Webhook Guide
GitHub Guias de prueba de webhooks
Repository and organization event webhooks
Ruta rapida: comandos helper CLI
Use these first to avoid setup mistakes, then follow the full provider steps below.
instatunnel webhook init --provider github --port 3000 --path /webhooks/github
instatunnel webhook verify --provider github --secret-env GITHUB_WEBHOOK_SECRET
instatunnel webhook test --provider github
If you run into provider-specific issues, use the full checklist sections below.
For cross-provider MCP + webhook diagnostics, open /docs/troubleshooting.
Replay + helper de firma (dashboard)
Open /dashboard or /dashboard/tunnels and use Webhook Command Center for this provider. It gives one-click replay and signature verification helpers.
instatunnel webhook verify --provider github --secret-env GITHUB_WEBHOOK_SECRET
curl -i -X POST "https://YOUR-SUBDOMAIN.instatunnel.my/webhooks/github" -H "Content-Type: application/json" --data-binary @sample-github.json
Required signature header: x-hub-signature-256
1. Setup local de app
Create a local webhook endpoint at: /webhooks/github
import express from 'express'
import crypto from 'crypto'
const app = express()
app.post('/webhooks/github', express.raw({ type: 'application/json' }), (req, res) => {
const signature = req.header('x-hub-signature-256') || ''
const rawBody = req.body as Buffer
const expected = 'sha256=' + crypto
.createHmac('sha256', process.env.GITHUB_WEBHOOK_SECRET!)
.update(rawBody)
.digest('hex')
const signatureBuf = Buffer.from(signature)
const expectedBuf = Buffer.from(expected)
const valid =
signatureBuf.length === expectedBuf.length &&
crypto.timingSafeEqual(signatureBuf, expectedBuf)
if (!valid) {
return res.status(401).send('invalid signature')
}
console.log('github event:', req.header('x-github-event'))
res.status(200).send('ok')
})
app.listen(3000, () => console.log('listening on :3000'))2. Ejecutar comando InstaTunnel
instatunnel 3000 --subdomain github-hooks
Keep a fixed subdomain so your provider dashboard URL does not keep changing.
3. Campos a pegar en proveedor
| Field | Value | Where/notes |
|---|---|---|
| Payload URL | {{WEBHOOK_URL}} | Repository/Org Settings > Webhooks > Add webhook |
| Content type | application/json | Use JSON for consistent parsing |
| Secret | GITHUB_WEBHOOK_SECRET | Use the same secret in your app verification code |
| SSL verification | Enable | Keep SSL verification enabled |
Use the helper below to generate exact values with your chosen subdomain and path.
Helper de configuracion webhook en un click
Genera comando, URL webhook y valores para copiar en el proveedor.
Ejecutar InstaTunnel
instatunnel 3000 --subdomain github-devURL webhook
https://github-dev.instatunnel.my/webhooks/github| Campo del proveedor | Valor para pegar | Notas |
|---|---|---|
| Payload URL | https://github-dev.instatunnel.my/webhooks/github | Repository/Org Settings > Webhooks > Add webhook |
| Content type | application/json | Use JSON for consistent parsing |
| Secret | GITHUB_WEBHOOK_SECRET | Use the same secret in your app verification code |
| SSL verification | Enable | Keep SSL verification enabled |
Consejo: usa un subdominio estable por proveedor para no reconfigurar el panel.
4. Enviar evento de prueba
- In repository settings, open the webhook and click "Redeliver" on a recent delivery.
- Or click "Test delivery" after saving webhook settings.
- Check your app logs for event type and successful signature check.
5. Verificar firma
Verify this header on every request: x-hub-signature-256
const expected = 'sha256=' + crypto
.createHmac('sha256', process.env.GITHUB_WEBHOOK_SECRET!)
.update(rawPayloadBuffer)
.digest('hex')
const valid = Buffer.from(signature).length === Buffer.from(expected).length &&
crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))
if (!valid) return res.status(401).send('invalid signature')6. Reintentos e idempotencia
- Use GitHub delivery ID as your idempotency key.
- Persist processed delivery IDs for a safe replay window.
- Handle out-of-order events by reading current resource state before mutating.
7. Fallos comunes y solucion rapida
Hook deliveries show 404
Verify endpoint path and tunnel URL are exact and active.
Signature mismatch
Match secret exactly and hash the raw payload bytes.
Webhook disabled
Fix failing responses and re-enable the webhook in GitHub settings.