Skip to main content
from praisonaiagents import Agent

agent = Agent(name="webhook-agent", instructions="Verify and process incoming webhooks.")
agent.start("Verify the HMAC signature on this incoming webhook from GitHub.")
Inbound webhooks are verified by default — misconfigured secrets return HTTP 401 instead of silently accepting unsigned traffic.
export LINEAR_WEBHOOK_SECRET=your-linear-signing-secret
export LINEAR_OAUTH_TOKEN=your-linear-token
praisonai bot linear --token "$LINEAR_OAUTH_TOKEN"
The user posts a webhook; HMAC verification runs before the agent handles the payload.

Quick Start

1

Set your signing secret

export LINEAR_WEBHOOK_SECRET=your-linear-secret
# or for AgentMail:
export AGENTMAIL_WEBHOOK_SECRET=your-agentmail-secret
2

Run the bot — verification is on by default

praisonai bot linear --token $LINEAR_OAUTH_TOKEN
3

Local dev without a real platform

Never set this in production.
PRAISONAI_INSECURE_WEBHOOKS=true praisonai bot linear --token $LINEAR_OAUTH_TOKEN

Which mode am I in?

How It Works

accepts_webhooksVerifier configuredPRAISONAI_INSECURE_WEBHOOKSOutcome
falseNo verification gate
trueyesunsetVerify; 401 on failure
truenounset401 (fail-closed)
truetrueSkip with warning

Configuration Options

VariablePurpose
PRAISONAI_INSECURE_WEBHOOKSSet to true / 1 / yes to disable verification globally (local dev only)
LINEAR_WEBHOOK_SECRETHMAC secret for Linear webhooks
AGENTMAIL_WEBHOOK_SECRETHMAC secret for AgentMail webhooks (required in production; API token is not a fallback)
WHATSAPP_APP_SECRETMeta app secret for Cloud-mode WhatsApp webhooks
PlatformCapabilities fieldDefaultMeaning
accepts_webhooksFalseChannel receives inbound HTTP webhooks
verifies_webhook_signatureFalseAdapter exposes a verifier implementation

Common Patterns

Built-in adapter, secret only — set the platform env var and run the bot; no code required. Custom adapter with HmacWebhookVerifier:
from praisonai.bots.webhook_security import HmacWebhookVerifier

verifier = HmacWebhookVerifier(
    secret="your-secret",
    signature_headers=["X-Hub-Signature-256"],
    prefix="sha256=",
)
Custom ingress with the shared gate:
from praisonai.bots.webhook_security import enforce_webhook_verification

ok = enforce_webhook_verification(
    accepts_webhooks=True,
    verifier=verifier,
    headers=dict(request.headers),
    raw_body=await request.body(),
    platform="mychat",
)
if not ok:
    return Response(status_code=401)

Best Practices

The override logs a warning on every request and disables all signature checks.
verify_hmac and HmacWebhookVerifier fail closed on missing secrets, unknown digest algorithms, and verifier exceptions.
Update both the platform webhook config and your env var at the same time.
This page covers outbound bot webhook signature verification (verifying that requests to your bot are from the real platform). For inbound event triggers — pointing external services at your gateway to run an agent — see Gateway Inbound Hooks.

Linear Bot

Linear webhook setup and secrets

Email Bot

AgentMail webhook mode

Gateway Inbound Hooks

Trigger agents from external services via POST /hooks/<path>

Platform Capabilities

accepts_webhooks and verifies_webhook_signature