For a broader look at how webhooks fit into deep linking workflows, see the webhooks and integrations overview<\/a>.<\/p>\n\n\n\n Almost every webhook issue falls into one of four buckets:<\/p>\n\n\n\n Knowing which category you are dealing with cuts your debugging time significantly. The Tolinku dashboard's delivery log<\/a> shows the HTTP status code and response time for every delivery attempt, which tells you immediately whether the problem is on the network side (category 1), in your application logic (categories 2-3), or a performance issue (category 4).<\/p>\n\n\n\n The biggest obstacle to debugging webhooks is that you cannot receive them on ngrok<\/a> is the most widely used option. Install it, then run:<\/p>\n\n\n\n This gives you a public URL like ngrok also provides a local inspection UI at Webhook.site<\/a> gives you a temporary public URL that logs incoming requests. It is useful when you want to inspect raw payloads without writing any code. You can see the exact headers, body, and timing of each delivery. The limitation is that it does not forward to your local server, so it is better for inspection than for end-to-end testing.<\/p>\n\n\n\n Cloudflare Tunnel<\/a> provides a free tunnel option that works well for longer-lived development environments. localtunnel<\/a> is an open-source alternative if you want to avoid creating accounts.<\/p>\n\n\n\n Whichever tool you use, the workflow is the same: start your local server, create a tunnel, register the tunnel URL in your Tolinku Appspace's webhook settings<\/a>, and trigger test events.<\/p>\n\n\n\n Before debugging with real events, use Tolinku's test delivery feature. In the webhooks page of your Appspace dashboard, each endpoint has a "Send Test" option. This sends a sample payload to your endpoint and reports the result immediately.<\/p>\n\n\n\n Test deliveries are valuable for two reasons. First, they confirm basic connectivity: can the platform reach your endpoint at all? Second, they provide a known-good payload. If your handler works with a test delivery but fails on real events, the problem is in your event-specific processing logic, not in the plumbing.<\/p>\n\n\n\n If a test delivery fails, check the delivery log for the HTTP status code. A Signature verification is where most webhook debugging happens. Tolinku signs every webhook delivery using HMAC-SHA256 over the raw request body. The signature is sent in the Here is a correct verification implementation:<\/p>\n\n\n\n The most common cause of signature failures is body parsing<\/strong>. If you use The fix is to capture the raw body during parsing:<\/p>\n\n\n\n Other common signature issues:<\/p>\n\n\n\n When you are stuck, log both the expected and received signatures (in a development environment only) to see whether they are completely different (wrong secret or wrong payload) or just slightly off (encoding issue).<\/p>\n\n\n\n Once the signature is valid, the next failure point is your handler logic. These errors are usually straightforward but can be tricky to reproduce because they depend on specific event types or data shapes.<\/p>\n\n\n\n A defensive handler pattern:<\/p>\n\n\n\n Key patterns in this code:<\/p>\n\n\n\n Common parsing problems include assuming a field exists when it is optional, treating numbers as strings (or vice versa), and hardcoding event types without a default case.<\/p>\n\n\n\n Most webhook platforms expect a response within 5 to 30 seconds. If your handler does heavy processing (database writes, external API calls, image processing), you can easily exceed that window.<\/p>\n\n\n\n The solution is always the same: acknowledge receipt immediately and process the event asynchronously. In Node.js, you can use a simple queue:<\/p>\n\n\n\n For production systems, replace the in-memory queue with something durable like BullMQ<\/a> (backed by Redis), a database-backed job queue, or a message broker. The point is to decouple receipt from processing so that delivery never times out.<\/p>\n\n\n\n Generic logging tells you something went wrong. Good webhook logging tells you exactly what went wrong and with which delivery.<\/p>\n\n\n\n Log these fields on every webhook receipt:<\/p>\n\n\n\n Structured JSON logs are critical here. If you are running in production with a log aggregation service (Datadog, Grafana Loki, AWS CloudWatch), structured logs let you filter by event type, search by delivery ID, and correlate webhook receipts with downstream processing errors.<\/p>\n\n\n\n Log again after processing completes (or fails):<\/p>\n\n\n\n With both log entries, you can quickly answer questions like: "Did we receive the delivery?" and "Did we successfully process it?" These are different questions with different answers, and conflating them is a common debugging pitfall.<\/p>\n\n\n\n Logging helps you investigate problems after they occur. Monitoring helps you catch them as they happen.<\/p>\n\n\n\n Track these metrics:<\/p>\n\n\n\n Set alerts on the delivery success rate. If it drops below 95% for more than a few minutes, something needs attention. The Tolinku dashboard's webhook delivery log shows failed deliveries from the platform's perspective, but your own monitoring catches failures that happen after the When a webhook is not working, run through this checklist in order:<\/p>\n\n\n\n Work through this list from top to bottom. Most issues resolve within the first three or four items.<\/p>\n\n\n\n Debugging webhooks is fundamentally different from debugging a standard API integration. You do not control the request, you cannot easily reproduce it, and failures can be silent. The combination of good local tooling (tunnels and test deliveries), structured logging, and proactive monitoring turns webhook debugging from a guessing game into a systematic process.<\/p>\n\n\n\n Start by using ngrok<\/a> or Webhook.site<\/a> during development. Use Tolinku's test delivery feature<\/a> to verify connectivity and signature verification. Add structured logs that track both receipt and processing. And set up monitoring so you catch failures before your downstream systems go stale.<\/p>\n\n\n\n For more on setting up webhook endpoints from scratch, see the webhook setup guide<\/a>. For a broader look at building integrations around deep link events, see the webhooks and integrations overview<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" A practical guide to debugging webhook delivery failures, signature mismatches, payload parsing errors, and timeouts. Covers local development tunnels, logging strategies, and monitoring.<\/p>\n","protected":false},"author":2,"featured_media":1127,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"Debugging Webhooks: Tools and Techniques for 2026","rank_math_description":"Practical guide to debugging webhook delivery failures, signature mismatches, payload parsing errors, and timeouts. Covers ngrok, logging, and monitoring.","rank_math_focus_keyword":"debugging webhooks","rank_math_canonical_url":"","rank_math_facebook_title":"","rank_math_facebook_description":"","rank_math_facebook_image":"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/og-webhook-debugging.png","rank_math_facebook_image_id":"","rank_math_twitter_title":"","rank_math_twitter_description":"","rank_math_twitter_image":"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/og-webhook-debugging.png","footnotes":""},"categories":[15],"tags":[62,74,20,264,263,274,275,80,61],"class_list":["post-1128","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-engineering","tag-api","tag-debugging","tag-deep-linking","tag-engineering","tag-integrations","tag-monitoring","tag-node-js","tag-testing","tag-webhooks"],"_links":{"self":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/1128","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/comments?post=1128"}],"version-history":[{"count":4,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/1128\/revisions"}],"predecessor-version":[{"id":2253,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/1128\/revisions\/2253"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/media\/1127"}],"wp:attachment":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/media?parent=1128"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/categories?post=1128"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/tags?post=1128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"Tolinku](\"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/platform-webhooks.png\")
\nThe webhooks page with create form, webhook list, and delivery log.<\/em><\/p>\n\n\n\nThe Four Categories of Webhook Failures<\/h2>\n\n\n\n
\n
Setting Up Local Development<\/h2>\n\n\n\n
localhost<\/code>. The sending platform needs a publicly reachable URL. There are several tools that solve this by creating tunnels from the public internet to your local machine.<\/p>\n\n\n\nngrok<\/h3>\n\n\n\n
ngrok http 3000\n<\/code><\/pre>\n\n\n\nhttps:\/\/abc123.ngrok-free.app<\/code> that forwards to your local port 3000. Copy that URL into the Tolinku dashboard as your webhook endpoint.<\/p>\n\n\n\nhttp:\/\/127.0.0.1:4040<\/code> where you can see every request, replay failed deliveries, and inspect headers and bodies. This inspection interface alone makes it worth using during development.<\/p>\n\n\n\nWebhook.site<\/h3>\n\n\n\n
Other Tunnel Options<\/h3>\n\n\n\n
Using Test Deliveries<\/h2>\n\n\n\n
000<\/code> or connection error means the platform could not reach your URL. A 4xx<\/code> or 5xx<\/code> means your server received the request but responded with an error.<\/p>\n\n\n\nDebugging Signature Mismatches<\/h2>\n\n\n\n
X-Webhook-Signature<\/code> header, and the event type is in the X-Webhook-Event<\/code> header.<\/p>\n\n\n\nconst crypto = require('crypto');\n\nfunction verifyWebhookSignature(req, secret) {\n const signature = req.headers['x-webhook-signature'];\n\n if (!signature) {\n return false;\n }\n\n \/\/ Sign the raw request body (not parsed JSON)\n const expected = crypto\n .createHmac('sha256', secret)\n .update(req.body) \/\/ req.body is a Buffer from express.raw()\n .digest('hex');\n\n const sig = Buffer.from(signature, 'hex');\n const exp = Buffer.from(expected, 'hex');\n\n if (sig.length !== exp.length) return false;\n\n return crypto.timingSafeEqual(sig, exp\n );\n}\n<\/code><\/pre>\n\n\n\nexpress.json()<\/code> before your webhook route, Express parses the body into a JavaScript object, and the raw bytes are gone. The HMAC is computed over the raw request body, so you need to preserve it.<\/p>\n\n\n\napp.use('\/webhooks', express.json({\n verify: (req, res, buf) => {\n req.rawBody = buf.toString('utf-8');\n }\n}));\n<\/code><\/pre>\n\n\n\n\n
tolk_sec_<\/code> or tolk_pub_<\/code>). The signing secret is specific to each webhook endpoint.<\/li>\ntimestamp.body<\/code>, not just body<\/code>. If you forget to prepend the timestamp, the HMAC will not match.<\/li>\n<\/ul>\n\n\n\nDebugging Payload Parsing Errors<\/h2>\n\n\n\n
app.post('\/webhooks\/tolinku', (req, res) => {\n \/\/ Respond immediately to avoid timeout\n res.status(200).json({ received: true });\n\n try {\n const { event, timestamp, data } = JSON.parse(req.body.toString());\n\n if (!event || !data) {\n console.error('Malformed webhook payload:', JSON.stringify(req.body));\n return;\n }\n\n switch (event) {\n case 'link.clicked':\n handleLinkClicked(data);\n break;\n case 'deferred_link.claimed':\n handleLinkOpened(data);\n break;\n case 'install.tracked':\n handleLinkInstalled(data);\n break;\n case 'referral.created':\n handleLinkConverted(data);\n break;\n case 'referral.completed':\n handleLinkReferred(data);\n break;\n default:\n handleCustomEvent(data);\n break;\n default:\n console.warn(`Unhandled webhook event type: ${event}`);\n }\n } catch (err) {\n console.error('Webhook processing error:', err);\n }\n});\n<\/code><\/pre>\n\n\n\n\n
200<\/code> immediately, then process asynchronously. This prevents timeouts even if your handler logic is slow.<\/li>\nevent<\/code> and data<\/code> exist before switching on the event type.<\/li>\nDebugging Timeouts<\/h2>\n\n\n\n
const eventQueue = [];\n\napp.post('\/webhooks\/tolinku', (req, res) => {\n res.status(200).json({ received: true });\n eventQueue.push(req.body);\n});\n\n\/\/ Process events in the background\nsetInterval(() => {\n while (eventQueue.length > 0) {\n const event = eventQueue.shift();\n processEvent(event).catch(err => {\n console.error('Failed to process event:', err);\n });\n }\n}, 100);\n<\/code><\/pre>\n\n\n\nLogging Strategies That Help<\/h2>\n\n\n\n
function logWebhookReceipt(payload) {\n console.log(JSON.stringify({\n type: 'webhook_received',\n event: payload.event,\n event_timestamp: payload.timestamp,\n status: 'received',\n received_at: new Date().toISOString()\n }));\n}\n<\/code><\/pre>\n\n\n\nfunction logWebhookProcessed(deliveryId, event, success, error) {\n console.log(JSON.stringify({\n type: 'webhook_processed',\n delivery_id: deliveryId,\n event: event,\n status: success ? 'success' : 'failed',\n error: error ? error.message : null,\n processed_at: new Date().toISOString()\n }));\n}\n<\/code><\/pre>\n\n\n\nMonitoring and Alerting<\/h2>\n\n\n\n
\n
200<\/code> response. A sudden drop means something is broken.<\/li>\n200<\/code> before processing.<\/li>\n200<\/code> response.<\/p>\n\n\n\nA Debugging Checklist<\/h2>\n\n\n\n
\n
id<\/code> field.<\/li>\n<\/ol>\n\n\n\nWrapping Up<\/h2>\n\n\n\n