Webhooks
Configure webhooks to receive real-time notifications from GitProductivity.
Webhooks
GitProductivity webhooks allow you to receive real-time notifications when events occur in your account. This enables integration with your own systems and automation workflows.
Supported Events
| Event | Description |
|-------|-------------|
| developer.added | A new developer was added to the organization |
| developer.removed | A developer was removed from the organization |
| repository.connected | A new repository was connected |
| repository.disconnected | A repository was disconnected |
| analysis.complete | Repository analysis has been completed |
| metrics.updated | Developer metrics have been updated |
Setting Up Webhooks
Create Webhook Endpoint
Set up an HTTP endpoint on your server to receive webhook events. This endpoint must:
- Accept POST requests
- Return 200 status within 30 seconds
- Be publicly accessible (or use a tunnel for development)
Configure Webhook
In GitProductivity, go to Settings → Webhooks and click Add Webhook.
Enter your endpoint URL and select the events you want to receive.
Verify Setup
After saving, we'll send a test webhook to verify your endpoint is working correctly.
Webhook Payload
Each webhook POST request includes:
{
"id": "evt_123abc",
"type": "developer.added",
"created_at": "2026-03-19T10:30:00Z",
"data": {
"developer_id": "dev_456",
"name": "Jane Doe",
"email": "jane@example.com"
}
}
Security
Signing Payloads
All webhooks are signed with HMAC-SHA256. The signature is included in the X-GitProductivity-Signature header:
X-GitProductivity-Signature: sha256=abc123...
Verify the signature:
import crypto from 'crypto';
function verifyWebhook(payload: string, signature: string, secret: string) {
const expected = crypto
.createHmac('sha256', secret)
.update(payload)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(`sha256=${expected}`)
);
}
Always verify webhook signatures to ensure requests are legitimate.
Retry Policy
If your endpoint returns a non-2xx status or times out, we'll retry the webhook:
- Retry 1: 1 minute after failure
- Retry 2: 5 minutes after failure
- Retry 3: 30 minutes after failure
- Retry 4: 2 hours after failure
- Retry 5: 24 hours after failure
After 5 failed attempts, the webhook is marked as failed and you'll be notified.
Troubleshooting
Webhook Not Delivered
- Check your server logs
- Verify the endpoint is accessible
- Ensure it returns 200 within 30 seconds
Signature Verification Failed
- Check you're using the correct secret
- Verify the signature format (sha256=...)
- Ensure payload hasn't been modified
Example Integration
Here's an example using Express.js:
import express from 'express';
import crypto from 'crypto';
const app = express();
app.use(express.json());
app.post('/webhooks', (req, res) => {
const signature = req.headers['x-gitproductivity-signature'];
const secret = process.env.WEBHOOK_SECRET;
if (!verifySignature(req.body, signature, secret)) {
return res.status(401).json({ error: 'Invalid signature' });
}
const { type, data } = req.body;
switch (type) {
case 'developer.added':
// Handle new developer
break;
case 'repository.connected':
// Handle new repository
break;
}
res.status(200).json({ received: true });
});
Next Steps
- API Reference for programmatic access
- Self-Hosted deployment options