Create AEP-501: Webhook payloads

[rofrankel]

Adds guidance for webhook payloads.

The referenced common components are added in aep-dev/aep#17.

🍱 Types of changes

What types of changes does your code introduce to AEP? Put an x in the boxes
that apply

• Enhancement
• New proposal
• Migrated from google.aip.dev
• Chore / Quick Fix

📋 Your checklist for this pull request

Please review the AEP Style and Guidance for
contributing to this repository.

General

• Basic Guidance is met.
• Ensure that your PR
  references AEPs
  correctly.
• My code has been formatted
  (usually prettier -w .)

Additional checklist for a new AEP

• A new AEP should be no more than two pages if printed out.
• Ensure that the PR is editable by maintainers.
• Ensure that File structure
  guidelines are met.
• Ensure that
  Document structure
  guidelines are met.

💝 Thank you!

[toumorokoshi]

Thanks! I think there's a few questions I have around this, along with some general things that I think should align better with AEP style currently (unless we decide to change that too).

[toumorokoshi]

why 501? considering the number of the AEP shouldn't matter too much in the future, I'd rather we just start grabbing the next unused integer. What do you think?

[rofrankel]

I just picked a number, happy to renumber it. I think 6 is the next available number right?

[toumorokoshi]

why do we need a new directory for webhooks? this feels like a regular design pattern to me.

[rofrankel]

We have three webhook-specific AIPs internally at Roblox (this is the most interesting one). If we were to have multiple webhook-specific AEPs would you still suggest not having a folder? (No strong feelings on my end either way.)

[toumorokoshi]

501 or 5001?

[rofrankel]

Ack but will let the other comment get resolved first.

[toumorokoshi]

is this different from a regular resource?

[rofrankel]

Webhook payloads aren't resources at all, so I don't think we can treat guidance about resources as applying to them.

[toumorokoshi]

what do you mean by "service API"? do you mean "API service"? https://aep.dev/3#api-service.

If service API is intended to be a new term that differs, it would be good to add it to the Glossary.

[rofrankel]

By "service API" I mean an API that accepts requests, as distinct from a webhook API where the client accepts requests from the API. Happy to add to the glossary if you agree this makes sense.

[toumorokoshi]

Is this any different from aip.dev/180? (pointing to AIPs since we haven't imported it yet).

[rofrankel]

Well...I don't think it's obvious to everyone (or at least it wasn't within Roblox) which rules of service APIs would also apply to webhooks. Thus a general pattern of restating stuff a bit (while staying as DRY as possible).

[toumorokoshi]

Isn't this standard guidance regardless of webhooks? I feel like guidance around what goes in a side-channel vs not could be it's own AEP.

[rofrankel]

Could be...this guidance might overfit specific questions that arose within Roblox. Happy to file a ticket for that. Think we should leave this here in the meantime?

[toumorokoshi]

I don't know if this guidance is actionable. If I wanted to include something in the webhook payload, it's probably because some user needed it, and that's enough of a reason arguably to say it's information specific to the event.

Also if I include non-event related data, it wouldn't break any clients or doc generators. So is it really a must? If this was the only thing that an API did that wasn't AEP compliant, would we be ok with them not adopting the AEPs for this reason?

[rofrankel]

Yeah I agree - this is probably a specific reaction to a question that came up at Roblox, but it was an odd question and likely wouldn't come up elsewhere.

Do you think we should change must to should here or just remove the guidance?

[toumorokoshi]

High level question: have you looked at other standards like https://www.standardwebhooks.com/? That guidance has some pros:

• adoption by a handful of companies.
• guidance around security (e.g. authenticity)
• fanout

I imagine you're motivated by providing webhook guidance around protobuf, but it might be good to base it on an HTTP+JSON standard.