Webhooks

Webhooks let external systems receive real-time notifications about events in Axoria. When an event occurs, Axoria sends an HTTP POST request to the configured URL with a signed JSON payload.

Access in Settings → Webhooks.

Creating a Webhook

1. Click + New Webhook.
2. Fill in:
   • URL - endpoint that will receive events (should be HTTPS in production)
   • Secret - string used to sign the payload (HMAC-SHA256). Store it securely.
   • Events - select which events trigger this webhook
   • Name - descriptive identifier (optional)
3. Save.

Available Events

Payload Format

{
  "event": "status.changed",
  "payload": {
    "issue": {
      "id": "...",
      "key": "SHOP-42",
      "title": "Fix checkout bug",
      "type": "BUG",
      "priority": "HIGH",
      "status": "In Review"
    }
  }
}

The payload is always an object with event (string) and payload (object with event data).

Verifying the Signature

Every payload includes the headers:

X-Axoria-Signature: sha256=<base64-hash>
X-Axoria-Event: status.changed

The signature is sha256= followed by the Base64 encoding of the HMAC-SHA256 of the request body.

To verify authenticity:

import hmac, hashlib, base64

def verify(secret: str, payload: bytes, signature: str) -> bool:
    mac = hmac.new(secret.encode(), payload, hashlib.sha256)
    expected = "sha256=" + base64.b64encode(mac.digest()).decode()
    return hmac.compare_digest(expected, signature)

const crypto = require('crypto');

function verify(secret, payload, signature) {
  const hmac = crypto.createHmac('sha256', secret);
  hmac.update(payload);
  const expected = 'sha256=' + hmac.digest('base64');
  return crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(signature));
}

Never process the payload without verifying the signature.