Back to home

How to Test GitHub Webhooks

Capture GitHub deliveries, inspect X-GitHub-Event headers, and validate X-Hub-Signature-256 safely.

Last updated: 2026-06-24

Testing GitHub webhooks is easiest when you can see the event headers, raw JSON payload, and X-Hub-Signature-256 value side by side.

Steps

  1. Create a webhook URL in WebhookPilot.
  2. Add it to your GitHub repository or organization.
  3. Trigger a push or ping event.
  4. Inspect the event type and delivery payload.
  5. Verify the GitHub HMAC header with your secret.

Example

curl -X POST "https://your-domain.com/hook/github-test" \
  -H "Content-Type: application/json" \
  -H "X-GitHub-Event: push" \
  -H "X-Hub-Signature-256: sha256=test" \
  -d '{"ref":"refs/heads/main","repository":{"full_name":"demo/repo"}}'

Common mistakes

  • Verifying against parsed JSON instead of the raw body
  • Forgetting that GitHub retries failed deliveries
  • Ignoring the event header and guessing from the payload alone

FAQ

Which header identifies the GitHub event?

X-GitHub-Event tells you whether the request is push, ping, pull_request, and so on.

Which header carries the signature?

X-Hub-Signature-256 contains the HMAC digest.

See GitHub X-Hub-Signature-256 verification for the exact flow.