Best Practices

Responding to webhooks

Quick acknowledgment

Respond with a 2xx status quickly, preferably within a few seconds. Extend times out after 30 seconds.

1 import { ExtendClient } from "extend-ai";
2 
3 const client = new ExtendClient({ token: "YOUR_API_KEY" });
4 
5 app.post('/webhook', async (req, res) => {
6   try {
7     const event = client.webhooks.verifyAndParse(
8       req.body.toString(),
9       req.headers,
10       "wss_your_signing_secret"
11     );
12     
13     // Queue the event for async processing, then respond immediately
14     await messageQueue.send({
15       type: 'webhook-event',
16       payload: event
17     });
18     
19     res.status(200).send('OK');
20   } catch (err) {
21     if (err.name === "WebhookSignatureVerificationError") {
22       return res.status(401).send('Invalid signature');
23     }
24     res.status(500).send('Internal server error');
25   }
26 });

Asynchronous processing

Queue tasks that are slow, depend on external services, or may need retries.

1 import { ExtendClient } from "extend-ai";
2 
3 const client = new ExtendClient({ token: "YOUR_API_KEY" });
4 
5 // ❌ Bad: Synchronous work can cause timeouts and duplicates
6 app.post('/webhook', async (req, res) => {
7   const event = client.webhooks.verifyAndParse(req.body.toString(), req.headers, secret);
8   
9   await sendToMultipleAPIs(event.payload);
10   await generatePDFReport(event.payload);
11   await enrichDataFromThirdParty(event.payload);
12   await sendEmailNotifications(event.payload);
13   
14   res.status(200).send('OK');
15 });
16 
17 // ✅ Good: Enqueue then respond
18 app.post('/webhook', async (req, res) => {
19   try {
20     const event = client.webhooks.verifyAndParse(
21       req.body.toString(),
22       req.headers,
23       "wss_your_signing_secret"
24     );
25     
26     await jobQueue.add('process-webhook', event);
27     res.status(200).send('OK');
28   } catch (err) {
29     if (err.name === "WebhookSignatureVerificationError") {
30       return res.status(401).send('Invalid signature');
31     }
32     res.status(500).send('Internal server error');
33   }
34 });

Handling duplicates and retries

Idempotency with event IDs

Extend tries to minimize duplicate requests, but occasionally they are unavoidable. If your side effects are not idempotent, you can use the eventId (e.g., event_abc123) to avoid processing the same event multiple times.

1 async function processWebhook(event) {
2   const eventId = event.eventId;
3 
4   // Check if already processed
5   if (await redis.get(`processed:${eventId}`)) return;
6 
7   // Process the event
8   await handleEvent(event);
9 
10   // Mark as processed (expire after 7 days)
11   await redis.setex(`processed:${eventId}`, 86400 * 7, 'true');
12 }

Error handling and reliability

Retry strategy

Extend retries failed or timed-out (30 s) requests with exponential backoff:

1 import { ExtendClient } from "extend-ai";
2 
3 const client = new ExtendClient({ token: "YOUR_API_KEY" });
4 
5 app.post('/webhook', async (req, res) => {
6   try {
7     const event = client.webhooks.verifyAndParse(
8       req.body.toString(),
9       req.headers,
10       "wss_your_signing_secret"
11     );
12 
13     const queued = await messageQueue.send(event);
14     if (!queued.success) {
15       // Return 503 to trigger a retry from Extend
16       return res.status(503).send('Service temporarily unavailable');
17     }
18 
19     res.status(200).send('OK');
20   } catch (err) {
21     if (err.name === "WebhookSignatureVerificationError") {
22       return res.status(401).send('Invalid signature');
23     }
24     res.status(500).send('Internal server error');
25   }
26 });

Security considerations

Always verify signatures

Always verify the webhook signature using the SDK’s verifyAndParse() or verify_and_parse() method. This ensures:

The request actually came from Extend
The payload hasn’t been tampered with
The request is recent (protects against replay attacks)

See the signature verification guide for more details.