Regarding GitHub webhooks, "HTTP requests made to your webhook's configured URL endpoint will contain several special headers" including X-Hub-Signature which is the "HMAC hex digest of the payload, using the hook's secret as the key". https://developer.github.com/webhooks/#payloads
When using AWS API Gateway, you'd ideally want to confirm the request came from GitHub using an authorizer function for the endpoint, by generating the HMAC hex digest of the payload and comparing it to the value in the X-Hub-Signature header. The problem is, the payload doesn't seem to be passed to the authorizer function, so it's impossible to generate the HMAC hex digest of it.
Am I missing something (in relation to getting access to the payload in the authorizer function) or is this a bit of a compatibility issue between GitHub webhooks and AWS API Gateway?
At the moment you cannot access the payload in the authorizer. We would like to explore various solutions for signature verification in general (including without an authorizer), but I don't have an ETA for that.
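Since the authorizer never sees the body, the check described in the question has to run in the integration Lambda itself. The following is an added example (not code from either poster, GitHub or AWS): a Lambda proxy handler that recomputes the HMAC-SHA1 over the raw bytes API Gateway delivered and compares it to X-Hub-Signature in constant time. The secret, the `sample_event` helper and the event shapes are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret; a real deployment reads it from the environment or a secrets store.
WEBHOOK_SECRET = b"constructed-example-secret"


def raw_body(event: dict) -> bytes:
    """Return the body exactly as GitHub sent it.

    The HMAC must be taken over the original bytes, never over a re-serialised
    JSON object. With the Lambda proxy integration, API Gateway may base64-encode
    the body and flags that with isBase64Encoded.
    """
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):
        return base64.b64decode(body)
    return body.encode("utf-8")


def expected_signature(secret: bytes, body: bytes) -> str:
    # X-Hub-Signature is "sha1=" followed by the hex HMAC-SHA1 of the payload keyed with the hook secret.
    return "sha1=" + hmac.new(secret, body, hashlib.sha1).hexdigest()


def verify_github_signature(event: dict, secret: bytes = WEBHOOK_SECRET) -> bool:
    # Header names are matched case-insensitively; proxies often change their casing.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    provided = headers.get("x-hub-signature", "")
    if not provided.startswith("sha1="):
        return False
    # compare_digest avoids leaking how many leading characters matched via timing.
    return hmac.compare_digest(provided, expected_signature(secret, raw_body(event)))


def handler(event: dict, context=None) -> dict:
    """Lambda proxy handler: reject unsigned or mis-signed deliveries before parsing the payload."""
    if not verify_github_signature(event):
        return {"statusCode": 401, "body": json.dumps({"error": "invalid X-Hub-Signature"})}
    payload = json.loads(raw_body(event))
    return {"statusCode": 200, "body": json.dumps({"received_keys": sorted(payload)})}


def sample_event(body: bytes, sign: bool = True, b64: bool = False) -> dict:
    """Constructed API Gateway proxy event resembling a GitHub 'ping' delivery."""
    headers = {"Content-Type": "application/json", "X-GitHub-Event": "ping"}
    if sign:
        headers["X-Hub-Signature"] = expected_signature(WEBHOOK_SECRET, body)
    wire = base64.b64encode(body).decode("ascii") if b64 else body.decode("utf-8")
    return {"headers": headers, "body": wire, "isBase64Encoded": b64}
```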