diff --git a/crates/server/src/actors/repo/webhook.rs b/crates/server/src/actors/repo/webhook.rs
index f778b5a..3dc1e4c 100644
--- a/crates/server/src/actors/repo/webhook.rs
+++ b/crates/server/src/actors/repo/webhook.rs
@@ -20,7 +20,7 @@ use crate::{
 )]
 pub struct WebhookId(String);

-#[derive(Clone, Debug, PartialEq, Eq, derive_more::Deref)]
+#[derive(Clone, Debug, PartialEq, Eq, derive_more::Deref, derive_more::Display)]
 pub struct WebhookAuth(ulid::Ulid);
 impl WebhookAuth {
 pub fn from_str(authorisation: &str) -> Result {
@@ -33,7 +33,7 @@ impl WebhookAuth {
 }

 fn header_value(&self) -> String {
- format!("Basic {}", self.0.to_string())
+ format!("Basic {}", self)
 }
 }

@@ -182,9 +182,20 @@ impl Handler for RepoActor {
 #[allow(clippy::cognitive_complexity)] // TODO: (#49) reduce complexity
 #[tracing::instrument(name = "RepoActor::WebhookMessage", skip_all, fields(token = %self.message_token, repo = %self.details))]
 fn handle(&mut self, msg: WebhookMessage, ctx: &mut Self::Context) -> Self::Result {
- if msg.authorisation() != self.webhook_auth {
- warn!("Invalid authorization");
- return; // invalid auth
+ let Some(expected_authorization) = &self.webhook_auth else {
+ warn!("Don't know what authorization to expect");
+ return;
+ };
+ let Some(received_authorization) = &msg.authorisation() else {
+ warn!("Missing authorization token");
+ return;
+ };
+ if received_authorization != expected_authorization {
+ warn!(
+ "Invalid authorization - expected {}",
+ expected_authorization
+ );
+ return;
 }
 let id = msg.id();
 let span = tracing::info_span!("handle", %id);
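Review bot: Deriving `derive_more::Display` on `WebhookAuth` makes the webhook secret printable by any `{}` format string or `%field` tracing capture. The only visible use that needs it is `header_value` in the next hunk. `Debug` is already derived, so the raw ULID is now reachable through both formatting traits. I would drop the new derive and keep the formatting local to the one place that must emit the token, `format!("Basic {}", self.0)`, so that printing the secret stays an explicit act. The `impl WebhookAuth` block continues outside this hunk.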
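Review bot: The new `warn!` in the mismatch branch writes `expected_authorization`, the secret a caller must present, into the log, so read access to the logs becomes enough to pass this check. Report the mismatch without either token, `warn!("Invalid authorization");`, and leave the three distinct messages as the diagnostic aid. Separately, `received_authorization != expected_authorization` presumably uses the derived `PartialEq`, which is not guaranteed to be constant-time; a constant-time comparison of the token bytes would be safer if one is available to the crate. `handle` continues past the end of this hunk.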