Webhooks

Inbound webhook URLs, authentication options, payload transforms, and secret rotation for triggering a Teammate.

What a webhook is

An inbound webhook lets an external system trigger a specific Teammate by sending it an HTTP request, rather than a message on a channel. It's the integration point for things that aren't people typing in Telegram or Slack: a CI pipeline notifying a Teammate a build failed, a form submission that should kick off a follow-up, a third-party service pushing an event your Teammate should react to.

Each webhook targets exactly one Teammate on one agent server, and you can create as many webhooks as you need — one per integration is the common pattern, so each has its own URL, its own auth, and its own transform logic.

The URL

Every webhook gets its own URL, conceptually shaped as your organization, then the agent server, then a unique webhook ID appended to a base path the platform controls. You don't choose or see any internal hosting details — just the full URL to give the system that's calling it.

Authentication

A webhook is authenticated one of three ways:

Auth type How it works
Bearer token The caller sends the webhook's secret as a bearer token in the Authorization header
Custom header The caller sends a value in a header name you choose; validated either as a plain token match or as an HMAC-SHA256 signature
Query parameter The caller sends the secret as a query-string parameter you name

Payload transform and event filter

Every webhook requires a payload transform function, written in JavaScript, that turns the incoming request body into whatever the Teammate needs to act on. Optionally, you can also add an event filter function — JavaScript that decides whether a given incoming request should trigger the Teammate at all, letting you ignore payloads you don't care about without touching the sender's configuration.

Secret rotation

The webhook's secret is generated for you and shown exactly once, at creation — the platform doesn't retain it in a form you can look up later, so save it somewhere safe when you create the webhook. If it leaks or you simply want to rotate it, you can regenerate it at any time; the old secret stops working immediately once you do.

Enable / disable

A webhook can be toggled on or off without deleting it, which is the quickest way to pause an integration temporarily while keeping its configuration, URL, and secret intact for when you turn it back on. Toggling doesn't invalidate the secret or change the URL — the sender can keep using the same values once you re-enable it.

API and MCP

Webhooks have full dashboard/API/MCP parity: creating, editing, toggling, rotating secrets, and deleting are all available through the API and MCP tools as well as the dashboard. See API & MCP for the resource map.


Build your team.

14 days free. No credit card required.