# Webhook contract

If your platform emits webhooks, AO ingests them on a push path. Your
manifest's `webhook` block declares:

- **signature_scheme** — one of: `hmac_sha256` (preferred),
  `hmac_sha512`, `hmac_sha1` (legacy), `bearer_token` /
  `bearer_token_compare` (static token compare), `stripe_signature`
  (timestamped HMAC, Stripe-style), `shared_secret`. Unsigned
  webhooks are not accepted.
- **signature_header** — the header carrying the signature.
- **delivery_id_header** — a per-delivery unique id header (strongly
  recommended; it's the best dedup key).
- **event_type_header** — the header naming the event type, when the
  type isn't in the payload.

Secret handling: the verification secret may be platform-wide (one
secret for AO), may reuse your OAuth client secret as the HMAC key, or
may be minted per customer connection. Per-connection secrets are
REQUIRED when customer admins can see the secret in your UI — otherwise
one customer could forge another's deliveries. Say which model you use
in the dossier.

Delivery semantics we expect: retry with backoff on non-2xx for at
least 24h; idempotent redelivery (same delivery id); event payloads
under 1 MB. During submission you'll get a live test endpoint — point
real webhooks at it and the portal shows exactly what AO would parse
or reject.
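The following is an added example (not AO's own code) of what a receiver enforcing this contract does with the `webhook` block fields above and the delivery semantics just described: it rejects unsigned or oversized deliveries, checks the HMAC in constant time, and uses the delivery id as the dedup key so redelivery is idempotent. The header names and secret are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed manifest `webhook` block; header names are placeholders.
MANIFEST_WEBHOOK = {
    "signature_scheme": "hmac_sha256",
    "signature_header": "x-example-signature",
    "delivery_id_header": "x-example-delivery",
    "event_type_header": "x-example-event",
}
MAX_PAYLOAD_BYTES = 1_000_000  # contract: event payloads under 1 MB
DIGESTS = {"hmac_sha256": hashlib.sha256, "hmac_sha512": hashlib.sha512,
           "hmac_sha1": hashlib.sha1}


def sign(secret: bytes, body: bytes, scheme: str = "hmac_sha256") -> str:
    """Sender side: hex HMAC over the raw request body (assumed encoding)."""
    return hmac.new(secret, body, DIGESTS[scheme]).hexdigest()


def verify_delivery(manifest, secret, headers, body, seen_ids):
    """Receiver side. Returns (accepted, reason); seen_ids is the dedup set.

    headers is a dict keyed by lowercase header name (HTTP names are
    case-insensitive, so callers normalise before passing them in).
    """
    if len(body) >= MAX_PAYLOAD_BYTES:
        return False, "payload too large"
    sig = headers.get(manifest["signature_header"])
    if not sig:
        return False, "unsigned webhooks are not accepted"
    expected = sign(secret, body, manifest["signature_scheme"])
    # Compare as bytes in constant time so timing never leaks the MAC.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    delivery_id = headers.get(manifest["delivery_id_header"])
    if delivery_id is not None:
        if delivery_id in seen_ids:
            # Idempotent redelivery: acknowledge, do not process twice.
            return True, "duplicate delivery already processed"
        seen_ids.add(delivery_id)
    # Event type comes from the header when present, else from the payload.
    event_type = headers.get(manifest["event_type_header"])
    if event_type is None:
        event_type = json.loads(body).get("type")
    return True, f"accepted {event_type}"
```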
