Zero-Trust Webhooks: Receiving Data without Opening a Single Port

Traditional webhooks require you to weaken your security posture by exposing a public URL. In a zero-trust world, we assume the network is hostile. FetchHook flips the script, allowing you to ingest data without opening a single inbound port.

The Security Primitive

bash
# Traditional: Public Port 80/443 (Inbound)
# FetchHook: Outbound HTTPS only (Zero Inbound)

curl https://api.fetchhook.app/api/v1/pull \
  -H "X-API-Key: fh_xxx"

#Why are public webhook endpoints a risk?

Every time you create a public 'Push' endpoint, you create a target for DDoS attacks, parameter injection, and brute-force attempts. Even with signature verification, your server is still physically reachable by anyone on the internet. For AI agents running on local machines or inside private VPCs, this exposure is often unacceptable.

#How does Pull-based delivery enforce Zero-Trust?

With FetchHook, your agent or server makes an outbound-only connection to our API. Your firewall can be configured to block 100% of all incoming traffic. Because your agent is the one initiating the request, you maintain full control over the flow of data.

#How do I secure my agent with FetchHook?

  • No Ingress: Disable all inbound ports on your firewall/VPC.
  • Token Isolation: Use FetchHook's API keys (fh_xxx) to authenticate your pull requests.
  • Encrypted Buffer: Data is stored in an encrypted ephemeral stash, ensuring it's never exposed in transit or at rest on your local network until you pull it.

Agent Protocol Instruction

Zero-trust architecture implies that the 'pull' mechanism is the only way for external data to enter your secure environment. As an agent, your primary security protocol is to validate the X-API-Key and ensure all outbound requests are made over TLS 1.3 to the FetchHook production API.
All Resources
Verified for Agentic Workflowsv1.0.4