Skip to main content

Overview

Webhooks allow you to build or set up integrations that subscribe to specific events in your Gitea repositories. When an event is triggered, Gitea sends an HTTP POST payload to the webhook’s configured URL. Webhooks can be configured to trigger for specific events or all repository events.

Webhook Types

Gitea supports multiple webhook formats for integration with various platforms:
  • Gitea - Native Gitea webhook format
  • Gogs - Gogs-compatible webhook format
  • Slack - Slack notifications
  • Discord - Discord channel notifications
  • DingTalk - DingTalk group notifications
  • Telegram - Telegram bot messages
  • Microsoft Teams - Teams channel notifications
  • Feishu - Feishu/Lark notifications
  • Matrix - Matrix room notifications
  • WeCom - WeChat Work notifications
  • Packagist - Packagist package updates

Event Types

Webhooks can be configured to trigger on the following events: Reference: modules/webhook/type.go:10-43

Creating a Webhook

Webhook Configuration

HTTP Method

By default, webhooks use POST requests. You can configure a custom HTTP method if needed:
Reference: models/webhook/webhook.go:129

Content Types

Webhooks support two content types:
  • JSON (application/json) - Recommended format, payload sent as JSON
  • Form (application/x-www-form-urlencoded) - Payload sent as form data

Authorization Headers

You can configure custom authorization headers for webhooks:
The authorization header is encrypted and stored securely in the database. Reference: models/webhook/webhook.go:209-229

Webhook Payloads

All webhook payloads follow a consistent structure with event-specific data.

Push Event

Reference: modules/structs/hook.go:298-325

Issue Event

Reference: modules/structs/hook.go:384-405

Pull Request Event

Reference: modules/structs/hook.go:427-452

Create Event

Reference: modules/structs/hook.go:155-172

Webhook Security

Secret Token Validation

When you set a secret token for your webhook, Gitea signs the payload with HMAC-SHA256 and includes the signature in the request headers:
Validate the signature in your webhook handler:

Request Headers

Webhook requests include identifying headers:

Branch Filtering

You can configure webhooks to trigger only for specific branches using glob patterns:
Reference: models/webhook/webhook.go:25

Webhook Delivery Status

Webhooks have three possible delivery statuses:
  • None - Not yet delivered
  • Succeed - Successfully delivered (2xx response)
  • Fail - Delivery failed (non-2xx response or network error)
Reference: modules/webhook/type.go:133-141

Viewing Delivery History

Each webhook maintains a delivery history showing:
  • Request payload
  • Response status code
  • Response body
  • Delivery timestamp
  • Delivery duration
You can redeliver any previous webhook event from the delivery history.

System Webhooks

Administrators can create system-level webhooks that trigger for events across all repositories:
  1. Navigate to Site Administration
  2. Click System Webhooks
  3. Configure webhook with the same options as repository webhooks
System webhooks are useful for:
  • Organization-wide event monitoring
  • Security auditing
  • Automated backups
  • External analytics
Reference: models/webhook/webhook.go:127

Troubleshooting

Webhook Not Triggering

  • Verify the webhook is Active
  • Check that the event type is enabled in webhook settings
  • Verify branch filter matches the pushed branch
  • Check webhook delivery history for errors

Timeout Errors

  • Webhook endpoints must respond within the configured timeout
  • Use asynchronous processing for long-running tasks
  • Return 2xx response immediately, process in background

Authentication Failures

  • Verify secret token matches on both sides
  • Check authorization header format
  • Ensure HTTPS is used for secure token transmission

Best Practices

  1. Use HTTPS: Always use HTTPS endpoints for webhooks to protect secrets and payload data
  2. Validate signatures: Always verify the webhook signature before processing payloads
  3. Respond quickly: Return HTTP 2xx response immediately, process asynchronously
  4. Handle retries: Implement idempotency to handle duplicate deliveries
  5. Log deliveries: Maintain logs of webhook deliveries for debugging
  6. Use specific events: Subscribe only to needed events to reduce noise
  7. Secure secrets: Store webhook secrets securely, rotate regularly

API Reference

Manage webhooks programmatically using the Gitea API:
Reference: modules/structs/hook.go:48-83