202 immediately. Use the monitoring endpoints or the workspace WebSocket channel to follow execution.
This endpoint uses webhook-secret authentication only — not session or CLI token auth. Provide exactly one of
X-Signature (preferred) or X-Webhook-Secret (deprecated).Trigger Agent via Webhook
Authentication
The endpoint accepts two header-based schemes. Provide one of them; if both are absent the request is rejected with401.
X-Signature (preferred). A hex-encoded HMAC-SHA256 of the raw request body, keyed by the agent’s per-agent webhook secret (no sha256= prefix):
X-Webhook-Secret (deprecated). The per-agent secret sent in plaintext:
Deprecation and Sunset: Thu, 31 Dec 2026 23:59:59 GMT response headers.
Both schemes validate using constant-time comparison. This endpoint does not use session or CLI token authentication.
Path Parameters
| Parameter | Type | Description |
|---|---|---|
crewId | string | Crew ID the agent belongs to |
agentId | string | Agent ID to trigger |
Request Headers
| Header | Required | Description |
|---|---|---|
Content-Type | Yes | application/json |
X-Signature | One of | Preferred. Hex HMAC-SHA256 of the raw body, keyed by the agent’s webhook secret. |
X-Webhook-Secret | One of | Deprecated (sunset 2026-12-31). Per-agent webhook secret in plaintext. |
Request Body
The payload is passed to the agent as context. The structure is flexible — include whatever data is relevant to the agent’s task.Response
The webhook returns immediately. Agent execution happens asynchronously.202 Accepted on success — the body is {"status": "accepted"}. The status reflects the fire-and-forget contract: the agent run is enqueued asynchronously, and 202 (not 200) signals “we received it, work has not finished”.
401 Unauthorized if neither X-Signature nor X-Webhook-Secret is provided, or the supplied signature/secret is invalid.
What Happens Behind the Scenes
Webhook execution pipeline
Webhook execution pipeline
- Auth validation — the agent’s webhook secret is looked up via the internal IPC resolver; an
X-Signatureis verified as an HMAC of the body, otherwise a plaintextX-Webhook-Secretis compared (constant-time) - Agent config resolution — the agent’s full configuration (CLI adapter, LLM model, credentials, etc.) is resolved
- Chat session creation — a webhook-scoped chat session is created or reused (
webhook-{agentId}) - Container startup — the crew’s container runtime is ensured running
- Run record creation — a run record with trigger type
WEBHOOKis created - Agent execution — the agent is started asynchronously with a 10-minute timeout
- Log streaming — agent output is streamed to the log collector and broadcast via WebSocket on
workspace:{workspaceId} - Run completion — the run record is updated with status (
COMPLETEDorFAILED), exit code, duration, and error message
Prerequisites
The webhook endpoint is only registered when all of the following are configured:- Orchestrator is available
- Container provider (Keeper) is available
- Log writer is configured
- Internal token is set
If any prerequisite is missing the route is never registered, so the endpoint returns
404.Use Cases
| Source | Event | Agent Action |
|---|---|---|
| GitHub Actions | PR opened | Code review agent analyzes changes |
| Grafana | Alert fired | SRE agent investigates incident |
| n8n / Zapier | Form submitted | Data processing agent |
| CI/CD | Build failed | Debug agent analyzes logs |
| Cron / Scheduler | Timed event | Scheduled reporting agent |
| Custom service | Business event | Domain-specific agent |
Monitoring Webhook Runs
After triggering, use these endpoints to monitor execution:| Endpoint | Description |
|---|---|
GET /api/v1/agents/{agentId}/runs | List execution history (filter by trigger type) |
GET /api/v1/agents/{agentId}/logs | Get agent logs |
WebSocket workspace:{workspaceId} | Real-time agent.log events |