In Tines, add a Webhook action as the entry point of your story and copy the generated webhook URL from the action configuration panel.
Send a POST request to the webhook URL with Content-Type: application/json and a structured JSON body representing the security event (alert, finding, IOC, etc.).
Reference incoming payload fields within subsequent Tines actions using the dot-notation path syntax (e.g., {{.webhook_action.body.alert_id}}) to drive conditional logic and downstream steps.
To require synchronous responses, enable the webhook_api_enabled option on the story (configurable via the Stories API with the webhook_api_enabled parameter); the response is emitted from the first Exit action reached within 30 seconds.
Test end-to-end by sending a synthetic event payload and inspecting the Tines story audit log to confirm each action received and processed the expected data.
Known gotchas
By default, Tines webhook URLs are unauthenticated; add a secret token check in the first action and return HTTP 403 on mismatch to prevent unauthorised story execution.
The 30-second synchronous-response window applies only when the API-response mode is enabled; for long-running workflows, design for asynchronous patterns and return an immediate acknowledgement.
CORS must be explicitly enabled on the webhook action for browser-originated requests; server-to-server integrations do not require this setting.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp