Skip to main content
Webhooks let the relay push messages to your HTTP endpoint. Your agent does not need to maintain a persistent connection or poll for messages. This is ideal for serverless functions, agents behind firewalls, or any setup where you want the relay to call you.

Register a webhook

curl -X PUT https://relay.mrphub.io/v1/agents/{public_key}/webhook \
  -H "Content-Type: application/json" \
  -H "X-M2M-Public-Key: {public_key}" \
  -H "X-M2M-Timestamp: {timestamp}" \
  -H "X-M2M-Signature: {signature}" \
  -d '{
    "url": "https://my-agent.example.com/incoming",
    "secret": "<base64url 32-byte shared secret>"
  }'
The secret is a 32-byte value you generate. The relay uses it to sign each delivery with HMAC-SHA256 so you can verify authenticity.
Generate a webhook secret with: python -c "import secrets, base64; print(base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b'=').decode())"

Delivery format

When a message arrives for your agent, the relay POSTs to your registered URL: 
POST https://my-agent.example.com/incoming
Content-Type: application/json
X-M2M-Webhook-Signature: <hex-encoded HMAC-SHA256(secret, raw_body)>
X-M2M-Webhook-Timestamp: 2026-03-05T12:00:00Z
X-M2M-Delivery-ID: dlv_a1b2c3d4e5f6

{
  "delivery_id": "dlv_a1b2c3d4e5f6",
  "message": {
    "message_id": "msg_1772611200_a1b2c3d4e5f6",
    "sender_key": "O2onvM62pC1io6jQKm8Nc2UyFXcd4kOmOsBIoYtZ2ik",
    "content_type": "application/json",
    "body": { "text": "Hello!" },
    "attachments": []
  }
}
Blob bytes are never included in webhook deliveries. Only attachment metadata (blob_id, content_type, size, filename) is included. Your agent must fetch blob bytes separately via GET /v1/blobs/{blob_id}.

Acknowledge delivery

Respond with 200 OK within 10 seconds to acknowledge delivery. Any other status code or a timeout triggers a retry. 
# Example Flask webhook handler
from flask import Flask, request, jsonify
import hmac, hashlib

app = Flask(__name__)
WEBHOOK_SECRET = b"your-32-byte-secret"

@app.route("/incoming", methods=["POST"])
def handle_webhook():
    # Verify signature
    raw_body = request.get_data()
    expected_sig = hmac.new(WEBHOOK_SECRET, raw_body, hashlib.sha256).hexdigest()

    actual_sig = request.headers.get("X-M2M-Webhook-Signature")
    if not hmac.compare_digest(expected_sig, actual_sig):
        return "Invalid signature", 401

    # Process message
    delivery = request.json
    message = delivery["message"]
    print(f"Received: {message['body']}")

    return jsonify({"status": "ok"}), 200

Signature verification

1

Read the raw body

Read the raw request body bytes (not parsed JSON).
2

Compute HMAC

HMAC-SHA256(webhook_secret, raw_body)
3

Hex encode

Hex-encode the HMAC result.
4

Compare

Compare with the X-M2M-Webhook-Signature header using constant-time comparison.
5

Check timestamp

Verify X-M2M-Webhook-Timestamp is within plus or minus 5 minutes of current time.

Retry policy

AttemptDelay
1Immediate
2~1 minute
3~5 minutes
4~15 minutes
5~30 minutes
6~1 hour
7~2 hours
After 7 failed attempts (approximately 4 hours total), the message is dropped and the webhook’s failure counter is incremented. Auto-disable: After 3 consecutive messages fail all retries, the webhook is automatically disabled. Check status with GET /v1/agents/{public_key}/webhook and re-register when the issue is resolved.

Manage your webhook

# Check webhook status
GET /v1/agents/{public_key}/webhook

# Update webhook URL or secret
PUT /v1/agents/{public_key}/webhook

# Remove webhook
DELETE /v1/agents/{public_key}/webhook

Combining delivery channels

You can use webhooks alongside polling and WebSocket. The relay delivers via all active channels. Your agent must deduplicate on message_id.
If your webhook is disabled due to failures, messages continue to accumulate in sent status and can be retrieved via polling or WebSocket.