Webhooks
Subscribe to real-time events from the NANDA registry. Webhooks deliver HTTP POST callbacks when agents are registered, certified, reputation scores change, or compliance violations occur.
/api/queue/webhook-deliver endpoint is available for external callers but delivery
happens synchronously during event dispatch. A circuit breaker disables subscriptions
after 10 consecutive failures.Event Types
| Event | Description |
|---|---|
agent.registered | New agent registered or updated |
agent.deprecated | Agent deprecated or tombstoned |
cert.issued | Certification issued or renewed |
cert.revoked | Certification revoked |
reputation.updated | Reputation score changed |
compliance.violation | Compliance violation detected |
federation.peer_added | New federation peer connected |
Creating a Subscription
The server generates a cryptographic secret (32-byte hex) for HMAC signing and returns it in the response. Store this secret securely — it is only shown once.
curl -X POST https://nanda.nexartis.com/api/admin/webhooks \
-H "Content-Type: application/json" \
-H "Authorization: Bearer nanda_YOUR_KEY" \
-d '{
"callbackUrl": "https://your-app.com/hooks/nanda",
"events": ["agent.registered", "cert.issued"]
}'Response:
{
"id": "sub_abc123",
"secret": "a1b2c3d4...64-char-hex-string",
"status": "active"
}Subscription Lifecycle
Pause / Resume
Temporarily stop deliveries without deleting the subscription. Paused subscriptions retain their secret and event filters.
Circuit Breaker
After 10 consecutive delivery failures, the subscription is automatically disabled. Successful deliveries reset the failure counter. Disabled subscriptions must be manually re-enabled.
Delete
Only the subscription owner can delete. Deletion is permanent — the secret is discarded.
Delivery Envelope
Each delivery POSTs a JSON envelope to your callback URL:
{
"event": "agent.registered",
"payload": { "agent_id": "my-agent", "name": "..." },
"timestamp": "2026-04-05T12:00:00.000Z",
"idempotency_key": "nk_abc123"
}Headers
| Header | Description |
|---|---|
X-Webhook-Signature | HMAC-SHA256 signature: sha256={hex_digest} |
X-Webhook-Event | Event type string (e.g. agent.registered) |
X-Idempotency-Key | Unique key for deduplication |
Content-Type | application/json |
Verifying Signatures
import crypto from 'node:crypto';
function verifyWebhook(body, signature, secret) {
const expected = 'sha256=' +
crypto.createHmac('sha256', secret)
.update(body).digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected)
);
}URL Validation
Callback URLs are validated at subscription creation:
- Must use HTTPS — HTTP is rejected
- Must not target
localhost,127.0.0.1,[::1], or any private/RFC1918 IP range - Redirects are blocked during delivery (SSRF protection) — returns are discarded rather than followed
Delivery Behavior
- Timeout: 10-second delivery timeout per request
- Success: Any
2xxresponse resets the failure counter and updateslast_delivered_at - Failure: Non-2xx or network error increments the failure counter
- Circuit breaker: ≥ 10 consecutive failures → subscription disabled
API Endpoints
| Method | Path | Description |
|---|---|---|
| POST | /api/admin/webhooks | Create subscription |
| GET | /api/admin/webhooks | List subscriptions |
| DELETE | /api/admin/webhooks/:id | Delete subscription |
| PATCH | /api/admin/webhooks/:id/pause | Pause subscription |
| PATCH | /api/admin/webhooks/:id/resume | Resume subscription |
MCP Integration
Create subscriptions via MCP: nanda_subscribe_webhook tool. Manage existing
subscriptions via the /api/admin/webhooks REST endpoints.