Webhook Secrets

Atlantis uses Webhook secrets to validate that the webhooks it receives from your Git host are legitimate.

One way to confirm this would be to whitelist requests to only come from the IPs of your Git host but an easier way is to use a Webhook Secret.


Webhook secrets are actually optional. However they're highly recommended for security.


Azure DevOps uses Basic authentication for webhooks rather than webhook secrets.


Bitbucket.org does not support webhook secrets. To mitigate, use repo whitelists and IP whitelists. See Security for more information.

Generating A Webhook Secret

You can use any random string generator to create your Webhook secret. It should be > 24 characters.

For example:


You must use the same webhook secret for each repo.

Next Steps