Inbound webhook from a provider
Unified ingest endpoint for Linear, GitHub, GitHub Actions, and Vercel webhooks. Validates HMAC signature, checks idempotency, and immediately returns 200. All routing/execution is deferred via `after()`. Duplicate deliveries are detected via the gateway's idempotency layer and return `{ ok: true, duplicate: true }`. Providers register at: `POST /api/integrations/{provider}/oauth/authorize`.
Authorization
webhookHmac HMAC-SHA256 signature of the raw request body. Header name varies by provider: x-linear-signature (Linear), x-hub-signature-256 (GitHub/GitHub Actions), x-vercel-signature (Vercel). Secret resolved from WEBHOOK_SECRET_<PROVIDER> env var or per-org workspace integration override.
In: header
Path Parameters
"linear" | "github" | "github-actions" | "vercel"Request Body
application/json
TypeScript Definitions
Use the request body type in TypeScript.
Response Body
application/json
application/json
application/json
application/json
curl -X POST "https://example.com/api/webhooks/ingest/linear" \ -H "Content-Type: application/json" \ -d '{}'{
"ok": true,
"eventId": "string",
"correlationId": "string",
"duplicate": true
}{
"error": "Session not found"
}{
"error": "Session not found"
}{
"error": "Session not found"
}List A2A task dispatches for the authenticated org
Returns both `explicit` (authored `agent.dispatch` workflow nodes) and `transparent` (MCP-bridge auto-routed) dispatches. Auth: session cookie via `requireOrgAccess()` (cookie-only today; CLI bearer tokens use a separate path).
List tamper-evident audit events
Returns hash-chain audit events for the authenticated org. Events include a `prevHash` / `entryHash` linkage for integrity verification. Accepts optional filters by `entityId` and/or `entityType`.