This feature is only available on Enterprise plan.
Webhook list
The Webhooks page displays all configured webhooks for your project. Access it from Settings → Webhooks.List columns
Webhook types
GoRules supports three webhook types for different integration scenarios.REST Webhook
Send HTTP POST requests to any URL when events occur. Ideal for custom integrations, notification services, or internal APIs. Configuration:- URL: The endpoint that receives webhook payloads
- Signing secret: Generated automatically for payload verification
GitHub
Trigger GitHub Actions workflows directly from GoRules events. Requires a configured GitHub integration. Configuration:- Repository: Select from connected GitHub repositories
- Target Branch: Branch to dispatch the workflow on (e.g.,
main) - Workflow ID: The workflow filename or ID (e.g.,
deploy.ymlor12345678)
GitLab
Trigger GitLab CI/CD pipelines from GoRules events. Requires a configured GitLab integration. Configuration:- Repository: Select from connected GitLab repositories
GitHub and GitLab webhooks require integrations to be configured first. Click “Configure Integrations” in the webhook form to set up the connection.
Available events
Select which events trigger the webhook.Commits (main branch)
Releases
Change Requests
Creating a webhook
- Go to Settings → Webhooks
- Click “Create webhook”
- Enter a description
- Select the webhook type (REST Webhook, GitHub, or GitLab)
- Configure the target:
- For REST: Enter the destination URL
- For GitHub/GitLab: Select repository and workflow details
- Select the events to listen for
- Click “Create”
Signing secret
REST webhooks include a signing secret for verifying payload authenticity. The secret is used to generate an HMAC signature sent with each request.Testing webhooks
Before relying on a webhook in production, send a test request.- Open the create or update webhook form
- In the “Test Webhook” section, select an event type
- Click “Send Test”
grl_whsec_test to verify your endpoint is reachable.
Webhook logs
View the history of webhook deliveries and troubleshoot issues.Accessing logs
- Go to Settings → Webhooks
- Click “View Logs” on the webhook row
Log details
Each log entry shows:Expanded log view
Click a log entry to see detailed information: Request tab:- URL: The destination endpoint
- Payload: JSON data sent to the endpoint
- Headers: Request headers including authentication
- Status code: HTTP response code (e.g., 204)
- Body: Response content from the endpoint
- Completion time: Request duration in milliseconds
Retrying failed deliveries
If a delivery fails, click “Retry” to resend the webhook with the same payload.Managing webhooks
Updating a webhook
- Click the three-dot menu on the webhook row
- Select “Update”
- Modify the configuration
- Click “Update”
Enabling or disabling
Toggle the “Active” switch in the update form to enable or disable a webhook without deleting it.Deleting a webhook
- Click the three-dot menu on the webhook row
- Select “Delete”
- Confirm the deletion
Deleting a webhook is permanent. Any external systems relying on the webhook will stop receiving notifications.
Webhook payload
Webhook payloads include event details in JSON format.Payload structure
Request headers
Verifying webhook signatures
REST webhooks include a signing secret for verifying payload authenticity. Each request contains anX-Webhook-Signature header with an HMAC-SHA256 signature of the request body.
Signature format
The signature header uses the formatsha256=<hex-encoded-hash>. Verify this against your own HMAC calculation using the webhook’s signing secret.
Node.js example
You must use the raw request body for signature verification, not the parsed JSON. If you’re using body-parser middleware, configure it to preserve the raw body:
Verification steps
- Extract the
X-Webhook-Signatureheader from the request - Get the raw request body (before JSON parsing)
- Compute HMAC-SHA256 of the raw body using your signing secret
- Compare the computed hash with the received signature using a timing-safe comparison
- Reject the request if signatures don’t match