CHATBOT
Chatbot action webhooks
Verify signed payloads for private/action workflows.
Purpose
Used when intents trigger private webhook actions. StartupCore signs each delivery; you verify signature, timestamp, tenant/environment, externalUserId ownership, and idempotencyKey.
Headers
- X-StartupCore-Signature
- X-StartupCore-Timestamp
- X-StartupCore-Tenant-Id
- X-StartupCore-Environment-Id
- X-StartupCore-Action-Id
- Idempotency-Key
Payload example
json{ "actionId": "act_123", "tenantId": "tenant_abc", "environmentId": "env_prod", "externalUserId": "user_456", "intentKey": "order_status", "idempotencyKey": "idem_789" }
Verification (pseudocode)
- 1) Reject if timestamp older than 5 minutes.
- 2) Recompute HMAC with your webhook secret.
- 3) Compare to X-StartupCore-Signature.
- 4) Ensure externalUserId matches your logged-in user.
- 5) Process once per Idempotency-Key.