Webhook delivery, retries, and dead letter queues: a practical playbook

Webhooks look simple until partners slow down, TLS middleboxes break handshakes, and your workers retry the same non-idempotent side effect fifty times. The difference between a healthy integration fabric and a pager factory is explicit state machines, not hope.

Start with delivery semantics you can document: at-least-once is the common default. That forces consumers to deduplicate using event IDs you stamp at enqueue time, not only at HTTP success.

Signing payloads protects integrity but rotates poorly if you forget overlapping key windows. Publish two active signing keys during rotation and reject only after dependents confirm pickup of the new secret.

Backoff should use jitter on top of exponential delay. Synchronized retries across shards recreate the thundering herd you thought you solved.

Poison messages belong in a dead letter topic with structured failure reasons: HTTP status, truncated body, timeout flag. Operators need search, not raw logs.

Partial success is the subtle failure mode. If your handler wrote to the database then crashed before acknowledging the queue message, your idempotency layer must recognize the duplicate and short-circuit safely.

Observability should chart attempt histograms, age of oldest undelivered message, and consumer lag for each tenant tier. Sudden lag often precedes certificate expiry or DNS cutovers.

Contract testing with sandbox endpoints catches schema drift before production. Version webhooks in the path or header and sunset old versions with published timelines.