Skip to main content

Best Practices

Follow these recommendations to build a reliable webhook integration.

1. Respond Quickly

Your webhook endpoint should respond with 200 OK as fast as possible. Process the event asynchronously if needed — for example, push it to a message queue and return immediately.

2. Always Verify Signatures

Never trust a webhook payload without verifying the X-EasyConfirm-Signature header. This prevents spoofed requests from being processed. See Signature Verification for implementation examples.

3. Handle Duplicate Events

In rare cases (e.g., network issues), you may receive the same event more than once. Use the data.id (order ID) and event combination to deduplicate.

const processedEvents = new Set();

function handleWebhook(payload) {
  const dedupeKey = `${payload.data.id}:${payload.event}`;

  if (processedEvents.has(dedupeKey)) {
    return; // Already processed
  }

  processedEvents.add(dedupeKey);
  // Process the event...
}

:::tip Production Deduplication In production, use a persistent store (Redis, database) instead of an in-memory Set to survive restarts. :::

4. Check Delivery Logs

If webhooks aren't arriving, check the Delivery Logs in the dashboard to see the HTTP status codes and error messages from your endpoint.

5. Keep Your Secret Safe

:::warning Security Checklist

  • Never expose your webhook secret in client-side code
  • Store it in environment variables or a secrets manager
  • If you suspect the secret is compromised, regenerate it from the dashboard immediately :::