Quick Start
Which mode am I in?
How It Works
| accepts_webhooks | Verifier configured | PRAISONAI_INSECURE_WEBHOOKS | Outcome |
|---|---|---|---|
| false | — | — | No verification gate |
| true | yes | unset | Verify; 401 on failure |
| true | no | unset | 401 (fail-closed) |
| true | — | true | Skip with warning |
Configuration Options
| Variable | Purpose |
|---|---|
PRAISONAI_INSECURE_WEBHOOKS | Set to true / 1 / yes to disable verification globally (local dev only) |
LINEAR_WEBHOOK_SECRET | HMAC secret for Linear webhooks |
AGENTMAIL_WEBHOOK_SECRET | HMAC secret for AgentMail webhooks (required in production; API token is not a fallback) |
WHATSAPP_APP_SECRET | Meta app secret for Cloud-mode WhatsApp webhooks |
| PlatformCapabilities field | Default | Meaning |
|---|---|---|
accepts_webhooks | False | Channel receives inbound HTTP webhooks |
verifies_webhook_signature | False | Adapter exposes a verifier implementation |
Common Patterns
Built-in adapter, secret only — set the platform env var and run the bot; no code required. Custom adapter withHmacWebhookVerifier:
Best Practices
Never set PRAISONAI_INSECURE_WEBHOOKS in production
Never set PRAISONAI_INSECURE_WEBHOOKS in production
The override logs a warning on every request and disables all signature checks.
Rotate signing secrets with the platform
Rotate signing secrets with the platform
Update both the platform webhook config and your env var at the same time.
This page covers outbound bot webhook signature verification (verifying that requests to your bot are from the real platform). For inbound event triggers — pointing external services at your gateway to run an agent — see Gateway Inbound Hooks.
Related
Linear Bot
Linear webhook setup and secrets
Email Bot
AgentMail webhook mode
Gateway Inbound Hooks
Trigger agents from external services via POST /hooks/<path>
Platform Capabilities
accepts_webhooks and verifies_webhook_signature

