Channels

7 messaging platform adapters with webhook authentication and message normalization

SafeClaw supports 7 messaging platforms through a unified adapter interface. Each adapter normalizes platform-specific webhook payloads into a common message format and handles authentication.

Channel Adapter Trait

pub trait ChannelAdapter: Send + Sync {
    async fn send_message(&self, message: OutboundMessage) -> Result<String>;
    async fn receive_message(&self, payload: &[u8]) -> Result<InboundMessage>;
}

Message Types

pub struct InboundMessage {
    pub channel: String,
    pub user_id: String,
    pub chat_id: String,
    pub content: String,
    pub attachments: Vec<MessageAttachment>,
    pub timestamp: i64,
}

pub struct OutboundMessage {
    pub channel: String,
    pub chat_id: String,
    pub content: String,
}

pub struct MessageAttachment {
    pub attachment_type: String,
    pub url: String,
    pub size: usize,
}

Supported Platforms

Webhook Authentication

pub trait ChannelAuth: Send + Sync {
    fn verify_signature(&self, payload: &[u8], signature: &str) -> Result<bool>;
}

Each platform has its own authentication implementation:

Failed authentication generates a Critical severity audit event with LeakageVector::AuthFailure.

Configuration

[channels.telegram]
bot_token = "${TELEGRAM_BOT_TOKEN}"

[channels.slack]
bot_token = "${SLACK_BOT_TOKEN}"
signing_secret = "${SLACK_SIGNING_SECRET}"

[channels.discord]
bot_token = "${DISCORD_BOT_TOKEN}"
public_key = "${DISCORD_PUBLIC_KEY}"

[channels.feishu]
app_id = "${FEISHU_APP_ID}"
app_secret = "${FEISHU_APP_SECRET}"
verification_token = "${FEISHU_VERIFICATION_TOKEN}"

[channels.dingtalk]
app_key = "${DINGTALK_APP_KEY}"
app_secret = "${DINGTALK_APP_SECRET}"

[channels.wecom]
corp_id = "${WECOM_CORP_ID}"
agent_id = "${WECOM_AGENT_ID}"
secret = "${WECOM_SECRET}"
token = "${WECOM_TOKEN}"
encoding_aes_key = "${WECOM_ENCODING_AES_KEY}"

[channels.webchat]
api_key = "${WEBCHAT_API_KEY}"

Webhook Endpoint

All webhooks are received at:

POST /api/v1/gateway/webhook/:channel

For example:

  • POST /api/v1/gateway/webhook/telegram
  • POST /api/v1/gateway/webhook/slack
  • POST /api/v1/gateway/webhook/discord

Message Flow

  1. Platform Webhook
  2. Webhook Endpoint (/api/v1/gateway/webhook/:channel)
  3. Channel Auth (verify signature)
  4. Channel Adapter (parse → InboundMessage)
  5. Privacy Classifier (detect PII)
  6. Session Manager (route to local or TEE)
  7. AI Agent (process)
  8. Output Sanitizer (redact tainted data)
  9. Channel Adapter (OutboundMessage → platform format)
  10. Platform API (send response)
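
An added example, not SafeClaw's own code: a fail-closed gate for the webhook endpoint that runs ChannelAuth on the raw request bytes before any adapter parsing, and records the Critical LeakageVector::AuthFailure event on every rejection. StaticTokenAuth, gate, AuditLog, the Result alias and the enum shapes are assumptions made for illustration, as is auditing an unknown channel as an authentication failure.

```rust
use std::collections::HashMap;

// ChannelAuth is the page's trait; this Result alias is an assumed stand-in.
type Result<T> = std::result::Result<T, String>;
pub trait ChannelAuth: Send + Sync {
    fn verify_signature(&self, payload: &[u8], signature: &str) -> Result<bool>;
}

// Local stand-ins for the audit types the page names (assumed shapes).
#[derive(Debug, PartialEq)] pub enum Severity { Critical }
#[derive(Debug, PartialEq)] pub enum LeakageVector { AuthFailure }
pub type AuditLog = Vec<(Severity, LeakageVector, String)>;

// Hypothetical shared-token verifier; a real adapter would check a MAC or
// signature computed over `payload` instead of ignoring it.
pub struct StaticTokenAuth { pub token: Vec<u8> }

// Fold over every byte so timing does not reveal where the first mismatch is.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl ChannelAuth for StaticTokenAuth {
    fn verify_signature(&self, _payload: &[u8], signature: &str) -> Result<bool> {
        if signature.is_empty() { return Err("missing signature header".into()); }
        Ok(ct_eq(&self.token, signature.as_bytes()))
    }
}

// Gate for POST /api/v1/gateway/webhook/:channel: the raw body reaches the adapter
// only on Ok(true). Ok(false), Err and unknown channels all reject and are audited.
pub fn gate<'a>(auths: &HashMap<&str, Box<dyn ChannelAuth>>, audit: &mut AuditLog,
                channel: &str, body: &'a [u8], signature: &str) -> Option<&'a [u8]> {
    match auths.get(channel).map(|a| a.verify_signature(body, signature)) {
        Some(Ok(true)) => Some(body),
        _ => {
            audit.push((Severity::Critical, LeakageVector::AuthFailure, channel.to_string()));
            None
        }
    }
}

fn main() {
    // Constructed sample: one registered channel with a made-up token.
    let mut auths: HashMap<&str, Box<dyn ChannelAuth>> = HashMap::new();
    auths.insert("webchat", Box::new(StaticTokenAuth { token: b"example-token".to_vec() }));
    let mut audit = AuditLog::new();
    let accepted = gate(&auths, &mut audit, "webchat", b"{}", "wrong").is_some();
    println!("accepted={accepted} audit={audit:?}");
}
```

Because the gate returns the body only on Ok(true), a verifier that errors out cannot be mistaken for one that passed.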

A3S Gateway Integration

When running behind A3S Gateway, SafeClaw registers its routes automatically:

[a3s_gateway]
enabled = true
service_name = "safeclaw"
api_rule = "PathPrefix(`/safeclaw/api`)"
ws_rule = "Path(`/safeclaw/ws`)"
webhook_rule = "PathPrefix(`/safeclaw/webhook`)"
middlewares = ["auth-jwt", "rate-limit"]
entrypoints = ["websecure"]
conversation_affinity = true
affinity_cookie = "safeclaw_session"
token_metering = true
max_tokens_per_minute = 10000
