2020-10-24 23:57:45 +05:30
---
2022-11-25 23:54:43 +05:30
stage: Manage
2021-10-27 15:23:28 +05:30
group: Integrations
2022-11-25 23:54:43 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
2020-10-24 23:57:45 +05:30
---
2017-08-17 22:00:37 +05:30
2021-04-17 20:07:23 +05:30
# Webhooks **(FREE)**
2018-11-18 11:00:15 +05:30
2021-11-18 22:05:49 +05:30
[Webhooks ](https://en.wikipedia.org/wiki/Webhook ) are custom HTTP callbacks
that you define. They are usually triggered by an
2023-03-04 22:38:38 +05:30
event, such as pushing code to a repository or posting a comment on an issue.
2021-11-18 22:05:49 +05:30
When the event occurs, the source app makes an HTTP request to the URI
configured for the webhook. The action to take may be anything. For example,
you can use webhooks to:
- Trigger continuous integration (CI) jobs, update external issue trackers,
update a backup mirror, or deploy to your production server.
- Send a notification to
2019-07-07 11:18:12 +05:30
[Slack ](https://api.slack.com/incoming-webhooks ) every time a job fails.
2021-11-18 22:05:49 +05:30
- [Integrate with Twilio to be notified via SMS ](https://www.datadoghq.com/blog/send-alerts-sms-customizable-webhooks-twilio/ )
every time an issue is created for a specific project or group in GitLab.
- [Automatically assign labels to merge requests ](https://about.gitlab.com/blog/2016/08/19/applying-gitlab-labels-automatically/ ).
2017-08-17 22:00:37 +05:30
2022-03-02 08:16:31 +05:30
You can configure your GitLab project or [group ](#group-webhooks ) to trigger a
[percent-encoded ](https://developer.mozilla.org/en-US/docs/Glossary/percent-encoding ) webhook URL
when an event occurs. For example, when new code is pushed or a new issue is created. The webhook
listens for specific [events ](#events ) and GitLab sends a POST request with data to the webhook URL.
2017-08-17 22:00:37 +05:30
2021-11-18 22:05:49 +05:30
Usually, you set up your own [webhook receiver ](#create-an-example-webhook-receiver )
to receive information from GitLab and send it to another app, according to your requirements.
We have a [built-in receiver ](slack.md )
for sending [Slack ](https://api.slack.com/incoming-webhooks ) notifications per project.
2019-12-21 20:55:43 +05:30
2021-11-18 22:05:49 +05:30
GitLab.com enforces [webhook limits ](../../../user/gitlab_com/index.md#webhooks ),
including:
2017-08-17 22:00:37 +05:30
2021-11-18 22:05:49 +05:30
- The maximum number of webhooks and their size, both per project and per group.
- The number of webhook calls per minute.
2017-08-17 22:00:37 +05:30
2021-11-18 22:05:49 +05:30
## Group webhooks **(PREMIUM)**
2017-08-17 22:00:37 +05:30
2021-12-11 22:18:48 +05:30
You can configure a group webhook, which is triggered by events
2022-07-23 23:45:48 +05:30
that occur across all projects in the group. If you configure identical webhooks
in a group and a project, they are both triggered by an event in the
project.
2021-12-11 22:18:48 +05:30
Group webhooks can also be configured to listen for events that are
specific to a group, including:
- [Group member events ](webhook_events.md#group-member-events )
- [Subgroup events ](webhook_events.md#subgroup-events )
2017-08-17 22:00:37 +05:30
2022-06-21 17:19:12 +05:30
## Configure a webhook in GitLab
2017-08-17 22:00:37 +05:30
2023-03-04 22:38:38 +05:30
To configure a webhook for a project or group:
2017-08-17 22:00:37 +05:30
2021-11-18 22:05:49 +05:30
1. In your project or group, on the left sidebar, select **Settings > Webhooks** .
1. In **URL** , enter the URL of the webhook endpoint.
2022-03-02 08:16:31 +05:30
The URL must be percent-encoded if it contains one or more special characters.
2021-11-18 22:05:49 +05:30
1. In **Secret token** , enter the [secret token ](#validate-payloads-by-using-a-secret-token ) to validate payloads.
1. In the **Trigger** section, select the [events ](webhook_events.md ) to trigger the webhook.
2022-07-16 23:28:13 +05:30
1. Optional. Clear the **Enable SSL verification** checkbox to disable [SSL verification ](index.md#manage-ssl-verification ).
2021-11-18 22:05:49 +05:30
1. Select **Add webhook** .
2017-08-17 22:00:37 +05:30
2023-03-04 22:38:38 +05:30
## Mask sensitive portions of webhook URLs
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/99995) in GitLab 15.5 [with a flag](../../../administration/feature_flags.md) named `webhook_form_mask_url`. Disabled by default.
> - [Enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/376106) in GitLab 15.6.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/376106) in GitLab 15.7. Feature flag `webhook_form_mask_url` removed.
You can define and mask sensitive portions of webhook URLs and replace them
with configured values any number of times when webhooks are executed.
Sensitive portions do not get logged and are encrypted at rest in the database.
To mask sensitive portions of the webhook URL:
1. In your project or group, on the left sidebar, select **Settings > Webhooks** .
1. In **URL** , enter the full webhook URL.
1. Select **Mask portions of URL** .
1. In **Sensitive portion of URL** , enter the portion you want to mask.
1. In **How it looks in the UI** , enter the masking value.
To interpolate sensitive portions for each webhook, use `url_variables` .
For example, if a webhook has the following URL:
```plaintext
https://{subdomain}.example.com/{path}?key={value}
```
You must define the following variables:
- `subdomain`
- `path`
- `value`
Variable names can contain only lowercase letters (`a-z`), numbers (`0-9`), or underscores (`_`).
You can define URL variables directly using the REST API.
2022-06-21 17:19:12 +05:30
## Configure your webhook receiver endpoint
2022-11-25 23:54:43 +05:30
Webhook receiver endpoints should be fast and stable.
Slow and unstable receivers can be [disabled automatically ](#failing-webhooks ) to ensure system reliability. Webhooks that fail can lead to retries, [which cause duplicate events ](#webhook-fails-or-multiple-webhook-requests-are-triggered ).
Endpoints should follow these best practices:
- **Respond quickly with a `200` or `201` status response.** Avoid any significant processing of webhooks in the same request.
Instead, implement a queue to handle webhooks after they are received. The timeout limit for webhooks is [10 seconds on GitLab.com ](../../../user/gitlab_com/index.md#other-limits ).
- **Be prepared to handle duplicate events.** In [some circumstances ](#webhook-fails-or-multiple-webhook-requests-are-triggered ), the same event may be sent twice. To mitigate this issue, ensure your endpoint is
2022-06-21 17:19:12 +05:30
reliably fast and stable.
2022-11-25 23:54:43 +05:30
- **Keep the response headers and body minimal.**
GitLab does not examine the response headers or body. GitLab stores them so you can examine them later in the logs to help diagnose problems. You should limit the number and size of headers returned. You can also respond to the webhook request with an empty body.
- Only return client error status responses (in the `4xx` range) to
indicate that the webhook has been misconfigured. Responses in this range can lead to your webhooks being [automatically disabled ](#failing-webhooks ). For example, if your receiver
only supports push events, you can return `400` if sent an issue
payload, as that is an indication that the hook has been set up
incorrectly. Alternatively, you can ignore unrecognized event
payloads.
- Never return `500` server error status responses if the event has been handled as this can cause the webhook to be [temporarily disabled ](#failing-webhooks ).
- Invalid HTTP responses are treated as failed requests.
2022-06-21 17:19:12 +05:30
### Failing webhooks
2023-03-04 22:38:38 +05:30
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/60837) in GitLab 13.12 [with a flag](../../../administration/feature_flags.md) named `web_hooks_disable_failed`. Disabled by default.
> - [Enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/329849) in GitLab 15.7.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/329849) in GitLab 15.7. Feature flag `web_hooks_disable_failed` removed.
2022-06-21 17:19:12 +05:30
If a webhook fails repeatedly, it may be disabled automatically.
Webhooks that return response codes in the `5xx` range are understood to be failing
2023-03-04 22:38:38 +05:30
intermittently and are temporarily disabled. These webhooks are initially disabled
for 1 minute, which is extended on each retry up to a maximum of 24 hours.
2022-06-21 17:19:12 +05:30
2023-03-04 22:38:38 +05:30
Webhooks that return response codes in the `4xx` range are understood to be
misconfigured and are permanently disabled until you manually re-enable
them yourself.
2022-06-21 17:19:12 +05:30
2023-03-04 22:38:38 +05:30
See [Troubleshooting ](#troubleshoot-webhooks ) for more information on
disabled webhooks and how to re-enable them.
2022-06-21 17:19:12 +05:30
2021-11-18 22:05:49 +05:30
## Test a webhook
2017-08-17 22:00:37 +05:30
2022-05-07 20:08:51 +05:30
You can trigger a webhook manually, to ensure it's working properly. You can also send
a test request to re-enable a [disabled webhook ](#re-enable-disabled-webhooks ).
2017-08-17 22:00:37 +05:30
2021-11-18 22:05:49 +05:30
For example, to test `push events` , your project should have at least one commit. The webhook uses this commit in the webhook.
2017-08-17 22:00:37 +05:30
2023-01-13 00:05:48 +05:30
NOTE:
Testing is not supported for some types of events for project and groups webhooks.
Read more in [issue 379201 ](https://gitlab.com/gitlab-org/gitlab/-/issues/379201 ).
Prerequisites:
- To test project webhooks, you must have at least the Maintainer role for the project.
- To test group webhooks, you must have the Owner role for the group.
2021-11-18 22:05:49 +05:30
To test a webhook:
2017-08-17 22:00:37 +05:30
2022-08-27 11:52:29 +05:30
1. In your project or group, on the left sidebar, select **Settings > Webhooks** .
2021-11-18 22:05:49 +05:30
1. Scroll down to the list of configured webhooks.
1. From the **Test** dropdown list, select the type of event to test.
2017-08-17 22:00:37 +05:30
2022-05-07 20:08:51 +05:30
You can also test a webhook from its edit page.
2021-11-18 22:05:49 +05:30
![Webhook testing ](img/webhook_testing.png )
2017-08-17 22:00:37 +05:30
2021-11-18 22:05:49 +05:30
## Create an example webhook receiver
2017-08-17 22:00:37 +05:30
2021-11-18 22:05:49 +05:30
To test how GitLab webhooks work, you can use
an echo script running in a console session. For the following script to
work you must have Ruby installed.
2017-08-17 22:00:37 +05:30
2021-11-18 22:05:49 +05:30
1. Save the following file as `print_http_body.rb` :
2017-08-17 22:00:37 +05:30
2021-11-18 22:05:49 +05:30
```ruby
require 'webrick'
2017-08-17 22:00:37 +05:30
2021-11-18 22:05:49 +05:30
server = WEBrick::HTTPServer.new(:Port => ARGV.first)
server.mount_proc '/' do |req, res|
puts req.body
end
2017-08-17 22:00:37 +05:30
2021-11-18 22:05:49 +05:30
trap 'INT' do
server.shutdown
end
server.start
```
2017-08-17 22:00:37 +05:30
2021-11-18 22:05:49 +05:30
1. Choose an unused port (for example, `8000` ) and start the script:
2017-08-17 22:00:37 +05:30
2021-11-18 22:05:49 +05:30
```shell
ruby print_http_body.rb 8000
```
2017-08-17 22:00:37 +05:30
2022-07-23 23:45:48 +05:30
1. In GitLab, [configure the webhook ](#configure-a-webhook-in-gitlab ) and add your
receiver's URL, for example, `http://receiver.example.com:8000/` .
2017-08-17 22:00:37 +05:30
2021-11-18 22:05:49 +05:30
1. Select **Test** . You should see something like this in the console:
2017-08-17 22:00:37 +05:30
2021-11-18 22:05:49 +05:30
```plaintext
{"before":"077a85dd266e6f3573ef7e9ef8ce3343ad659c4e","after":"95cd4a99e93bc4bbabacfa2cd10e6725b1403c60",< SNIP > }
example.com - - [14/May/2014:07:45:26 EDT] "POST / HTTP/1.1" 200 0
- -> /
```
2017-08-17 22:00:37 +05:30
2021-02-22 17:27:13 +05:30
NOTE:
2021-11-18 22:05:49 +05:30
You may need to [allow requests to the local network ](../../../security/webhooks.md ) for this
receiver to be added.
2021-03-11 19:13:27 +05:30
2021-11-18 22:05:49 +05:30
## Validate payloads by using a secret token
2021-03-11 19:13:27 +05:30
2021-11-18 22:05:49 +05:30
You can specify a secret token to validate received payloads.
The token is sent with the hook request in the
`X-Gitlab-Token` HTTP header. Your webhook endpoint can check the token to verify
that the request is legitimate.
2021-03-11 19:13:27 +05:30
2021-11-18 22:05:49 +05:30
## Filter push events by branch
2021-01-29 00:20:46 +05:30
2023-01-13 00:05:48 +05:30
You can filter push events by branch. Use one of the following options to filter which push events are sent to your webhook endpoint:
- **All branches**: push events from all branches.
- **Wildcard pattern**: push events from a branch that matches a wildcard pattern (for example, `*-stable` or `production/*` ).
2023-03-04 22:38:38 +05:30
- **Regular expression**: push events from a branch that matches a regular expression (for example, `^(feature|hotfix)/` ).
2023-01-13 00:05:48 +05:30
2023-03-04 22:38:38 +05:30
To configure branch filtering for a project or group, see
[Configure a webhook in GitLab ](#configure-a-webhook-in-gitlab ).
2021-01-29 00:20:46 +05:30
2021-11-18 22:05:49 +05:30
## How image URLs are displayed in the webhook body
2021-01-29 00:20:46 +05:30
2021-11-18 22:05:49 +05:30
Relative image references are rewritten to use an absolute URL
in the body of a webhook.
For example, if an image, merge request, comment, or wiki page includes the
following image reference:
2018-11-18 11:00:15 +05:30
```markdown
![image ](/uploads/$sha/image.png )
```
2021-11-18 22:05:49 +05:30
If:
2021-02-22 17:27:13 +05:30
- GitLab is installed at `gitlab.example.com` .
- The project is at `example-group/example-project` .
2018-11-18 11:00:15 +05:30
2021-11-18 22:05:49 +05:30
The reference is rewritten in the webhook body as follows:
2018-11-18 11:00:15 +05:30
```markdown
2018-12-13 13:39:08 +05:30
![image ](https://gitlab.example.com/example-group/example-project/uploads/$sha/image.png )
2018-11-18 11:00:15 +05:30
```
2021-11-18 22:05:49 +05:30
Image URLs are not rewritten if:
2018-11-18 11:00:15 +05:30
2021-11-18 22:05:49 +05:30
- They already point to HTTP, HTTPS, or
protocol-relative URLs.
- They use advanced Markdown features like link labels.
2017-09-10 17:25:29 +05:30
2021-11-18 22:05:49 +05:30
## Events
2017-09-10 17:25:29 +05:30
2021-11-18 22:05:49 +05:30
For more information about supported events for Webhooks, go to [Webhook events ](webhook_events.md ).
2017-09-10 17:25:29 +05:30
2022-11-25 23:54:43 +05:30
## Delivery headers
> `X-Gitlab-Instance` header [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/31333) in GitLab 15.5.
Webhook requests to your endpoint include the following headers:
| Header | Description | Example |
| ------ | ------ | ------ |
| `User-Agent` | In the format `"Gitlab/<VERSION>"` . | `"GitLab/15.5.0-pre"` |
| `X-Gitlab-Event` | Name of the webhook type. Corresponds to [event types ](webhook_events.md ) but in the format `"<EVENT> Hook"` . | `"Push Hook"` |
| `X-Gitlab-Instance` | Hostname of the GitLab instance that sent the webhook. | `"https://gitlab.com"` |
2017-09-10 17:25:29 +05:30
## Troubleshoot webhooks
2022-08-27 11:52:29 +05:30
> **Recent events** for group webhooks [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/325642) in GitLab 15.3.
2021-11-18 22:05:49 +05:30
GitLab records the history of each webhook request.
You can view requests made in the last 2 days in the **Recent events** table.
2017-09-10 17:25:29 +05:30
2023-01-13 00:05:48 +05:30
Prerequisites:
- To troubleshoot project webhooks, you must have at least the Maintainer role for the project.
- To troubleshoot group webhooks, you must have the Owner role for the group.
2021-11-18 22:05:49 +05:30
To view the table:
2017-09-10 17:25:29 +05:30
2022-08-27 11:52:29 +05:30
1. In your project or group, on the left sidebar, select **Settings > Webhooks** .
2021-11-18 22:05:49 +05:30
1. Scroll down to the webhooks.
2022-05-07 20:08:51 +05:30
1. Each [failing webhook ](#failing-webhooks ) has a badge listing it as:
- **Failed to connect** if it is misconfigured, and needs manual intervention to re-enable it.
- **Fails to connect** if it is temporarily disabled and will retry later.
2022-07-16 23:28:13 +05:30
2022-05-07 20:08:51 +05:30
![Badges on failing webhooks ](img/failed_badges.png )
2022-06-21 17:19:12 +05:30
2021-11-18 22:05:49 +05:30
1. Select **Edit** for the webhook you want to view.
2021-02-22 17:27:13 +05:30
2021-11-18 22:05:49 +05:30
The table includes the following details about each request:
2017-09-10 17:25:29 +05:30
2021-11-18 22:05:49 +05:30
- HTTP status code (green for `200` -`299` codes, red for the others, and `internal error` for failed deliveries)
- Triggered event
- Elapsed time of the request
- Relative time for when the request was made
2017-09-10 17:25:29 +05:30
2021-11-18 22:05:49 +05:30
![Recent deliveries ](img/webhook_logs.png )
2017-09-10 17:25:29 +05:30
2021-11-18 22:05:49 +05:30
Each webhook event has a corresponding **Details** page. This page details the data that GitLab sent (request headers and body) and received (response headers and body).
To view the **Details** page, select **View details** for the webhook event.
To repeat the delivery with the same data, select **Resend Request** .
2021-02-22 17:27:13 +05:30
NOTE:
2021-11-18 22:05:49 +05:30
If you update the URL or secret token of the webhook, data is delivered to the new address.
2017-09-10 17:25:29 +05:30
2021-02-22 17:27:13 +05:30
### Unable to get local issuer certificate
2019-07-07 11:18:12 +05:30
2021-11-18 22:05:49 +05:30
When SSL verification is enabled, you might get an error that GitLab cannot
verify the SSL certificate of the webhook endpoint.
Typically, this error occurs because the root certificate isn't
issued by a trusted certification authority as
2019-07-07 11:18:12 +05:30
determined by [CAcert.org ](http://www.cacert.org/ ).
2021-11-18 22:05:49 +05:30
If that is not the case, consider using [SSL Checker ](https://www.sslshopper.com/ssl-checker.html ) to identify faults.
Missing intermediate certificates are common causes of verification failure.
2022-05-07 20:08:51 +05:30
2022-11-25 23:54:43 +05:30
### Webhook fails or multiple webhook requests are triggered
If you are receiving multiple webhook requests, the webhook might have timed out and
been retried.
GitLab expects a response in [10 seconds ](../../../user/gitlab_com/index.md#other-limits ). On self-managed GitLab instances, you can [change the webhook timeout limit ](../../../administration/instance_limits.md#webhook-timeout ).
2022-05-07 20:08:51 +05:30
### Re-enable disabled webhooks
2022-11-25 23:54:43 +05:30
> - Introduced in GitLab 15.2 [with a flag](../../../administration/feature_flags.md) named `webhooks_failed_callout`. Disabled by default.
2023-03-04 22:38:38 +05:30
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/365535) in GitLab 15.7. Feature flag `webhooks_failed_callout` removed.
2022-11-25 23:54:43 +05:30
2022-05-07 20:08:51 +05:30
If a webhook is failing, a banner displays at the top of the edit page explaining
why it is disabled, and when it will be automatically re-enabled. For example:
![A banner for a failing webhook, warning it failed to connect and will retry in 60 minutes ](img/failed_banner.png )
In the case of a failed webhook, an error banner is displayed:
![A banner for a failed webhook, showing an error state, and explaining how to re-enable it ](img/failed_banner_error.png )
To re-enable a failing or failed webhook, [send a test request ](#test-a-webhook ). If the test
request succeeds, the webhook is re-enabled.