Webhook Direct Delivery Readiness

Webhook workflows are powerful because they turn events into action. They also need clear boundaries: who may call the webhook, what data is included, and where results are delivered.

Official Hermes Agent docs: https://hermes-agent.nousresearch.com/docs/user-guide/features/webhooks

Readiness checklist

  • Use a named webhook route with a documented purpose.
  • Sign incoming requests or use an equivalent shared secret where supported.
  • Make request IDs idempotent so retries do not create duplicate actions.
  • Keep payloads minimal and public-safe when the workflow posts into a channel.
  • Separate status notifications from user-critical business writes.

Delivery standards

  • Choose the destination channel before enabling automation.
  • Keep client-facing messages short and human-safe.
  • Fail open for non-critical telemetry when the user flow should continue.
  • Log enough metadata to debug delivery without storing unnecessary private content.
  • Use separate routes or event types for different workflow stages.

Pitfalls

  • Embedding secrets in query strings or public pages.
  • Reusing one request ID for multiple distinct events.
  • Treating webhook acceptance as proof that a downstream human received the message.
  • Letting public webhooks mutate private data without validation.

Verification steps

  • Send a harmless signed test event.
  • Confirm the destination receives the expected message.
  • Check logs for rejects and duplicate handling.
  • Verify invalid or unsigned requests fail safely.