id: Unique identifier for the webhook event.type: The type of event (e.g.,task.created,proposal.accepted).timestamp: The time when the event occurred, in ISO 8601 format.data: The event-specific data, which varies based on the event type.
webhook-id: the same as payloadidwebhook-timestamp: UNIX timestamp of when the event occurred (seconds since epoch)webhook-signature: the signature(s) of the webhook used to verify the payloadx-automa-server-host: the URL of the Automa server that sent the webhook
Verifying signatures
To ensure the integrity and origin of webhooks, Automa signs each one using HMAC-SHA256. The signature is passed in thewebhook-signature header, which includes a version identifier and the signature in base64 format, separated by a comma (e.g., v1,d82n...).
The signature is generated using your bot’s webhook secret (excluding the atma_whsec_ prefix). The content that is signed is a string made by concatenating the webhook ID, the timestamp in unix format, and the raw request body, joined by periods.
Retries
When a webhook event is sent, Automa ensures that it is delivered successfully. If a delivery fails due to a non-2xx response or a network issue, Automa will retry. The retry policy uses an exponential backoff strategy, with an initial delay of 10 minutes and a maximum of 5 attempts. The delay doubles with each subsequent retry. To prevent side effects from repeated deliveries:- Use the webhook id to detect and discard duplicate requests.
- Ensure your webhook handler is idempotent (safe to run multiple times).
- Use locking to protect shared resources from race conditions.