
Webhook Security

When you set up automatic synchronization, your repository sends Fenergo a notification every time you push code. Because that notification arrives from the public internet, Fenergo needs a way to be sure each one genuinely came from your repository — and not from someone else. This page explains, in plain terms, how that works and what you need to do.

How notifications are trusted

The webhook notification does not use a Fenergo login. Instead, it relies on a shared secret:

  1. Fenergo generates a unique webhook secret for your repository.
  2. You enter that same secret when you set up the webhook in GitHub.
  3. Every time GitHub sends a notification, it uses the secret to add a tamper-proof signature.
  4. Fenergo checks that signature on arrival. If it matches, the notification is trusted and the library is synchronized. If it doesn't match, the notification is rejected.

Because only your repository and Fenergo know the secret, no one else can send a notification that Fenergo will accept.

Info: The signature check is one of two layers of protection. Fenergo also only accepts notifications that arrive from GitHub's own network addresses — see Webhook IP Allow-Listing.

The webhook secret

The secret is what keeps automatic synchronization safe. A few important points:

  • Unique to each repository – every connected repository has its own secret. If one secret were ever exposed, it would not affect any of your other repositories.
  • Stored securely – the secret is kept in secure storage and is never shown in notifications or in any list of your repositories.
  • Shown once, when you need it – you obtain the secret from the Webhook Info action on the Repositories page, ready to paste into GitHub. You can return to Webhook Info at any time to copy it again.

Note: GitHub only adds a signature when a secret is configured on the webhook. If you leave the secret blank in GitHub, Fenergo will reject the notifications.

What happens to each notification

When a notification arrives, Fenergo does a few quick checks before doing any work:

Outcome and what it means:

  • Accepted – The signature was valid. The change has been queued for synchronization — or it was a notification Fenergo safely ignores (for example, an event other than a code push).
  • Rejected (not authorised) – The signature was missing or didn't match. This usually means the secret in GitHub doesn't match the one from Webhook Info.
  • Rejected (invalid request) – The notification was empty or wasn't in an expected format.

For security reasons, a rejected notification does not explain exactly why it failed — this avoids giving away any useful information to a bad actor.

A successful notification is acknowledged immediately, and the actual update happens in the background. A new published version of the library is created only if the tracked file has actually changed.
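The checks described above, as an added example (not Fenergo's own code): it assumes GitHub's documented signing scheme, an HMAC-SHA256 hex digest of the raw request body carried in the X-Hub-Signature-256 header with a "sha256=" prefix, and the event name in X-GitHub-Event. The outcome names are the three from the list above; the internal detail strings and the generic reply text are constructed for illustration.

```python
import hashlib
import hmac
import json

# The three outcomes listed on this page.
ACCEPTED = "Accepted"
NOT_AUTHORISED = "Rejected (not authorised)"
INVALID_REQUEST = "Rejected (invalid request)"
GENERIC_REJECTION = "Webhook delivery rejected."  # same text for every rejection


def sign_payload(secret: str, body: bytes) -> str:
    """Value GitHub places in X-Hub-Signature-256: 'sha256=' + HMAC-SHA256 hex over the raw body."""
    mac = hmac.new(secret.encode("utf-8"), body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def classify_delivery(secret: str, headers: dict, body: bytes) -> tuple:
    """Return (outcome, internal_detail). The detail is for your own logs only;
    http_reply() decides what the sender is told."""
    presented = headers.get("X-Hub-Signature-256")
    if not presented:
        # GitHub only signs when a secret is configured on the webhook.
        return NOT_AUTHORISED, "no signature header"
    expected = sign_payload(secret, body)
    # Constant-time comparison over bytes: a plain == would leak, via timing,
    # how many leading characters of a guessed signature were correct.
    if not hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8")):
        return NOT_AUTHORISED, "signature mismatch"
    # Only now, with authenticity established, is the body worth parsing.
    if not body:
        return INVALID_REQUEST, "empty body"
    try:
        event = json.loads(body)
    except ValueError:
        return INVALID_REQUEST, "body is not JSON"
    if not isinstance(event, dict):
        return INVALID_REQUEST, "unexpected payload shape"
    if headers.get("X-GitHub-Event") != "push":
        return ACCEPTED, "ignored (not a push event)"
    return ACCEPTED, "queued for synchronization"


def http_reply(outcome: str) -> tuple:
    """Map an outcome to (status, message). Both rejections share one status and
    one message so the response never reveals which check failed."""
    if outcome == ACCEPTED:
        return 202, "Accepted"  # acknowledged now; the sync itself runs in the background
    return 400, GENERIC_REJECTION
```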

Setting up the secret in GitHub

  1. On the Repositories page, open the Webhook Info action for your repository and copy the webhook URL and secret.
  2. In GitHub, go to Repository → Settings → Webhooks → Add webhook and enter:
    • Payload URL – the webhook URL from step 1.
    • Content type – application/json (recommended).
    • Secret – the secret from step 1.
    • Events – "Just the push event".
  3. Save. From now on, GitHub signs every notification with the secret, and Fenergo verifies it on arrival.

For the full end-to-end setup, see GitHub Setup & Troubleshooting.

Good practice

  • Keep the secret private. Treat it like a password — only share it with people who manage the repository's webhook settings.
  • Rotate it if you suspect it was exposed. If you ever need a fresh secret, contact your Fenergo administrator, and update the webhook in GitHub to match.
  • Use the same secret on both sides. The secret in GitHub must match the one shown in Webhook Info exactly — extra spaces or a partial copy will cause notifications to be rejected.

Troubleshooting

Symptom, likely cause and fix:

  • Notifications are rejected as "not authorised"
    Likely cause: The secret in GitHub doesn't match, or no secret is set in GitHub.
    Fix: Re-copy the secret from Webhook Info and make sure GitHub has the exact same secret configured.
  • GitHub shows deliveries but Fenergo never updates
    Likely cause: The webhook URL or content type is wrong.
    Fix: Use the exact URL from Webhook Info and set the content type to application/json.
  • A push is accepted but no new version appears
    Likely cause: The tracked file or branch didn't change.
    Fix: Only changed content creates a new version. Confirm the file path and branch, then try a manual sync.
  • Automatic synchronization seems unavailable
    Likely cause: The feature isn't enabled for your tenant.
    Fix: Contact your Fenergo administrator to enable Repository Connections and automatic synchronization.