create the Trigger
In Zapier, create a new Zap. Select "Webhooks by Zapier" as the trigger app. Choose "Catch Hook" as the trigger event. Zapier generates your webhook URL: https://hooks.zapier.com/hooks/catch/987654/xyz123/

Step 2: Configure the Sender
In your source application (the one sending the webhook), find the webhooks or integrations settings. Paste your Zapier webhook URL. Select which events should trigger the webhook. Save.

For Typeform: Settings > Integrations > Webhooks > Add Webhook > Paste URL > Select "Form submitted" event.

Step 3: Test the Connection
Trigger a test event in your source application. Submit a test form. Make a test purchase. Whatever action fires the webhook.

Back in Zapier, click "Test trigger." Zapier should show you the JSON payload it received. If you see data, the webhook works.

Step 4: Map the Data
Add action steps to your Zap. When mapping fields, you'll see the webhook data available as variables. Select name from the webhook payload to populate the "Contact Name" field in your CRM.

Step 5: Handle Errors
Add a filter step to check for required data. If email is empty, stop the Zap and send yourself an alert. Don't let incomplete data pollute your systems.

Turn on error notifications in Zapier settings. You'll get emailed when a Zap fails, with the payload that caused the failure.

Timeout Errors
Your receiving endpoint must respond within 30 seconds or the sender assumes failure. If your automation takes longer (complex data processing, multiple API APIApplication Programming Interface. The connection point that lets two pieces of software exchange data. How n8n talks to your CRM. calls), respond with 200 immediately, then process asynchronously.

Fix: Use a queue system. Acknowledge receipt instantly, add the job to a processing queue, handle it in the background.

Duplicate Webhooks
Network issues can cause the same webhook to be delivered twice. Your code must be idempotent (safe to run multiple times with the same data).

Fix: Check for a unique identifier in the payload (event_id, transaction_id). Before processing, verify you haven't already processed this ID. Store processed IDs in a database table.

Payload Changes
The sending application updates their webhook format. Your automation breaks because it expects customer_name but now receives client_name.

Fix: Version your webhook endpoints. Use https://yourapp.com/webhooks/v1/stripe and https://yourapp.com/webhooks/v2/stripe. When the sender changes formats, update to v2 without breaking v1.

Authentication Failures
Signature verification fails. Shared secret doesn't match.

Fix: Check for whitespace in your secret key. Verify you're using the correct hashing algorithm (SHA256 vs MD5). Confirm you're hashing the raw request body, not parsed JSON.

Polling: Your application asks "Anything new?" every 5 minutes. Like checking your mailbox repeatedly.

• Uses: 288 API calls per day (every 5 minutes)
• Latency: Up to 5 minutes delay
• Cost: High API usage, rate limit concerns
• Server load: Constant requests even when nothing happens

Webhooks: The application tells you instantly when something happens. Like getting a text when mail arrives.

• Uses: 1 webhook per actual event
• Latency: Under 1 second
• Cost: Minimal, pay only for real events
• Server load: Zero load until events occur

For a firm processing 50 new client intakes per month, polling means 14,400 wasted API calls. Webhooks mean 50 meaningful notifications.

Before going live with webhooks:

• [ ] Use HTTPS only, never HTTP
• [ ] Verify webhook signatures or tokens on every request
• [ ] Validate payload structure before processing
• [ ] Sanitize all data before inserting into databases
• [ ] Rate limit webhook endpoints (max 100 requests per minute)
• [ ] Log all webhook activity with timestamps and payload samples
• [ ] Set up alerts for authentication failures
• [ ] Rotate shared secrets every 90 days
• [ ] Restrict webhook URLs to specific IP ranges when possible
• [ ] Never expose webhook URLs in public documentation

Webhooks aren't always the right choice:

Bidirectional Sync
If Application A and Application B both need to update each other, webhooks can create infinite loops. Use a dedicated integration platform or scheduled sync instead.

Large Data Transfers
Webhooks time out with payloads over 1MB. For bulk data (importing 10,000 contacts), use batch API endpoints or file transfers.

Guaranteed Delivery Requirements
Webhooks use "best effort" delivery. If your receiver is down for 6 hours, you might miss events. For critical data (financial transactions), use a message queue system with guaranteed delivery.

Complex Transformations
If you need to combine data from 5 different sources before taking action, webhooks get messy. Use an ETL tool or scheduled workflow instead.

Webhooks turn your software stack into a nervous system. Events in one application trigger instant reactions in others, without human intervention. For professional services firms, this means less time on data entry and more time on billable work.

Start with one high-volume, error-prone manual process. Client intake. Invoice generation. Document routing. Build a webhook automation for that single workflow. Measure the time saved. Then expand.

The firms winning on operational efficiency aren't using better software. They're using webhooks to make their existing software talk to each other.

What is a webhook in simple terms? A webhook is an automated message sent from one application to another when a specific event happens. When something occurs in Application A - a form is submitted, a payment clears, a document is signed - it immediately sends a JSON data package to a URL in Application B, which executes whatever logic you've programmed.

What is the difference between a webhook and an API? An API is a pull mechanism - your application requests data when it needs it. A webhook is a push mechanism - the other system sends data to you when an event occurs. API polling: hundreds of wasted calls checking 'anything new?' Webhooks: one notification per actual event.

How do I set up a webhook in n8n? Add a Webhook node as your workflow trigger. Set HTTP Method to POST and a path. Click 'Execute Node' to generate the webhook URL. In your source application, paste the URL and select which events should trigger it. Submit a test event - the n8n execution log will show the received payload.

What causes webhook failures and how do I fix them? Four common failures: (1) Timeout errors - respond within 30 seconds; process asynchronously for long-running workflows. (2) Duplicate webhooks - check for a unique event_id before processing. (3) Payload format changes - version your endpoints. (4) Authentication failures - verify you're using the correct shared secret and hashing algorithm (SHA256).