GitLab Webhooks
How to Test GitLab Webhooks Locally (2026)
GitLab webhooks notify you about pushes, merge requests, issues, pipelines, and more. GitLab authenticates webhooks with a secret token sent in the X-Gitlab-Token header (plaintext); newer projects can use a signing token that adds an HMAC-SHA256 signature.
Signature Header
X-Gitlab-Token
Algorithm
Plaintext secret token (newer signing token adds HMAC-SHA256)
Setup Guide
- 1Create a free HookSense endpoint at hooksense.com
- 2Copy your unique webhook URL
- 3In GitLab → your project → Settings → Webhooks → Add new webhook
- 4Paste your HookSense URL and set a Secret token
- 5Select the trigger events you want (Push, Merge request, Pipeline, etc.)
- 6Click Test → Push events to fire a sample webhook
- 7Watch it land in HookSense in real-time
Common GitLab Webhook Events
Push HookTag Push HookMerge Request HookIssue HookNote HookPipeline HookJob HookDeployment HookForward to Localhost
Use HookSense CLI to forward GitLab webhooks directly to your local development server:
npx hooksense listen -p 3000 --path /api/integrations/gitlabNo ngrok or tunnel setup required. Install with npm i -g hooksense or use npx.
Tips & Best Practices
- The X-Gitlab-Token is a plaintext shared secret — compare it directly (constant-time), don't HMAC it
- Prefer GitLab's newer signing token where available: it adds a real HMAC-SHA256 signature over the payload
- The X-Gitlab-Event header (e.g. 'Merge Request Hook') tells you the type; the body's object_kind echoes it
- Use GitLab's built-in Test button to replay each event type without real repo activity
Related
Start Testing GitLab Webhooks
Create a free endpoint and receive your first GitLab webhook in seconds.
Get Started Free