What you can do
Each surface has its own auth mode tailored to its use — quota, rate-limit and audit journal apply to all three.
Dashboard tenant (NextAuth session)
/api/automations/* — CRUD, toggle, seed, replay run and inbound-token management. Gated by requireCapability(automations.{view, manage, run}).
Public v1 API (API key)
/api/v1/automations and /api/v1/automations/[id]/fire. Auth via X-API-Key + X-API-Secret, metered against the plan's monthly quota. Path used by the MCP server.
HMAC inbound webhook
/api/automations/trigger/[token] — public HMAC-SHA256 signed POST with 5-min anti-replay. Token + secret generation and rotation from the automation page.
Replay & observability
Replay endpoint releases the dedupeKey so the next tick can re-run. Run history with status, duration and action timeline. Per-rule success rate on the list page.
How it works
From creating an inbound endpoint to testing it from a terminal.
- 1
Generate a token (inbound)
On an event-driven automation, click "Generate a token". URL and HMAC secret are shown ONCE — copy them right away.
- 2
Sign your requests
Send X-CompanyBelgium-Timestamp (epoch ms, 5-min window) and X-CompanyBelgium-Signature: sha256=HMAC(secret, "[ts].[body]"). Any JSON body becomes the payload.
- 3
Monitor and replay
The execution history (filterable by status) lists the 50 most recent runs. A failed run can be replayed in one click — the engine recomputes on the next tick.