
How to Connect Azure DevOps to VERDiiiCT: Step-by-Step Guide

VERDiiiCT Team · 8 min read

Overview

VERDiiiCT integrates with Azure DevOps through two components: an SCM connection (authenticated with a Personal Access Token) and a webhook registration (which triggers reviews automatically when pull requests are created). This guide walks you through both.

The process takes about five minutes:

  1. Create a Personal Access Token (PAT) in Azure DevOps
  2. Create an SCM connection in VERDiiiCT
  3. Register a webhook for your repository
  4. Configure the webhook in Azure DevOps
  5. Configure the webhook secret for payload verification

Prerequisites

  • A VERDiiiCT account with Owner or Admin role in your organization
  • An Azure DevOps project with at least one Git repository
  • Permission to create Personal Access Tokens and service hooks in Azure DevOps

Step 1: Create a Personal Access Token in Azure DevOps

VERDiiiCT uses a PAT to authenticate against the Azure DevOps API — reading pull request diffs, fetching linked work items, and posting review comments.

  1. In Azure DevOps, click your profile avatar in the top-right corner
  2. Select Personal access tokens
  3. Click + New Token
  4. Configure the token:
    • Name: VERDiiiCT Code Review (or any descriptive name)
    • Organization: Select the organization containing your repositories
    • Expiration: Choose an appropriate expiration period (maximum 1 year)
    • Scopes: Select Custom defined, then enable:
      • Code → Read & Write (required to read PR diffs and post comments)
      • Work Items → Read (required to fetch linked work items for review context)
  5. Click Create and copy the token immediately — Azure DevOps will not show it again

Security note: Store your PAT securely. VERDiiiCT encrypts it at rest using AES-256-GCM before saving it to the database. The plaintext token is never stored or logged.


Step 2: Create an SCM Connection in VERDiiiCT

An SCM connection links your Azure DevOps organization to VERDiiiCT.

  1. Log in to VERDiiiCT at app.verdiiict.com
  2. Navigate to Connections in the sidebar
  3. Click Add Connection
  4. Fill in the connection details:
    • Provider: Select Azure DevOps
    • Display Name: A friendly name like My Azure DevOps Org
    • Organization URL: Your Azure DevOps organization URL, e.g. https://dev.azure.com/your-org
    • Personal Access Token: Paste the PAT you created in Step 1
    • Webhook Secret (optional): Enter a secret string if you want connection-level secret validation. You can leave this blank — VERDiiiCT generates a unique secret per webhook registration automatically.
  5. Click Create
  6. Use the Test Connection button to verify VERDiiiCT can authenticate with Azure DevOps using your PAT

Step 3: Register a Webhook in VERDiiiCT

A webhook registration tells VERDiiiCT which repository to watch and generates a unique callback URL.

  1. Open the connection you just created
  2. Navigate to the Webhooks tab
  3. Click Register Webhook
  4. Fill in:
    • Repository ID: The GUID or name of the Azure DevOps repository (you can find this in your project's Repos settings)
    • Repository Name: A display name like my-api or frontend-app
    • Events (optional): Defaults to pull_request.created and pull_request.updated. Leave as default for standard PR review triggers.
  5. Click Register

VERDiiiCT returns a Webhook URL and generates a Secret Token — you'll need both in the next step.

The webhook URL follows this format:

https://api.verdiiict.com/api/webhooks/azuredevops/{registration-id}

Important: Copy both the Webhook URL and the Secret Token. You will configure these in Azure DevOps in the next step.


Step 4: Configure the Service Hook in Azure DevOps

Azure DevOps uses service hooks to send webhook notifications. You need to create one that fires when pull requests are created.

  1. In your Azure DevOps project, go to Project Settings (gear icon in the bottom-left)
  2. Under General, click Service hooks
  3. Click + Create subscription
  4. Select Web Hooks as the service and click Next
  5. Configure the trigger:
    • Trigger on this type of event: Select Pull request created
    • Repository: Select your target repository (or leave as [Any] to cover all repos)
    • Target branch: Leave as [Any] unless you want to limit to specific branches like main
  6. Click Next
  7. Configure the action:
    • URL: Paste the Webhook URL from VERDiiiCT (e.g. https://api.verdiiict.com/api/webhooks/azuredevops/{registration-id})
    • HTTP headers: Leave empty
    • Resource details to send: Select All
    • Messages to send: Select None
    • Detailed messages to send: Select None
  8. Click Test to send a test payload to VERDiiiCT — you should see a successful response
  9. Click Finish to create the subscription

Tip: If you also want reviews triggered when a PR is updated (new commits pushed), create a second service hook with the Pull request updated trigger pointing to the same webhook URL.


Step 5: Configure the Webhook Secret

The webhook secret ensures that only legitimate payloads from Azure DevOps are processed by VERDiiiCT. Without it, anyone who discovers your webhook URL could send fake payloads.

How Secret Validation Works for Azure DevOps

When you configure a secret on an Azure DevOps service hook, Azure DevOps sends it as a Basic Authentication header on every webhook request:

Authorization: Basic {base64-encoded-secret}

VERDiiiCT validates this by:

  1. Reading the Authorization header from the incoming request
  2. Base64-encoding the stored secret token
  3. Comparing the header value against the expected Base64-encoded secret

If the values don't match, VERDiiiCT rejects the payload with a 401 Unauthorized response.
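The check described above can be sketched as a small receiver-side function. This is an added example, not VERDiiiCT's own code: it decodes the header (Basic credentials are the Base64 of username:password per RFC 7617), ignores the username, and compares the password to the stored secret in constant time instead of comparing encoded strings. The function names and the sample secret are constructed for illustration.

```python
import base64
import hmac

def basic_auth_password(header_value):
    """Return the password from an 'Authorization: Basic ...' value, or None."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # Credentials are "username:password"; the username cannot contain ':',
    # so split on the first colon only and ignore the username.
    _user, sep, password = decoded.partition(":")
    return password if sep else None

def webhook_status(header_value, stored_secret):
    """Return the HTTP status a receiver would send: 200 or 401."""
    presented = basic_auth_password(header_value)
    if presented is None or not stored_secret:
        return 401  # fail closed on a missing header or missing secret
    # Constant-time comparison avoids leaking how many characters matched.
    same = hmac.compare_digest(presented.encode("utf-8"),
                               stored_secret.encode("utf-8"))
    return 200 if same else 401

# Constructed sample data: a placeholder 64-character hex secret.
SAMPLE_SECRET = "ab" * 32

def sample_header(username, password):
    """Build the header a client sends for the given Basic credentials."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

if __name__ == "__main__":
    double_encoded = base64.b64encode(SAMPLE_SECRET.encode()).decode()
    for label, header in [
        ("empty username", sample_header("", SAMPLE_SECRET)),
        ("any username", sample_header("hook", SAMPLE_SECRET)),
        ("secret pasted pre-encoded", sample_header("", double_encoded)),
        ("no header", None),
    ]:
        print(label, webhook_status(header, SAMPLE_SECRET))
```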

Configuring the Secret

To add secret validation to your Azure DevOps service hook:

  1. In Azure DevOps, go to Project Settings → Service hooks
  2. Find your VERDiiiCT webhook subscription and click to edit
  3. In the Action configuration, locate the Basic authentication password field
  4. Paste the Secret Token from VERDiiiCT (the 64-character hex string generated during webhook registration)
  5. Username: You can leave this empty or enter any value — VERDiiiCT only validates the password portion
  6. Save the subscription

Verifying It Works

After configuring the secret:

  1. Create a test pull request in your Azure DevOps repository
  2. Check the service hook history in Azure DevOps — you should see a 200 OK response
  3. If you see 401 Unauthorized, double-check that you pasted the exact secret token from VERDiiiCT

Security best practice: Always configure the webhook secret. While VERDiiiCT's webhook URLs use unpredictable GUIDs as registration IDs, adding secret validation provides defense in depth against replay attacks and unauthorized requests.


The Complete Flow

Once everything is configured, here's what happens automatically:

Developer opens a Pull Request in Azure DevOps
        ↓
Azure DevOps fires the service hook (HTTP POST)
        ↓
VERDiiiCT receives the payload at /api/webhooks/azuredevops/{id}
        ↓
VERDiiiCT validates the secret (Authorization header)
        ↓
VERDiiiCT extracts PR metadata (title, branches, author)
        ↓
VERDiiiCT fetches the PR diffs using the stored PAT
        ↓
AI (Claude or GPT) reviews the code changes
        ↓
VERDiiiCT posts line-level comments and a verdict
(Approved / Needs Work / Rejected) back to the PR

No manual steps required. Every pull request gets an AI-powered review within minutes of being created.


Troubleshooting

Webhook returns 404

  • Verify the webhook URL matches exactly what VERDiiiCT provided
  • Confirm the webhook registration is still active in VERDiiiCT
  • Check that the SCM connection is active

Webhook returns 401

  • The secret token doesn't match. Copy it again from VERDiiiCT and paste it into the Azure DevOps service hook's Basic authentication password field
  • Make sure you're pasting the token as-is (64-character hex string), not Base64-encoding it yourself — Azure DevOps handles the encoding

Webhook returns 200 but no review appears

  • VERDiiiCT only processes git.pullrequest.created events. If you configured a different event type, the payload is accepted but ignored
  • Check that your PAT has the required scopes (Code Read/Write, Work Items Read)
  • Verify the PAT hasn't expired

Reviews don't post comments to the PR

  • Ensure the PAT has Code Write permissions
  • Check that the PAT's organization matches the repository's organization
