Service hooks and webhooks

What ADO Pilot installs in your Azure DevOps organization, where to find it, and how the webhook authentication model works.

Last updated

When you connect ADO Pilot to your Azure DevOps organization, the onboarding wizard creates two service hook subscriptions per project — one for git.pullrequest.created, one for git.pullrequest.updated. Those subscriptions are how Azure DevOps tells ADO Pilot that a pull request needs reviewing. This page explains what they are, where to find them, and how they authenticate.

What gets installed

For every Azure DevOps project ADO Pilot reviews, two subscriptions are created with the consumer labeled ADO Pilot (the publisher is Azure DevOps's own built-in Git/Azure Repos event source):

SubscriptionEvent IDTriggers when
PR createdgit.pullrequest.createdAny new pull request is opened in the project.
PR updatedgit.pullrequest.updatedA push lands on a PR's source branch (not on title or reviewer-list edits).

The "PR updated" subscription is filtered to commit-push events. ADO Pilot does not re-review when someone edits the PR title, reassigns reviewers, or replies in a thread.

Why two subscriptions

Azure DevOps emits separate events for "PR was opened" and "the PR's source branch got new commits". The first triggers your initial review; the second triggers a re-review on every push so your status check stays current as you address feedback.

How subscriptions are created

The onboarding wizard creates subscriptions automatically during provisioning. There is no other supported path for creating or updating subscriptions — the ADO Pilot Settings Hub is read-only and cannot create or modify them.

Where to find them in Azure DevOps

  1. Open your Azure DevOps project.
  2. Go to Project settings → Service Hooks → Subscriptions.
  3. Scroll the list until you see the two rows whose consumer is ADO Pilot — the publisher column shows Azure DevOps's built-in Git/Azure Repos event source, not ADO Pilot.

You should see exactly two ADO Pilot rows per project. Each row shows the event type, when it last fired, and a green or red status indicator. Click into a row and open the History tab to see recent delivery attempts and their HTTP response codes.

How the webhooks authenticate

Azure DevOps service hooks do not support HMAC-signed payloads, so ADO Pilot cannot verify event authenticity the way GitHub webhooks do. Instead, each subscription carries a per-tenant credential on every outbound request, issued by our API gateway's native subscription-key mechanism. ADO Pilot's API gateway validates the credential before forwarding the event to the review pipeline.

Two practical consequences:

  • You do not need to manage a shared secret. There is no webhook secret to rotate, no signing key to copy. The credential is provisioned during onboarding and stored securely by our backend.
  • The credential is unique to your tenant. A leaked or replayed payload from another customer cannot trigger a review on your behalf because the credential won't match.

The credential is revoked when you disconnect

Unlike a shared secret, your tenant's credential lives entirely at the gateway. If you intentionally cancel your plan, ADO Pilot revokes it immediately — no separate cleanup step, and no window where a disconnected tenant's webhooks can still reach us. A disputed payment doesn't revoke anything by itself; if the dispute later leads to your subscription being cancelled, the credential is revoked at that point, the same as any other cancellation. If your subscription instead lapses because a payment failed, your account is suspended and the credential is deliberately left in place, so reviews can resume automatically once you update your billing — nothing is revoked in that case. Uninstalling the extension does not touch the credential either way; see Uninstalling the extension.

What to do if you see a 401

If subscription history in Azure DevOps shows recent 401 responses, or if reviews have silently stopped firing on new pull requests, open the dashboard Integration page and use the Service Hooks card: Check now reads the live status, Resync re-creates any broken subscriptions, and Test connection fires a synthetic event that Azure DevOps accepts for asynchronous delivery — so click Check now again a moment later to confirm the event arrived. ADO Pilot also re-checks and repairs your subscriptions automatically every hour. See Webhook 401s and reviews stopped firing for the step-by-step.

If reviews have never fired, even on a brand-new pull request, that's a different failure — the subscription was likely never created due to a permission error, not disabled after the fact. See Reviews never started: service-hook permission error.

Do not delete or recreate the subscriptions by hand in Azure DevOps — recreating them there does not restore the credential. Use Resync instead, which re-provisions them correctly.

Can I delete the subscriptions?

You can, but reviews will stop firing immediately. To recreate them, use Resync on the dashboard Integration page — it re-provisions the subscriptions with the correct credential. If you want to pause reviews without losing the integration, toggle individual repos off in Repositories in your dashboard instead. To fully disconnect, cancel your plan and uninstall the extension; support can remove the subscriptions from the backend.

Can I edit the subscriptions?

No. The URL, authentication credential, event filter, and resource-detail level are all managed by ADO Pilot. Any manual edit will either be overwritten on the next reconciliation or break delivery in the meantime. Repository selection lives in the ADO Pilot dashboard, not in the Azure DevOps subscription.