Jira webhook secret / signature mismatch in CI
When Jira automation posts to a CI or receiver endpoint with a shared secret header, the receiver must compare that secret exactly. A mismatched or unset secret makes the receiver reject the webhook, so the pipeline never triggers.
What this error means
The receiver logs a 401/403 for the incoming Jira automation webhook, or CI never triggers, because the secret header does not match what the receiver expects.
POST /jira-hook 401
reason: X-Automation-Webhook secret header did not match expected valueCommon causes
The shared secret differs between sender and receiver
The secret configured in the Jira automation rule header does not match the value the receiver validates against, so the request is rejected.
The secret is not sent or not stored as a secret
The automation rule omits the header, or the receiver reads it from the wrong place, so validation always fails.
How to fix it
Align the secret on both ends
- Store one shared secret and configure the automation rule to send it in a header.
- Have the receiver read the same secret from its own CI secret store.
- Compare the header to the expected value before triggering CI.
if [ "$INCOMING_SECRET" != "$EXPECTED_WEBHOOK_SECRET" ]; then
echo "webhook secret mismatch"; exit 1
fiRotate and update in one place
Change the secret in the automation rule and the receiver together, keeping the value only in secret stores.
How to prevent it
- Keep the webhook secret identical in the rule and the receiver.
- Store it only in secret stores, never in code or logs.
- Compare with a constant-time check and reject on mismatch.