Webhooks

Webhooks allow an external service to deliver a signed event to AeThex.

Field Value
Documentation status Active
Current uses Signed deployment events and Discord interactions
Last source review 2026-06-26

Deployment webhooks

The AeThex API currently exposes signed deployment webhook handlers for selected repositories.

The receiver:

  1. Reads the signature from the configured Gitea or GitHub signature header.
  2. Computes an HMAC SHA-256 value using the shared webhook secret.
  3. Rejects an invalid signature with 401.
  4. Ignores branches other than main.
  5. Acknowledges the accepted event before starting the deployment script.

Deployment webhook URLs and secrets are operational credentials and are not published here.

Discord interactions

Discord sends interactions to /discord/interactions.

The receiver verifies:

  • x-signature-ed25519.
  • x-signature-timestamp.
  • The raw request body.

Invalid requests return 401. Valid Discord ping requests receive the required handshake response.

Receiver checklist

  • Read and preserve the raw body when the provider signs raw bytes.
  • Verify the signature before processing the payload.
  • Compare signatures safely.
  • Reject stale timestamps when the provider supports replay protection.
  • Return quickly and move long work to a background process.
  • Make repeated deliveries idempotent.
  • Never log active webhook secrets.
  • Rotate secrets after suspected exposure.

Delivery behavior

Clients should expect:

  • Duplicate delivery.
  • Out-of-order delivery.
  • Network timeout after the receiver accepted the event.
  • Provider retries.

Use a provider event ID or another idempotency key when mutating state.

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9