You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
You can create webhooks that subscribe to the events listed on this page. To limit the number of HTTP requests to your server, you should only subscribe to the specific events that you plan on handling. For more information, see [AUTOTITLE](/webhooks/creating-webhooks).
24
+
Webhooks enable you to build or set up integrations that subscribe to specific events on {% data variables.product.prodname_dotcom %}. When one of those events is triggered, {% data variables.product.prodname_dotcom %} sends an HTTP POST request to the webhook's configured URL. To minimize the load on your server, it's crucial to subscribe only to the events your integration needs to handle. You can learn more about setting up webhooks in "[Creating Webhooks](/webhooks/creating-webhooks)."
25
25
26
-
Each webhook event on this page includes a description of the webhook properties for that event. If the event has multiple actions, the properties corresponding to each action are included.
26
+
On this page, you'll find a detailed description of the properties included in the webhook payload for each event. If an event has multiple associated actions (for example, an issue can be `opened`, `closed`, or `edited`), you'll see the specific properties relevant to each action.
27
27
28
-
Each event is only available to specific types of webhooks. For example, an organization webhook can subscribe to the `team`event, but a repository webhook cannot. The description of each webhook event lists the availability for that event. For more information, see [AUTOTITLE](/webhooks/types-of-webhooks).
28
+
Keep in mind that the availability of certain webhook events depends on the type of webhook you're creating. For instance, an organization webhook can subscribe to `team`events, while a repository webhook cannot. The description for each event clearly indicates its availability. For more details, refer to "[Types of Webhooks](/webhooks/types-of-webhooks)."
29
29
30
-
### Payload cap
30
+
### Payload Size Considerations
31
31
32
32
{% data reusables.webhooks.payload_cap %}
33
33
34
-
### Delivery headers
34
+
### Examining Delivery Headers
35
35
36
-
HTTP POST payloads that are delivered to your webhook's configured URL endpoint will contain several special headers:
36
+
When {% data variables.product.prodname_dotcom %} sends an HTTP POST request to your webhook's URL, it includes several custom headers that provide valuable context about the delivery:
37
37
38
-
*`X-GitHub-Hook-ID`: The unique identifier of the webhook.
39
-
*`X-GitHub-Event`: The name of the event that triggered the delivery.
40
-
*`X-GitHub-Delivery`: A globally unique identifier (GUID) to identify the event.{% ifversion ghes %}
41
-
*`X-GitHub-Enterprise-Version`: The version of the {% data variables.product.prodname_ghe_server %} instance that sent the HTTP POST payload.
42
-
*`X-GitHub-Enterprise-Host`: The hostname of the {% data variables.product.prodname_ghe_server %} instance that sent the HTTP POST payload.{% endif %}
43
-
*`X-Hub-Signature`: This header is sent if the webhook is configured with a `secret`. This is the HMAC hex digest of the request body, and is generated using the SHA-1 hash function and the `secret` as the HMAC `key`. `X-Hub-Signature` is provided for compatibility with existing integrations. We recommend that you use the more secure `X-Hub-Signature-256` instead.
44
-
*`X-Hub-Signature-256`: This header is sent if the webhook is configured with a `secret`. This is the HMAC hex digest of the request body, and is generated using the SHA-256 hash function and the `secret` as the HMAC `key`. For more information, see [AUTOTITLE](/webhooks/using-webhooks/securing-your-webhooks).
45
-
*`User-Agent`: This header will always have the prefix `GitHub-Hookshot/`.
46
-
*`X-GitHub-Hook-Installation-Target-Type`: The type of resource where the webhook was created.
47
-
*`X-GitHub-Hook-Installation-Target-ID`: The unique identifier of the resource where the webhook was created.
38
+
*`X-GitHub-Hook-ID`: This is a unique identifier assigned to your specific webhook. You can use this to track and manage your webhooks.
39
+
*`X-GitHub-Event`: This header specifies the exact name of the event that triggered the webhook delivery. For example, it might be `issues`, `pull_request`, or `push`.
40
+
*`X-GitHub-Delivery`: A universally unique identifier (GUID) for each specific event delivery. This is helpful for debugging and tracking individual webhook calls.
41
+
*`User-Agent`: This header always starts with `GitHub-Hookshot/`, indicating that the request originates from {% data variables.product.prodname_dotcom %}’s webhook system.
42
+
*`X-GitHub-Hook-Installation-Target-Type`: This indicates the type of resource where the webhook was created. Possible values include `repository`, `organization`, or `marketplace_account`.
43
+
*`X-GitHub-Hook-Installation-Target-ID`: This is the unique numerical identifier of the resource where the webhook was created.
48
44
49
-
To see what each header might look like in a webhook payload, see [Example webhook delivery](#example-webhook-delivery).
45
+
{% ifversion ghes %}
50
46
51
-
### Example webhook delivery
47
+
*`X-GitHub-Enterprise-Version`: If you're using {% data variables.product.prodname_ghe_server %}, this header provides the specific version of your instance that sent the webhook payload.
48
+
*`X-GitHub-Enterprise-Host`: For {% data variables.product.prodname_ghe_server %} users, this header contains the hostname of your instance.
52
49
53
-
You can choose to have payloads delivered in JSON format (`application/json`) or as URL-encoded data (`x-www-form-urlencoded`). Following is an example of a webhook POST request that uses the JSON format.
50
+
{% endif %}
51
+
52
+
#### Securing Your Webhooks with Signatures
53
+
54
+
{% data reusables.webhooks.security-headers %}
55
+
56
+
*`X-Hub-Signature`: This header is present if you've configured a `secret` for your webhook. It contains the HMAC-SHA1 hash of the request body, using your `secret` as the key. While provided for backward compatibility, we recommend using the more secure `X-Hub-Signature-256`.
57
+
*`X-Hub-Signature-256`: This header is also sent when a `secret` is configured. It contains the HMAC-SHA256 hash of the request body, offering a stronger level of security. For detailed information on securing your webhooks, see "[Securing your webhooks](/webhooks/using-webhooks/securing-your-webhooks)."
58
+
59
+
To get a clearer picture of these headers in action, take a look at the "[Example webhook delivery](#example-webhook-delivery)" section below.
60
+
61
+
### Example Webhook Delivery
62
+
63
+
You have the flexibility to choose whether webhook payloads are delivered in JSON format (`application/json`) or as URL-encoded data (`x-www-form-urlencoded`). The following example illustrates a webhook POST request using the more common JSON format.
0 commit comments