Webhooks are HTTP callbacks that an external system makes to your endpoint when an event happens. To receive them in Salesforce, expose an Apex REST endpoint.
```apex
@RestResource(urlMapping='/webhooks/stripe/*')
global without sharing class StripeWebhookHandler {
    @HttpPost
    global static String doPost() {
        RestRequest req = RestContext.request;
        // Keep the raw body: the signature is computed over this exact string
        String body = req.requestBody.toString();
        String signature = req.headers.get('Stripe-Signature');

        // Reject the request before parsing if the signature does not verify
        if (!verifySignature(body, signature)) {
            RestContext.response.statusCode = 401;
            return 'Invalid signature';
        }

        Map<String,Object> payload = (Map<String,Object>) JSON.deserializeUntyped(body);
        String eventType = (String) payload.get('type');
        // Process payload, write to Salesforce
        return 'OK';
    }
}
```
Endpoint URL: https://yourorg.my.salesforce.com/services/apexrest/webhooks/stripe/.
Authentication options:
- OAuth bearer token (sender authenticates as a Salesforce user).
- Webhook signature (sender includes HMAC of payload using shared secret; you verify).
- IP allowlisting on the Salesforce side.
Security:
- Always verify signatures for webhooks from third-party services.
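- Declare the class `without sharing` so the system user can write regardless of who is "calling". Because this bypasses the caller's record-level sharing rules, nothing should be written before the signature check passes.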
- Idempotency — webhooks may retry on failure; use idempotency keys to avoid double-processing.
- Rate limiting awareness — high-volume webhooks can blow your daily API limit.
Async pattern: receive the webhook, immediately enqueue a Queueable for processing, return 200 OK fast. Slow processing during the webhook call means timeouts and retries from the sender.
