Webhook Guide
GitHub Guides de test webhook
Repository and organization event webhooks
Chemin rapide : commandes helper CLI
Use these first to avoid setup mistakes, then follow the full provider steps below.
instatunnel webhook init --provider github --port 3000 --path /webhooks/github
instatunnel webhook verify --provider github --secret-env GITHUB_WEBHOOK_SECRET
instatunnel webhook test --provider github
If you run into provider-specific issues, use the full checklist sections below.
For cross-provider MCP + webhook diagnostics, open /docs/troubleshooting.
Replay + helper signature (dashboard)
Open /dashboard or /dashboard/tunnels and use Webhook Command Center for this provider. It gives one-click replay and signature verification helpers.
instatunnel webhook verify --provider github --secret-env GITHUB_WEBHOOK_SECRET
curl -i -X POST "https://YOUR-SUBDOMAIN.instatunnel.my/webhooks/github" -H "Content-Type: application/json" --data-binary @sample-github.json
Required signature header: x-hub-signature-256
1. Setup app locale
Create a local webhook endpoint at: /webhooks/github
import express from 'express'
import crypto from 'crypto'
const app = express()
app.post('/webhooks/github', express.raw({ type: 'application/json' }), (req, res) => {
const signature = req.header('x-hub-signature-256') || ''
const rawBody = req.body as Buffer
const expected = 'sha256=' + crypto
.createHmac('sha256', process.env.GITHUB_WEBHOOK_SECRET!)
.update(rawBody)
.digest('hex')
const signatureBuf = Buffer.from(signature)
const expectedBuf = Buffer.from(expected)
const valid =
signatureBuf.length === expectedBuf.length &&
crypto.timingSafeEqual(signatureBuf, expectedBuf)
if (!valid) {
return res.status(401).send('invalid signature')
}
console.log('github event:', req.header('x-github-event'))
res.status(200).send('ok')
})
app.listen(3000, () => console.log('listening on :3000'))2. Lancer InstaTunnel
instatunnel 3000 --subdomain github-hooks
Keep a fixed subdomain so your provider dashboard URL does not keep changing.
3. Champs provider a coller
| Field | Value | Where/notes |
|---|---|---|
| Payload URL | {{WEBHOOK_URL}} | Repository/Org Settings > Webhooks > Add webhook |
| Content type | application/json | Use JSON for consistent parsing |
| Secret | GITHUB_WEBHOOK_SECRET | Use the same secret in your app verification code |
| SSL verification | Enable | Keep SSL verification enabled |
Use the helper below to generate exact values with your chosen subdomain and path.
Assistant setup webhook en un clic
Genere commande tunnel, URL webhook et valeurs provider pretes a coller.
Lancer InstaTunnel
instatunnel 3000 --subdomain github-devURL webhook
https://github-dev.instatunnel.my/webhooks/github| Champ provider | Valeur a coller | Notes |
|---|---|---|
| Payload URL | https://github-dev.instatunnel.my/webhooks/github | Repository/Org Settings > Webhooks > Add webhook |
| Content type | application/json | Use JSON for consistent parsing |
| Secret | GITHUB_WEBHOOK_SECRET | Use the same secret in your app verification code |
| SSL verification | Enable | Keep SSL verification enabled |
Astuce : gardez un sous-domaine stable par provider pour eviter la reconfiguration.
4. Envoyer un evenement de test
- In repository settings, open the webhook and click "Redeliver" on a recent delivery.
- Or click "Test delivery" after saving webhook settings.
- Check your app logs for event type and successful signature check.
5. Verifier la signature
Verify this header on every request: x-hub-signature-256
const expected = 'sha256=' + crypto
.createHmac('sha256', process.env.GITHUB_WEBHOOK_SECRET!)
.update(rawPayloadBuffer)
.digest('hex')
const valid = Buffer.from(signature).length === Buffer.from(expected).length &&
crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))
if (!valid) return res.status(401).send('invalid signature')6. Retrys et idempotence
- Use GitHub delivery ID as your idempotency key.
- Persist processed delivery IDs for a safe replay window.
- Handle out-of-order events by reading current resource state before mutating.
7. Echecs courants et corrections rapides
Hook deliveries show 404
Verify endpoint path and tunnel URL are exact and active.
Signature mismatch
Match secret exactly and hash the raw payload bytes.
Webhook disabled
Fix failing responses and re-enable the webhook in GitHub settings.