Safe Webhook Ingestion Patterns for Rocky

Webhooks let external systems trigger Rocky work. The safe pattern is to authenticate the request, reduce the payload to public-safe context, and make the resulting agent job observable.

Official webhook docs: https://hermes-agent.nousresearch.com/docs/user-guide/features/webhooks

Recommended pattern

  • Give each workflow a named route and a specific purpose.
  • Require a shared secret, signature, or platform-native verification.
  • Normalize incoming payloads before they reach an agent prompt.
  • Drop secrets, raw customer records, and unnecessary headers.
  • Emit a concise delivery report with job status and next actions.

Payload checklist

  • Source system and event type.
  • Object ID or public URL when safe.
  • Requested action in plain language.
  • Deadline or priority if the workflow uses it.
  • Explicit exclusions for private data.

Pitfalls

  • Accepting unauthenticated POSTs from the public internet.
  • Passing entire webhook payloads into a model.
  • Letting a webhook trigger deployments without verification gates.
  • Failing silently when the downstream agent run errors.
  • Mixing test and production endpoints.

Verification steps

  • Send a synthetic test payload with no private data.
  • Confirm invalid or unsigned requests are rejected.
  • Confirm the resulting agent report includes the event ID and action taken.
  • Check logs for redaction, replay handling, and useful error messages.