GitHub Webhook Specs, Events, and Examples

GitHub uses webhooks to notify third-party apps of GitHub events — such as when an issue is created, a branch is created, or a pull request is approved. GitHub events can be used to trigger actions in other systems, such as updating an external issue tracker, initiating CI builds, updating a backup mirror, or even deploying to your production servers.

Specifications

Supported Events

Security Headers

  • Signature Header: X-Hub-Signature-256
  • Hash: sha256
  • Encode: hex
  • Payload: request_body

Documentation

SDKs and Sample Code


Sample Validation

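const crypto = require('crypto')
const express = require('express')
const app = express()
const sigHeader = 'X-Hub-Signature-256'
const hashAlgo = 'sha256'
const encode = 'hex'
const hmacSecret = process.env.WEBHOOK_SECRET
// express.raw() keeps the body as a Buffer: the HMAC covers the exact bytes sent
app.post('/github-webhook', express.raw({ type: '*/*' }), (req, res) => {
  //01: Validate signature
  const message = Buffer.isBuffer(req.body) ? req.body : Buffer.alloc(0)
  const digest = Buffer.from('sha256='+
                  crypto.createHmac(hashAlgo, hmacSecret)
                  .update(message).digest(encode))
  // req.get() matches the header name case-insensitively
  const received = Buffer.from(req.get(sigHeader) || '')
  // Compare in constant time; timingSafeEqual requires equal lengths
  if (received.length !== digest.length ||
      !crypto.timingSafeEqual(received, digest)) {
      res.status(401).send('Request unauthorized')
  }else{
      //02: Process message
      res.json({ message: "Success" })
  }
})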
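
The check above as a framework-independent function. This is an added example, not code from the original page or from GitHub. It shows that the signature verifies only over the exact request_body bytes and fails once the JSON is parsed and re-serialized. The secret, payload, and the names sign, verifySignature and demo are constructed for illustration.

```javascript
const crypto = require('crypto')

// Sign raw body bytes as the header fields above describe:
// 'sha256=' + hex(HMAC-SHA256(secret, request_body))
function sign(secret, rawBody) {
  return 'sha256=' + crypto.createHmac('sha256', secret).update(rawBody).digest('hex')
}

// Returns true only if headerValue is the signature of rawBody.
// rawBody must be the bytes as received (Buffer or string), never a parsed object.
function verifySignature(secret, rawBody, headerValue) {
  if (typeof headerValue !== 'string' || !headerValue.startsWith('sha256=')) return false
  const expected = Buffer.from(sign(secret, rawBody))
  const received = Buffer.from(headerValue)
  // timingSafeEqual throws on unequal lengths, so check the length first
  return received.length === expected.length &&
         crypto.timingSafeEqual(received, expected)
}

// Constructed sample data (not real GitHub traffic)
const SECRET = 'constructed-test-secret'
const RAW_BODY = Buffer.from('{"action": "opened",  "number": 7}')
const HEADER = sign(SECRET, RAW_BODY)

function demo() {
  // Parsing and re-serializing drops whitespace, so the bytes no longer match
  const reserialized = JSON.stringify(JSON.parse(RAW_BODY.toString()))
  const tampered = Buffer.from('{"action": "opened",  "number": 8}')
  return {
    rawBytes: verifySignature(SECRET, RAW_BODY, HEADER),
    reserialized: verifySignature(SECRET, reserialized, HEADER),
    tamperedBody: verifySignature(SECRET, tampered, HEADER),
    wrongSecret: verifySignature('other-secret', RAW_BODY, HEADER),
    missingHeader: verifySignature(SECRET, RAW_BODY, undefined),
    truncatedHeader: verifySignature(SECRET, RAW_BODY, HEADER.slice(0, 20)),
  }
}

console.log(demo())
```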