Skip to content

Inbound webhooks

Post a message into a channel from your own systems. The message is translated for every reader, just like any other.

POST /webhooks/{webhook}/messages
FieldRequiredDescription
contentThe message text.
channel_idTarget channel; defaults to the webhook’s configured channel.
skip_translationPost the content as-is, without translating.

The message appears with the webhook’s configured bot identity — its bot_name and bot_avatar_url — so posts show up as your integration, not a person.

A webhook uses one of two schemes:

  • Static secret (default) — send the secret in the X-Rosetta-Webhook-Secret header (or a secret body field).

  • HMAC signature (opt-in, signature_required) — sign like the outbound direction and send:

    X-Rosetta-Signature: t=<unix>,v1=<hmac_sha256("<t>.<body>", signing_secret)>

    The timestamp must be within a 5-minute freshness window (replay guard).

Send an Idempotency-Key header to make retries safe. A repeated key within the retention window replays the original result instead of posting a duplicate — so network retries never double-post.

Terminal window
curl -X POST https://api.rosettachat.app/webhooks/wbk_.../messages \
-H "X-Rosetta-Webhook-Secret: <secret>" \
-H "Idempotency-Key: 8f14e45f" \
-H "Content-Type: application/json" \
-d '{"content":"Deploy finished ✅"}'

Inbound requests count against your workspace’s webhook-request quota. Every request — accepted or rejected — is recorded in the inbound request log for self-debugging.