Live • Secure Jira Webhook

Jira Webhook Automation — Resolution Timestamp Service

An event-driven API that listens to Jira Cloud webhooks and updates a custom field with the exact status-change timestamp (from Jira’s changelog), with HMAC verification, idempotency, and duplicate protection.

Maintained by Arivanandhanarivanandhan.site
Visit Portfolio

What this API does

This endpoint accepts POST webhooks from Jira Cloud for selected statuses (Resolved DeclinedCancelled Completed & Deployed).

  • Verifies authenticity using HMAC-SHA256 (shared secret).
  • Finds the authoritative transition time from Jira changelog.
  • Updates the configured custom field (e.g., Resolution Date) — clearing old values first if needed.
  • Guards against duplicates/retries and automation loops.

How it works (flow)

  • Jira triggers a webhook → request hits this API.
  • Signature is validated (constant-time compare) → only trusted calls proceed.
  • API reads latest status transition from changelog (or statuscategorychangedate).
  • Custom field is set to that exact ISO timestamp.

GET / shows this info page for humans.

Benefits of this API

  • Accuracy: Uses Jira’s own event time — not server time — avoiding webhook/network delay drift.
  • Security: HMAC verification, HTTPS, minimal surface area.
  • Idempotent: Safe to receive duplicates; prevents infinite loops.
  • Observability: Clean, structured logs (success, skip, errors).
  • Portable: Works on Vercel or any Node host.

Why use a Webhook (vs. polling)

  • Real-time updates without cron jobs or delay.
  • Lower cost — no API polling, fewer requests.
  • Simpler architecture — Jira pushes, your API reacts.
  • Scales with events, not time intervals.

Reduce JSM Automation Usage

  • Move complex logic out of JSM rules to code → fewer automation executions.
  • Centralize cross-project rules in this API → avoid per-project rule duplication.
  • Cut down audit log noise; keep JSM rules for only what must stay inside Jira.
  • Easier versioning, review, and testing than point-and-click rules.

Security Highlights

  • HMAC signature verification with shared secret.
  • Constant-time comparison to prevent timing attacks.
  • Replay protection & in-memory dedupe for retries.
  • Optional IP allowlisting and field-level overwrite policy.

Operational Features

  • Timeouts and retries handled by platform; API is stateless.
  • Clear, human-readable logs for received, ignored, updated, and error states.
  • Supports both /api/webhook and / POST paths for Jira configs.

Last build year: 2025

© 2025 Arivanandhan • arivanandhan.site