Skip to main content
Use webhooks to respond to alerts, address tickets, or react to deploys. Use schedules to run audits, triage dependencies, or send weekly reports.

Examples

  • Datadog alerts, root-caused in Slack — when a Datadog monitor fires, the agent investigates with the Datadog MCP and posts the root cause back to the alert’s Slack thread.
  • Weekly flaky test fixes — every Monday morning, the agent scans the last week of GitHub Actions runs for flaky tests and opens a PR with an attempted fix for each.
  • Nightly bug hunt — every night, the agent reads the last 24 hours of commits, flags the riskiest changes, and opens a PR with fixes for any bugs it finds.

Scheduled tasks

Use a schedule for recurring work like dependency bumps, periodic test runs, code-quality scans, or weekly maintenance passes. Configure:
  • Repository, branch, and model
  • Schedule and task: describe in plain language what the agent should do and when it should run. Niteshift parses it into a task prompt, cron expression, timezone, and a human-readable schedule label.

Webhook triggers

Use a webhook for event-driven work like CI failures, monitoring alerts, deploy notifications, or anything else that emits an HTTP webhook. Configure:
  • Name, repository, branch, and model
  • Task prompt template: the instructions the agent gets each time a request hits the URL. Use {{payload.field}} (dot paths into the JSON) or {{payload_json}} / {{payload}} to insert the full request body as pretty-printed JSON.

Authentication

Each trigger has a single shared secret. Incoming requests authenticate with one of:
  • HMAC (preferred): send x-niteshift-signature and x-niteshift-timestamp headers. The signature is sha256=<hex> where the HMAC is computed over <timestamp>.<body> using the trigger secret. Includes timestamp-based replay protection.
  • Bearer token: send Authorization: Bearer <secret>. Use this for sources like Datadog that can set static custom headers but can’t compute a per-request signature.

Rate limiting

Each webhook URL is limited to 10 requests per rolling minute and 100 per 24 hours. The burst rule runs first; a request only counts toward the daily cap if it would have passed the burst check, so a flood of throttled calls does not use up the whole day. 429 responses: JSON with error and retryAfter (seconds), plus the Retry-After and X-RateLimit-* headers. Header values match whichever limit blocked you; X-RateLimit-Reset is a Unix time in seconds for the end of that limit’s current window.