Inbound to Echo Zero
- Telegram — configure
X-Telegram-Bot-Api-Secret-Tokenon your bot webhook when Echo Zero provides a secret. - Agent HTTP ingress — sign outbound POSTs to your agent’s inbound URL with
x-signatureandx-timestampusing your API secret (same algorithm as REST HMAC signing). - Replay protection — Echo Zero rejects requests whose timestamp drifts beyond five minutes and deduplicates by event id.
Outbound from your service
If your server receives webhooks from Echo Zero in the future, apply the same principles: verify signatures, enforce timestamp windows, and treat duplicate event ids as idempotent retries.Provider-specific setup walkthroughs (Telegram, Discord, custom HTTP ingress) will be added in a follow-up update.