ebad21c94d
Merged via squash.
Prepared head SHA: ca58fb77a8
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
4.2 KiB
summary, read_when, title
| summary | read_when | title | ||
|---|---|---|---|---|
| Webhooks plugin: authenticated TaskFlow ingress for trusted external automation |
|
Webhooks Plugin |
Webhooks (plugin)
The Webhooks plugin adds authenticated HTTP routes that bind external automation to OpenClaw TaskFlows.
Use it when you want a trusted system such as Zapier, n8n, a CI job, or an internal service to create and drive managed TaskFlows without writing a custom plugin first.
Where it runs
The Webhooks plugin runs inside the Gateway process.
If your Gateway runs on another machine, install and configure the plugin on that Gateway host, then restart the Gateway.
Configure routes
Set config under plugins.entries.webhooks.config:
{
plugins: {
entries: {
webhooks: {
enabled: true,
config: {
routes: {
zapier: {
path: "/plugins/webhooks/zapier",
sessionKey: "agent:main:main",
secret: {
source: "env",
provider: "default",
id: "OPENCLAW_WEBHOOK_SECRET",
},
controllerId: "webhooks/zapier",
description: "Zapier TaskFlow bridge",
},
},
},
},
},
},
}
Route fields:
enabled: optional, defaults totruepath: optional, defaults to/plugins/webhooks/<routeId>sessionKey: required session that owns the bound TaskFlowssecret: required shared secret or SecretRefcontrollerId: optional controller id for created managed flowsdescription: optional operator note
Supported secret inputs:
- Plain string
- SecretRef with
source: "env" | "file" | "exec"
If a secret-backed route cannot resolve its secret at startup, the plugin skips that route and logs a warning instead of exposing a broken endpoint.
Security model
Each route is trusted to act with the TaskFlow authority of its configured
sessionKey.
This means the route can inspect and mutate TaskFlows owned by that session, so you should:
- Use a strong unique secret per route
- Prefer secret references over inline plaintext secrets
- Bind routes to the narrowest session that fits the workflow
- Expose only the specific webhook path you need
The plugin applies:
- Shared-secret authentication
- Request body size and timeout guards
- Fixed-window rate limiting
- In-flight request limiting
- Owner-bound TaskFlow access through
api.runtime.taskFlow.bindSession(...)
Request format
Send POST requests with:
Content-Type: application/jsonAuthorization: Bearer <secret>orx-openclaw-webhook-secret: <secret>
Example:
curl -X POST https://gateway.example.com/plugins/webhooks/zapier \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_SHARED_SECRET' \
-d '{"action":"create_flow","goal":"Review inbound queue"}'
Supported actions
The plugin currently accepts these JSON action values:
create_flowget_flowlist_flowsfind_latest_flowresolve_flowget_task_summaryset_waitingresume_flowfinish_flowfail_flowrequest_cancelcancel_flowrun_task
create_flow
Creates a managed TaskFlow for the route's bound session.
Example:
{
"action": "create_flow",
"goal": "Review inbound queue",
"status": "queued",
"notifyPolicy": "done_only"
}
run_task
Creates a managed child task inside an existing managed TaskFlow.
Allowed runtimes are:
subagentacp
Example:
{
"action": "run_task",
"flowId": "flow_123",
"runtime": "acp",
"childSessionKey": "agent:main:acp:worker",
"task": "Inspect the next message batch"
}
Response shape
Successful responses return:
{
"ok": true,
"routeId": "zapier",
"result": {}
}
Rejected requests return:
{
"ok": false,
"routeId": "zapier",
"code": "not_found",
"error": "TaskFlow not found.",
"result": {}
}
The plugin intentionally scrubs owner/session metadata from webhook responses.