Webhook Guide
GitHub Webhook Testing
Repository and organization event webhooks
Quick path: CLI helper commands
Use these first to avoid setup mistakes, then follow the full provider steps below.
instatunnel webhook init --provider github --port 3000 --path /webhooks/github
instatunnel webhook verify --provider github --secret-env GITHUB_WEBHOOK_SECRET
instatunnel webhook test --provider github
If you run into provider-specific issues, use the full checklist sections below.
1. Local app setup
Create a local webhook endpoint at: /webhooks/github
import express from 'express'
import crypto from 'crypto'
const app = express()
app.post('/webhooks/github', express.raw({ type: 'application/json' }), (req, res) => {
const signature = req.header('x-hub-signature-256') || ''
const rawBody = req.body as Buffer
const expected = 'sha256=' + crypto
.createHmac('sha256', process.env.GITHUB_WEBHOOK_SECRET!)
.update(rawBody)
.digest('hex')
const signatureBuf = Buffer.from(signature)
const expectedBuf = Buffer.from(expected)
const valid =
signatureBuf.length === expectedBuf.length &&
crypto.timingSafeEqual(signatureBuf, expectedBuf)
if (!valid) {
return res.status(401).send('invalid signature')
}
console.log('github event:', req.header('x-github-event'))
res.status(200).send('ok')
})
app.listen(3000, () => console.log('listening on :3000'))2. Run InstaTunnel command
instatunnel 3000 --subdomain github-hooks
Keep a fixed subdomain so your provider dashboard URL does not keep changing.
3. Provider config fields to paste
| Field | Value | Where/notes |
|---|---|---|
| Payload URL | {{WEBHOOK_URL}} | Repository/Org Settings > Webhooks > Add webhook |
| Content type | application/json | Use JSON for consistent parsing |
| Secret | GITHUB_WEBHOOK_SECRET | Use the same secret in your app verification code |
| SSL verification | Enable | Keep SSL verification enabled |
Use the helper below to generate exact values with your chosen subdomain and path.
One-Click Webhook Setup Helper
Generate copy-ready tunnel command, webhook URL, and provider config values.
Run InstaTunnel
instatunnel 3000 --subdomain github-devWebhook URL
https://github-dev.instatunnel.my/webhooks/github| Provider field | Value to paste | Notes |
|---|---|---|
| Payload URL | https://github-dev.instatunnel.my/webhooks/github | Repository/Org Settings > Webhooks > Add webhook |
| Content type | application/json | Use JSON for consistent parsing |
| Secret | GITHUB_WEBHOOK_SECRET | Use the same secret in your app verification code |
| SSL verification | Enable | Keep SSL verification enabled |
Tip: keep one stable subdomain per provider to avoid reconfiguring dashboards.
4. Send test event
- In repository settings, open the webhook and click "Redeliver" on a recent delivery.
- Or click "Test delivery" after saving webhook settings.
- Check your app logs for event type and successful signature check.
5. Verify signature
Verify this header on every request: x-hub-signature-256
const expected = 'sha256=' + crypto
.createHmac('sha256', process.env.GITHUB_WEBHOOK_SECRET!)
.update(rawPayloadBuffer)
.digest('hex')
const valid = Buffer.from(signature).length === Buffer.from(expected).length &&
crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))
if (!valid) return res.status(401).send('invalid signature')6. Retries and idempotency
- Use GitHub delivery ID as your idempotency key.
- Persist processed delivery IDs for a safe replay window.
- Handle out-of-order events by reading current resource state before mutating.
7. Common failures and quick fixes
Hook deliveries show 404
Verify endpoint path and tunnel URL are exact and active.
Signature mismatch
Match secret exactly and hash the raw payload bytes.
Webhook disabled
Fix failing responses and re-enable the webhook in GitHub settings.