@octokit/webhooks-methods NPM

webhooks-methods.js

Methods to handle GitHub Webhook requests

usage

Browsers

🚧 @octokit/webhooks-methods is not meant to be used in browsers. The webhook secret is a sensitive credential that must not be exposed to users.

Load @octokit/webhooks-methods directly from esm.sh

<script type="module">
  import {
    sign,
    verify,
    verifyWithFallback,
  } from "https://esm.sh/@octokit/webhooks-methods";
</script>

Node

Install with npm install @octokit/core @octokit/webhooks-methods

import { sign, verify, verifyWithFallback } from "@octokit/webhooks-methods";

await sign("mysecret", eventPayloadString);
// resolves with a string like "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3"

await sign({ secret: "mysecret", algorithm: "sha1" }, eventPayloadString);
// resolves with a string like "sha1=d03207e4b030cf234e3447bac4d93add4c6643d8"

await verify("mysecret", eventPayloadString, "sha256=486d27...");
// resolves with true or false

await verifyWithFallback("mysecret", eventPayloadString, "sha256=486d27...", ["oldsecret", ...]);
// resolves with true or false

Methods

`sign()`

await sign(secret, eventPayloadString);
await sign({ secret, algorithm }, eventPayloadString);

Algorithm to calculate signature. Can be set to sha1 or sha256. sha1 is supported for legacy reasons. GitHub Enterprise Server 2.22 and older do not send the X-Hub-Signature-256 header. Defaults to sha256.

Learn more at Validating payloads from GitHub

Resolves with a signature string. Throws an error if an argument is missing.

`verify()`

await verify(secret, eventPayloadString, signature);

Resolves with true or false. Throws error if an argument is missing.

`verifyWithFallback()`

await verifyWithFallback(
  secret,
  eventPayloadString,
  signature,
  additionalSecrets,
);

This is a thin wrapper around verify() that is intended to ease callers' support for key rotation. Resolves with true or false. Throws error if a required argument is missing.