Verify Computer Use API Webhooks with HMAC Signatures
Webhooks let your backend consume Coasty Task Run events in real time. The server calls your webhook_url when a run reaches a new state, and it signs the payload with HMAC so you can verify it came from Coasty. Without this verification, an attacker could fake states like succeeded or failed and corrupt your automation logic. This guide shows how to decode the signature, compute the HMAC, and safely accept only valid events.
How it works
When you POST a run, provide the webhook_url field in the request body. Coasty makes an HTTP POST to that URL with a JSON body containing the event and the signature header Coasty-Signature: t=unix,v1=hex. The unix value is the request timestamp and hex is the HMAC-SHA256 of the request body using your API key as the secret. You must confirm the timestamp is recent (within a few minutes) and that the HMAC matches before acting on the payload.
```python
import os

import requests

# Read the API key from the environment; never hard-code it.
API_KEY = os.getenv("COASTY_API_KEY")
BASE_URL = "https://coasty.ai/v1"

# webhook_url tells Coasty where to POST state changes for this run.
run_body = {
    "machine_id": "vm-123",
    "task": "open chrome and go to cozy.ai",
    "webhook_url": "https://your-server.com/webhook/coasty",
}

resp = requests.post(f"{BASE_URL}/runs", json=run_body, headers={"X-API-Key": API_KEY})
print(resp.status_code, resp.text)
```
Validate the webhook payload
- Read the Coasty-Signature header: t=unix,v1=hex
- Decode unix to a timestamp and reject stale requests
- Extract the hex value and compute HMAC-SHA256 on the raw request body using your API key
- Compare the computed HMAC to the hex value (constant-time comparison recommended)
- Reject the request if the HMAC does not match
Always compute the HMAC on the raw request body before parsing JSON, and use constant-time comparison to prevent timing attacks.
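The checks listed above as one function, added here as an example and not taken from Coasty's own code. It assumes the HMAC covers only the raw body, as this guide describes; the name verify_webhook, the 300-second tolerance and the sample payload are assumptions.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumption: "a few minutes" taken as five


def verify_webhook(raw_body, header, api_key, now=None):
    """Return True only for a well-formed, fresh, correctly signed request."""
    try:
        # "t=unix,v1=hex" -> {"t": "unix", "v1": "hex"}
        fields = dict(p.strip().split("=", 1) for p in (header or "").split(","))
        timestamp = int(fields["t"])
        received = bytes.fromhex(fields["v1"])
    except (KeyError, ValueError):
        return False  # header missing, malformed, or v1 is not hex

    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale (or implausibly far in the future)

    # HMAC-SHA256 over the exact bytes received, before any JSON parsing.
    expected = hmac.new(api_key.encode(), raw_body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, received)  # constant-time compare


if __name__ == "__main__":
    # Constructed sample: key, body and field name are made up for the demo.
    key = "demo-key-not-real"
    body = b'{"status": "succeeded"}'
    sig = hmac.new(key.encode(), body, hashlib.sha256).hexdigest()
    header = f"t={int(time.time())},v1={sig}"

    print(verify_webhook(body, header, key))
    print(verify_webhook(body.replace(b"succeeded", b"failed"), header, key))
    print(verify_webhook(body, "v1=" + sig, key))
```

Pass the request bytes exactly as received, not a re-serialized JSON object. If the signed material is the body alone, as described above, the t value is not covered by the HMAC, so treat the freshness check as a sanity check rather than replay protection.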
Where this beats brittle automation
Traditional automation relies on brittle selectors and fixed API endpoints. If a page layout changes or an API introduces a new field, your scripts break. The Computer Use API lets you inspect the screen, reason about elements, and act like a human agent. When your agent completes a task, the webhook tells you the final state so you can trigger downstream workflows without guessing or polling endlessly.
Use HMAC signatures to trust every webhook from the Coasty Computer Use API. Build resilient, human-like automation that reacts to real UI changes. Get started at https://coasty.ai/developers to create your API key and read the full documentation.