Authentication
Signing requests to Stewi and verifying incoming webhooks.
Authentication
Every request to Stewi’s API must include an API key in the Authorization header:
Keys are scoped to an organization. Rotate them from Settings → Access Tokens. Keys never expire automatically; revoke them immediately if they leak.
Signing Outbound Webhooks
Stewi verifies Merge.dev payloads with a shared secret. Configure the secret in both Merge and Stewi, then include it when you call the /api/webhooks/merge endpoint locally (see merge-webhook).
Signature Header
tis the request’s Unix timestamp (seconds).v1is the hex-encoded HMAC-SHA256 signature generated from the raw body.
Requests more than five minutes skewed from the server clock are rejected.