APIs · Advanced · Hybrid
Webhook Design and Verification
Signature schemes, replay windows, and operational playbooks for inbound HTTP callbacks.
Webhooks fail at 2 a.m. We emphasize observability, signature verification, and honest retry docs; money-moving material is optional reading only.
Duration: 3 weeks
Tuition (informational): 7,400,000 VND
Final quotes come from admissions. See Money-Back Policy for eligibility.
What ships in the syllabus
- HMAC verification lab with clock skew
- Idempotent handler template for retries
- DLQ pattern sketch for poison events
- Replay attack table-top exercise
- Consumer documentation checklist
- Dashboards for webhook health metrics
- Mentor review of your signing code
Outcomes we actually assess
- Implement verification with documented skew tolerance
- Author a consumer-facing retry policy paragraph
- Run a table-top replay scenario with cohort notes
Minh Vo
API reviewer for payment integrations; publishes internal RFC templates.
FAQ — including what we skip
Specific vendors?
We anonymize patterns; bring your vendor docs for office hours.
PCI scope?
We do not provide compliance sign-off—technical controls only.
Limitation?
No mobile push notification vendors.
Experience notes
“Clock skew lab reproduced Stripe's warnings verbatim.”
“DLQ sketch changed how we talk to support about retries.”