How to Test GitHub Webhooks: Complete Guide
How to inspect GitHub deliveries during development, verify signatures, and handle the event quirks that show up in real repositories.
GitHub Webhook Basics
GitHub webhooks power a lot of engineering automation: CI/CD triggers, deployment bots, issue sync, release workflows, and notifications. The request usually looks straightforward until a branch is force-pushed, a PR changes state, or GitHub resends a delivery you were not expecting.
Real deliveries matter for this reason. GitHub payloads vary slightly across event actions, and those small differences are often what break brittle handlers.
Key GitHub Webhook Events
| Event | Trigger | Use Case |
|---|---|---|
| push | Code pushed to any branch | CI/CD triggers, auto-deploy |
| pull_request | PR opened, closed, merged | Code review bots, notifications |
| issues | Issue created, edited, closed | Project management sync |
| release | Release published | Auto-publish, changelog |
| workflow_run | GitHub Action completed | Post-CI notifications |
| star | Repository starred | Analytics, notifications |
Step-by-Step: Test GitHub Webhooks with Requex.me
- Get your test URL: Visit requex.me and copy your unique webhook URL.
- Configure GitHub: Go to your repository → Settings → Webhooks → Add webhook. Paste your Requex URL in the "Payload URL" field. Set Content type to application/json. Choose which events to receive.
- Set a secret: Enter a webhook secret (any random string). You'll use this to verify signatures in production.
- Trigger an event: Make a commit, open a PR, or create an issue. The webhook payload appears instantly in your Requex dashboard.
- Inspect the payload: Click on the request to review the full JSON body, the X-GitHub-Event header, the signature header, and the delivery ID GitHub assigns.
GitHub Webhook Signature Verification
GitHub signs each webhook delivery using your secret. The signature is sent in the X-Hub-Signature-256 header as a SHA-256 HMAC hex digest.
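```javascript
// Node.js verification
const crypto = require('crypto');
const express = require('express');

const app = express();

// `payload` must be the raw request body (a Buffer), not re-serialized JSON,
// because the HMAC is computed over the exact bytes GitHub sent.
function verifyGitHubSignature(payload, signature, secret) {
  // Reject requests that carry no signature header at all
  if (typeof signature !== 'string') return false;
  const expected = Buffer.from(
    'sha256=' + crypto
      .createHmac('sha256', secret)
      .update(payload)
      .digest('hex')
  );
  const received = Buffer.from(signature);
  // timingSafeEqual throws when lengths differ, so compare lengths first
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Usage in Express: express.raw keeps req.body as the unparsed Buffer
app.post('/webhooks/github', express.raw({type: '*/*'}), (req, res) => {
  const sig = req.headers['x-hub-signature-256'];
  if (!verifyGitHubSignature(req.body, sig, process.env.GITHUB_WEBHOOK_SECRET)) {
    return res.status(401).send('Invalid signature');
  }
  // Parse only after the signature has been verified
  const event = req.headers['x-github-event'];
  const payload = JSON.parse(req.body);
  switch (event) {
    case 'push':
      console.log('Push to', payload.ref);
      break;
    case 'pull_request':
      console.log('PR', payload.action, payload.pull_request.title);
      break;
  }
  res.status(200).send('OK');
});
```
GitHub-Specific Tips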
Use the X-GitHub-Event header
Unlike most providers where the event type is in the body, GitHub puts it in the X-GitHub-Event header. Always use this header to route events to the appropriate handler.
Redeliver from GitHub
GitHub keeps a delivery log for every webhook. Go to Settings → Webhooks → Recent Deliveries to see the payload, response, and redeliver any failed event. This is invaluable for debugging production issues.
Handle the action field
Many GitHub events have an action field (e.g., "opened", "closed", "reopened" for pull_request events). Always check this field: don't assume a pull_request event means a new PR was opened.
GitHub sends a ping event first
When you first configure a webhook, GitHub sends a ping event to verify your endpoint is reachable. Make sure your handler returns 200 OK for ping events.
401 Unauthorized errors from GitHub
If your endpoint returns 401, GitHub will mark the delivery as failed and retry. This typically means your handler rejected the request before processing the payload. See the webhook 401 unauthorized guide for step-by-step diagnosis.
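The tips above combined in one framework-independent handler, as an added example that is not part of the original guide or GitHub's own code: it verifies the signature, skips a delivery ID it has already processed (read from the X-GitHub-Delivery header), acknowledges ping, and routes on the event header plus the action field. The handler names, the in-memory Set and the sample deliveries are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

const sign = (raw, secret) =>
  'sha256=' + crypto.createHmac('sha256', secret).update(raw).digest('hex');

// Constant-time check of X-Hub-Signature-256 over the raw body bytes.
function signatureOk(raw, header, secret) {
  if (typeof header !== 'string') return false;
  const given = Buffer.from(header), expected = Buffer.from(sign(raw, secret));
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Hypothetical handlers keyed by "event" or "event.action".
const handlers = new Map([
  ['ping', () => 'pong'],
  ['push', (p) => `push to ${p.ref}`],
  ['pull_request.opened', (p) => `PR opened: ${p.pull_request.title}`],
  ['pull_request.closed', (p) =>
    (p.pull_request.merged ? 'PR merged' : 'PR closed without merge')],
]);

// Returns { status, body }. `seen` is a Set of processed delivery IDs
// (in-memory for the example; an assumption, not a production store).
function handleDelivery(headers, raw, secret, seen) {
  if (!signatureOk(raw, headers['x-hub-signature-256'], secret)) {
    return { status: 401, body: 'Invalid signature' };
  }
  const id = headers['x-github-delivery'];
  if (!id) return { status: 400, body: 'Missing delivery ID' };
  if (seen.has(id)) return { status: 200, body: 'duplicate ignored' };

  const event = headers['x-github-event'];
  const payload = JSON.parse(raw.toString('utf8'));
  const handler = handlers.get(`${event}.${payload.action}`) || handlers.get(event);
  // Events or actions without a handler are acknowledged, not failed.
  const body = handler ? handler(payload) : `ignored ${event}`;
  seen.add(id); // recorded only after the handler returned without throwing
  return { status: 200, body };
}

// Constructed sample delivery for local tests, signed like a real one.
function sampleDelivery(event, obj, id, secret) {
  const raw = Buffer.from(JSON.stringify(obj));
  return { raw, headers: {
    'x-github-event': event,
    'x-github-delivery': id,
    'x-hub-signature-256': sign(raw, secret),
  } };
}
```

Because the delivery ID is recorded only after the handler returns, a delivery that failed mid-processing is handled again when it is redelivered, while one that already succeeded is skipped.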
Node.js GitHub Webhook Handler
The code examples above are in Node.js. For a complete guide with Express middleware, HMAC verification, and event routing patterns, see the Node.js webhook testing guide.