Introducing Webhook Signatures!

Webhook notifications are one of the most popular notifications we offer, providing users with many opportunities to customize what happens after the build.

Originally, the hook was verified using the Authorization header value based on the repository’s name, and the user token.

Under certain circumstances the token may be invalid for use, resulting in invalid webhook delivery.

Today we are happy to introduce a more robust and reliable verification process using private/public key signing!

The signature comes in the form of the custom Signature HTTP header.

The old method will be removed on November 1, 2016

On November 1, 2016, the old method will be removed.

Your webhook endpoint should be updated to handle the new method, as described here.

If you have questions regarding this change, please email us at

Happy testing!