Best Practices

Tips and recommendations for getting the most out of HookReplay in your webhook development workflow.

Organization

Use descriptive names

Name your workspaces and endpoints clearly so you can quickly identify them:

Good Examples 
Workspace: "E-commerce App - Development"
├── Endpoint: "Stripe Payments"
├── Endpoint: "Shopify Orders"
└── Endpoint: "SendGrid Email Events"

Workspace: "E-commerce App - Staging"
├── Endpoint: "Stripe Payments"
└── Endpoint: "Shopify Orders"

Separate by environment

Create different workspaces for development, staging, and production testing. This keeps your webhook data organized and makes it easy to find relevant requests.

One endpoint per webhook source

Create separate endpoints for each service sending webhooks (Stripe, GitHub, etc.). This makes it easier to filter and find specific webhooks.

Local Development Workflow

Configure your webhook provider once

Set your HookReplay URL as the webhook destination in your external service's settings.

Start the CLI before coding

Run hookreplay and use connect at the start of your development session.

Trigger webhooks naturally

Perform actions in the external service (make a payment, create an issue, etc.) to generate real webhooks.

Debug and iterate

Replay the same webhook multiple times while debugging your handler. No need to trigger new events.

Interactive CLI

The HookReplay CLI is interactive, so run it in a separate terminal window alongside your development server. Configure once with config api-key, then just connect each session.

Testing Strategies

Capture real webhooks first

Start by capturing real webhooks from your external services. These become your test fixtures for local development.

Create variations

Use the request editor to create variations of real webhooks:

  • Change event types (e.g., payment.succeededpayment.failed)
  • Modify amounts or quantities to test edge cases
  • Add or remove fields to test validation
  • Send malformed data to test error handling

Save these as versions with descriptive comments for future use.

Test failure scenarios

Don't just test the happy path. Create test cases for:

  • Duplicate webhook delivery (same event ID)
  • Out-of-order events
  • Missing required fields
  • Invalid signatures (if applicable)

Webhook Handler Best Practices

Return 200 quickly

Webhook providers often have short timeout windows (5-30 seconds). Return a 200 OK immediately and process the webhook asynchronously if needed.

Node.js Example 
app.post('/webhook', async (req, res) => {
  // Return 200 immediately
  res.status(200).json({ received: true });

  // Process asynchronously
  processWebhook(req.body).catch(console.error);
});

Handle duplicates (idempotency)

Webhook providers may retry delivery, sending the same event multiple times. Always check if you've already processed an event before taking action.

Idempotency Check 
async function processWebhook(event) {
  // Check if already processed
  const exists = await db.processedEvents.findOne({ eventId: event.id });
  if (exists) {
    console.log(`Event ${event.id} already processed, skipping`);
    return;
  }

  // Process the event
  await handleEvent(event);

  // Mark as processed
  await db.processedEvents.create({ eventId: event.id });
}

Verify webhook signatures

In production, always verify webhook signatures to ensure requests come from the expected source. Most providers include a signature header you can validate.

Testing Signatures

HookReplay preserves original headers including signatures. You can still verify signatures during replay testing.

Log everything

Log incoming webhooks and processing results. This makes debugging much easier when something goes wrong.

Logging Example 
app.post('/webhook', (req, res) => {
  console.log('Webhook received:', {
    type: req.body.type,
    id: req.body.id,
    timestamp: new Date().toISOString()
  });

  // ... process webhook

  console.log('Webhook processed:', { id: req.body.id, status: 'success' });
});

Security

  • Keep API keys secure: Use environment variables, never commit keys to git
  • Use HTTPS: Always use HTTPS URLs for webhook endpoints (HookReplay enforces this)
  • Validate input: Never trust webhook data blindly - validate and sanitize
  • Limit permissions: Your webhook handler should have minimal database/service permissions

Common Pitfalls

Blocking on processing

Don't do heavy processing before returning 200. Use async queues instead.

No idempotency

Processing the same webhook twice can cause duplicate orders, charges, etc.

Missing error handling

Unhandled errors can cause webhook failures and cascade issues.

Assuming order

Webhooks can arrive out of order. Don't assume event A arrives before event B.