Guides

Best practices

1. Asynchronous Processing

Always implement asynchronous processing for webhook event handling:

Your webhook endpoint should:

  1. Quickly validate the HMAC signature
  2. Verify the eventBatchId hasn't been processed before (idempotency)
  3. Immediately return 200 OK to SCALAR
  4. Queue events for background processing
  5. Process events asynchronously in a separate worker thread or service

Benefits:

  • Ensures SCALAR sees successful delivery
  • Prevents timeout failures
  • Enables robust error handling during processing
  • Allows retry of processing without re-delivery
  1. Idempotent Processing

Implement idempotent event processing to safely handle retries:

For each event batch:

  1. Store the eventBatchId in your database before processing
  2. Check if eventBatchId already exists before processing
  3. Skip processing if batch was already handled
  4. Return success response for duplicate batches

This ensures duplicate events (due to retries) don't create duplicate data in your system.

  1. HMAC Signature Validation

Always validate webhook signatures to ensure authenticity:

Validation steps:

  1. Extract the signature from the X-Webhook-Signature header

  2. Extract the signature algorithm (e.g., sha256)

  3. Create an HMAC-SHA256 hash of the request body using your webhook secret

  4. Compare the calculated hash with the provided signature

  5. Reject the request if signatures don't match

  6. Data Persistence Strategy

Implement reliable data persistence:

  • Store received events in your database with transaction support
  • Include eventBatchId, eventSubscriptionId, and timestamp
  • Implement database rollback on processing errors
  • Archive old events for auditing and compliance
  1. Batch Configuration

Optimize batch settings for your use case:

  • High-Volume Scenarios: Use max batch size (500) for throughput
  • Low-Latency Requirements: Set low linger time (100-500ms)
  • Balanced Approach: Batch size 250, linger time 1000-2000ms
  • Monitor and Adjust: Track batch sizes and adjust based on actual load patterns
  1. Custom Headers for Security

Use custom headers to enhance security and integration:

  • Add authorization tokens required by your internal systems
  • Include correlation IDs for request tracing
  • Add system identifiers for multi-tenant environments
  • Use headers instead of embedding credentials in URL
  1. Comprehensive Logging

Implement detailed logging for troubleshooting:

Log the following for each webhook request:

  • Timestamp of receipt
  • eventBatchId and eventSubscriptionId
  • Event count in batch
  • Processing status (success/failure)
  • Processing duration
  • Any errors encountered
  • Retry attempts (if applicable)

Keep logs for minimum 30 days for debugging and compliance.

  1. Monitoring and Alerting

Set up monitoring to track webhook health:

Monitor these metrics:

  • Delivery Success Rate: Percentage of batches delivered successfully
  • Processing Latency: Time from receipt to processing completion
  • Error Rate: Percentage of failed deliveries or processing errors
  • Batch Frequency: Events per minute being received
  • Subscription Status: Active vs. on-hold vs. inactive

Alert thresholds:

  • Success rate below 95%
  • Processing latency above 30 seconds
  • Error rate above 5%
  • Subscription status changes to on-hold

Updated about 2 hours ago