Overview
Webhook Token Security is a documentation skill that teaches how to manage webhook tokens securely using MGC Blackbox. Supports multiple platforms including DingTalk, WeCom (Enterprise WeChat), Feishu (Lark), Telegram, and Slack. It enables AI agents to send notifications without ever exposing webhook tokens to the AI model.
This skill contains no executable code and is safe for automatic approval.
What This Skill Enables
After reading this documentation, an AI agent will understand how to:
- Store webhook tokens (DingTalk, WeCom, Feishu, Telegram, Slack, etc.) securely in MGC Blackbox
- Retrieve tokens at runtime without AI seeing plaintext
- Send notifications through local scripts
- Handle platform-specific differences
- Rotate tokens without code changes
Prerequisites
- Install MGC Blackbox:
pip install mgc-blackbox - Start MGC service:
mgc(runs at http://127.0.0.1:57219) - Use MCP tools (
mgc_save,mgc_get) for token management
Important: For AI agents, use MCP tools. CLI may have port conflicts in some environments.
Supported Platforms
| Platform | Token Type | Storage Format | API Endpoint | |----------|------------|---------------|---------------| | DingTalk | access_token + secret | JSON | https://oapi.dingtalk.com/robot/send | | WeCom | webhook key | Plain text | https://qyapi.weixin.qq.com/cgi-bin/webhook/send | | Feishu | webhook_url | Plain text | Custom webhook URL | | Telegram | bot_token | Plain text | https://api.telegram.org/bot{token}/sendMessage | | Slack | webhook_url / bot_token | JSON | Incoming Webhook or Web API |
Platform-Specific Storage
DingTalk
Requires both access_token and secret for signature verification.
{
"access_token": "your_access_token",
"secret": "your_secret",
"webhook": "https://oapi.dingtalk.com/robot/send?access_token=xxx"
}
Storage key: info_type=config, info_owner=dingtalk_myapp
WeCom (Enterprise WeChat)
Requires only the webhook key from the custom robot configuration.
{
"webhook_key": "your_webhook_key",
"webhook_url": "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=xxx"
}
Storage key: info_type=config, info_owner=wecom_myapp
Feishu (Lark)
Requires the webhook URL from the custom bot configuration.
{
"webhook_url": "https://open.feishu.cn/open-apis/bot/v2/hook/xxx"
}
Storage key: info_type=config, info_owner=feishu_myapp
Telegram
Requires bot_token and optionally chat_id.
{
"bot_token": "your_bot_token",
"chat_id": "your_chat_id"
}
Storage key: info_type=config, info_owner=telegram_mybot
Slack
Can use either incoming webhook URL or bot token.
{
"webhook_url": "https://hooks.slack.com/services/xxx",
"bot_token": "xoxb-xxx",
"channel": "#my-channel"
}
Storage key: info_type=config, info_owner=slack_myapp
Storing Webhook Tokens
Step 1: Prepare Token File
Create a JSON file containing your webhook token details (see Platform-Specific Storage above).
Step 2: Store in MGC
Important: Use MCP tools for AI agents. CLI may have port conflicts in some environments.
Recommended: MCP Interface
- Use
mgc_saveMCP tool to store tokens - Use
mgc_getMCP tool to retrieve tokens
Alternative: CLI (for local development only)
mgc_save info_type=config info_owner=my_webhook < token.json
Tip: Users can also store tokens manually via MGC WebUI at http://127.0.0.1:57218/skill
Webhook Token Pattern (Conceptual)
Local Script Pattern
A secure webhook script follows this pattern:
- Retrieve token from MGC (not visible to AI)
- Format message (platform-specific)
- Send request (HTTP POST)
- Return result (non-sensitive data only)
The script must never print or expose webhook tokens.
Conceptual Code Structure
function send_webhook(message):
token = retrieve_from_mgc("my_webhook")
payload = format_message(message, token)
response = http_post(token["webhook_url"], payload)
return response
MGC Blackbox API Reference
Service Endpoint
- Base URL: http://127.0.0.1:57219
- Token File: ~/.mgc/database/mgc_black_box/.mgc_token
- Token: String token read from token file, required for all API calls
Get Token API
Endpoint: /api/mgc/sensitive/get Method: POST Headers:
- X-MGC-Token: (string token read from token file)
- Content-Type: application/json
Body fields:
- info_type: "config"
- info_owner: your chosen identifier
Response fields:
- code: status code
- data.content: JSON string containing stored token
Save Token API
Endpoint: /api/mgc/sensitive/save Method: POST Headers: same as above
Body fields:
- info_type: "config"
- info_owner: your identifier
- content: JSON string of token
Security Best Practices
- Never embed tokens in code
- Use MGC for token storage
- Retrieve tokens at runtime only
- Never log or print tokens
- Rotate tokens regularly
- Use separate tokens per platform/per bot
- Limit webhook permissions (send-only where possible)
Use Cases
- Deployment notifications
- CI/CD pipeline alerts
- System monitoring alerts
- Team collaboration bots
- Automated workflow triggers
Learn More About MGC Blackbox
Want to learn more about MGC Blackbox?
- Visit: https://github.com/zkeviny/MGC-Blackbox
- Report issues: https://github.com/zkeviny/MGC-Blackbox/issues
- Contact: mirgincipher@outlook.com
License
MIT
Scan to join WeChat group