CHATBOT

Chatbot action webhooks

Verify signed payloads for private/action workflows.

Purpose

Used when intents trigger private webhook actions. StartupCore signs each delivery; you verify signature, timestamp, tenant/environment, externalUserId ownership, and idempotencyKey.

Headers

  • X-StartupCore-Signature
  • X-StartupCore-Timestamp
  • X-StartupCore-Tenant-Id
  • X-StartupCore-Environment-Id
  • X-StartupCore-Action-Id
  • Idempotency-Key

Payload example

json

{ "actionId": "act_123", "tenantId": "tenant_abc", "environmentId": "env_prod", "externalUserId": "user_456", "intentKey": "order_status", "idempotencyKey": "idem_789" }

Verification (pseudocode)

  • 1) Reject if timestamp older than 5 minutes.
  • 2) Recompute HMAC with your webhook secret.
  • 3) Compare to X-StartupCore-Signature.
  • 4) Ensure externalUserId matches your logged-in user.
  • 5) Process once per Idempotency-Key.