# Webhook Secrets

> **TL;DR.** A webhook secret is a shared string used to authenticate webhook deliveries: the sender computes an HMAC signature over the payload with the secret and sends it in a header like `X-Hub-Signature-256`; the receiver recomputes and rejects mismatches.

- **Category:** Security / DevOps / Incident Response
- **Stage:** validating
- **Age:** 50 days
- **Origin date:** 2026-04-14
- **First detected:** 2026-04-16
- **Canonical URL:** https://earlyterms.com/term/webhook-secrets
- **Sources:** 8 primary URLs

## Definition

A webhook secret is a shared string used to authenticate webhook deliveries: the sender computes an HMAC signature over the payload with the secret and sends it in a header like `X-Hub-Signature-256`; the receiver recomputes the HMAC over the raw request body and rejects any mismatch. The mechanism itself is not new. What is emerging is an incident category around accidental exposure of the secret, rotation hygiene, and leak detection in receiver-side logs.

The specific event is the [GitHub webhook secret exposure](https://www.samdjames.uk/blog/github-webhook-secret-exposure/) disclosed April 14, 2026 (advisory GH-9951654-7992-a1). A feature-flagged GitHub bug included the receiver's webhook secret, base64-encoded (not encrypted), in an `X-Github-Encoded-Secret` header on a subset of deliveries between Sep 11, 2025 and Dec 10, 2025 (and briefly on Jan 5, 2026). The bug was fixed on Jan 26, 2026; customers were notified [eleven weeks later](https://news.ycombinator.com/item?id=47770975).
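
The verification step described above, as an added example rather than GitHub's own code. The `sha256=<hex>` header format follows GitHub's validation docs (source 7); the secrets, payloads and the `leak_scenario` walkthrough are constructed for illustration. The walkthrough also shows why a leaked secret has to be rotated: whoever read it out of a logged header can sign arbitrary payloads that pass the check until the secret changes.

```python
import hashlib
import hmac
from typing import Optional


def sign(secret: str, body: bytes) -> str:
    """Sender side: the value GitHub puts in X-Hub-Signature-256 is
    'sha256=' followed by the hex HMAC-SHA256 of the raw request body."""
    mac = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return "sha256=" + mac


def verify(secret: str, body: bytes, signature_header: Optional[str]) -> bool:
    """Receiver side: recompute over the raw bytes (not a re-serialised JSON
    object) and compare in constant time. A missing or malformed header fails closed."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = sign(secret, body)
    # Compare as bytes so a non-ASCII header value cannot raise TypeError.
    return hmac.compare_digest(expected.encode("ascii"), signature_header.encode("utf-8"))


def leak_scenario() -> dict:
    """Walk through why a leaked secret must be rotated, not merely kept quiet.
    Every value here is constructed for the example (hypothetical secrets and payloads)."""
    old_secret = "s3cr3t-old"       # hypothetical secret configured on the receiver
    new_secret = "s3cr3t-rotated"   # hypothetical replacement after rotation
    body = b'{"action":"opened","repository":{"full_name":"example/repo"}}'
    genuine_sig = sign(old_secret, body)

    # Someone who read old_secret out of a logged X-Github-Encoded-Secret header
    # can sign any payload they like, and it verifies exactly like a genuine delivery.
    forged_body = b'{"action":"completed","conclusion":"success"}'
    forged_sig = sign(old_secret, forged_body)

    return {
        "genuine_verifies": verify(old_secret, body, genuine_sig),
        "tampered_body_rejected": not verify(old_secret, body + b"\n", genuine_sig),
        "forged_with_leaked_secret_verifies": verify(old_secret, forged_body, forged_sig),
        "forged_rejected_after_rotation": not verify(new_secret, forged_body, forged_sig),
    }


if __name__ == "__main__":
    for check, ok in leak_scenario().items():
        print(f"{check}: {ok}")
```

The two details receivers most often get wrong are both in `verify`: hashing a re-serialised JSON object instead of the raw bytes (canonicalisation differences silently break the match), and comparing with `==` instead of `hmac.compare_digest`.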

## Example

CircleCI published an 'Action Required' advisory on April 14, 2026 instructing every customer with a GitHub OAuth project trigger to delete and recreate it so a fresh webhook secret is generated. Third-party receivers that logged full request headers to Datadog, New Relic, or Sentry during the affected window are now being told to purge those logs and rotate any secret that appeared under `X-Github-Encoded-Secret`.
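
One way to do the log check the advisory implies, as an added example and not CircleCI's or GitHub's tooling. It assumes only what the page states: the leaked header is named `X-Github-Encoded-Secret` and carries the base64 of the plaintext secret. The log line format, the known-secret inventory and the sample lines are constructed; in practice the lines would be an export from whichever log platform stored the request headers. The scan returns which lines to purge and which configured secrets actually appeared, so the rotation list is based on evidence rather than on rotating everything blindly; values that do not decode, or decode to a secret not in the inventory, are still flagged for purge.

```python
import base64
import binascii
import hmac
import re
from typing import Dict, Iterable, List, Optional

# Header name from the GitHub advisory; matched case-insensitively because proxies
# and log pipelines frequently lower-case header names. Accepts 'Name: value',
# 'Name=value' and JSON-style '"Name": "value"' renderings.
LEAK_HEADER_RE = re.compile(
    r'x-github-encoded-secret["\']?\s*[:=]\s*["\']?([A-Za-z0-9+/=]+)', re.IGNORECASE
)


def decode_leaked_value(value: str) -> Optional[bytes]:
    """Base64-decode the header value; None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_logged_headers(lines: Iterable[str], known_secrets: Dict[str, str]) -> Dict[str, List]:
    """Scan stored request-header log lines for the leaked header.

    known_secrets maps a hypothetical endpoint name to its currently configured
    webhook secret. Returns line indexes to purge, endpoint names whose secret was
    seen in the logs (must be rotated), and lines whose value did not decode or
    matched no configured secret (still purge; investigate separately)."""
    report: Dict[str, List] = {
        "purge_lines": [],
        "rotate": [],
        "unmatched_lines": [],
        "undecodable_lines": [],
    }
    for idx, line in enumerate(lines):
        m = LEAK_HEADER_RE.search(line)
        if not m:
            continue
        report["purge_lines"].append(idx)
        raw = decode_leaked_value(m.group(1))
        if raw is None:
            report["undecodable_lines"].append(idx)
            continue
        matched = [
            name for name, secret in known_secrets.items()
            if hmac.compare_digest(raw, secret.encode("utf-8"))
        ]
        if not matched:
            report["unmatched_lines"].append(idx)
        for name in matched:
            if name not in report["rotate"]:
                report["rotate"].append(name)
    return report


def _b64(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


# Constructed sample log lines, not real captured traffic. Lines 0 and 3 carry the
# leaked header, line 2 carries a value that is not valid base64, line 1 is clean.
SAMPLE_LOG = [
    '2025-10-03T12:00:01Z POST /hooks/github headers={"X-GitHub-Event": "push", '
    '"X-Hub-Signature-256": "sha256=deadbeef", "X-Github-Encoded-Secret": "' + _b64("s3cr3t-old") + '"}',
    '2025-10-03T12:00:02Z POST /hooks/github headers={"X-GitHub-Event": "ping", '
    '"X-Hub-Signature-256": "sha256=cafef00d"}',
    '2025-10-04T08:15:09Z POST /hooks/billing headers={"x-github-encoded-secret": "not*base64"}',
    '2025-10-05T09:00:00Z POST /hooks/github headers={"X-Github-Encoded-Secret": "' + _b64("unknown-secret") + '"}',
]

# Hypothetical inventory of endpoint name -> currently configured secret.
KNOWN_SECRETS = {"prod-github": "s3cr3t-old", "staging-github": "st4g1ng-secret"}


if __name__ == "__main__":
    result = scan_logged_headers(SAMPLE_LOG, KNOWN_SECRETS)
    print("purge log lines:", result["purge_lines"])
    print("rotate secrets for:", result["rotate"])
    print("unmatched (not in inventory):", result["unmatched_lines"])
    print("undecodable values:", result["undecodable_lines"])
```

A line whose decoded value matches nothing in the inventory is the interesting case for incident response: it usually means a secret that was already rotated, an endpoint missing from the inventory, or a secret belonging to another team's receiver behind the same log pipeline.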

## Analogy

The password that sender and receiver share to seal an envelope: GitHub's bug printed that password on the outside of some of the envelopes for roughly three months.

## Why it's emerging now

GitHub emailed customers on April 14, 2026 that webhook secrets leaked in the `X-Github-Encoded-Secret` header Sep 2025–Jan 2026 — disclosed eleven weeks after the Jan 26 fix. The disclosure gap, verbatim HN reposts, and CircleCI's 'Action Required' cascade put the term into general developer circulation within 24 hours.

## Related terms

- *child:* X-Github-Encoded-Secret
- *child:* GH-9951654-7992-a1
- *parent:* HMAC signature verification
- *related:* webhook signature
- *related:* secret rotation
- *related:* secret scanning
- *related:* Gitleaks
- *related:* TruffleHog
- *competitor:* GitGuardian
- *related:* CircleCI webhook rotation
- *related:* responsible disclosure

## Sources

1. [Hacker News — Tell HN: GitHub might have been leaking your webhook secrets](https://news.ycombinator.com/item?id=47767928)
2. [Hacker News — GitHub gave webhook secrets away in webhook call (full email text)](https://news.ycombinator.com/item?id=47770975)
3. [Sam James — GitHub Webhook Secret Exposure (GH-9951654-7992-a1)](https://www.samdjames.uk/blog/github-webhook-secret-exposure/)
4. [Exploitr — Alert: GitHub Bug Exposed Webhook Secrets to Recipient Endpoints](https://exploitr.com/articles/alert-github-bug-exposed-webhook-secrets-to-recipient-endpoints/)
5. [BeyondMachines — GitHub Webhook Secret Exposure incident summary](https://beyondmachines.net/event_details/github-webhook-secret-exposure-incident-secrets-inadvertently-leaked-in-http-headers-between-september-2025-and-january-2026-l-j-3-7-t)
6. [CircleCI — GitHub Webhook Secret Exposure: Action Required for GitHub OAuth Projects](https://discuss.circleci.com/t/github-webhook-secret-exposure-action-required-for-github-oauth-projects/54526)
7. [GitHub Docs — Validating webhook deliveries](https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries)
8. [Gist — ltrgoddard: GitHub webhook secrets leaked in headers](https://gist.github.com/ltrgoddard/7abfc8e4123e403505dfbe767a2487ab)

---
_Generated by EarlyTerms · https://earlyterms.com/term/webhook-secrets_
