14 lines (9 loc) · 487 Bytes

Webhook security

Inbound (to AgentStack)

Read raw body before JSON parse
Compute HMAC with your signing secret
Compare to header using constant-time equality
Reject replays with idempotency keys where supported

Outbound (from AgentStack)

Integration Hub records delivery attempts; use MCP integrations.list_issues and integrations.replay_delivery for failures.

Next: ../integrations/INTEGRATION_QUICKSTART.md