trigger key in pylon.yaml. Pylon supports two trigger types: webhook for HTTP-driven events and cron for scheduled jobs.
Webhook triggers
A webhook trigger listens for an HTTP POST to a specific path on Pylon’s built-in server. When a request arrives at that path, Pylon loads the matching pylon and starts a job. Pylon listens on port8080 by default. You can change this in ~/.pylon/config.yaml under server.port.
Webhook fields
Signature verification
When you set bothsecret and signature_header, Pylon computes an HMAC signature for each incoming request, compares it to the header value, and rejects the request with 401 Unauthorized on mismatch.
~/.pylon/.env or ~/.pylon/pylons/<name>/.env and reference them with ${VAR_NAME}. See secrets files for the resolution rules.
Algorithm
- Read the raw request body (bytes, unparsed).
- Compute
HMAC-SHA256(secret, body). - Hex-encode the digest as a lowercase string.
- Compare that string to the value of the header named by
signature_header, using a constant-time comparison.
sha256=<hex> format), Pylon does not strip the prefix and the comparison will fail.
Provider compatibility
For providers whose format does not match (GitHub, Slack), put an intermediary (nginx, Caddy, a tiny Go/Node shim) in front of Pylon to validate the native signature first and forward the request without the verification headers. Or skip signature verification at the Pylon layer and rely on network-level isolation.
Generating a signature by hand
Useful when scripting a custom sender or re-testing withcurl:
trigger.secret and trigger.signature_header lives in pylon.yaml.
Exposing the webhook publicly
Pylon’s server runs locally. To receive webhooks from external services (GitHub, Sentry, etc.), you need to expose it to the internet.- Reverse proxy
- ngrok (development)
Point your reverse proxy (nginx, Caddy, Traefik) at Pylon’s local port and set
public_url in your global config or per-pylon:Cron triggers
A cron trigger runs a pylon on a schedule, using standard cron expression syntax.Cron fields
Cron expression format
Cron pylons run the agent directly and post results to the configured channel. There is no approval flow for cron triggers —
approval: true has no effect when type: cron.Cron example
Coming soon
The following trigger types are planned but not yet available:- Chat command — trigger a pylon from a Telegram or Slack message
- API call — trigger a pylon via a direct API request with auth