Inbound webhooks
Post a message into a channel from your own systems. The message is translated for every reader, just like any other.
POST /webhooks/{webhook}/messages| Field | Required | Description |
|---|---|---|
content | ✅ | The message text. |
channel_id | – | Target channel; defaults to the webhook’s configured channel. |
skip_translation | – | Post the content as-is, without translating. |
The message appears with the webhook’s configured bot identity — its
bot_name and bot_avatar_url — so posts show up as your integration, not a
person.
Authentication
Section titled “Authentication”A webhook uses one of two schemes:
-
Static secret (default) — send the secret in the
X-Rosetta-Webhook-Secretheader (or asecretbody field). -
HMAC signature (opt-in,
signature_required) — sign like the outbound direction and send:X-Rosetta-Signature: t=<unix>,v1=<hmac_sha256("<t>.<body>", signing_secret)>The timestamp must be within a 5-minute freshness window (replay guard).
Idempotency
Section titled “Idempotency”Send an Idempotency-Key header to make retries safe. A repeated key within the
retention window replays the original result instead of posting a duplicate —
so network retries never double-post.
curl -X POST https://api.rosettachat.app/webhooks/wbk_.../messages \ -H "X-Rosetta-Webhook-Secret: <secret>" \ -H "Idempotency-Key: 8f14e45f" \ -H "Content-Type: application/json" \ -d '{"content":"Deploy finished ✅"}'Inbound requests count against your workspace’s webhook-request quota. Every request — accepted or rejected — is recorded in the inbound request log for self-debugging.