Workers can read the same config file as the server, but SaaS workers typically only need the endpoint. SaaS CLI and SDK calls use GITHOOK_API_KEY (sent as x-api-key). Self-hosted workers default to no auth, with optional OAuth2 if enabled on the server.
endpoint: https://api.your-domain.com
auth:
oauth2:
enabled: true
issuer: https://auth.your-domain.com
audience: githook-api
client_id: ${GITHOOK_OAUTH_CLIENT_ID}
client_secret: ${GITHOOK_OAUTH_CLIENT_SECRET}
scopes: [githook.read]
Avoid committing secrets in config files. Prefer environment variables or secret managers for API keys and OAuth client secrets.
Set GITHOOK_API_BASE_URL or GITHOOK_CONFIG_PATH if you prefer environment configuration. For SaaS, set GITHOOK_API_KEY in the environment. For self-hosted deployments, you can still use local Watermill config and skip API-backed driver resolution.