Service hooks and webhooks

When you connect ADO Pilot to your Azure DevOps organization, the onboarding wizard creates two service hook subscriptions per project — one for git.pullrequest.created, one for git.pullrequest.updated. Those subscriptions are how Azure DevOps tells ADO Pilot that a pull request needs reviewing. This page explains what they are, where to find them, and how they authenticate.

What gets installed

For every Azure DevOps project ADO Pilot reviews, two subscriptions are created with publisher and consumer both labeled ADO Pilot:

The "PR updated" subscription is filtered to commit-push events. ADO Pilot does not re-review when someone edits the PR title, reassigns reviewers, or replies in a thread.

Why two subscriptions

Azure DevOps emits separate events for "PR was opened" and "the PR's source branch got new commits". The first triggers your initial review; the second triggers a re-review on every push so your status check stays current as you address feedback.

Where to find them in Azure DevOps

1. Open your Azure DevOps project.
2. Go to Project settings → Service Hooks → Subscriptions.
3. Filter the list by publisher ADO Pilot or scroll until you see entries with consumer ADO Pilot.

You should see exactly two ADO Pilot rows per project. Each row shows the event type, when it last fired, and a green or red status indicator. Click into a row and open the History tab to see recent delivery attempts and their HTTP response codes.

How the webhooks authenticate

Azure DevOps service hooks do not support HMAC-signed payloads, so ADO Pilot cannot verify event authenticity the way GitHub webhooks do. Instead, each subscription carries a per-tenant JWT as a header on every outbound request. Azure DevOps treats the JWT as an opaque string — it just sends it on every delivery — and ADO Pilot's API gateway validates the signature, expiry, and tenant claim before forwarding the event to the review pipeline.

Two practical consequences:

• You do not need to manage a shared secret. There is no webhook secret to rotate, no signing key to copy. The JWT is provisioned during onboarding, stored in our key vault, and renewed automatically.
• The credential is unique to your tenant. A leaked or replayed payload from another customer cannot trigger a review on your behalf because the JWT's tenant claim won't match.

Rotation is automatic

ADO Pilot rotates webhook JWTs on a fixed schedule as part of normal security hygiene. You do not have to do anything — when the rotation runs, both the Azure DevOps subscription and our backend are updated together. If the two ever drift, deliveries fail with 401 Unauthorized and reviews stop firing.

What to do if you see a 401

If subscription history in Azure DevOps shows recent 401 responses, or if reviews have silently stopped firing on new pull requests, see Webhook 401s and reviews stopped firing. The fix is run by support — there is no self-serve resync in v1.

While you wait for support, do not delete or recreate the subscriptions yourself. Recreating them in Azure DevOps does not restore the JWT; only the backend can do that.

Can I delete the subscriptions?

You can, but reviews will stop firing immediately and there is no in-product way to recreate them in v1. If you want to pause reviews without losing the integration, toggle individual repos off in Settings → Repositories in your dashboard. To fully disconnect, cancel your plan and uninstall the extension; uninstall lifecycle hooks remove the subscriptions cleanly.

Can I edit the subscriptions?

No. The URL, headers, event filter, and resource-detail level are all managed by ADO Pilot. Any manual edit will either be overwritten on the next reconciliation or break delivery in the meantime. Repository selection lives in the ADO Pilot dashboard, not in the Azure DevOps subscription.