DeployHQ will automatically add a webhook to your repository so you can [deploy your code from GitHub automatically](https://www.deployhq.com/deploy-from-github), however if you've changed repository details you'll need add it manually.

Before you can add your webhook to GitHub, you'll need to [retrieve it](https://www.deployhq.com/support/deployments/automatic-deployments#getting-the-webhook-url-for-a-project) from your DeployHQ project.

Open your repository up in GitHub (there's a shortcut at the top of DeployHQ labelled "Browse Repository") and click the **Settings** tab at the top of the screen. Next click **Webhooks** on the left hand side, then **Add webhook** at the top:

{screenshot: 115}

Enter the URL from DeployHQ into the **Payload URL**, select **application/x-www-form-urlencoded** as the Content type and hit **Add webhook**.

### Verifying webhook payloads with the GitHub "Secret" field

GitHub's webhook configuration includes an optional **Secret** field, which, when set, causes GitHub to sign each payload with HMAC-SHA256 and send the signature in the `X-Hub-Signature-256` request header.

By default, DeployHQ authenticates incoming webhook requests using the unguessable `auto_deploy_key` token embedded in the webhook URL itself — that token is what proves the request belongs to your project.

DeployHQ can also **optionally verify the GitHub payload signature** for an additional layer of security. This is useful if your organisation treats the URL-as-secret model as too weak (for example under SOC 2 or other compliance requirements), because the webhook URL can end up in `git push` logs, GitHub's webhook delivery history, screenshots, and support tickets. With signature verification enabled, a leaked URL alone cannot trigger a deployment without the signing secret.

#### Turning on signature verification

1. In DeployHQ, open your project and go to **Settings -> Automatic Deployments**.
2. In the **Webhook secret** field, enter a strong random secret and save it.
3. In GitHub, open your repository's **Settings -> Webhooks**, edit the DeployHQ webhook, and enter the **same** value in the **Secret** field.

Once both sides share the secret, DeployHQ verifies the `X-Hub-Signature-256` header (and the legacy `X-Hub-Signature` SHA-1 header, for older configurations) on every incoming webhook. Requests with a missing or incorrect signature are rejected with a `401` response, and the rejection is recorded in the **Recently Received Hooks** list on the Automatic Deployments page so you can diagnose a mismatch without contacting support.

Leaving the **Webhook secret** field blank keeps the existing URL-only behaviour — no existing webhooks are affected unless you opt in.

#### Notes

* Treat the webhook URL as a secret even with signature verification enabled — do not paste it into public issues, screenshots, or third-party services
* If you suspect a webhook URL has been exposed, contact support@deployhq.com to have a new URL issued for the project so the old one stops working
* GitLab webhooks can be verified the same way using GitLab's **Secret token** (sent as the `X-Gitlab-Token` header). Bitbucket Cloud does not sign webhook payloads, so signature verification is not available for Bitbucket repositories