Webhook vs API: what breaks at 3am

Automation Engineering · By Caleb Sakala · March 31, 2026

Cartoon messenger pigeon crash-landing into a window at night while a phone operator sleeps

Every article comparing webhook vs API gives you the same answer. Webhooks push data when an event occurs. APIs pull data on request. Accurate, and also the least useful thing you can know when you are building an automation that needs to work on a Saturday with no one watching.

What matters is what breaks. Webhooks and APIs both fail, and they fail in ways that the comparison articles never cover.

The thirty-second version

An API call is a request your application makes to another service. Ask for data, get a response. Synchronous, controlled by the caller. If nothing changed since your last request, you burn a call and get back an empty response.

A webhook reverses this. You register a URL with a service, and that service POSTs to your URL when something happens. A payment completes, a form gets submitted. Your system stays idle until the event shows up.

That much is in every comparison article. Here is what they leave out.

Polling costs more than anyone admits

API polling (checking an endpoint on a timer to see if anything changed) is the default integration pattern because it is simple to build and reason about.

It is also wildly wasteful. Zapier published data from 30 million poll requests flowing through their platform and found that 98.5% returned no new data. Their system spent 66 times more resources on polling than webhook-based delivery would have required for the same events.

At small scale, nobody notices. But organizations running hundreds of workflows hit a wall fast. Wasted polls still eat compute and rate limit quota. Stripe enforces 100 requests per second in live mode, and a polling-heavy integration can exhaust that budget before any request carries new data.

Webhooks cut this entirely. No event, no traffic. Cost tracks activity instead of clock cycles.

Webhook delivery is unreliable, and the tutorials do not mention it

Here is the part that comparison guides skip. Anyone who has run webhook-based integrations in production knows the initial delivery failure rate sits between 10% and 20%. Networks drop packets. Servers restart during deployments. DNS hiccups. Mundane, constant.

Stripe's retry schedule shows the scale of the problem. When a webhook delivery fails, Stripe retries with exponential backoff over a window that stretches to 78 hours. Three full days of retries for a single payment event. If your automation depends on that webhook to trigger the next step, those three days are a silent failure that nobody catches until a customer complains.

This is where the "webhooks push, APIs pull" summary actively misleads. Production webhook infrastructure requires idempotency keys (to prevent duplicate processing when retries eventually succeed) and dead letter queues (to catch events that exhaust all retries). Skip either one, and you get corrupted data or lost events with no alert.

Signature verification: ten lines of code that most setups skip

When an API call fails authentication, you get a 401 and a clear error message. Straightforward.

Webhooks have a different problem. Your webhook URL is a publicly accessible HTTP endpoint. Anyone who discovers or guesses it can send fake events to your system. This is not a theoretical risk; Shopify found that merchants who skip signature verification are disproportionately represented in their fraud escalation queue.

HMAC signature verification fixes this. The sending service signs each payload with a shared secret, your endpoint recomputes and compares. About ten lines of code in any language. Yet most webhook setup tutorials, especially the quick-start guides inside automation platforms, do not cover it at all.

Here is the contrarian take: for most teams, the security gap in webhooks is a stronger reason to use API polling than the reliability gap. You can retry a failed webhook delivery. You cannot un-process a fraudulent event that looked legitimate because nobody verified the signature. If your automation triggers financial transactions or modifies customer records, polling with authentication is safer than an unverified webhook endpoint, even though every best-practice guide will tell you webhooks are the superior pattern.

Real workflows use both, and separating them is the wrong frame

According to the Postman 2025 State of APIs report, 63% of developers now use a combination of webhooks and REST APIs in their integration architectures, up from 41% two years prior.

Consider an accounts payable workflow. A webhook fires when a new invoice lands in a shared inbox. That webhook starts the process. But every step after that requires API calls: extracting line items and matching them against open purchase orders, then flagging discrepancies and posting the approved invoice to the accounting system. The webhook is the trigger; the APIs do the work.

When you set this up on Chase Agents, the invoice webhook triggers the first step, then four subsequent API actions run in sequence against the ERP, the approval system, and the GL. If no invoices arrive, nothing runs and nothing costs anything. When an invoice does arrive, the platform handles retry logic and error routing at the infrastructure level, so the person who built the workflow does not have to reimplement exception handling for every new automation they create. One finance team using this setup went from manually processing invoices in batches twice a week to continuous processing with fewer than 6% of invoices requiring manual intervention.

Choosing per step, not per workflow

Stop asking "webhook or API" for your project. Ask it for each step.

For triggering a workflow when something external happens: use a webhook. But invest in signature verification and idempotency before going to production. Those are not optional extras.

For reading or writing data in another system: use an API call. You get error codes and rate limit headers back, both of which matter when processing batches.

For monitoring a data source where no webhook exists: poll, but set the interval based on how stale the data can be before it causes a problem. Polling every 15 minutes for a dashboard that updates daily is burning money for no reason.

A customer support escalation workflow on Chase Agents shows this in practice. A webhook from the ticketing system catches new high-priority tickets, then two sequential API calls pull the customer's account history from the CRM and check the knowledge base for known issues matching the ticket category. Routing happens based on combined context from both lookups. If the webhook fails, the platform retries with backoff and logs the failure. If the CRM API returns a rate limit error, that step waits and retries without killing the rest of the workflow. Each step uses the pattern that fits its job.

If you take one thing from this post, skip the "which is better" framing entirely. Build the trigger with a webhook, do the work with API calls, verify signatures on every inbound event, and treat retry logic as infrastructure, not application code. The teams that get this wrong are not the ones who picked the wrong protocol. They are the ones who treated the decision as binary when every production workflow requires both.