How to check webhook identity with a valid secret in a web app?

Seikyo Cho April 27, 2024

If I create a dynamic webhook from the REST API:

I can set a random secret like:

Then the secret will be saved on the Atlassian server.

Every time I send an event and trigger the webhook, it will post data to my web app. In order to check if it's the identity which I allow, I have to compare the post header and the secret code I set before.

But I can find only the x-hub-signature header in the incoming data, and each time it changes to a different one.

So how can I handle it correctly?

Here is the example code:

function handleWebhook(req, res) {
  // Retrieve the secret code from the request headers
  const receivedSecret = req.headers['x-hub-signature'];

  // Verify the secret code
  if (receivedSecret === process.env.JIRA_WEBHOOK_SECRET) {
    // Secret code is valid, proceed with handling the webhook payload
    console.log('Received webhook payload:', req.body);

    // Respond with a 200 OK status to acknowledge receipt of the webhook
    res.sendStatus(200);
  } else {
    // Secret code doesn't match, reject the request
    console.error('Invalid secret code');
    res.sendStatus(403); // Forbidden
  }
}


0 answers
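An added example, not part of the original post and not Atlassian's code: the header differs on every delivery because it carries an HMAC of the request body keyed with the secret, so the receiver recomputes the HMAC over the raw bytes and compares in constant time instead of comparing the header to the secret. It assumes the WebSub-style `method=hexdigest` header format and an Express route mounted with `express.raw()`; `verifySignature` and `selfCheck` are hypothetical names.

```javascript
const crypto = require('node:crypto');

// Hash methods accepted in the header prefix (WebSub-style); anything else is rejected.
const ALLOWED_METHODS = new Set(['sha1', 'sha256', 'sha384', 'sha512']);

// rawBody must be the exact bytes received (a Buffer), not re-serialized JSON.
function verifySignature(rawBody, headerValue, secret) {
  if (!secret || typeof headerValue !== 'string' || !Buffer.isBuffer(rawBody)) return false;
  const sep = headerValue.indexOf('=');
  if (sep < 1) return false; // no "method=" prefix, e.g. a bare secret
  const method = headerValue.slice(0, sep).toLowerCase();
  const receivedHex = headerValue.slice(sep + 1);
  if (!ALLOWED_METHODS.has(method) || !/^[0-9a-fA-F]+$/.test(receivedHex)) return false;
  const expected = crypto.createHmac(method, secret).update(rawBody).digest();
  const received = Buffer.from(receivedHex, 'hex');
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Express-style handler; assumes express.raw({ type: '*/*' }) on this route
// so that req.body is a Buffer holding the unparsed payload.
function handleWebhook(req, res) {
  const ok = verifySignature(req.body, req.headers['x-hub-signature'],
    process.env.JIRA_WEBHOOK_SECRET);
  if (!ok) return res.sendStatus(403); // missing, malformed or wrong signature
  const event = JSON.parse(req.body.toString('utf8')); // parse only after verifying
  console.log('Received webhook event:', event.webhookEvent);
  return res.sendStatus(200);
}

// Constructed sample (not real Jira output) to exercise the check offline.
function selfCheck() {
  const secret = 'constructed-test-secret';
  const body = Buffer.from('{"webhookEvent":"jira:issue_updated"}');
  const sig = 'sha256=' + crypto.createHmac('sha256', secret).update(body).digest('hex');
  return {
    valid: verifySignature(body, sig, secret),
    tamperedBody: verifySignature(Buffer.from('{"webhookEvent":"x"}'), sig, secret),
    secretAsHeader: verifySignature(body, secret, secret),
  };
}
```

If a JSON body parser runs before this handler, the bytes hashed here will not match what was signed, so the signature check must see the body before any parsing.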
