Webhook 401s and reviews stopped firing
What to do when ADO Pilot stops reviewing new PRs because the webhook subscription is returning 401 Unauthorized.
Reviews used to fire automatically on new pull requests, and now they don't. There is no error in the Azure DevOps UI, but the dashboard shows no recent review activity. The most likely cause is a webhook authentication failure: ADO is delivering events, but ADO Pilot is rejecting them with 401 Unauthorized because the webhook's auth credential expired or rotated out of sync. Resolving it requires support assistance.
Symptom
What you observe
- New PRs are created or updated and ADO Pilot does not post a review or a status check.
- The Recent reviews list in your dashboard stops growing.
- Older PRs that were already reviewed look fine — the existing comments and status checks remain.
- Nothing in the Azure DevOps UI indicates anything is wrong. The PR looks normal.
What's happening behind the scenes
Each webhook subscription that ADO Pilot installed in your ADO org carries a JWT credential that authenticates POST requests to our backend. When ADO sends a git.pullrequest.created or git.pullrequest.updated event, our gateway validates the JWT before forwarding the event to the orchestrator. If validation fails, the event is rejected with 401 Unauthorized and the review is never queued. From your side, this looks like the system silently stopped working.
See Service hooks and webhooks for the full picture of what gets installed in your org.
Why it happens
JWT rotation failure
The webhook JWTs are rotated periodically as part of normal security hygiene. The rotation requires updating the credential on both the ADO subscription and our backend in lockstep. If the two sides drift (for example, our backend rotates the signing key but the write of the new credential to the ADO subscription fails), the next event fails the signature check and gets a 401. This is rare but is the most common cause of sustained 401s.
Expired webhook credential
Webhook JWTs have an expiry. Under normal operation, rotation refreshes them well before expiry. If rotation has been failing for a long time and no one noticed, the JWT eventually expires and every subsequent event 401s.
Manual subscription tampering
If someone in your org opens Project settings → Service hooks in Azure DevOps and edits the URL, the Resource details to send dropdown, or the headers on either of the ADO Pilot subscriptions, the next event fails authentication. Don't edit these subscriptions by hand.
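The gateway check and the failure causes above, sketched as an added example that is not ADO Pilot's code. It assumes an HS256-signed JWT delivered in an Authorization: Bearer header, which this page does not specify; the keys, claims, clock and function names are constructed.

```python
import base64, hashlib, hmac, json

def _enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, head: str, body: str) -> bytes:
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue(claims: dict, key: bytes) -> str:
    """Mint the HS256 JWT stored on a subscription (assumed scheme)."""
    head = _enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _enc(json.dumps(claims).encode())
    return f"{head}.{body}.{_enc(_mac(key, head, body))}"

def check(auth_header, key: bytes, now: float):
    """Return (status, reason) for one delivery; reason is for server logs only."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "missing_credential"      # header removed or edited by hand
    parts = auth_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return 401, "malformed_token"
    head, body, sig = parts
    try:
        header, given = json.loads(_dec(head)), _dec(sig)
    except ValueError:
        return 401, "malformed_token"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return 401, "malformed_token"         # pin the algorithm, never trust "alg"
    if not hmac.compare_digest(_mac(key, head, body), given):
        return 401, "bad_signature"           # the two sides hold different keys
    exp = json.loads(_dec(body)).get("exp")   # read claims only after the MAC passes
    if not isinstance(exp, (int, float)) or now >= exp:
        return 401, "expired"                 # rotation has not refreshed the token
    return 200, "ok"

# Constructed sample data: keys, claims and clock are made up for this example.
NOW, OLD_KEY, NEW_KEY = 1_700_000_000, b"old-signing-key", b"new-signing-key"
SAMPLES = {
    "healthy": "Bearer " + issue({"sub": "org-a", "exp": NOW + 3600}, NEW_KEY),
    "rotation_drift": "Bearer " + issue({"sub": "org-a", "exp": NOW + 3600}, OLD_KEY),
    "expired": "Bearer " + issue({"sub": "org-a", "exp": NOW - 60}, NEW_KEY),
    "header_removed": None,
}

def classify_samples():
    return {name: check(hdr, NEW_KEY, NOW) for name, hdr in SAMPLES.items()}
```

Every failure returns the same 401 to the sender, which is why the causes are indistinguishable from the ADO side; only the logged reason separates a key mismatch from an expired token.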
How to fix it
Contact support
There is no self-serve fix in v1. Email support and include:
- Your Azure DevOps organization name (the {org} from dev.azure.com/{org}).
- Your ADO Pilot dashboard email.
- The approximate time reviews stopped firing.
Support will re-provision the webhook subscriptions, which clears the 401 within a few minutes. Reviews resume on the next PR push.
How to prevent it
There is nothing you need to do: webhook auth health is our responsibility. We monitor sustained 401 rates and alert ourselves before customer reviews are affected. If you are reading this page, you have hit the rare case where the alert fired late or rotation kept failing.
If you want belt-and-suspenders coverage, watch the Recent reviews list on your dashboard. A 24-hour gap during normal team-wide PR activity is your strongest signal that something like this is in play.