Skip to main content
Inbound webhooks are verified by default — misconfigured secrets return HTTP 401 instead of silently accepting unsigned traffic.
The user posts a webhook; HMAC verification runs before the agent handles the payload.

Quick Start

1

Set your signing secret

2

Run the bot — verification is on by default

3

Local dev without a real platform

Never set this in production.

Which mode am I in?

How It Works

Configuration Options

Common Patterns

Built-in adapter, secret only — set the platform env var and run the bot; no code required. Custom adapter with HmacWebhookVerifier:
Custom ingress with the shared gate:

Best Practices

The override logs a warning on every request and disables all signature checks.
verify_hmac and HmacWebhookVerifier fail closed on missing secrets, unknown digest algorithms, and verifier exceptions.
Update both the platform webhook config and your env var at the same time.
This page covers outbound bot webhook signature verification (verifying that requests to your bot are from the real platform). For inbound event triggers — pointing external services at your gateway to run an agent — see Gateway Inbound Hooks.

Linear Bot

Linear webhook setup and secrets

Email Bot

AgentMail webhook mode

Gateway Inbound Hooks

Trigger agents from external services via POST /hooks/<path>

Platform Capabilities

accepts_webhooks and verifies_webhook_signature