Skip to main content
A trigger tells Pylon what event should activate a pipeline. Every pylon has exactly one trigger, defined under the trigger key in pylon.yaml. Pylon supports two trigger types: webhook for HTTP-driven events and cron for scheduled jobs.

Webhook triggers

A webhook trigger listens for an HTTP POST to a specific path on Pylon’s built-in server. When a request arrives at that path, Pylon loads the matching pylon and starts a job. Pylon listens on port 8080 by default. You can change this in ~/.pylon/config.yaml under server.port.

Webhook fields

Signature verification

When you set both secret and signature_header, Pylon computes an HMAC signature for each incoming request, compares it to the header value, and rejects the request with 401 Unauthorized on mismatch.
Store secrets in ~/.pylon/.env or ~/.pylon/pylons/<name>/.env and reference them with ${VAR_NAME}. See secrets files for the resolution rules.

Algorithm

  1. Read the raw request body (bytes, unparsed).
  2. Compute HMAC-SHA256(secret, body).
  3. Hex-encode the digest as a lowercase string.
  4. Compare that string to the value of the header named by signature_header, using a constant-time comparison.
Pylon expects the signature header value to be a bare lowercase hex digest with no prefix or scheme. If the sender wraps the digest (for example, GitHub’s sha256=<hex> format), Pylon does not strip the prefix and the comparison will fail.
If you leave signature_header empty, Pylon skips verification entirely even when secret is set. Always set both fields together.

Provider compatibility

For providers whose format does not match (GitHub, Slack), put an intermediary (nginx, Caddy, a tiny Go/Node shim) in front of Pylon to validate the native signature first and forward the request without the verification headers. Or skip signature verification at the Pylon layer and rely on network-level isolation.

Generating a signature by hand

Useful when scripting a custom sender or re-testing with curl:
Field-level reference for trigger.secret and trigger.signature_header lives in pylon.yaml.

Exposing the webhook publicly

Pylon’s server runs locally. To receive webhooks from external services (GitHub, Sentry, etc.), you need to expose it to the internet.
Point your reverse proxy (nginx, Caddy, Traefik) at Pylon’s local port and set public_url in your global config or per-pylon:

Cron triggers

A cron trigger runs a pylon on a schedule, using standard cron expression syntax.

Cron fields

Cron expression format

Common examples:
Cron pylons run the agent directly and post results to the configured channel. There is no approval flow for cron triggers — approval: true has no effect when type: cron.

Cron example

Coming soon

The following trigger types are planned but not yet available:
  • Chat command — trigger a pylon from a Telegram or Slack message
  • API call — trigger a pylon via a direct API request with auth