GitHub Webhooks

GitHub can notify your systems about pushes, PRs, issues, and more. HookNexus is a convenient payload URL for development and debugging: you see headers, JSON body, and delivery history without deploying a public server first.

Prerequisites

• Admin access to the repository (or organization) where you add the webhook
• A HookNexus endpoint URL: https://api.hooknexus.com/h/{endpoint-id}

Repository webhook setup

1. Open webhook settings

   On GitHub, open your repository → Settings → Webhooks → Add webhook.

2. Set the payload URL

   https://api.hooknexus.com/h/YOUR_ENDPOINT_ID

3. Set content type

   Select Content type: application/json (recommended for modern integrations).

4. Choose a secret

   Enter a Secret string. GitHub uses it to compute X-Hub-Signature-256. Save the same value in your password manager—you need it for verification in HookNexus.

5. Select events

   Choose Let me select individual events (or start with Just the push event for a minimal test).

6. Create the webhook

   Click Add webhook. GitHub sends a ping event immediately if configured to do so—check HookNexus for the delivery.

Signature verification

GitHub sends:

• Header: X-Hub-Signature-256
• Format: sha256=<hex digest>
• Algorithm: HMAC-SHA256 over the raw request body using your webhook secret

In HookNexus, open a delivery, then use the dashboard Verify Signature tool with provider GitHub and your secret string.

API check

curl -X POST https://api.hooknexus.com/api/verify-signature \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "github",
    "payload": "<raw body>",
    "signature": "sha256=...",
    "secret": "your-webhook-secret"
  }'

Reference

See Signature Verification for the exact HMAC construction.

Tip

For enterprise or GitHub Apps, delivery headers and signing behavior are similar, but always confirm the app’s documentation for any extra headers.

Common events

Event	Typical use
push	CI, deployments, changelog automation
pull_request	Review bots, merge queues
issues	Issue trackers, notifications
release	Release notes, artifact publishing

Start with one event type, confirm deliveries in HookNexus, then expand.

Organization webhooks vs repository webhooks

	Repository webhook	Organization webhook
Scope	Single repo	All repos in the org (per your selection)
Where to add	Repo Settings → Webhooks	Org Settings → Webhooks
Use case	Project-specific automation	Org-wide policies, security scanning

Both use the same payload URL pattern and X-Hub-Signature-256 verification.

Troubleshooting

Symptom	What to check
Red delivery in GitHub	Open the delivery; confirm URL reaches HookNexus (no corporate proxy blocking).
No X-Hub-Signature-256	Webhook must use a secret; recreate if missing.
Signature invalid	Compare secret character-for-character; verify raw body (no pretty-print changes).
Wrong repository	For org webhooks, confirm repo filters and event selections.

Caution

Never commit webhook secrets to git. Rotate the secret in GitHub if it leaks.