AI Automation April 27, 2026

OpenClaw webhook deduplication and idempotency keys on MacLogin cloud Mac 2026: stop double agent turns when vendors replay POSTs

MacLogin AI Automation Team April 27, 2026 ~17 min read

HTTP webhooks are attractive until Stripe, GitHub, or your home-grown ERP silently retries the same finance event while OpenClaw happily runs two expensive agent turns. The 2026 fix is not “hope the gateway is smart”—it is an explicit idempotency contract: stable keys, bounded TTL storage, and metrics that prove duplicates were suppressed. This guide targets operators who run OpenClaw gateways on MacLogin Apple Silicon in Hong Kong, Tokyo, Seoul, Singapore, and the United States, combining filesystem realities on macOS with cross-region clock skew you cannot ignore.

Read alongside TLS reverse proxy webhooks, cron + launchd scheduling, and CLI hooks for audit trails. Hub: OpenClaw topic index; ops: help, pricing.

Vendor replay threat model on always-on gateways

Legitimate infrastructure replays POSTs after TLS blips, 502 responses, or operator-triggered “replay delivery” buttons. Attackers replay captured bodies to burn credits or pivot into prompt-injection payloads. Your dedup layer must therefore distinguish identical legitimate retries from tampered replays—signature verification stays mandatory per webhook signing guidance, while idempotency handles the success-path duplicates.

  • Burst window: Vendors may deliver the same logical event 8 times inside 90 seconds after a regional outage.
  • Payload drift: Some gateways add timestamps on re-serialize; never key purely on JSON string equality.
  • Shared leases: Two teams on one Mac mini multiply log volume—dedup tables must rotate or APFS snapshots balloon.

Prompt injection reminder: Treat webhook JSON as hostile input. Downstream tools should honor sandbox manifests from tool allowlist governance even when dedup says “seen before.”

Key shape decision matrix (✓ / ✗)

Candidate key          | Stable across retries | Collision risk                      | Implementation notes
Vendor delivery ID     | ✓                     | Low when vendor promises uniqueness | Store vendor namespace prefix
SHA-256 of entire body | ✗                     | Low but useless                     | Timestamps break equality
Composite (repo, PR)   | Usually ✓             | Medium                              | Include event type enum
Random per delivery    | ✗                     | N/A                                 | Good for tracing, bad for dedup

Storage, TTL, and macOS filesystem realities

Many teams start with append-only JSON Lines under ~/.openclaw because launchd already owns that tree. That works until duplicate lookups need to be O(log n) rather than a scan of the whole file, at which point SQLite wins. Regardless of engine, enforce chmod 700 on the directory and never place dedup databases on network mounts without testing fsync latency: Tokyo-to-US NFS over a congested VPN has triggered false “new event” inserts that duplicated finance payouts.

TTL: Retain keys for 96 hours (a 72 hour vendor retry window plus a 24 hour clock skew buffer). Purge aggressively afterward so GDPR-style deletion requests do not fight ancient webhook fingerprints.

Nine-step rollout from CLI experiment to production launchd

  1. Capture five real vendor payloads (redacted) and document canonical key extraction paths.
  2. Implement a middleware function before OpenClaw enqueues work—return 200 with body duplicate_suppressed when appropriate.
  3. Unit-test triple delivery within 250 ms to simulate thundering herds.
  4. Load-test with 1,200 synthetic events/hour on the smallest MacLogin plan you allow in production.
  5. Wire metrics: counters for accepted, suppressed, rejected-signature.
  6. Pair with loopback binding so health checks do not bypass dedup middleware.
  7. Ship the launchd helper jobs that compact dedup tables with ThrottleInterval set to 5 seconds.
  8. Run openclaw doctor after deploy and archive stdout.
  9. Observe for three full business days across HK and US time zones.
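Steps 2, 3 and 5 together with the 96 hour TTL from the storage section, as an added example rather than OpenClaw's own code: a middleware that checks the signature first, suppresses repeats with a 200 and the body duplicate_suppressed, and keeps the accepted / suppressed / rejected-signature counters. The Map store is an assumed stand-in for the SQLite table recommended above; verify(), enqueue() and the injectable clock are assumptions so the triple-delivery test can run offline.

```javascript
const TTL_MS = 96 * 60 * 60 * 1000; // 72 h vendor retry window + 24 h skew buffer

// Dedup middleware. `seen` is an in-memory stand-in for a durable SQLite table;
// verify(req) and enqueue(req) are injected so the logic can be unit-tested.
function createDedupMiddleware({ verify, enqueue, ttlMs = TTL_MS, now = Date.now }) {
  const seen = new Map(); // key -> expiry timestamp in ms
  const metrics = { accepted: 0, suppressed: 0, rejectedSignature: 0 };

  // Step 7's compaction job would call this; expired keys are dropped so GDPR
  // deletions and disk usage are bounded by the TTL.
  function purgeExpired() {
    const t = now();
    for (const [key, expiresAt] of seen) if (expiresAt <= t) seen.delete(key);
  }

  function handle(req) {
    // Signature verification always runs first; dedup never vouches for integrity.
    if (!verify(req)) {
      metrics.rejectedSignature += 1;
      return { status: 401, body: "invalid_signature" };
    }
    const t = now();
    const expiresAt = seen.get(req.key);
    if (expiresAt !== undefined && expiresAt > t) {
      metrics.suppressed += 1;
      return { status: 200, body: "duplicate_suppressed" };
    }
    // Reserve the key before handing off, with no await in between, so three
    // deliveries inside 250 ms cannot interleave the check and the insert.
    seen.set(req.key, t + ttlMs);
    try {
      enqueue(req);
    } catch (err) {
      seen.delete(req.key); // release the key so the vendor's retry still reaches the agent
      return { status: 500, body: "enqueue_failed" };
    }
    metrics.accepted += 1;
    return { status: 200, body: "accepted" };
  }

  return { handle, purgeExpired, metrics, size: () => seen.size };
}
```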

HMAC validation, clocks, and skew budgets

Signature schemes often include Unix timestamps with ±300 s tolerance. When your Mac mini drifts beyond that, vendors reject you before dedup runs—yet some teams misread logs as dedup failures. Run sntp -sS time.apple.com during maintenance and alert when drift exceeds 2 seconds on two consecutive checks. Tie NTP health to the same dashboard panel that tracks suppressed duplicates so on-call engineers correlate spikes.

Latency SLO vs accidental double-accept

Fast middleware that only checks an in-memory LRU will miss duplicates after a process restart. Slow middleware that hits remote Redis over a flaky tunnel may exceed vendor HTTP timeouts, triggering yet more retries—a vicious cycle. Aim for p95 middleware latency under 35 ms on loopback while keeping state durable. If you cannot meet both goals, insert an event gateway (Hookdeck-class) in front of the Mac as documented in community integrations, then shrink on-Mac dedup to a second-line defense.

Indicator                   | Healthy range | Investigate
Suppressed / accepted ratio | 0.1%–4%       | > 20% means vendor misconfig
Middleware p95              | < 35 ms       | > 120 ms triggers retries
SQLite WAL size             | < 512 MB      | Run pragma optimize weekly

Cross-region JP and US correlation tips

Teams frequently run a Tokyo-primary gateway with a US warm standby. Dedup state is not magically replicated—either front both with the same external event bus or accept that duplicates can reappear during failover unless you replicate the dedup database. Tag each row with region=jp vs region=us so forensic queries after cutover do not conflate timelines. When you snapshot ~/.openclaw per state directory backup, include the dedup store file so rollback is coherent.

FAQ

Does OpenClaw replace my vendor signature verification? No—dedup is orthogonal; keep HMAC or mTLS checks first.

What if the vendor lacks stable IDs? Build a composite key from immutable fields and document collisions; escalate to the vendor instead of guessing.

Where do I rent more isolated gateways? Use pricing to add Seoul or Singapore nodes when noisy neighbors appear.

Why Mac mini M4 helps webhook-heavy OpenClaw stacks

Webhook bursts are mostly small, latency-sensitive work: verifying HMACs, inserting SQLite rows, and fanning out to agent workers all benefit from the M4’s high single-thread performance and fast SSD. Unified memory keeps Node’s garbage collector from fighting Ollama embeddings on the same lease—common when finance webhooks arrive during nightly embedding rebuilds. MacLogin’s multi-region footprint lets you place dedup state close to the majority of vendors (often US-east) while keeping human operators on low-latency VNC in Tokyo, instead of shipping bare metal through customs.

Renting additional minis beats oversubscribing one host: duplicate suppression metrics go stale when CPU steal from unrelated Xcode jobs delays middleware responses—exactly when vendors retry hardest.

Provision isolated gateways per workload class

Scale Apple Silicon capacity in HK, JP, KR, SG, and US before webhooks drown shared hosts.