Slack webhook disconnected
Send a Slack message every time the verifier flags an answer with verdict CONFLICT, REJECTED, or BLOCK. Paste an incoming webhook URL — Wauldo only posts to hooks.slack.com.
Discord webhook disconnected
Send a Discord message every time the verifier flags an answer. Wauldo only posts to discord.com/api/webhooks/.
Generic webhook disconnected
POST a JSON payload to any HTTPS endpoint on flagged verdicts. Drop the URL into Zapier "Webhooks by Zapier", Make.com Custom webhook, n8n Webhook trigger, or your own backend. Wauldo signs each payload with HMAC-SHA256 so you can verify authenticity.
Every request carries an X-Wauldo-Signature: sha256=<hex> header, where <hex> is the HMAC-SHA256 of the raw body keyed with this secret. Verify it server-side to reject spoofed events. Save this secret now: it's revealed once on save/rotate and never returned again. If you lose it, rotate to mint a new one.
Sample payload + verification snippet
{
  "event": "task.completed",
  "event_id": "01HXY...",
  "timestamp": "2026-05-03T12:00:00.000Z",
  "tenant": "you@example.com",
  "verdict": "CONFLICT",
  "support_score": 0.32,
  "hallucination_rate": 0.68,
  "claims": {
    "total": 4,
    "supported": 1,
    "flagged": [
      { "text": "...", "evidence": null, "confidence": 0.2 }
    ]
  },
  "agent": { "id": "agent-xyz", "name": "support-bot" },
  "answer": "...",
  "run_url": "https://wauldo.com/studio/run?...",
  "latency_ms": 4521
}
import crypto from 'crypto';
import express from 'express';

const app = express();
// Load the secret from configuration (the env var name is this example's choice).
const WAULDO_WEBHOOK_SECRET = process.env.WAULDO_WEBHOOK_SECRET;

// IMPORTANT: capture the raw body BEFORE JSON parsing. The HMAC must
// verify the exact bytes Wauldo signed.
app.use(express.json({ verify: (req, _res, buf) => { req.rawBody = buf; } }));

app.post('/wauldo', (req, res) => {
  const sig = req.headers['x-wauldo-signature'];        // "sha256=<hex>"
  const ts = Number(req.headers['x-wauldo-timestamp']); // epoch ms
  // rawBody is unset when the request was not parsed as JSON.
  if (!sig || !req.rawBody) return res.status(401).end();
  // Reject a missing or non-numeric timestamp (NaN) and anything outside
  // the 5-minute window, whether too old or too far in the future.
  if (!Number.isFinite(ts) || Math.abs(Date.now() - ts) > 5 * 60_000) {
    return res.status(401).end();
  }
  const expected = 'sha256=' + crypto
    .createHmac('sha256', WAULDO_WEBHOOK_SECRET)
    .update(req.rawBody)
    .digest('hex');
  // Constant-time compare: required to defeat timing oracle attacks.
  const a = Buffer.from(sig);
  const b = Buffer.from(expected);
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
    return res.status(401).end();
  }
  // Verified: process req.body safely
  res.status(200).end();
});
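The checks in the snippet above as a framework-free function, run against a constructed delivery so the failure cases (re-serialized body, malformed timestamp, replayed event) can be exercised. This is an added example, not Wauldo's code; it uses CommonJS `require`, and the secret, the sample payload, and treating `event_id` as unique per event are assumptions.

```javascript
// Added example, not Wauldo's code. Header semantics and the 5-minute window
// follow the snippet above; event_id being unique per event is an assumption.
const nodeCrypto = require('node:crypto');

const MAX_SKEW_MS = 5 * 60_000;
// Demo-only store of processed ids; use a shared store with retention in production.
const seenEventIds = new Set();

function sign(secret, rawBody) {
  return 'sha256=' + nodeCrypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Returns { ok: true, event } or { ok: false, reason }.
function verifyWauldoEvent({ secret, rawBody, signature, timestamp, now = Date.now() }) {
  if (typeof signature !== 'string' || !/^sha256=[0-9a-f]{64}$/.test(signature)) {
    return { ok: false, reason: 'bad-signature-format' };
  }
  const ts = Number(timestamp); // undefined or non-numeric becomes NaN
  if (!Number.isFinite(ts) || Math.abs(now - ts) > MAX_SKEW_MS) {
    return { ok: false, reason: 'bad-timestamp' };
  }
  const given = Buffer.from(signature);
  const expected = Buffer.from(sign(secret, rawBody));
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'signature-mismatch' };
  }
  // Parse only after the exact bytes are authenticated.
  let event;
  try { event = JSON.parse(rawBody.toString('utf8')); } catch { return { ok: false, reason: 'bad-json' }; }
  if (!event || typeof event.event_id !== 'string') return { ok: false, reason: 'missing-event-id' };
  // The signature as documented covers the body only, so the timestamp header
  // is unauthenticated; the signed event_id is what catches a replayed body.
  if (seenEventIds.has(event.event_id)) return { ok: false, reason: 'replayed-event' };
  seenEventIds.add(event.event_id);
  return { ok: true, event };
}

// Constructed sample delivery (not real Wauldo traffic).
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_NOW = Date.parse('2026-05-03T12:00:05.000Z');
const SAMPLE_BODY = Buffer.from(
  '{"event":"task.completed", "event_id":"evt-constructed-1","verdict":"CONFLICT"}');
function sampleDelivery(overrides = {}) {
  return { secret: SAMPLE_SECRET, rawBody: SAMPLE_BODY, now: SAMPLE_NOW,
    timestamp: String(SAMPLE_NOW - 5000),
    signature: sign(SAMPLE_SECRET, SAMPLE_BODY), ...overrides };
}
```

Calling `verifyWauldoEvent(sampleDelivery())` twice accepts the first delivery and rejects the second as `replayed-event`; passing the parsed-and-re-stringified body fails with `signature-mismatch`, which is why the handler must keep the raw bytes.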
Auto-publish flagged runs Off
When the verifier flags a run as UNVERIFIED, CONFLICT, BLOCK, INSUFFICIENT_CLAIMS or UNCERTAIN, automatically publish it as a public link (https://wauldo.com/r/<id>) BEFORE the webhook fires, so your Slack / Discord / generic endpoint receives the run with a deep-link to the public page already in the payload's share_url field. Off by default; flip on to opt in.
Same privacy contract as manual sharing: the public page exposes the verdict, claims, sources, and timeline phases, never your prompt template, system message, or tool args. Free-tier links expire after 30 days.
Weekly email digest Not subscribed
Get a Monday recap of your verdicts, top agents, and quota. We never send "you did nothing this week" — if there are no runs, there's no email. One-click unsubscribe in every digest.
Sent every Monday around 13:00 UTC.
We send to the email tied to your sign-in. Unsubscribe link is in every email.
More integrations
Need GitHub PR comments, Linear ticket creation, or Notion auto-sync? Tell us what you need — we ship integrations driven by user demand.
Your data & account
GDPR rights — your data, your call. Export at any time, delete permanently if you want out.
Export covers tier, agents metadata, settings, runs count. Per-run transcripts and RAG corpus require manual export — email privacy@wauldo.com. Deletion is irreversible: agents wiped, settings cleared, session ended. Stripe subscription must be cancelled separately.