We have updated how webhooks on repositories, organizations, and apps can be configured via the API. We have a new configuration resource for full or partial updates to any or all attributes of a webhook. The endpoint can also be used to read the configuration.

Also, webhooks now send a header with a SHA-256 HMAC signature of the request body if the webhook is configured with an HMAC key in the optional "secret" field. Developers verifying the authenticity of a webhook should use the SHA-256 signature because it is based on a more modern cryptographic hash function. The SHA-1 signature is still retained for backwards compatibility with existing integrations, but should not be used for security purposes to verify cryptographic identity due to known collisions in SHA-1. See the documentation for the new delivery headers for more information.
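A receiver-side check for the SHA-256 signature described above, as an added example that is not code from this announcement or from GitHub. The header names and the `sha256=` value prefix are taken from GitHub's webhook delivery documentation rather than from this page, and the secret and payload are constructed sample values.

```python
import hashlib
import hmac

# Header names and the "sha256=" / "sha1=" value prefixes are the ones GitHub
# documents for webhook deliveries; this page does not spell them out.
SIG256_HEADER = "x-hub-signature-256"
SIG1_HEADER = "x-hub-signature"


def sign(secret: bytes, body: bytes, algo: str) -> str:
    """Build a header value the way the sender does: '<algo>=<hex HMAC>'."""
    return f"{algo}=" + hmac.new(secret, body, algo).hexdigest()


def verify_delivery(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Accept a delivery only if its SHA-256 HMAC matches the raw body bytes."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get(SIG256_HEADER)
    if received is None:
        # Fail closed. A delivery carrying only the legacy SHA-1 header is
        # rejected rather than verified with the weaker hash.
        return False
    received = received.strip()
    if not received.startswith("sha256="):
        return False
    # Sign the bytes exactly as received; re-serialised JSON will not match.
    expected = sign(secret, raw_body, "sha256")
    # compare_digest runs in time independent of where the values differ.
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed sample delivery (secret and payload are made up for the example).
SECRET = b"example-webhook-secret"
BODY = b'{"action":"opened","number":1}'
GOOD = {"X-Hub-Signature-256": sign(SECRET, BODY, "sha256"),
        "X-Hub-Signature": sign(SECRET, BODY, "sha1")}
LEGACY_ONLY = {"X-Hub-Signature": sign(SECRET, BODY, "sha1")}

if __name__ == "__main__":
    print("valid delivery:   ", verify_delivery(SECRET, BODY, GOOD))
    print("tampered body:    ", verify_delivery(SECRET, BODY + b" ", GOOD))
    print("sha1 header only: ", verify_delivery(SECRET, BODY, LEGACY_ONLY))
```

In a web framework, pass the unparsed request body to `verify_delivery` before any JSON decoding, and return an error response without processing the event when it returns `False`.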