Webhook Direct Delivery Readiness
Webhook workflows are powerful because they turn events into action. They also need clear boundaries: who may call the webhook, what data is included, and where results are delivered.
Official Hermes Agent docs: https://hermes-agent.nousresearch.com/docs/user-guide/features/webhooks
Readiness checklist
- Use a named webhook route with a documented purpose.
- Sign incoming requests or use an equivalent shared secret where supported.
- Make request IDs idempotent so retries do not create duplicate actions.
- Keep payloads minimal and public-safe when the workflow posts into a channel.
- Separate status notifications from user-critical business writes.
Delivery standards
- Choose the destination channel before enabling automation.
- Keep client-facing messages short and human-safe.
- Fail open for non-critical telemetry when the user flow should continue.
- Log enough metadata to debug delivery without storing unnecessary private content.
- Use separate routes or event types for different workflow stages.
Pitfalls
- Embedding secrets in query strings or public pages.
- Reusing one request ID for multiple distinct events.
- Treating webhook acceptance as proof that a downstream human received the message.
- Letting public webhooks mutate private data without validation.
Verification steps
- Send a harmless signed test event.
- Confirm the destination receives the expected message.
- Check logs for rejects and duplicate handling.
- Verify invalid or unsigned requests fail safely.
