Webhook Guide
GitHub Webhook-Testguides
Repository and organization event webhooks
Schnellpfad: CLI-Helper-Befehle
Use these first to avoid setup mistakes, then follow the full provider steps below.
instatunnel webhook init --provider github --port 3000 --path /webhooks/github
instatunnel webhook verify --provider github --secret-env GITHUB_WEBHOOK_SECRET
instatunnel webhook test --provider github
If you run into provider-specific issues, use the full checklist sections below.
For cross-provider MCP + webhook diagnostics, open /docs/troubleshooting.
Replay + Signatur-Helper (Dashboard)
Open /dashboard or /dashboard/tunnels and use Webhook Command Center for this provider. It gives one-click replay and signature verification helpers.
instatunnel webhook verify --provider github --secret-env GITHUB_WEBHOOK_SECRET
curl -i -X POST "https://YOUR-SUBDOMAIN.instatunnel.my/webhooks/github" -H "Content-Type: application/json" --data-binary @sample-github.json
Required signature header: x-hub-signature-256
1. Lokales App-Setup
Create a local webhook endpoint at: /webhooks/github
import express from 'express'
import crypto from 'crypto'
const app = express()
app.post('/webhooks/github', express.raw({ type: 'application/json' }), (req, res) => {
const signature = req.header('x-hub-signature-256') || ''
const rawBody = req.body as Buffer
const expected = 'sha256=' + crypto
.createHmac('sha256', process.env.GITHUB_WEBHOOK_SECRET!)
.update(rawBody)
.digest('hex')
const signatureBuf = Buffer.from(signature)
const expectedBuf = Buffer.from(expected)
const valid =
signatureBuf.length === expectedBuf.length &&
crypto.timingSafeEqual(signatureBuf, expectedBuf)
if (!valid) {
return res.status(401).send('invalid signature')
}
console.log('github event:', req.header('x-github-event'))
res.status(200).send('ok')
})
app.listen(3000, () => console.log('listening on :3000'))2. InstaTunnel-Befehl ausfuhren
instatunnel 3000 --subdomain github-hooks
Keep a fixed subdomain so your provider dashboard URL does not keep changing.
3. Provider-Felder zum Einfugen
| Field | Value | Where/notes |
|---|---|---|
| Payload URL | {{WEBHOOK_URL}} | Repository/Org Settings > Webhooks > Add webhook |
| Content type | application/json | Use JSON for consistent parsing |
| Secret | GITHUB_WEBHOOK_SECRET | Use the same secret in your app verification code |
| SSL verification | Enable | Keep SSL verification enabled |
Use the helper below to generate exact values with your chosen subdomain and path.
Webhook-Setup-Helper mit einem Klick
Erzeugt Tunnel-Befehl, Webhook-URL und Provider-Werte zum Kopieren.
InstaTunnel starten
instatunnel 3000 --subdomain github-devWebhook-URL
https://github-dev.instatunnel.my/webhooks/github| Provider-Feld | Wert zum Einfugen | Hinweise |
|---|---|---|
| Payload URL | https://github-dev.instatunnel.my/webhooks/github | Repository/Org Settings > Webhooks > Add webhook |
| Content type | application/json | Use JSON for consistent parsing |
| Secret | GITHUB_WEBHOOK_SECRET | Use the same secret in your app verification code |
| SSL verification | Enable | Keep SSL verification enabled |
Tipp: eine stabile Subdomain pro Provider nutzen, damit kein stndiges Umkonfigurieren notig ist.
4. Testevent senden
- In repository settings, open the webhook and click "Redeliver" on a recent delivery.
- Or click "Test delivery" after saving webhook settings.
- Check your app logs for event type and successful signature check.
5. Signatur prufen
Verify this header on every request: x-hub-signature-256
const expected = 'sha256=' + crypto
.createHmac('sha256', process.env.GITHUB_WEBHOOK_SECRET!)
.update(rawPayloadBuffer)
.digest('hex')
const valid = Buffer.from(signature).length === Buffer.from(expected).length &&
crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))
if (!valid) return res.status(401).send('invalid signature')6. Retries und Idempotenz
- Use GitHub delivery ID as your idempotency key.
- Persist processed delivery IDs for a safe replay window.
- Handle out-of-order events by reading current resource state before mutating.
7. Haufige Fehler und schnelle Fixes
Hook deliveries show 404
Verify endpoint path and tunnel URL are exact and active.
Signature mismatch
Match secret exactly and hash the raw payload bytes.
Webhook disabled
Fix failing responses and re-enable the webhook in GitHub settings.