Git OAuth and webhooks
Bundles rely on read access to your repositories. Loopback integrates GitHub and GitLab through organization-level OAuth application routes and system ingress webhooks that receive push and pipeline events.
OAuth applications (organization)
Organization routes configure GitHub and GitLab OAuth clients:
- Application IDs, secrets, and self-hosted base URLs (GitLab, GitHub Enterprise patterns) stored as integration metadata.
- Used when users authorize Loopback to clone and scan repositories for bundle discovery.
Secrets are stored by reference; never embed long-lived tokens in client-side code.
Webhooks (system ingress)
The API mounts ingress handlers for:
- GitHub push and workflow events.
- GitLab pipeline and push hooks.
- Flux CD-style notifications where enabled.
Webhooks correlate external activity with bundle discovery, build, and deploy state machines. Exact HMAC validation and URL paths are deployment-specific; your operator publishes the public endpoint base.
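The sketch below is an added example, not Loopback's code, and your deployment's validation scheme may differ. It shows how an ingress handler can authenticate GitHub and GitLab deliveries using the hosts' standard headers (X-Hub-Signature-256 and X-Gitlab-Token) and reject everything else. The function names, secrets map and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
from typing import Mapping, Optional

# Constructed sample values for illustration only.
SAMPLE_SECRETS = {"github": b"constructed-github-secret",
                  "gitlab": b"constructed-gitlab-token"}
SAMPLE_BODY = b'{"ref":"refs/heads/main"}'


def github_signature(secret: bytes, raw_body: bytes) -> str:
    """Header value GitHub sends in X-Hub-Signature-256 for this body."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_github(secret: bytes, raw_body: bytes, header: Optional[str]) -> bool:
    # HMAC is over the raw request bytes, so verify before any JSON parsing.
    if not secret or not header:
        return False
    expected = github_signature(secret, raw_body).encode()
    return hmac.compare_digest(expected, header.encode())


def verify_gitlab(secret: bytes, header: Optional[str]) -> bool:
    # GitLab sends the configured secret token itself in X-Gitlab-Token,
    # so the body is not authenticated; compare in constant time.
    if not secret or not header:
        return False
    return hmac.compare_digest(secret, header.encode())


def verify_webhook(headers: Mapping[str, str], raw_body: bytes,
                   secrets: Mapping[str, bytes]) -> Optional[str]:
    """Return the provider name if the request authenticates, else None."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-github-event" in h:
        ok = verify_github(secrets.get("github", b""), raw_body,
                           h.get("x-hub-signature-256"))
        return "github" if ok else None
    if "x-gitlab-event" in h:
        ok = verify_gitlab(secrets.get("gitlab", b""), h.get("x-gitlab-token"))
        return "gitlab" if ok else None
    return None  # unknown sender or missing provider header: reject
```

Because the GitLab token does not cover the payload, TLS on the ingress endpoint is what protects GitLab event bodies in transit.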
Buyer checklist
- Confirm which Git host editions are supported (github.com, GitLab SaaS, self-managed).
- Map egress from Loopback workers to your Git IP allow lists.
- Require least-privilege OAuth scopes for repository read-only automation.