
Webhooks: When Software Calls You

Every door so far works in one direction: you knock, the system answers. But some of the most important things in software are events you cannot predict. Webhooks flip the direction — instead of you calling the server, the server calls you.


Every door so far had you calling the software. A webhook flips it: the software calls you, the moment something happens.

By the end of this lesson

You'll understand why polling wastes calls and arrives late, how a webhook fixes both, why it makes you the server for a moment, and the one security step you must never skip.

Say you want to know the instant a customer pays. Without webhooks, you poll: you ask the payment service “any new payments?” on a schedule, say once a minute. Almost every one of those asks comes back with nothing, and the one that matters is late — by however long your interval happens to be. You're doing a lot of work to mostly hear “no.” The difference is easiest to see on a clock:

[Figure: two timelines. Polling: ask and ask, mostly nothing; payment caught late. Webhook: one call, exactly on the event; it calls you, now.]
Polling burns calls and still arrives late. A webhook is a single message, exactly on the event.

With a webhook you register a URL once. When the payment lands, the service sends an HTTP POST to your URL with the event in the body. No wasted calls, no delay. Notice what's happened to the roles from the API lesson: for that one moment, you are the server and the payment service is the client. The whole relationship flipped.

The one step you must never skip

Because your webhook URL is public, anyone could POST to it — including someone forging a “payment succeeded” event you never received. So real providers sign their webhooks. GitHub sends an X-Hub-Signature-256 header; Stripe sends a Stripe-Signature. Each is a cryptographic stamp only the real sender could produce. You verify that signature before trusting a single byte of the payload — skip it, and you'll eventually act on a forged event.
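
The check described above, written out as an added example (not code from this lesson or from GitHub). GitHub's X-Hub-Signature-256 value is "sha256=" followed by the hex HMAC-SHA256 of the raw request body, keyed with the webhook secret you configured; the secret, payload and function names below are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values; a real secret comes from the provider's webhook
# settings and is kept out of source code.
SECRET = b"example-webhook-secret"
RAW_BODY = b'{"event":"payment.succeeded","amount":4200}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Header value the sender attaches: 'sha256=<hex HMAC of the body>'."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header: Optional[str]) -> bool:
    """True only if the header matches an HMAC over the exact bytes received."""
    if not header or not header.startswith("sha256="):
        return False  # missing or malformed header: reject, never fall through
    expected = sign(secret, raw_body)
    # compare_digest runs in constant time, so timing does not leak the digest.
    return hmac.compare_digest(expected.encode(), header.encode())


def handle_delivery(secret: bytes, raw_body: bytes, headers: dict) -> Optional[dict]:
    """Verify first, parse second. Returns the event, or None if rejected."""
    # headers is a plain dict here; a web framework would give a
    # case-insensitive mapping.
    if not verify_signature(secret, raw_body, headers.get("X-Hub-Signature-256")):
        return None  # caller answers with an error status and does nothing else
    return json.loads(raw_body)
```

Verify over the bytes exactly as they arrived: parsing the JSON and re-serializing it changes the bytes, and the signature no longer matches.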

Don't keep asking. Let the world tell you when it changes.

Why this matters next

Webhooks are the heartbeat of event-driven automation — the trigger that starts a pipeline the instant the world changes. A payment arrives, a webhook fires, and a whole sequence runs without anyone watching. That's exactly where the Automation & Agents course picks up.

Sources — GitHub webhooks documentation (delivery and the X-Hub-Signature-256 header); Stripe webhooks (event POSTs and Stripe-Signature).
