Webhooks vs. Polling: Event-Driven Shop Integration
When a customer places an order in the shop, it should reach the ERP within seconds. When stock drops, availability in the shop should be correct immediately. How these events travel between systems determines the latency, load and stability of the entire integration. Two patterns dominate the discussion: webhooks, where the source system actively pushes an event, and polling, where the target system asks at fixed intervals. In our experience, 74 percent of public interfaces are REST-based (project experience) and therefore generally suited to both patterns. This article shows when webhooks are the right choice, when polling is superior, how to secure delivery and integrity with HMAC signatures and retry strategies, and which hybrid approach has proven itself in API development for shop-to-ERP data flows.
Webhooks and Polling: Two Paths, One Goal
Polling is the older and simpler pattern. The target system calls an interface of the source system at a fixed cadence and asks: is there anything new since my last request? In a shop-to-ERP integration, the ERP might query the shop API every five minutes for new orders. The advantage is simplicity: the source system needs to know nothing about its consumers, and the client controls the cadence itself. The disadvantage is obvious: on average, half the interval elapses between an event and its processing, and most requests return no new data.
Webhooks reverse the direction. As soon as an event occurs in the source system, it sends an HTTPS POST on its own to a pre-registered URL on the target system. Latency drops to seconds and no load is generated by empty requests. In exchange, complexity shifts: the target system must operate a publicly reachable endpoint, verify the authenticity of every message and cope with the fact that a delivery can also fail. In practice this shift pays off, because it reflects the reality of event-driven business processes. A well-designed ERP integration chooses the pattern not ideologically but per data flow.
The economic relevance grows with the maturity of the integration. In our experience, an average of 31 percent of large organizations' IT budgets goes to integration and API work (project experience). Insufficient documentation and inconsistent interfaces prove to be recurring main obstacles to API adoption (project experience). The more systems talk to each other, the more important a consistent pattern for event transport becomes. Those who rely on clean contracts, signatures and retry logic from the start save considerable maintenance effort later in interface development.
Latency, Load and Currency in Direct Comparison
The decisive difference between the two patterns lies in data currency and the system load they generate. For time-critical events such as incoming orders or stock changes near a threshold, every second counts. German B2B e-commerce, with a sales volume in the triple-digit billions, is among the fastest-growing distribution channels (BEVH, 2024), and short response times between shop and ERP are a technical foundation for it. For less volatile data such as product descriptions or a nightly master-data reconciliation, a delay of minutes is uncritical by contrast. The following overview summarizes the typical characteristics.
| Criterion | Webhook (push) | Polling (pull) |
|---|---|---|
| Latency | seconds, near real-time | half the interval on average |
| API load | only on real events | constant, even without changes |
| Receiver complexity | public endpoint required | no endpoint required |
| Delivery | retry and ack required | next request fetches missed data |
| Load spikes | possible on bulk events | predictable via fixed cadence |
| Best for | orders, status changes | backfill, reconciliation, bulk data |
Polling has an often-overlooked advantage: predictability. Because the target system sets the cadence, load spikes are plannable and the source system is never overrun. This becomes a challenge with webhooks when a single event in the source system generates many follow-up messages, such as a price-list import touching tens of thousands of items. Server-side batching or throttling helps here. According to Gartner, integration initiatives fail above average precisely on such non-functional requirements as load behavior and fault tolerance (Gartner, 2024), not on the actual business logic.
Webhook for the Time-Critical
Order receipt, payment confirmation and status changes benefit from push: the ERP learns of the event in seconds rather than after the next polling cycle.
Polling for Reconciliation
Periodic full reconciliations and master-data backfill run reliably via polling because the target system controls cadence and load itself.
Hybrid as the Default
Push for currency, complemented by a polling safety net that catches up on missed events. This produces a robust overall architecture.
Signature, Not Trust
Every incoming webhook is verified via HMAC signature before the payload is processed. An open endpoint without verification is a security risk.
Delta, Not Full Pull
Polling only requests data that has changed since the last cursor. This keeps transferred volumes small and APIs fast.
Plan for Failure
Timeouts, network outages and invalid payloads are the normal case. A retry queue and dead letter queue absorb them without losing events.
Delivery Guarantees: Why At-Least-Once Is the Realistic Goal
In a distributed system there is no perfect delivery without trade-offs. Three models are common: at-most-once (delivered no more than once, loss possible), at-least-once (delivered at least once, duplicates possible) and exactly-once (delivered exactly once). True exactly-once across system boundaries is costly and rarely necessary in practice. The pragmatic standard for shop-to-ERP data flows is at-least-once combined with idempotency on the receiver side, so that duplicate deliveries cause no harm.
Concretely this means: the webhook receiver acknowledges a successfully accepted message with a 2xx status code. If it does not respond, or responds with an error, the source system repeats the delivery according to a wait pattern. This is exactly where duplicates arise, when the first delivery was processed but its acknowledgement was lost. The solution is a unique idempotency key per event, which the receiver stores and against which it checks every incoming message. An in-depth treatment of this topic is available in the sister article on idempotency and retry strategies.
An Ack Is Not a Processing Promise
Polling has a structural advantage in delivery: if the client misses a request, for example due to maintenance, the next run catches up on all interim changes, as long as the cursor is advanced correctly. Nothing is lost because the target system controls its own position. This property makes polling the ideal safety net behind webhooks and is the core of the hybrid approach described below.
Security: HMAC Signatures and Protecting the Webhook Route
A webhook endpoint is publicly reachable, so it must treat every message as potentially forged until its authenticity is proven. The most widespread method is an HMAC signature. The source and target systems share secret key material. The source system computes an HMAC over the raw message body, usually with SHA-256, and sends the result in an HTTP header. The receiver recomputes the HMAC with the same secret and compares the two values. If they do not match, the message is discarded.
import crypto from 'crypto';
function verifyWebhook(rawBody, signatureHeader, secret) {
const expected = crypto
.createHmac('sha256', secret)
.update(rawBody) // use the RAW body, not the parsed JSON
.digest('hex');
// constant-time comparison against timing attacks
const a = Buffer.from(expected);
const b = Buffer.from(signatureHeader);
return a.length === b.length && crypto.timingSafeEqual(a, b);
}Two details determine the quality of the check. First, the signature must be computed over the unaltered raw body, not over a re-serialized JSON, because even a reordered set of keys breaks the signature. Second, the comparison must run in constant time so that an attacker cannot draw conclusions from timing differences. According to the OWASP API Security Project, missing or flawed authentication and authorization are among the most frequently exploited weaknesses in interfaces (OWASP API Security Top 10, 2023).
- HMAC-SHA256 over the raw body: always verify the signature before JSON parsing, and never put secret key material in code or logs.
- Timestamp against replay: a transmitted and signed timestamp prevents intercepted messages from being replayed later. Reject messages outside a short tolerance window.
- Transport encryption: deliver webhooks exclusively over TLS, optionally with mutual authentication (mTLS) for particularly sensitive data flows.
- IP allowlist as a second layer: if the source system uses fixed address ranges, an allowlist complements signature verification but does not replace it.
- Key rotation: rotate the shared secret regularly and plan a transition window with two valid keys.
Polling has a different, simpler security profile here. Because the target system establishes the connection, server-side credentials such as an OAuth token or an API key suffice, and there is no inbound endpoint to protect. This smaller attack surface is a real advantage that is often underrated when comparing the two patterns. A professional interface design weighs the currency gain of webhooks against the lower security effort of polling on a per-data-flow basis.
Resilience: Retry, Backoff and Dead Letter Queue
No receiver is permanently reachable. Maintenance windows, deployments, overloaded databases or network outages are the normal case, not the exception. Robust webhook processing answers the question of what happens to an event whose delivery fails. The proven answer is a retry with exponential backoff: after the first failed attempt the source system waits briefly, then increasingly longer, for example after a few seconds, then minutes, then hours, until a maximum is reached.
An important detail is jitter, a random spread of the wait times. Without jitter, all queued events would be redelivered simultaneously after an outage and could immediately overload the receiver that has only just recovered. Events that could not be delivered after all attempts move into a dead letter queue. There they rest safely for later manual or automatic reprocessing and trigger an alert. This very mechanism ensures that even a longer outage does not mean data loss.
Polling as a Safety Net
On the receiver side, resilience also means separating heavy processing from acceptance. The webhook endpoint validates the signature, writes the message into an internal queue and responds immediately with 2xx. The actual processing, such as creating an order in the ERP, happens asynchronously through workers. If processing fails, it is retried from the internal queue without the source system being affected. This decoupling is a central principle of any resilient integration architecture.
In Practice: Mapping Shop-to-ERP Data Flows Correctly
In a real integration between shop and ERP there is not one data flow but a dozen, each with its own currency and load requirements. The art is to choose the right pattern per flow rather than treating everything the same. Orders, payment and shipping status are classic push candidates because here seconds count. Master data, price lists and a nightly consistency reconciliation are classic pull candidates because here completeness matters more than speed.
- Order receipt (shop to ERP): webhook on order completion, handing the order to the ERP within seconds. The idempotency key is the order number.
- Stock change (ERP to shop): webhook on every inventory movement for near real-time, complemented by a delta reconciliation every few minutes as a safety net.
- Status change (ERP to shop): webhook on shipping and invoice status, so customers see the current state without the shop continuously polling the ERP.
- Master data and prices: polling at intervals of minutes to hours, since large volumes are involved and a short delay is uncritical.
- Consistency reconciliation: nightly or hourly polling that compares both systems and corrects discrepancies from missed events.
This mix is not a compromise but the superior solution. According to a survey by the industry association BITKOM, mid-market companies see the automation of business processes as one of the most important levers for efficiency gains (BITKOM, 2024). Statista reports sustained double-digit growth in German digital commerce over recent years (Statista, 2024), which further increases the pressure on resilient system integrations. A well-designed event transport is the technical prerequisite for this, because it determines whether the automation runs fast, reliably and traceably. Across more than 50 integration projects (project experience), the described hybrid approach has proven a robust standard.
Hybrid Architecture: Push Plus a Polling Safety Net
The mature standard for shop-to-ERP data flows is neither pure polling nor pure webhooks, but a deliberate combination. Webhooks provide the low latency for time-critical events. A periodic delta polling runs as an independent safety net in the background and catches everything the push path lost or missed. The middleware between the systems implements both and decouples business processing from reception.
This layer performs several tasks simultaneously: it validates incoming webhook signatures, persists each event with its idempotency key, processes it asynchronously toward the ERP and runs the delta reconciliation in parallel. As a result, the system is resilient against individual failures without the shop or ERP noticing any of the complexity. Anyone wishing to modernize an existing integration can introduce this approach incrementally, for example by first switching the most critical flow to webhooks while the rest continues to run via polling for now. An accompanying integration consultation helps to align the sequence with your processes.
The Rule of Thumb
The question is rarely webhook or polling, but which data flow needs which pattern and how the two together form a system that loses no order even on a bad day.