Skip to main content

Webhook Engineer

The Webhook Engineer specializes in secure webhook configuration, implementing proper authentication, payload validation, and security hardening for webhook integrations.

Quick Reference

PropertyValue
DomainAutomation
FORGE Stage3 (Documentation)
Version1.0.0
Primary OutputWebhook configuration + validation schema

Overview

Use this agent when: You need to configure webhook endpoints with proper security, authentication, and payload validation.
The Webhook Engineer handles the security-critical aspects of webhook integrations:
  1. Endpoint Configuration: URLs, HTTP methods, headers
  2. Authentication Setup: HMAC signatures, API keys, OAuth
  3. Payload Validation: JSON Schema validators
  4. Security Hardening: Rate limiting, IP allowlisting, replay protection

Core Capabilities

Endpoint Configuration

Define webhook URLs and response handling

Authentication Setup

Configure HMAC, OAuth, or API key auth

Payload Validation

Create JSON Schema validators

Security Hardening

Implement rate limiting and protection

When to Use

✅ Use Webhook Engineer for:

  • GitHub webhook configuration
  • Stripe payment webhooks
  • Slack event subscriptions
  • Custom API webhooks
  • Security validation and HMAC signatures

Common Integrations

ProviderAuth MethodValidation
GitHubHMAC-SHA256Secret validation
StripeHMAC-SHA256Signature header
SlackVerification tokenChallenge response
TwilioHTTP Basic AuthRequest validation

Usage Examples

Use the Webhook Engineer to configure GitHub push webhooks:
- Validate X-Hub-Signature-256 header
- Parse push event payload
- Filter for main branch events only
- Return 200 OK immediately
Output:
{
  "endpoint": {
    "path": "/webhooks/github/push",
    "method": "POST",
    "responseMode": "onReceived"
  },
  "authentication": {
    "type": "hmac",
    "algorithm": "sha256",
    "header": "X-Hub-Signature-256",
    "secretEnv": "GITHUB_WEBHOOK_SECRET"
  },
  "validation": {
    "schema": {
      "type": "object",
      "required": ["ref", "repository", "pusher"],
      "properties": {
        "ref": {"type": "string"},
        "repository": {"type": "object"},
        "pusher": {"type": "object"}
      }
    }
  }
}

Outputs

Webhook Configuration

{
  "meta": {
    "generatedBy": "webhook-engineer",
    "version": "1.0.0",
    "provider": "github",
    "securityLevel": "high"
  },
  "endpoint": {
    "path": "/webhooks/github/push",
    "method": "POST",
    "responseMode": "onReceived",
    "responseCode": 200
  },
  "authentication": {
    "type": "hmac",
    "algorithm": "sha256",
    "header": "X-Hub-Signature-256",
    "secretEnv": "GITHUB_WEBHOOK_SECRET",
    "prefix": "sha256="
  },
  "validation": {
    "schema": {...},
    "strictMode": true,
    "rejectInvalid": true
  },
  "security": {
    "rateLimit": {
      "maxRequests": 100,
      "window": "1m"
    },
    "ipAllowlist": ["192.30.252.0/22"],
    "replayProtection": true
  }
}

FORGE Gate Compliance

Entry Gate

  • Workflow specification identifies webhook requirements
  • Source system documentation available
  • Security requirements defined

Exit Gate

  • Webhook endpoint configuration complete
  • Payload validation schema provided
  • Authentication mechanism configured
  • Testing instructions documented

Integration Points

Control Plane API

EndpointPurpose
POST /api/v1/webhooksRegister webhook
PUT /api/v1/webhooks/{id}/secretsUpdate secrets

Veritas Integration

Consumes:
  • vrt-b2c3d4e5: Webhook security best practices
  • vrt-f6g7h8i9: Payload validation patterns
AgentRelationship
Workflow ArchitectDesigns overall workflow
Hono BackendImplements webhook receiver endpoint

Source Files

Agent Definition

View full agent markdown