Skip to main content
When external services send events to Echo Zero (Telegram bots, Discord gateways, or your bot posting to an agent inbound URL), the platform verifies authenticity before processing.

Inbound to Echo Zero

  • Telegram — configure X-Telegram-Bot-Api-Secret-Token on your bot webhook when Echo Zero provides a secret.
  • Agent HTTP ingress — sign outbound POSTs to your agent’s inbound URL with x-signature and x-timestamp using your API secret (same algorithm as REST HMAC signing).
  • Replay protection — Echo Zero rejects requests whose timestamp drifts beyond five minutes and deduplicates by event id.

Outbound from your service

If your server receives webhooks from Echo Zero in the future, apply the same principles: verify signatures, enforce timestamp windows, and treat duplicate event ids as idempotent retries.
Provider-specific setup walkthroughs (Telegram, Discord, custom HTTP ingress) will be added in a follow-up update.