Free operator resource | no form or tracking

WEBHOOK RECOVERY CHECKLIST

Recover the event without repeating the damage.

Use this checklist when a webhook is missing, repeated, conflicting, or accepted by one system while its final outcome remains uncertain. It turns an incident into an evidence trail, a safe recovery decision, and an accountable handoff.

Evidence groups
6
Acceptance checks
12
Assumed vendor rules
0

START WITH THE CONTRACT

Write down how this sender actually delivers events.

Retry, retention, redelivery, ordering, signature, and delivery-log behavior are provider-specific. Do not recover from memory or from a different vendor's rules. Record the exact source, event types, endpoint version, stable delivery identity, signing method, retry policy, manual-redelivery path, and evidence-retention window.

Why the source contract matters

Stripe documents automatic retries and possible duplicate delivery. GitHub documents that failed deliveries are not automatically redelivered and that events can arrive out of order. A recovery runbook must name the real sender's behavior rather than assume one universal webhook model.

Primary references: Stripe webhook delivery behavior, GitHub failed-delivery handling, and GitHub delivery evidence.

01 / CAPTURE

Preserve six evidence groups before replay.

  1. 01
    Expected source event

    Business object, event type, source timestamp, and why the event should exist.

  2. 02
    Provider delivery

    Delivery or event ID, attempt times, response status, endpoint, and provider-visible error.

  3. 03
    Receiver decision

    Signature result, schema result, canonical event hash, duplicate/conflict decision, and committed state.

  4. 04
    Downstream effect

    Stable destination ID, write status, response or lookup evidence, and whether the outcome is certain.

  5. 05
    Retry history

    Attempt number, idempotency key, failure class, next decision, and terminal limit.

  6. 06
    Reconciliation set

    Expected source IDs versus committed receiver IDs for the bounded incident window.

Minimize retained data. Store identifiers, hashes, states, and timestamps when they are enough; do not copy credentials, full payloads, or personal fields into an incident report by default.

02 / CLASSIFY

Choose the recovery path from the last trusted state.

Observed stateWhat it provesSafe next question
Not present in sender logNo delivery attempt is evidenced.Was the expected source event created and subscribed?
Sent and rejectedThe receiver returned a failure or could not be reached.Is correction or bounded redelivery supported?
Accepted, not committedTransport succeeded but durable processing is absent.Can the event be re-enqueued with the same identity?
Committed, downstream uncertainThe receiver intended a write but lacks a trusted acknowledgement.Can the destination be queried before any repeat?
Exact duplicateThe same event identity and canonical content already exist.Can it return the recorded outcome without another effect?
Identity conflictThe same event ID carries different canonical content.Who owns the conflict decision and source correction?
Missing in reconciliationThe expected source set exceeds the committed receiver set.Which exact missing IDs are authorized for recovery?

03 / RECOVER

Make replay use the same controls as first delivery.

  • Pause unbounded retries and preserve the incident window.
  • Verify the sender signature against the exact received bytes before parsing.
  • Use one stable event identity and canonical content hash across every attempt.
  • Check the destination by stable business ID when a prior effect is uncertain.
  • Commit durable processing intent before dispatching the downstream action.
  • Replay only the exact authorized missing or failed events.
  • Keep conflict and invalid-input paths out of automatic retry.
  • Cap attempts and move exhausted work to a visible terminal state.
  • Reconcile the source and receiver sets again after recovery.

04 / ACCEPTANCE GATE

Twelve checks before closing the incident.

  • The accountable system owner confirms the recovery scope.
  • The sender, subscription, event type, and endpoint version are identified.
  • The signature-verification rule and raw-byte boundary are documented.
  • Every expected event has a stable source identity.
  • Exact replay and conflicting replay produce different controlled outcomes.
  • Retryable, invalid, conflict, review, and terminal states are distinguishable.
  • The attempt budget is finite and visible.
  • An ambiguous downstream write is queried before it is repeated.
  • Recovery uses the same idempotency key as the original event.
  • Reconciliation proves no expected event remains missing.
  • Logs and handoff evidence exclude unnecessary secrets and personal data.
  • The operator has a tested runbook for the next occurrence.

HONEST LIMITS

A checklist cannot supply authority or production evidence.

This resource is general engineering guidance, not client work, a vendor-specific implementation, a security assessment, legal advice, or proof that a production incident is resolved. Real recovery still requires authorized access, the actual provider contract, client-owned data and retention decisions, an accountable release owner, backups where relevant, and environment-specific tests.

NEED TO RECOVER A REAL WORKFLOW?

Start with evidence, not another blind retry.

Automation Rescue begins with one authorized failure path, sanitized evidence, and an accountable owner for every production decision.

Explore automation rescue Inspect the recovery lab Read the failure-recovery field note