Skip to main content
This guide walks you through using ngrok to receive Bitbucket repository webhooks on your localhost app. By integrating ngrok with Bitbucket, you can:
  • Develop and test Bitbucket webhooks locally without deploying to a public environment or setting up HTTPS.
  • Inspect and troubleshoot requests from Bitbucket in real time via the inspection UI and API.
  • Modify and replay Bitbucket webhook requests with a single click instead of reproducing events manually in your Bitbucket account.

What you’ll need

1. Start your app

For this tutorial, you can use the sample Node.js app on GitHub. To install the sample, run the following in a terminal: 
git clone https://github.com/ngrok/ngrok-webhook-nodejs-sample.git
cd ngrok-webhook-nodejs-sample
npm install
Then start the app: 
npm start
The app runs on port 3000 by default. You can confirm it’s running by visiting http://localhost:3000. The app logs request headers and body in the terminal and shows a message in the browser.

2. Expose your app with ngrok

Once your app is running locally, you’re ready to put it online securely using ngrok.
The ngrok agent uses your authtoken to authenticate when you start a tunnel.
  • Start ngrok: 
    ngrok http 3000
  • Copy the URL ngrok displays. Your app is now exposed at that URL for use with Bitbucket.

3. Configure Bitbucket to send webhooks

Bitbucket can send webhook requests to your app when repository events occur. To register for those events:
  • Sign in to Bitbucket.
  • Click Repositories in the top menu and open a repository from the list.
If you don’t have a repository, create an empty one first.
  • In the repository, go to Repository settings in the left menu and click Webhooks.
  • On the Webhooks page, click Add webhook.
  • On Add new webhook, enter a Title and paste the ngrok URL in URL (for example, https://1a2b-3c4d-5e6f-7g8h-9i0j.ngrok.app).
  • Under Triggers, check Push and click Save.

Run webhooks with Bitbucket and ngrok

With Push as the trigger, Bitbucket sends a POST request to your app through ngrok when you push to the repository.
The payload your app receives depends on the trigger event you chose.
To trigger a push event:
  • In the repository, click and then Add file.
  • On the Source page, enter a filename in Filename and add content in the text box (for example, This is my new file content).
  • Click Commit, then Commit in the popup.
Confirm your localhost app receives the push event and logs both headers and body in the terminal. Alternatively, clone the repository locally, make changes, commit, and push: 
git add .
git commit -m "my first commit"
git push

Inspecting requests

ngrok’s Traffic Inspector captures all requests made through your ngrok endpoint to your localhost app. Select any request to view detailed information about both the request and response.
To avoid exposing secrets, accounts only collect traffic metadata by default. You must enable full capture in the Observability section of your account settings to capture complete request and response data.
Use the traffic inspector to:
  • Validate webhook payloads and response data
  • Debug request headers, methods, and status codes
  • Troubleshoot integration issues without adding logging to your app

Replaying requests

Test your webhook handling code without triggering new events from your service using the Traffic Inspector’s replay feature:
  1. Send a test webhook from your service to generate traffic in your Traffic Inspector.
  2. Select the request you want to replay in the traffic inspector.
  3. Choose your replay option:
    • Click Replay to send the exact same request again
    • Select Replay with modifications to edit the request before sending
  4. (Optional) Modify the request: Edit any part of the original request, such as changing field values in the request body.
  5. Send the request by clicking Replay.
Your local application will receive the replayed request and log the data to the terminal.

Secure webhook requests

You can restrict or verify traffic in two ways depending on your Bitbucket setup. Bitbucket Cloud: Use ngrok IP restrictions to allow ingress only from Bitbucket Cloud IP addresses.
IP restrictions require an ngrok Pro or Enterprise plan. You can find Bitbucket Cloud IP addresses in Bitbucket Support.
  • In the ngrok dashboard, go to Security and IP Restrictions.
  • In Agent, click Attach IP Policies, New IP Policy, and Add Rule.
  • In Add Rule, click Allow and enter a CIDR that covers the Bitbucket IP (for example, 123.456.789.1/32) in CIDR.
  • Enter a Description for the rule and policy, click Save, then Attach IP Policy.
  • On IP Restrictions, click Save.
Bitbucket Server: Use ngrok webhook verification so only requests from your Bitbucket webhook reach your app.
Webhook verification is limited to 500 validations per month on free accounts. If you need more, you can upgrade to Hobbyist or Pay-as-you-go. See TPU Pricing for details.
  • In your Bitbucket repository, open the webhook page and edit the webhook.
  • In Authentication, select Secret token and enter a secret value.
  • Create a Traffic Policy file named bitbucket_policy.yml. Replace {your secret token} with that value: 
    on_http_request:
  - actions:
      - type: verify-webhook
        config:
          provider: bitbucket
          secret: "{your secret token}"
  • Restart ngrok with the policy file: 
    ngrok http 3000 --traffic-policy-file bitbucket_policy.yml
  • Add and commit a new file in the repository to trigger the webhook.
Your app should receive the request and log it in the terminal.