Configuring the GitHub Marketplace webhook

After creating a draft GitHub Marketplace listing, you can configure a webhook that notifies you when changes to customer account plans occur. After you configure the webhook, you can handle the marketplace_purchase event types in your app.

The GitHub Marketplace event webhook can only be set up from your application's GitHub Marketplace listing page. You can configure all other events from your application's developer settings page. If you haven't created a GitHub Marketplace listing, read "Creating a draft GitHub Marketplace listing" to learn how.

Creating a webhook

To create a webhook for your GitHub Marketplace listing, click Webhook in the left sidebar of your GitHub Marketplace listing page. You'll see the following webhook configuration options needed to configure your webhook:

Payload URL

The payload URL is the URL of the server that will receive the webhook POST requests.

Content type

Webhooks can be delivered using different content types:

  • The application/json content type will deliver the JSON payload directly as the body of the POST request.
  • The application/x-www-form-urlencoded content type will send the JSON payload as a form parameter called payload.

Choose the one that best fits your needs. GitHub recommends using the application/json content type.

Secret

Setting a webhook secret allows you to ensure that POST requests sent to the payload URL are from GitHub. When you set a secret, you'll receive the X-Hub-Signature header in the webhook POST request. For more details on how to use the secret and the X-Hub-Signature header to secure your webhook payloads, see "Securing your webhooks."

SSL Verification

If your "Payload URL" is a secure site (HTTPS), you will have the option to configure the SSL verification settings. If your "Payload URL" is not secure (HTTP), GitHub will not display this option. By default, GitHub verifies the SSL certificate of your website when delivering webhook payloads. SSL verification helps ensure that hook payloads are delivered to your URL endpoint securely. You have the option to disable SSL, but we recommend keeping Enable SSL verification selected.

Active

By default, webhook deliveries are "Active." You can choose to disable the delivery of webhook payloads during development by deselecting "Active." If you've disabled webhook deliveries, you will need to select "Active" before you submit your app for review.

Viewing webhook deliveries

Once you've configured your GitHub Marketplace webhook, you'll be able to inspect POST request payloads from the Webhook page of your application's GitHub Marketplace listing. GitHub doesn't resend failed delivery attempts. Ensure your app can receive all webhook payloads sent by GitHub.

Inspect recent GitHub Marketplace webhook deliveries