Receive webhooks hub Ruby (standard library)
Guide

How to receive webhooks in Sinatra Ruby receiver + reliable processing

A minimal Sinatra endpoint is easy to add. Production reliability (verification, retries, idempotency, backpressure) is the hard part — and Hooque makes that part simple.

Start for free See pricing

Prefer the “no framework” version? Read receive webhooks in Ruby.

Show me the code

TL;DR

  • Treat “receive webhooks in Sinatra (Ruby)” as an ops problem, not just a route handler.
  • Verify the request before parsing/side effects (use a verifySignature(...) stub, then implement provider verification).
  • Return 2xx quickly; move work to a worker/queue to avoid timeouts and retries.
  • Assume retries and design idempotency (dedupe by event id + unique constraints).
  • Log + store raw payloads for replayable debugging.
  • If you need one workflow across many providers, centralize ingest + standardize consumption.

Want the standard-library version and shared pitfalls? Read receive webhooks in Ruby .

Anti-patterns

  • Doing business logic inline in the Sinatra (Ruby) request handler.
  • Parsing/transforming the body before verification (breaks signing inputs).
  • Returning 2xx before authenticity is proven.
  • Skipping idempotency (retries become double side effects).

Need deeper implementation details? Start with Webhook API.

Table of contents

  1. Why it's hard
  2. Minimal receiver
  3. With Hooque
  4. REST loop
  5. SSE loop
  6. FAQ

Why it's hard in production

Frameworks help you build endpoints. They don’t solve retries, replay attacks, or backpressure by default.

Verify authenticity + stop replays

Use a verifySignature(...) stub here, then implement real verification + replay defense for each provider.

Read the guide

Assume retries (duplicates are optional)

Treat every delivery as at-least-once and make side effects idempotent (DB constraints, dedupe keys).

Read the guide

Don’t do work in the request path

Ack fast, process async. Otherwise timeouts, deploys, and spikes turn into missed webhooks.

Read the guide

Debug with real payloads

Save the exact body + headers so you can replay deterministically after a fix.

Read the guide

Add monitoring + alerts early

Track delivered vs rejected, processing latency, queue depth, and error rates.

Read the guide

Iterate locally without losing events

Tunnels help, but durable capture + replay removes the “my laptop was asleep” problem.

Read the guide

Minimal receiver (Sinatra)

Keep verification as a stub here, then implement provider-specific verification + replay protection in the webhook security guide . For the standard-library version and shared pitfalls, see receive webhooks in Ruby . 

require "sinatra"
	
	def verify_signature(headers, body)
	  # don't compromise on security
	  # TODO: implement provider-specific signature verification
	end

	def process_data(body)
	  # TODO: your business logic (DB writes, external API calls, etc.)
	  body
	end
	
	post "/webhooks" do
	  body = request.body.read
	  verify_signature(request.env, body)
	  # What happens if it fails or times out?
	  # Most providers retry -> duplicates unless you designed idempotency.
	  process_data(body)
	  
	  # IMPORTANT: ack fast to avoid timeouts and duplicate deliveries.
	  status 200
	  "ok"
	end

Hooque turns any webhook into a reliable queue.

Jump to REST Jump to SSE

Non-obvious scenario: you can’t expose a port

In real deployments, the hardest part is often “where does this endpoint run?” (NAT, corporate networks, locked-down environments, short-lived preview deployments). Hooque decouples inbound receiving from processing so your Sinatra app doesn’t need to be the public receiver.

The easy path: receive with Hooque + consume forever

Receive once (durably), then process from a queue. Your Sinatra app doesn’t have to be the public receiver.

  • Centralize provider-specific verification and reduce “raw body” pitfalls.
  • Buffer spikes and deployments so you don’t drop deliveries.
  • Use explicit Ack / Nack / Reject to control retries.
  • Replay from the UI after a fix (no guessing what payload was sent).

Want the generic patterns? Read Webhook API and migrate to queue-based processing.

Hooque REST polling loop (runs forever)

Poll the queue forever and handle each event outside the provider’s request path. 

# Ruby 3+ (Net::HTTP)
# Runs forever: poll /next, ack/nack/reject explicitly.
require "json"
require "net/http"
require "uri"

NEXT_URL = ENV.fetch("HOOQUE_QUEUE_NEXT_URL", "https://app.hooque.io/queues/<consumerId>/next")
TOKEN = ENV.fetch("HOOQUE_TOKEN", "hq_tok_replace_me")

def main
  uri = URI(NEXT_URL)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
    loop do
      msg = get_next_message(http, uri, TOKEN)
      unless msg
        sleep 1
        next
      end

      begin
        process_data(msg[:payload], msg[:meta])
        ack(msg, TOKEN)
      rescue => e
        nack(msg, TOKEN, e)
      end
    end
  end
end

def get_next_message(http, uri, token)
  begin
    req = Net::HTTP::Get.new(uri)
    req["Authorization"] = "Bearer #{token}"

    resp = http.request(req)

    if resp.code.to_i == 204
      return nil
    end

    if resp.code.to_i >= 400
      warn "next() failed: #{resp.code} #{resp.body}"
      sleep 2
      return nil
    end

    meta = JSON.parse(resp["X-Hooque-Meta"] || "{}")
    { payload: resp.body, meta: meta }
  rescue => net_e
    warn "Worker connection err: #{net_e.message}"
    sleep 2
    nil
  end
end

def process_data(payload, meta)
  # Example real-life task: run a script on webhook events.
  puts "event: #{meta["messageId"] || meta["deliveryId"]}"
end

def ack(msg, token)
  post_url(msg[:meta]["ackUrl"], token, nil)
end

def nack(msg, token, err)
  err_url = msg[:meta]["nackUrl"] || msg[:meta]["rejectUrl"]
  post_url(err_url, token, { reason: err.message }) if err_url
end

def post_url(url, token, json)
  return unless url
  uri = URI(url)
  req = Net::HTTP::Post.new(uri)
  req["Authorization"] = "Bearer #{token}"
  if json
    req["Content-Type"] = "application/json"
    req.body = JSON.generate(json)
  end
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |h| h.request(req) }
rescue => e
  warn "Post err: #{e.message}"
end

main

Hooque SSE stream consumer (runs forever)

Stream events in real time and reconnect forever on disconnects. 

# Ruby 3+ — SSE consumer (Net::HTTP)
# Runs forever: connect to /stream, handle "message" events, ack/nack/reject explicitly.
require "json"
require "net/http"
require "uri"

STREAM_URL = ENV.fetch("HOOQUE_QUEUE_STREAM_URL", "https://app.hooque.io/queues/<consumerId>/stream")
TOKEN = ENV.fetch("HOOQUE_TOKEN", "hq_tok_replace_me")

def main
  loop do
    get_message_stream do |msg|
      begin
        process_data(msg[:payload], msg[:meta])
        ack(msg, TOKEN)
      rescue => e
        nack(msg, TOKEN, e)
      end
    end
    warn "Stream dropped, reconnecting..."
    sleep 2
  end
end

def get_message_stream
  begin
    uri = URI(STREAM_URL)
    Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
      req = Net::HTTP::Get.new(uri)
      req["Authorization"] = "Bearer #{TOKEN}"
      req["Accept"] = "text/event-stream"
      
      http.request(req) do |resp|
        event = nil
        data_lines = []
        buffer = ""

        resp.read_body do |chunk|
          buffer += chunk
          while index = buffer.index("\n")
            line = buffer.slice!(0..index)
            line = line.delete_suffix("\n").delete_suffix("\r")
            
            next if line.start_with?(":")
            if line == ""
              if event == "message" && data_lines.any?
                begin
                  raw_msg = JSON.parse(data_lines.join("\n"))
                  yield({ payload: raw_msg["payload"], meta: raw_msg["meta"] || {} })
                rescue JSON::ParserError
                end
              end
              event = nil
              data_lines = []
              next
            end
            event = line.split(":", 2)[1].strip if line.start_with?("event:")
            data_lines << line.split(":", 2)[1].lstrip if line.start_with?("data:")
          end
        end
      end
    end
  rescue => e
    warn "stream error: #{e.message}"
  end
end

def process_data(payload, meta)
  puts "event: #{meta["messageId"] || meta["deliveryId"]}"
end

def ack(msg, token)
  post_url(msg[:meta]["ackUrl"], token, nil)
end

def nack(msg, token, err)
  err_url = msg[:meta]["nackUrl"] || msg[:meta]["rejectUrl"]
  post_url(err_url, token, { reason: err.message }) if err_url
end

def post_url(url, token, json)
  return unless url
  uri = URI(url)
  req = Net::HTTP::Post.new(uri)
  req["Authorization"] = "Bearer #{token}"
  if json
    req["Content-Type"] = "application/json"
    req.body = JSON.generate(json)
  end
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |h| h.request(req) }
rescue => e
  warn "Post err: #{e.message}"
end

main

FAQ

Answers tailored to Sinatra, plus shared webhook production guidance.

How do I get the raw request body in Sinatra?

General: Signature verification typically requires the raw body bytes (before JSON parsing). Ensure your middleware stack does not transform the body before verification.

How Hooque helps: With Hooque, provider delivery goes to a managed ingest endpoint. Your worker consumes from a queue using REST or SSE, so the “raw body vs parsed body” pitfall is mostly confined to ingest configuration.

What status code should I return for webhooks in Sinatra (Ruby)?

General: Usually return a fast 2xx after validating authenticity and basic schema. Timeouts and 5xx commonly trigger retries.

How Hooque helps: Hooque acknowledges ingest immediately and persists the payload. Your worker acks/nacks/rejects explicitly after processing.

Do I need signature verification in Sinatra (Ruby)?

General: Yes, unless the sender is fully trusted and on a private network. A public endpoint without verification is easy to forge and easy to replay.

How Hooque helps: Hooque can verify at ingest for supported providers or using generic strategies. Either way, your worker receives a normalized meta object and can stay focused on processing.

Why do I see duplicate webhook events in Sinatra (Ruby)?

General: Retries are normal: timeouts, transient network failures, and 5xx responses all produce duplicates. Design idempotency around event ids and side-effect boundaries.

How Hooque helps: Hooque makes delivery outcomes explicit (ack/nack/reject) and provides replay/inspection so you can fix issues without guessing what was received.

How do I test webhooks locally in Sinatra (Ruby)?

General: You can use a tunnel, but local dev still breaks on sleep, VPNs, clock skew, and signature-byte mismatches.

How Hooque helps: With Hooque you can avoid inbound locally: receive events into a durable queue and pull/stream to your laptop, then replay from the UI after changes.

Should I use REST polling or SSE streaming for webhook processing?

General: Use REST polling for simple batch workers and environments without long-lived connections. Use SSE for low-latency “process as it arrives” flows.

How Hooque helps: Hooque supports both: `GET /next` for polling and `GET /stream` for streaming. Both include meta with ready-to-call ack/nack/reject URLs.

Start processing webhooks reliably

Use Sinatra for your app, and keep webhook processing as a simple run-forever consumer loop with explicit ack/nack/reject control.

Start for free See pricing

No credit card required