This guide covers native Nextcloud Talk integration for ZeroClaw.
- Receives inbound Talk bot webhook events via POST /nextcloud-talk.
- Verifies webhook signatures (HMAC-SHA256) when a secret is configured.
- Sends bot replies back to Talk rooms via Nextcloud OCS API.
Add this section in ~/.zeroclaw/config.toml:
[channels_config.nextcloud_talk]
base_url = "https://cloud.example.com"
app_token = "nextcloud-talk-app-token"
webhook_secret = "optional-webhook-secret"
allowed_users = ["*"]

Field reference:
- base_url: Nextcloud base URL.
- app_token: Bot app token used as Authorization: Bearer <token> for OCS send API.
- webhook_secret: Shared secret for verifying X-Nextcloud-Talk-Signature.
- allowed_users: Allowed Nextcloud actor IDs ([] denies all, "*" allows all).
Environment override:
ZEROCLAW_NEXTCLOUD_TALK_WEBHOOK_SECRET overrides webhook_secret when set.
Run the daemon or gateway and expose the webhook endpoint:
zeroclaw daemon
# or
zeroclaw gateway --host 127.0.0.1 --port 3000

Configure your Nextcloud Talk bot webhook URL to:
https://<your-public-url>/nextcloud-talk
When webhook_secret is configured, ZeroClaw verifies:
- header X-Nextcloud-Talk-Random
- header X-Nextcloud-Talk-Signature
Verification formula:
hex(hmac_sha256(secret, random + raw_request_body))
If verification fails, the gateway returns 401 Unauthorized.
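The formula above as an added Python example (not ZeroClaw's own code), useful for checking a captured request when the gateway returns 401. It assumes the secret and random value are UTF-8 encoded and the signature is lowercase hex; the secret, random value and JSON body are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed sample values, not taken from a real Nextcloud instance.
SECRET = "constructed-webhook-secret"
RANDOM = "constructed-random-header-value"
# Note the double space after the comma: the signature covers these exact bytes.
RAW_BODY = b'{"type": "Create",  "object": {"name": "message"}}'


def expected_signature(secret: str, random: str, raw_body: bytes) -> str:
    """hex(hmac_sha256(secret, random + raw_request_body))."""
    message = random.encode("utf-8") + raw_body
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify(secret: str, random, signature, raw_body: bytes) -> bool:
    """True if the signature header matches; False maps to 401 Unauthorized."""
    if not random or not signature:
        return False  # a missing header can never verify
    expected = expected_signature(secret, random, raw_body)
    # Constant-time comparison on bytes avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode("ascii"), signature.strip().encode("utf-8"))


def demo() -> dict:
    """Run the three mismatch causes named in the troubleshooting list."""
    sig = expected_signature(SECRET, RANDOM, RAW_BODY)
    # Parsing and re-encoding JSON changes whitespace, so the bytes differ.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode("utf-8")
    return {
        "raw_body": verify(SECRET, RANDOM, sig, RAW_BODY),
        "reserialized_body": verify(SECRET, RANDOM, sig, reserialized),
        "wrong_secret": verify("some-other-secret", RANDOM, sig, RAW_BODY),
        "missing_random": verify(SECRET, None, sig, RAW_BODY),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else '401 Unauthorized'}")
```

Only the first case verifies: any proxy or middleware that parses and re-encodes the body before the check changes the signed bytes.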
- ZeroClaw ignores bot-originated webhook events (actorType = bots).
- ZeroClaw ignores non-message/system events.
- Reply routing uses the Talk room token from the webhook payload.
- Set allowed_users = ["*"] for first-time validation.
- Send a test message in the target Talk room.
- Confirm ZeroClaw receives and replies in the same room.
- Tighten allowed_users to explicit actor IDs.
- 404 Nextcloud Talk not configured: missing [channels_config.nextcloud_talk].
- 401 Invalid signature: mismatch in webhook_secret, random header, or raw-body signing.
- No reply but webhook 200: event filtered (bot/system/non-allowed user/non-message payload).