Webhooks: Signing, Replays, and Operator UX

Overview

Webhook integrations fail in boring ways: duplicate POSTs, stale signatures, or DLQs nobody monitors. You will implement HMAC verification with tolerant clock skew, idempotent handlers with dedupe keys, and replay tooling that support engineers can drive without SSH access.

What you practice

• Signature verification harness with fuzzed payloads
• Idempotency key storage patterns for Postgres
• DLQ inspection UI stub your team can extend
• Consumer backoff that cooperates with provider hints
• Structured logs for forensic timelines
• Playbook for pausing a noisy endpoint safely

Outcomes

• Ship a webhook consumer that passes a chaos replay suite
• Author a support-facing replay guide with screenshots
• Instrument delivery latency percentiles for vendors