// learn

Concepts

Plain-English explainers on the networking + protocol concepts that show up when you wire integrations. Written so a junior dev gets it on the first read.

• What is a webhook?

  A webhook is a one-way HTTP POST that an external service makes to your URL when something happens on their side. It's the inversion of polling: they tell you instead of you asking.

• What is a reverse tunnel?

  A reverse tunnel makes a server behind NAT or a firewall reachable from the public internet by having it dial out to a public relay, instead of waiting for inbound connections.

• HTTP vs HTTPS in development — when does it matter?

  Most modern browser features require HTTPS. Here's the actual list, what fails on plain HTTP, and how to develop with HTTPS without per-machine cert management.

• OAuth callback URL — what it is, why it must be HTTPS, how to test locally

  OAuth providers redirect the user to your callback URL with an authorization code. The URL is registered in advance and must match exactly. Here's how to test against localhost without breaking provider validation.

• HMAC webhook signatures — what they prove and how to verify them

  HMAC is what stops random people on the internet from POSTing fake events to your webhook URL. Here's how it actually works, and the four classic ways verification fails in practice.

• Public vs private IP — what each is for, and why your laptop has both

  Your laptop's local Wi-Fi address (192.168.x or 10.x) and the IP the world sees are different things. Here's the model that makes sense of NAT, port-forwarding, IPv6, and tunnels.

• ngrok vs Cloudflare Tunnel — when each is the right pick (and where lrok fits)

  Both expose your localhost. Each makes different trade-offs. Here's a 2026 buyer's-guide-style breakdown — billing model, friction, ops profile.

• Server-Sent Events (SSE) — when to use them instead of WebSockets

  SSE is one-way streaming from server to client over plain HTTP. It's simpler than WebSockets, easier to proxy, and right for any case where you only need server-pushed updates.

• Webhook retries and idempotency

  Webhook providers retry on failure — sometimes for days. Without idempotency, retries double-charge customers and double-send emails. The fix is a deduplication key on every event.

• Request signing — HMAC, Ed25519, RSA-PSS, and what to use

  Webhook signatures are how providers prove a request came from them. The crypto choice (HMAC, Ed25519, RSA-PSS) affects performance, key management, and what kind of attacker you're defending against.

• Port forwarding — what it is, why home routers default to off

  Port forwarding tells your router 'when traffic for port X arrives, send it to this device on the LAN.' It works for self-hosted servers and game lobbies, but only when ISP CGNAT and IPv4 scarcity don't get in the way.

• Why HTTPS on localhost is hard (and how to make it work)

  Browsers increasingly demand HTTPS for everything — cookies, service workers, OAuth, mobile testing. But you can't get a real cert for localhost. Three working approaches: mkcert, dev tunnels, and HTTPS-secure-context exemptions.

• CORS preflight — why your fetch fails before it sends

  When your browser sees a 'non-simple' cross-origin request, it sends an OPTIONS preflight before the real request. If the server doesn't handle OPTIONS correctly, the real request never goes out.