Skip to content
Latchkey

Jira webhook secret / signature mismatch in CI

When Jira automation posts to a CI or receiver endpoint with a shared secret header, the receiver must compare that secret exactly. A mismatched or unset secret makes the receiver reject the webhook, so the pipeline never triggers.

What this error means

The receiver logs a 401/403 for the incoming Jira automation webhook, or CI never triggers, because the secret header does not match what the receiver expects.

Webhook
POST /jira-hook 401
reason: X-Automation-Webhook secret header did not match expected value

Common causes

The shared secret differs between sender and receiver

The secret configured in the Jira automation rule header does not match the value the receiver validates against, so the request is rejected.

The secret is not sent or not stored as a secret

The automation rule omits the header, or the receiver reads it from the wrong place, so validation always fails.

How to fix it

Align the secret on both ends

  1. Store one shared secret and configure the automation rule to send it in a header.
  2. Have the receiver read the same secret from its own CI secret store.
  3. Compare the header to the expected value before triggering CI.
Terminal
if [ "$INCOMING_SECRET" != "$EXPECTED_WEBHOOK_SECRET" ]; then
  echo "webhook secret mismatch"; exit 1
fi

Rotate and update in one place

Change the secret in the automation rule and the receiver together, keeping the value only in secret stores.

How to prevent it

  • Keep the webhook secret identical in the rule and the receiver.
  • Store it only in secret stores, never in code or logs.
  • Compare with a constant-time check and reject on mismatch.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →