Webhooks are inherently event-driven: nothing happens until an event arrives. Serverless functions match this pattern perfectly.<\/p>\n\n\n\n The tradeoff is cold starts and execution time limits. For webhook receivers that verify a signature, parse a payload, and forward to a queue or database, the execution time is well within limits (typically under 1 second).<\/p>\n\n\n\n The most common serverless webhook setup. API Gateway provides the HTTPS endpoint; Lambda runs the handler.<\/p>\n\n\n\n After deployment, SAM outputs the API Gateway URL. Use that as your webhook endpoint in Tolinku.<\/p>\n\n\n\n Cloud Functions offer a simpler deployment model than Lambda (no API Gateway configuration needed).<\/p>\n\n\n\n The output includes the function's URL. Use it as your Tolinku webhook endpoint.<\/p>\n\n\n\n Workers run at the edge, close to users. They have no cold starts (always warm) and a generous free tier (100,000 requests\/day).<\/p>\n\n\n\n Configure the secret:<\/p>\n\n\n\n In all three platforms, the recommended pattern is: verify the signature, respond 200, and forward the event to a queue for processing. This keeps the function execution time short and decouples ingestion from processing.<\/p>\n\n\n\n For 10,000 webhook events per day (a moderate volume):<\/p>\n\n\n\n![\"Tolinku](\"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/platform-webhooks.png\")
\nThe webhooks page with create form, webhook list, and delivery log.<\/em><\/p>\n\n\n\nWhy Serverless for Webhooks?<\/h2>\n\n\n\n
\n\n
\n Concern<\/th>\n Traditional Server<\/th>\n Serverless<\/th>\n<\/tr>\n<\/thead>\n \n Idle cost<\/td>\n Running 24\/7 regardless of traffic<\/td>\n Zero cost when no events<\/td>\n<\/tr>\n \n Scaling<\/td>\n Manual or auto-scaling with lag<\/td>\n Instant per-request scaling<\/td>\n<\/tr>\n \n Ops burden<\/td>\n OS patches, runtime updates, monitoring<\/td>\n Managed by the platform<\/td>\n<\/tr>\n \n Cold starts<\/td>\n None (always running)<\/td>\n 100-500ms on first invocation<\/td>\n<\/tr>\n \n Long-running tasks<\/td>\n Supported<\/td>\n Limited (Lambda: 15 min max)<\/td>\n<\/tr>\n<\/tbody><\/table><\/figure>\n\n\n\n AWS Lambda + API Gateway<\/h2>\n\n\n\n
Handler Code<\/h3>\n\n\n\n
\/\/ handler.ts\nimport crypto from 'crypto';\n\nconst WEBHOOK_SECRET = process.env.WEBHOOK_SECRET!;\n\nexport async function handler(event: any) {\n const body = event.body;\n const isBase64 = event.isBase64Encoded;\n const rawBody = isBase64 ? Buffer.from(body, 'base64') : Buffer.from(body);\n\n \/\/ Verify signature\n const signature = event.headers['x-webhook-signature'];\n const expected = crypto\n .createHmac('sha256', WEBHOOK_SECRET)\n .update(rawBody)\n .digest('hex');\n\n if (signature !== expected) {\n return { statusCode: 401, body: 'Invalid signature' };\n }\n\n const webhookEvent = JSON.parse(rawBody.toString());\n\n \/\/ Process the event\n await processEvent(webhookEvent);\n\n return { statusCode: 200, body: 'OK' };\n}\n\nasync function processEvent(event: any) {\n const { event: eventType, timestamp, data } = event;\n console.log(JSON.stringify({ eventType, timestamp, data }));\n\n \/\/ Forward to SQS, DynamoDB, or another service\n \/\/ Example: write to DynamoDB\n \/\/ await dynamodb.put({ TableName: 'webhook-events', Item: { ... } });\n}\n<\/code><\/pre>\n\n\n\nDeployment with SAM<\/h3>\n\n\n\n
# template.yaml\nAWSTemplateFormatVersion: '2010-09-09'\nTransform: AWS::Serverless-2016-10-31\n\nResources:\n WebhookFunction:\n Type: AWS::Serverless::Function\n Properties:\n Handler: handler.handler\n Runtime: nodejs20.x\n Timeout: 10\n MemorySize: 256\n Environment:\n Variables:\n WEBHOOK_SECRET: !Ref WebhookSecret\n Events:\n Webhook:\n Type: Api\n Properties:\n Path: \/webhooks\/tolinku\n Method: post\n<\/code><\/pre>\n\n\n\nsam build && sam deploy --guided\n<\/code><\/pre>\n\n\n\nLambda-Specific Considerations<\/h3>\n\n\n\n
\n
Google Cloud Functions<\/h2>\n\n\n\n
Handler Code<\/h3>\n\n\n\n
\/\/ index.ts\nimport crypto from 'crypto';\nimport type { HttpFunction } from '@google-cloud\/functions-framework';\n\nconst WEBHOOK_SECRET = process.env.WEBHOOK_SECRET!;\n\nexport const webhookHandler: HttpFunction = async (req, res) => {\n if (req.method !== 'POST') {\n res.status(405).send('Method not allowed');\n return;\n }\n\n \/\/ Cloud Functions provides the raw body via req.rawBody\n const rawBody = req.rawBody;\n if (!rawBody) {\n res.status(400).send('No body');\n return;\n }\n\n \/\/ Verify signature\n const signature = req.headers['x-webhook-signature'] as string;\n const expected = crypto\n .createHmac('sha256', WEBHOOK_SECRET)\n .update(rawBody)\n .digest('hex');\n\n if (signature !== expected) {\n res.status(401).send('Invalid signature');\n return;\n }\n\n const event = JSON.parse(rawBody.toString());\n\n \/\/ Process\n await processEvent(event);\n\n res.status(200).send('OK');\n};\n\nasync function processEvent(event: any) {\n console.log(JSON.stringify({\n event_type: event.event,\n timestamp: event.timestamp,\n platform: event.data.platform,\n }));\n}\n<\/code><\/pre>\n\n\n\nDeployment<\/h3>\n\n\n\n
gcloud functions deploy webhookHandler \\\n --runtime nodejs20 \\\n --trigger-http \\\n --allow-unauthenticated \\\n --set-env-vars WEBHOOK_SECRET=whsec_your_secret_here \\\n --timeout 10s \\\n --memory 256MB \\\n --region us-central1\n<\/code><\/pre>\n\n\n\nCloud Functions Considerations<\/h3>\n\n\n\n
\n
rawBody<\/code><\/strong>: Cloud Functions preserves the raw request body in req.rawBody<\/code>. Use this for signature verification, not req.body<\/code> (which is pre-parsed).<\/li>\n--allow-unauthenticated<\/code><\/strong>: Required because Tolinku sends webhooks without Google Cloud authentication. The X-Webhook-Signature<\/code> header provides authentication.<\/li>\nCloudflare Workers<\/h2>\n\n\n\n
Handler Code<\/h3>\n\n\n\n
\/\/ src\/index.ts\nexport default {\n async fetch(request: Request, env: Env): Promise<Response> {\n if (request.method !== 'POST') {\n return new Response('Method not allowed', { status: 405 });\n }\n\n const rawBody = await request.arrayBuffer();\n const bodyBytes = new Uint8Array(rawBody);\n\n \/\/ Verify signature using Web Crypto API\n const signature = request.headers.get('x-webhook-signature');\n if (!signature) {\n return new Response('Missing signature', { status: 401 });\n }\n\n const key = await crypto.subtle.importKey(\n 'raw',\n new TextEncoder().encode(env.WEBHOOK_SECRET),\n { name: 'HMAC', hash: 'SHA-256' },\n false,\n ['sign']\n );\n\n const expectedBytes = await crypto.subtle.sign('HMAC', key, bodyBytes);\n const expectedHex = Array.from(new Uint8Array(expectedBytes))\n .map(b => b.toString(16).padStart(2, '0'))\n .join('');\n\n if (signature !== expectedHex) {\n return new Response('Invalid signature', { status: 401 });\n }\n\n const event = JSON.parse(new TextDecoder().decode(bodyBytes));\n\n \/\/ Process (non-blocking with waitUntil)\n const ctx = { waitUntil: (p: Promise<any>) => p };\n ctx.waitUntil(processEvent(event, env));\n\n return new Response('OK', { status: 200 });\n },\n};\n\nasync function processEvent(event: any, env: Env) {\n \/\/ Forward to a queue, KV store, or external API\n console.log(`${event.event}: ${event.data.platform || 'unknown'}`);\n}\n\ninterface Env {\n WEBHOOK_SECRET: string;\n}\n<\/code><\/pre>\n\n\n\nDeployment<\/h3>\n\n\n\n
npx wrangler deploy\n<\/code><\/pre>\n\n\n\nnpx wrangler secret put WEBHOOK_SECRET\n<\/code><\/pre>\n\n\n\nWorkers Considerations<\/h3>\n\n\n\n
\n
crypto<\/code>. Use the Web Crypto API (crypto.subtle<\/code>) for HMAC verification.<\/li>\nwaitUntil<\/code><\/strong>: In a real Workers deployment, use ctx.waitUntil()<\/code> from the ExecutionContext<\/code> to run async processing after the response is sent.<\/li>\nForwarding to a Queue<\/h2>\n\n\n\n
Lambda to SQS<\/h3>\n\n\n\n
import { SQSClient, SendMessageCommand } from '@aws-sdk\/client-sqs';\n\nconst sqs = new SQSClient({});\n\nasync function processEvent(event: any, rawBody: string) {\n const hash = crypto.createHash('sha256').update(rawBody).digest('hex');\n\n await sqs.send(new SendMessageCommand({\n QueueUrl: process.env.SQS_QUEUE_URL!,\n MessageBody: rawBody,\n MessageDeduplicationId: hash,\n MessageGroupId: event.event,\n }));\n}\n<\/code><\/pre>\n\n\n\nCloud Functions to Pub\/Sub<\/h3>\n\n\n\n
import { PubSub } from '@google-cloud\/pubsub';\n\nconst pubsub = new PubSub();\nconst topic = pubsub.topic('webhook-events');\n\nasync function processEvent(event: any, rawBody: Buffer) {\n await topic.publishMessage({\n data: rawBody,\n attributes: {\n eventType: event.event,\n },\n });\n}\n<\/code><\/pre>\n\n\n\nWorkers to Cloudflare Queue<\/h3>\n\n\n\n
async function processEvent(event: any, env: Env, rawBody: string) {\n await env.WEBHOOK_QUEUE.send({\n body: rawBody,\n eventType: event.event,\n });\n}\n<\/code><\/pre>\n\n\n\nCost Comparison<\/h2>\n\n\n\n