[Solved] Gogs Webhook to Drone is Failing With HTTP 400 Errors

I used to have drone 0.4 working with Gogs but after moving to 0.5 I appear to have problems when attempting to integrate gogs with the new drone instance.

My gogs webhook configuration is as follows:

Payload URL:

Content Type


In the payload URL I got the access token from the drone website, after clicking the account/show token link. In the “secret” field I have tried the value I used for the “DRONE_SECRET” env var, on the drone server startup. I have also used a token that I saw in the drone server log:

drone-server_1  | time="2017-02-02T20:36:22Z" level=warning msg="agents can connect with token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXh0Ijoib25lIGZsZXcgb3ZlciB0aGUgY3Vja29vIG5lc3QiLCJ0eXBlIjoiYWdlbnQifQ.QxhmflR1xtoF36c2OjUS8qtyTiXH9tDNG1CfUreq6Hk"

This is the errors I see in the log on the drone server:

drone-server_1  | time="2017-02-02T21:08:44Z" level=error msg="failure to parse token from hook for docker/java8. signature is invalid"
drone-server_1  | time="2017-02-02T21:08:44Z" level=error msg="Error #01: signature is invalid\n" ip= latency=1.65773ms method=POST path="/hook" status=400 time="2017-02-02T21:08:44Z" user-agent=GogsServer

This is the error I see in the gogs webhook “Test Delivery” panel:

Request Headers

Request URL:
Request method: POST
Content-Type: application/json
X-Gogs-Delivery: 866778c4-d49b-4061-80c0-651f0e0c1ced
X-Gogs-Event: push

Response Headers (code: 400)

Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store, max-age=0, must-revalidate, value
Content-Length: 0
Content-Type: text/plain; charset=utf-8
Date: Thu, 02 Feb 2017 21:08:44 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Last-Modified: Thu, 02 Feb 2017 21:08:44 GMT
X-Content-Type-Options: nosniff
X-Drone-Version: 0.5.0+859
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block

this error message:

drone-server_1  | time="2017-02-02T21:08:44Z" level=error msg="failure to parse token from hook for docker/java8. signature is invalid"

tells me that the access_token in your gogs hook is not valid. This is a signed token that can only be used for a single repository. There are two common reasons for this issue:

  1. when someone tries to manually copy / paste a hook from one repository to another. This will not work because each repository has a unique token which cannot be shared
  2. this can happen if you have an old hook in place from a previous Drone installation.
  3. this can happen if you disable the gogs repository in Drone and try to re-enable. Drone does not have the ability to properly cleanup the Gogs webhook on disable. As a result, Gogs may try to keep using the old webhook with the old, invalid signature.

The latter issue can be resolved with the following steps:

  1. remove the hook from Gogs
  2. disable the repository in Drone
  3. re-enable the repository in Drone

@bradrydzewski, Thanks for taking the time to provide these valuable insights.

With regards to the fields present in the gogs webhook configuration, what should the secret field contain, and what should the Payload URL be?

The previous payload URL included an auth_token URL param. I am not sure where I got that previous payload url entry from since there is no guidance in the drone settings screen when I re-enable the repository in drone.


Sorry for brevity, typing from phone. Follow these steps. If unclear let me know

No problem on the short responses and guidance.

I have done those three steps, and there is a 4th implicit step of “Add the hook in Gogs”, hence my question about the secret and Payload URL fields when creating a webhook in Gogs. :wink:


When you re-enable the repository in drone it should re-add a new hook. Drone does not use the secret field. So no additional action should be required, outside of flipping the switch in the drone UI

Oh! Thank you for the clarification :slight_smile:

I am happy to say that the webhook was added and is working!