
Release tip: lock webhook session routing with hooks.defaultSessionKey

Scenario: webhook-driven automations could be hijacked by a request-level sessionKey override, because a caller who controls the payload could steer a hook job into a session it should not touch. Fix by pinning a default hook session key and restricting which key prefixes a request may name; enable per-request overrides only for a reviewed, temporary legacy migration.

Source: GitHub · Discovered 2026-02-14 · Author: openclaw
Prerequisites
  • You are using POST /hooks/agent or any webhook-triggered agent flow.
  • You can edit gateway config and restart safely in a maintenance window.
Steps
  1. Inspect current hook routing behavior and list any clients that send explicit sessionKey in payloads.
  2. Set hooks.defaultSessionKey to a fixed hook namespace value and restrict hooks.allowedSessionKeyPrefixes (e.g., hook:).
  3. Keep hooks.allowRequestSessionKey disabled by default; enable only for temporary legacy migration with explicit review.
  4. Restart the gateway and replay known webhook payloads, including one that carries a sessionKey outside the allowed prefix, to verify that routing lands in the pinned session context.
Commands
openclaw config set hooks.defaultSessionKey "hook:ops"
openclaw config set hooks.allowedSessionKeyPrefixes '["hook:"]'
openclaw gateway restart
openclaw gateway status
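The following is an added model of the routing policy the steps above configure; it is illustrative code written for this page, not openclaw's own implementation, and it assumes the semantics the tip describes: hooks.defaultSessionKey pins routing, a request-supplied sessionKey is only considered when hooks.allowRequestSessionKey is on, and even then only when it starts with an entry in hooks.allowedSessionKeyPrefixes. The payloads, the "user:alice" key, and the weak/migration configurations are constructed for the example.

```python
"""Model of hook session routing under hooks.defaultSessionKey,
hooks.allowedSessionKeyPrefixes and hooks.allowRequestSessionKey.

Added example, not openclaw's own code. Field names and the fallback
behaviour (unauthorised overrides land in the pinned session rather than
being rejected) are assumptions about the semantics the tip describes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HookConfig:
    """Mirrors the three hooks.* settings from the tip (field names are ours)."""
    default_session_key: str
    allowed_session_key_prefixes: tuple[str, ...] = ()
    allow_request_session_key: bool = False


def resolve_session_key(cfg: HookConfig, payload: dict) -> tuple[str, str]:
    """Return (session_key, reason) for one webhook payload.

    The reason string is what a replay test would log so an operator can
    see why a request was or was not allowed to steer routing.
    """
    requested = payload.get("sessionKey")
    if not isinstance(requested, str) or not requested:
        return cfg.default_session_key, "pinned: no sessionKey in request"
    if not cfg.allow_request_session_key:
        # Hardened mode: the per-request override is ignored outright, so a
        # crafted sessionKey cannot move the job into another session.
        return cfg.default_session_key, f"pinned: override {requested!r} ignored"
    if not cfg.allowed_session_key_prefixes:
        # Weak/legacy mode: overrides are honoured with no namespace check.
        return requested, f"override honoured without prefix check: {requested!r}"
    if any(requested.startswith(p) for p in cfg.allowed_session_key_prefixes):
        return requested, f"override honoured: {requested!r} matches allowed prefix"
    return cfg.default_session_key, f"pinned: {requested!r} outside allowed prefixes"


def replay(cfg: HookConfig, payloads: list[dict]) -> list[tuple[str, str]]:
    """Run a batch of captured payloads through the policy (step 4 of the tip)."""
    return [resolve_session_key(cfg, p) for p in payloads]


def hijack_possible(cfg: HookConfig, payloads: list[dict]) -> bool:
    """True if any replayed payload steers routing outside the pinned key and
    the allowed namespaces, i.e. a request could hijack the session."""
    for key, _ in replay(cfg, payloads):
        if key == cfg.default_session_key:
            continue
        if not any(key.startswith(p) for p in cfg.allowed_session_key_prefixes):
            return True
    return False


# Constructed sample payloads standing in for replayed webhook traffic.
SAMPLE_PAYLOADS = [
    {"agent": "deploy-notify", "event": "push"},             # benign, no override
    {"agent": "deploy-notify", "sessionKey": "hook:ops"},    # namespaced, legitimate
    {"agent": "deploy-notify", "sessionKey": "user:alice"},  # hijack attempt
    {"agent": "deploy-notify", "sessionKey": "hook:ci"},     # second hook namespace
]

# Weak configuration: overrides honoured, no prefix restriction (assumed pre-fix state).
WEAK = HookConfig(default_session_key="hook:ops", allow_request_session_key=True)

# Hardened configuration matching the Commands section: pinned key, hook: prefix,
# overrides disabled.
HARDENED = HookConfig(default_session_key="hook:ops",
                      allowed_session_key_prefixes=("hook:",),
                      allow_request_session_key=False)

# Migration-window configuration: overrides temporarily allowed, but only
# inside the hook: namespace.
MIGRATION = HookConfig(default_session_key="hook:ops",
                       allowed_session_key_prefixes=("hook:",),
                       allow_request_session_key=True)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("migration", MIGRATION)):
        print(f"== {name}: hijack possible = {hijack_possible(cfg, SAMPLE_PAYLOADS)}")
        for key, reason in replay(cfg, SAMPLE_PAYLOADS):
            print(f"  -> {key:10} {reason}")
```

Running the script shows the three states side by side: under WEAK the "user:alice" payload is routed into that session, under HARDENED every payload lands in hook:ops regardless of what it asks for, and under MIGRATION only keys inside the hook: namespace are honoured, which is the shape a reviewed legacy window should have before overrides are switched off again.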
Verify

Webhook requests that carry a sessionKey outside the trusted prefix no longer reroute sessions, and expected hook jobs still execute in the pinned session.

Caveats
  • Legacy clients that relied on per-request sessionKey will break until migrated.
  • If multiple hook workloads share one session, the risk of context pollution increases; split them by namespace (for example hook:ops and hook:ci) where possible (needs verification).
Source attribution

This tip is aggregated from community/public sources and preserved with attribution.
