This page provides essential security and implementation best practices for webhook endpoints. Following these recommendations will help you build secure, reliable webhook integrations that handle transaction events properly and protect against common vulnerabilities.

Security Best Practices

Implement these security measures to protect your webhook endpoints:
HTTP connections are unencrypted and vulnerable to man-in-the-middle attacks. HTTPS ensures data transmitted between Tonder and your endpoint remains secure and tamper-proof.
Configure authentication (BEARER, API_TOKEN, or BASIC_AUTH) when creating your webhook to prevent unauthorized requests from malicious actors attempting to trigger false events in your system.
Check that required fields are present and contain expected data types before processing webhook events to prevent errors from malformed or unexpected payloads.

Implementation Best Practices

Follow these implementation guidelines for reliable webhook processing:
Tonder has a 30-second timeout for webhook responses. Return a success status immediately upon receiving the webhook, then process the actual business logic (like updating databases or sending emails) in the background to avoid timeouts.
Store processed event IDs temporarily (24-48 hours) and check against this list before processing new events. Tonder’s retry mechanism may send the same event multiple times if your endpoint is temporarily unavailable.
Log the full webhook payload, processing status, and any errors to help troubleshoot issues. Include timestamps and event IDs to correlate webhook events with your application’s business logic.
Wrap webhook processing in try-catch blocks and handle errors gracefully. A failed webhook should not bring down your entire application or prevent other webhooks from being processed.

Next Steps

After implementing webhook best practices: